Friday, December 29, 2017

My favorite books from 2017



I thought I'd share my favorites from 2017. These are the ones I gave 5 stars to... I recommend them all :)

To see all my books, follow me on Goodreads.

I've organized the books I read this year by theme:

North Korea
The Girl with Seven Names: A North Korean Defector’s Story 
by Hyeonseo Lee 
The Orphan Master's Son: A Novel 
by Adam Johnson

The first is non-fiction, the second fiction, and combined they present an in-depth and disturbing picture of life in North Korea. There is certainly no shortage of brutal regimes in the world, but the Kim dynasty has taken the cult of personality to an unbelievable extreme while leading the world in human rights abuses. In order to fund one of the world's largest militaries, domestic food production is deprioritized, leading to massive famines and hardship. The best example of the deification of the Kims: every home was given two mounted portraits, one of Kim Il-sung and one of his son, Kim Jong-il. The pictures were to be hung on the wall of the main (often the only) room in the house, and no other hangings were allowed. A local party official would make frequent, unannounced inspections: if the pictures had dust, or were smudged, or were crooked, the entire family would go missing. Hyeonseo Lee, the author of The Girl with Seven Names, has spoken about her life in North Korea in a couple of TED talks; it's worth hearing firsthand what it's like to witness public executions and widespread desperation. And Adam Johnson won a Pulitzer Prize for The Orphan Master's Son--it's a great read with compelling insights into the brutal farce which is life in North Korea.

History
Destiny Disrupted: A History of the World Through Islamic Eyes
by Tamim Ansary
One Nation Under God: How Corporate America Invented Christian America
by Kevin Kruse
How the Scots Invented the Modern World: The True Story of How Western Europe's Poorest Nation Created Our World and Everything in It 
by Arthur Herman

I was very impressed by Destiny Disrupted, and posted about it a couple of months ago. It's a broad narrative of the history of Islam, told from an insider's perspective and with surprising insights into Christianity and the West as well.

The theme of One Nation Under God is how business leaders, frustrated by FDR's New Deal and with zero credibility after the Depression, looked for ways to "get their message out" and therefore made common cause with religious leaders in the late 1930s. A couple of decades later, "under God" was added to the Pledge of Allegiance and "In God We Trust" became the country's official motto. I found it a surprisingly informative history of mid-20th-century politics and of how religion became ingrained in our public discourse in ways that were new and unique--and which continue today.

Silly me, I thought it was the Irish who saved civilization. The history of Scotland, roughly beginning in the 1600s and through to Andrew Carnegie and Woodrow Wilson (both of Scottish heritage), is fascinating and while I expect the author was somewhat selective to make a point I was still very impressed by the influence of Scottish thought and key individuals. I only vaguely knew about John Knox and the Presbyterian Church of Scotland, and knew next to nothing about the Scottish Enlightenment. Scots were influential in India, Canada, Australia as well as the US; many of the names cited I knew about but didn't realize were Scottish. Altogether an enlightening read.

Modern Times/Technology vs Humans
Drawdown: The Most Comprehensive Plan Ever Proposed to Reverse Global Warming 
by Paul Hawken
Hit Makers: The Science of Popularity in an Age of Distraction
by Derek Thompson
Blink: The Power of Thinking Without Thinking 
by Malcolm Gladwell 
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are
by Seth Stephens-Davidowitz
The Upstarts: How Uber, Airbnb, and the Killer Companies of the New Silicon Valley Are Changing the World 
by Brad Stone 

Technology. From the steam engine (invented by a Scot!) to the internal combustion engine to the Internet and ubiquitous smartphone: Tech disrupts what came before, and never without unforeseen side effects including global warming, insidious privacy invasion, and online addictions.

We all know there are a variety of things we can do as consumers, and as governments, if we're concerned about climate change. In Drawdown, Paul Hawken lists the 100 most substantive solutions to reverse global warming, based on meticulous research by leading scientists and policymakers around the world. A coalition of geologists, engineers, agronomists, researchers, fellows, writers, climatologists, biologists, botanists, economists, financial analysts, architects, companies, agencies, NGOs, activists, and other experts have been working on Project Drawdown (http://www.drawdown.org/), so named for approaches to draw down carbon levels in the atmosphere. Each of the 100 approaches is described in terms of its potential to draw down carbon (other terms for this include decarbonization and negative emissions). By characterizing the benefit of each approach in a common metric, namely gigatons of carbon dioxide reduced, they can be compared rationally. And the ranking is surprising. The top four items (out of 100) are: refrigeration management; onshore wind turbines; reduced food waste; and plant-rich diets. Note that for 3 of those 4 items, we can make an impact as consumers. Other approaches didn't rank as high as I would have imagined: electric vehicles (26); mass transit (37); LED lighting (44); and ridesharing (75). So for wannabe climate activists, this is a handy guide for directing our collective efforts.

Hit Makers was pretty interesting. Ever wonder how things go viral? What makes for the best clickbait headlines? How did Rock Around the Clock become the best selling rock record of all time? How did Facebook become the world’s most important modern newspaper? This book answers those questions, and more! (Readers of a certain age may find this interesting: Rock Around the Clock sold more single records than anything by Elvis or the Beatles; the only record that's outsold it is White Christmas by Bing Crosby. But I digress.) Smart people are at work developing clickbait and other online inducements to keep you engaged. Beware.

I became a Malcolm Gladwell fan listening to his podcast, Revisionist History. Gladwell comes up with unique and often charming ways of interpreting the world around us. In Blink, he tackles how we think--especially how our instincts influence decisions good and bad. Some examples he dives into include the election of Warren Harding; "New Coke"; and the shooting of an unarmed black man by police.

In Everybody Lies, author Seth Stephens-Davidowitz makes some startling and possibly revolutionary discoveries about how elements of Big Data about us can reveal truths that would otherwise not be forthcoming. Psychologists and sociologists have known for years not to put too much trust in surveys or questionnaires; people in general aren't totally truthful on topics that they may find embarrassing or about which they're ashamed. Stephens-Davidowitz's insight is that, by way of contrast, we're collectively (and sometimes frighteningly) honest when confronted with a Google search bar. His post-election research revealed some things about our society that are deeply troubling. Raj Chetty, economics professor at Stanford, characterized it as "Freakonomics on steroids". Everyone should read this!

I liked The Upstarts for a couple of reasons. First, it's an inside look not just at how companies are funded in 21st-century Silicon Valley, but at how unicorns have come to be. Second, it's more about popular new approaches versus entrenched interests than it is about technology. It's also a book about ambition, greed, and a badly behaving bro culture at Uber. Very relevant to our times.

Christian History and Theology
Early Christian Traditions 
by Rebecca Lyman
When the Church Was Young: Voices of the Early Fathers
by Marcellino D'Ambrosio
Christianity As Mystical Fact: And the Mysteries of Antiquity
by Rudolf Steiner 
According to Matthew: The Gospel of Christ’s Humanity
by Rudolf Steiner 

I've recently become interested in the church fathers and the history of the church. Last year I read Augustine and Aquinas; this year I started more from the beginning. It's fascinating to me to see how the Christian movement formed and grew; my recent historical fiction foray into Roman history (see below) provides an interesting counterpoint.

Early Christian Traditions is unique in many ways, chief among them that the author is the adjunct priest at our Episcopal church in Sunnyvale. I'm facilitating a book study on Wednesday nights, and have found that going through it a second time, chapter by chapter, discussing it with others as well as with the author, has really deepened my understanding of this era.

I've been reading Rudolf Steiner for about 20 years. He's generally referred to as an Austrian mystic, and he's most widely known for founding Waldorf Schools, biodynamic agriculture, anthroposophical medicine (which was my primary cancer therapy), and The Christian Community (known in Germany as the Christengemeinschaft). Steiner wrote about 20 books of bible commentary and Christology. This is my second time through both of the books above.

Historical Fiction: The Cicero Trilogy
Imperium: A Novel of Ancient Rome
by Robert Harris
Conspirata: A Novel of Ancient Rome
by Robert Harris
Dictator: A Novel 
by Robert Harris

This is as good as historical fiction gets. I learned a great deal about Rome, its culture and customs, as well as key historical events (there were a lot of those). I of course knew about Cicero, and read his great speeches in context; through all three novels the parallel plot is about Julius Caesar--probably the most fascinating historical character there is. And, as with good fiction, I cared about the characters and what would happen next--even though the events themselves were over 2,000 years ago.

Speculative Fiction/Sci Fi
Do Androids Dream of Electric Sheep?
by Philip K. Dick 
The Man in the High Castle
by Philip K. Dick 
The Mongoliad (The Mongoliad Series Book 1) 
by Greg Bear
Walkaway: A Novel
by Cory Doctorow 
Ready Player One: A Novel
by Ernest Cline 

I won't describe each book; I suspect people either like this kind of stuff or they don't. A couple points, though:

2017 is the year I became a Philip K. Dick fan. I've certainly heard of him for quite some time, and my son-in-law has a personal connection. I've always enjoyed the movies made of his books, just never got around to reading him. I have to say, his books provide a whole new level of depth and insights.

As for the Mongoliad: It's a 5-book series, and I don't plan to proceed. Not listed, but one of the authors is a favorite of mine: Neal Stephenson. Big favorite. This describes why I liked it OK, but didn't love it: "The Mongoliad began as a social media experiment, combining serial story-telling with a unique level of interaction between authors and audience during the creative process. Since its original iteration, The Mongoliad has been restructured, edited, and rewritten under the supervision of its authors to create a more cohesive reading experience and will be published as a trilogy of novels." I also read another Neal Stephenson collaboration this year called The Rise and Fall of D.O.D.O.. Maybe it was the title, but I'm now resolved to stick to solo Neal Stephenson efforts.

Obscure New Detective Series
The Coroner's Lunch (A Dr. Siri Paiboun Mystery) 
by Colin Cotterill 
Thirty-Three Teeth (A Dr. Siri Paiboun Mystery) 
by Colin Cotterill 

I'm hooked, and I have 11 books to go in the series. You might be tired of murder mysteries set in Laos in the 1970s, but I can't seem to get enough. Dr. Siri has fought in the jungle with the Pathet Lao for 40 years; the king has abdicated, the Americans have left, and the glorious revolution is in power. Siri, now 72, is named official coroner of Laos despite the fact that he has no experience other than as a doctor. Oh, yeah, he's also hosting an ancient shaman. The writing is charming, slightly literary, with a dash of whimsy. So the series is kind of a cross between Agatha Christie, The Hobbit, and a super-insightful travel guide to Southeast Asia.

Healing Thoughts
God's Hotel: A Doctor, a Hospital, and a Pilgrimage to the Heart of Medicine
by Victoria Sweet 
Hildegard of Bingen: A Spiritual Reader 
by Carmen Acevedo Butcher
The Shift: One Nurse, Twelve Hours, Four Patients' Lives
by Theresa Brown 

God's Hotel describes San Francisco’s Laguna Honda Hospital, the last almshouse in the country, a descendant of the Hôtel-Dieu (God’s hotel) that cared for the sick in the Middle Ages. Who takes care of those who can't care for themselves and have a chronic or long-term condition? This was warm, heartfelt, and more compassionate than I've ever experienced. Author Victoria Sweet was a practicing doctor at Laguna Honda, and came up with some pretty amazing insights. You can see Victoria Sweet on a TED talk, discussing what she calls "slow medicine."

In order to better improve her healing abilities, Victoria Sweet took it upon herself to study Hildegard. So did I, but I didn't learn German and go to Bingen to study it. Instead, I read and enjoyed Hildegard of Bingen: A Spiritual Reader.

I mostly read (Kindle) but on our last trip to Eugene we listened to The Shift: One Nurse, Twelve Hours, Four Patients' Lives. It takes place in the cancer ward of a major teaching hospital, and it's a real eye-opener. Nurses are the bedrock of institutional healthcare, and Theresa Brown gives an intimate, often intense, and ultimately warm tour of how life and death matters are handled.

A Great Thriller, For When You Don't Have to Get Up Early the Next Day
I Am Pilgrim: A Thriller 
by Terry Hayes 

I think this is Terry Hayes' only book; it was released in 2014. I hope he's working on more!



Monday, December 11, 2017

A Lightweight Approach to Mobile Security


In a post last week, I summarized some of the reasons that mobile security is hard for enterprises. The Gartner-defined approach known as Mobile Threat Defense, or MTD, is widely regarded as best practice for mobile security. This approach, while comprehensive, represents heavy lifting for most enterprises. Let's unpack that before exploring what might be a more reasonable, lightweight approach for getting started with enterprise mobile security.

MTD, as defined, has the following four general requirements:
  1. Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.
  2. Vulnerability assessments — MTD tools inspect devices for configuration weaknesses (outdated OS, sideloading enabled, rooted or jailbroken state) that could allow malware to execute.
  3. Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.
  4. App scans — MTD tools identify "leaky" apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.
Most vendors propose to address requirements 1, 2, and 3 above with on-device apps, or agents. Item 4, app scans, is generally addressed through an Enterprise Mobility Management (EMM) integration or a proprietary MDM server, either of which must be deployed and managed by the enterprise IT staff (although many enterprises may already have an EMM deployed).

Requirements 1 and 2 are focused on malware detection. As I've outlined in prior posts, while mobile malware represents a real risk to individuals due to the threat of identity theft, financial fraud, ransomware and spyware, it is only a negligible enterprise threat. Requirement 3, network security, has been highlighted by vendors as critical to preventing WiFi-based man-in-the-middle (MiTM) attacks, with real-time detection of SSL stripping and rogue access points. But, again, such attacks are far more of a threat to individuals than to enterprises. Think about it this way: a MiTM attack against a mobile device is essentially the same as a MiTM attack against a laptop, and laptops have been used in coffee shops, hotels, airports and other public spaces for more than a decade prior to the wide adoption of smartphones. How many enterprises were breached due to MiTM attacks against laptops? None that have been publicly reported. And how many commercial solutions exist to protect laptops against MiTM attacks? None that I can find. The evidence suggests that the need for protection against mobile MiTM attacks is vendor-generated hype rather than a response to real risks to enterprises. And feedback from enterprises attempting to deploy network security approaches suggests that the current generation of products in this space is rife with false positives--a huge burden to IT staff, and something that leads to loss of trust from users.

Because MTD requires enterprises to deploy a mobile app on all users' mobile devices, it imposes challenges from both an operational and an employee relations perspective (enterprises routinely receive push-back from employees due to concerns about corporate surveillance, as well as the many questions they will have regarding the app). Furthermore, MTD solutions remediate risks by requiring employees to delete apps that violate corporate policies from their personal devices, even if those apps are not used at work. For example, an employee or contractor might be required to permanently delete a gaming, social network or messaging app that the individual might otherwise use and enjoy often. That's a tough sell, and can lead to employee resentment and dissatisfaction--and to creative attempts to circumvent controls.

In summary, MTD is a heavyweight approach to mobile security because it is orthogonal to the existing security infrastructure, requires a complex integration with EMMs, introduces a new system that requires management and operational responses, and involves convincing all employees, contractors and other users to install a mobile app that performs on-device security functions (hopefully with minimal battery drain) and which may require employees to delete beloved apps from their personal devices. This is why MTD can be characterized as requiring heavy lifting for enterprise mobile security.

An App-Centric, Lightweight Approach to Mobile Security
Are there other approaches to securing mobile devices in the enterprise that don't require mobile app deployment or EMM integrations? Unfortunately, there are no commercial products that I'm aware of. I therefore believe there's an opportunity for vendors or enterprising startups to fill the solution gap between doing nothing and adopting a heavyweight solution. I'll outline the main characteristics below.

First, I think the issue of mobile security is largely an issue of mobile app security and requires an app-centric approach. The device and network threats, while real, are less of a threat to enterprises than vendors and the trade press would have us believe.

Second, mobile security is unfamiliar terrain for IT security staff, who would have to master EMM capabilities and the operational aspects of integrating with MTD solutions; that is a new strain on their time and expertise.

Third, it would be ideal if a mobile security solution leveraged current enterprise security infrastructure rather than introducing a new platform. Most enterprise security today is based on identifying threats by the external hosts they come from, keyed by IP address. Threat intelligence, employed by many enterprises, includes a list of IPs that should be blocked, and the ubiquitous firewall is the primary tool for enforcing that.

If an enterprising vendor developed a mobile threat intelligence feed, that could be used to provide a reasonable level of protection within the enterprise.

The ideal feed would include endpoints and servers associated with malware campaigns which could be blocked by a firewall or other perimeter security solutions (while as noted above this is a negligible threat to enterprises, blocking those connections would be a relatively trivial task so the cost/benefit ratio is positive).

In addition, the mobile threat intelligence feed would identify apps' network connections that leak data contrary to corporate policy. Of course, each enterprise has different criteria for developing such policies, so the feed should include enough metadata that connections could be selectively blocked based on the nature of the data leakage risk.

The vendor providing such a feed would have to analyze the connections from all apps available from Google Play, the App Store, and any other sanctioned app stores. This is simpler than doing a full behavioral analysis of the apps. A higher level solution would classify connections based on the type of data being leaked. I believe the apps' network connections could be categorized as follows:
  • backend: the servers that the app connects to for cloud-based computation, aggregation and persistent storage
  • auxiliary:  the third-party servers that provide auxiliary services to the app, such as outside temperature or a map overlay
  • marketing frameworks: the third-party servers, such as Flurry,  that provide app use analysis and some forms of surveillance to precisely identify characteristics of the user, usually for input into big data algorithms for ad networks
  • ad networks: the third-party servers and related infrastructure for serving ads (and sometimes malvertising) to the mobile device
The mobile threat intelligence feed, with metadata for each IP identifying the source app and which category the connection falls into, would give enterprises enough data to provide lightweight security to their mobile devices, both corporate-owned (COPE) and bring-your-own (BYOD).

Here are some use cases that could be addressed with such a solution:
  1. Malware protection: block all connections to/from malicious sites. Note that blocking of such connections would only be performed while the mobile device is on the corporate network; when the employees go home no further protection would be active unless a VPN is used. However, this is exactly the paradigm in place for laptop protection, when employees take their laptops home. When accessing enterprise resources remotely, a VPN is almost always required, and malicious IPs would be blocked.
  2. Data leakage: block all connections, based on policy criteria. For example, apps that send address books could be blocked. The enterprise wouldn't know which are the offending apps necessarily (although a mature solution would have the option to query that). Note that the blocking of those connections prevents data leakage without having an on-device agent and without requiring any action on the part of the user. The user experience would simply be that the app would fail to work normally. If it's not a work-based productivity app, the employee really has nothing to complain about except having to wait until they get home to play games or engage their social network. Maybe productivity will improve!
  3. Advertising: while employees using apps that receive ads isn't generally considered a threat, does an enterprise really want content from any one of hundreds of ad networks flowing into its secure environment? And while malware delivered through ad networks, known as malvertising, is rare, it would be prevented by blocking all advertising connections.
Note that with such a solution most of the MTD deployment and operational challenges are not present. No EMM integration is required. No mobile apps or agents need to be deployed on all users' devices, and employees are never asked to delete apps from their device. Some personal apps that violate policy may not operate correctly while employees are at work, but that's hardly something they can complain about.
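To make the policy logic behind the three use cases concrete, here is an added example (my own illustration, not code from this post or from any vendor) of how an enterprise could compile such a feed into firewall rules. The JSON Lines feed format, its field names (ip, app, category, leaks), the app identifiers and the TEST-NET addresses are all assumptions; the category names follow the list above, plus a "malware" category for campaign infrastructure. It goes slightly beyond the text by handling one problem any IP-keyed feed has: a shared host or CDN edge that serves both a sanctioned app and a policy-violating one.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample feed (JSON Lines), one (ip, app) observation per line.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_FEED = """\
{"ip": "203.0.113.10", "app": "com.example.flashlight", "category": "malware", "leaks": []}
{"ip": "203.0.113.11", "app": "com.example.weather", "category": "backend", "leaks": ["location"]}
{"ip": "203.0.113.12", "app": "com.example.weather", "category": "auxiliary", "leaks": []}
{"ip": "203.0.113.13", "app": "com.example.chat", "category": "marketing", "leaks": ["contacts", "device_id"]}
{"ip": "203.0.113.14", "app": "com.example.game", "category": "ad_network", "leaks": []}
{"ip": "203.0.113.15", "app": "com.example.crm", "category": "backend", "leaks": ["contacts"]}
{"ip": "203.0.113.15", "app": "com.example.game", "category": "backend", "leaks": ["contacts"]}
{"ip": "not an ip", "app": "com.example.broken", "category": "backend", "leaks": []}
"""

# The post's four connection categories plus "malware" for campaign infrastructure.
CATEGORIES = {"backend", "auxiliary", "marketing", "ad_network", "malware"}


@dataclass(frozen=True)
class FeedEntry:
    ip: str              # canonical text form, validated by ipaddress
    app: str
    category: str
    leaks: frozenset     # data types this connection is known to carry off-device


@dataclass(frozen=True)
class Policy:
    block_categories: frozenset   # categories blocked outright (e.g. ad networks)
    block_leaks: frozenset        # data types that must not leave the network
    sanctioned_apps: frozenset    # apps allowed to send that data (e.g. the CRM)


def parse_feed(text):
    """Parse JSON Lines into FeedEntry objects; malformed rows are rejected, not fatal."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            obj = json.loads(raw)
            ip = ipaddress.ip_address(obj["ip"])       # rejects hostnames and garbage
            category = obj["category"]
            if category not in CATEGORIES:
                raise ValueError(f"unknown category {category!r}")
            entries.append(FeedEntry(str(ip), obj["app"], category,
                                     frozenset(obj.get("leaks", []))))
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append((lineno, str(exc)))
    return entries, rejected


def verdict(entry, policy):
    """Reason to block this (ip, app) connection, or None to allow it."""
    if entry.category == "malware":
        return "malware"                               # never exempted
    if entry.category in policy.block_categories:
        return f"category:{entry.category}"
    leaked = entry.leaks & policy.block_leaks
    if leaked and entry.app not in policy.sanctioned_apps:
        return "leak:" + ",".join(sorted(leaked))
    return None


def compile_blocklist(entries, policy):
    """Decide per IP. An address that also carries a sanctioned app's traffic
    (shared hosting, CDN edge) is reported for review rather than blocked,
    unless it is malware infrastructure."""
    by_ip = {}
    for entry in entries:
        by_ip.setdefault(entry.ip, []).append(entry)
    blocked, conflicts = {}, {}
    for ip, group in by_ip.items():
        reasons = {r for r in (verdict(e, policy) for e in group) if r}
        if not reasons:
            continue
        sanctioned_here = sorted({e.app for e in group if e.app in policy.sanctioned_apps})
        if sanctioned_here and "malware" not in reasons:
            conflicts[ip] = (sorted(reasons), sanctioned_here)
        else:
            blocked[ip] = sorted(reasons)
    return blocked, conflicts


def iptables_rules(blocked):
    """Render one DROP rule per blocked address for a gateway's FORWARD chain."""
    rules = []
    for ip, reasons in sorted(blocked.items()):
        tool = "ip6tables" if ":" in ip else "iptables"
        comment = ";".join(reasons)
        rules.append(f'{tool} -A FORWARD -d {ip} -j DROP -m comment --comment "{comment}"')
    return rules
```

Running `compile_blocklist(*parse_feed(SAMPLE_FEED)[:1], policy)` with a policy that blocks the ad_network and marketing categories, forbids contacts leaving the network, and sanctions only com.example.crm yields three DROP rules (the malware host, the marketing host and the ad host), one address held back for review because the CRM backend and a game share it, and one rejected feed row. The held-back case is the practical caveat for this whole approach: blocking by bare IP can break a sanctioned app hosted on shared infrastructure, so the feed needs the per-app metadata described above, and an enforcement point that can see the destination hostname (a DNS resolver or an SNI-aware proxy) is more precise than an IP-only firewall rule.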

A specialized mobile threat intelligence feed could represent an enterprise's first step into mobile security. Based on how the threat landscape evolves, and how MTD solutions mature over time, there's nothing to preclude adoption of MTD at some future date.

I haven't done an exhaustive search of the many threat intelligence feeds available today. It's possible that one or more are already covering mobile connections to some extent. And I don't know for sure that existing MTD vendors aren't exploring lightweight options similar to what has been described above. Hopefully the enterprises that have opted not to procure MTD due to its cost and operational burden may find a lightweight approach to mobile security in the near future.



Tuesday, December 5, 2017

Another Massive Data Leakage Incident Reported


We shouldn't be surprised by this anymore, and regular readers know I've talked about the risks of data leakage on multiple occasions. This has the same characteristics as HospitalGown and Eavesdropper: the app itself is not necessarily insecure; instead, the cloud-based storage system hasn't been properly secured.

The app in this case is A.I.type Keyboard, available on both Google Play and the App Store. This exposure was discovered by the Kromtech Security Center. What they found was that the A.I.type Keyboard app leaked PII and other data from over 31 million users. The root cause appears to be that the app's backend, a 577 GB MongoDB database, was misconfigured so that all of its data was available to anyone with an Internet connection.
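As an added illustration (not from the post, and not the vendor's actual configuration, which the post does not show), here is the kind of check that catches this failure mode before an outside researcher does: two constructed mongod.conf fragments, the wide-open pattern and a hardened one, and a small auditor that flags a listener reachable from off the host while security.authorization is off. The parser handles only the YAML subset mongod.conf uses; the 3.6 default change is MongoDB's documented behaviour, everything else here is an assumption for the example.

```python
import ipaddress

# Constructed mongod.conf fragments: the wide-open pattern behind this class
# of leak, and a hardened version. Neither is the vendor's actual config.
OPEN_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, and no security section at all
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.20   # loopback plus the app tier's private address
security:
  authorization: enabled         # clients must authenticate
"""


def parse_simple_yaml(text):
    """Parse the YAML subset mongod.conf uses: nested mappings of scalars,
    space indentation, '#' comments. Deliberately not a general YAML parser."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) for open scopes
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # close scopes deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _is_local(addr):
    """True for loopback addresses, 'localhost' and unix socket paths."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False          # a hostname we cannot resolve offline: assume reachable


def assess_mongod_conf(text):
    """Return (severity, message) findings for the exposure pattern behind
    open-database leaks: a listener reachable off-host with authorization off."""
    conf = parse_simple_yaml(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    port = net.get("port", "27017")
    auth_on = str(sec.get("authorization", "disabled")).lower() == "enabled"

    if str(net.get("bindIpAll", "false")).lower() == "true":
        reach = "all interfaces (net.bindIpAll)"
    elif "bindIp" not in net:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces; treat absence as exposure.
        reach = "all interfaces (net.bindIp unset; the pre-3.6 default)"
    else:
        off_host = [a.strip() for a in net["bindIp"].split(",") if not _is_local(a.strip())]
        reach = ", ".join(off_host) or None

    findings = []
    if reach and not auth_on:
        findings.append(("CRITICAL", f"listens on {reach} with security.authorization off: "
                                     f"anyone who can reach TCP/{port} can read and modify the data"))
    elif reach:
        findings.append(("WARN", f"listens on {reach}; authorization is on, so also restrict "
                                 "the port at the firewall and enable TLS"))
    elif not auth_on:
        findings.append(("INFO", "loopback only, but authorization is off: any process on "
                                 "the host can read the data"))
    return findings
```

`assess_mongod_conf(OPEN_CONF)` returns a single CRITICAL finding, which is exactly the combination (every interface, no authentication) that turns a backend into a public dataset; the hardened fragment still gets a WARN because a private address is not the same as a firewalled one. Run it against the real config file of every Internet-facing datastore, not just MongoDB, and pair it with an external port scan from outside the VPC, since a config review cannot see a cloud security group that opens 27017 to 0.0.0.0/0.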

What is included in the exposed 577 GB? Here's a partial rundown:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
In addition, there were over 6 million records that contained "data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account."

Ouch. One of the things that's a bit unusual--and pretty insidious--is the information associated with social media profiles. This enables a second level of privacy invasion and surveillance against the victims. Given how valuable data is to marketers as well as black hats, this data will no doubt find its way into various commercial and dark net datasets, to be used at some future date with almost zero chance of tracing it back to the offending app.

Well, at least it's not mobile malware, right? So we shouldn't worry, correct? We'll see what kind of media coverage this gets.