Book review: Permanent Record by Ed Snowden


Title: Permanent Record

Author: Edward Snowden

ISBN: 978-1-250-23723-1

Price: US$18 from Amazon

GH rating: 90%


Summary

Until I read this book, I considered my personal integrity a fundamental strength, core to my very being. It pales in comparison to Ed's extreme courage and intense determination to expose the shocking truth about the NSA's mass surveillance programme and the way it was concealed from Congress.

The step-by-step account of his revelations may be tedious to some, but his methodical approach and clear determination shines through from start to finish. It rings true, all the way down to the issues he had arranging to hand over the evidence to a small select group of journalists in Hong Kong.  

Pros

It's a page-turner, a gripping tale, well told and yet scarier than the most graphic horror flick due to the gravity and sheer scale of it.

There's a fair amount of autobiographical content as Ed explains the broader context - his home life, family and professional background at length. Having never been a spook, I was interested to learn about the recruitment and contracting processes, the access SysAdmins get (and the extraordinary level of trust placed in them, despite all the secrecy) and the associated security risks.

Whether you feel Ed is a whitstleblowing hero or a traitor, the book is a lucid  account direct from the main protagonist. Read it to understand what he did and why, perhaps to design and implement better controls. 


Cons

Now, just a few years after its publication in 2019, Ed's comments about the biggest players in the tech world embracing encryption are starting to ring hollow, while the rapid ascendance of AI overshadows even the most insidious governmental and commercial interests. In short, the technological content has dated rapidly since the big reveal in 2013.


Value

Excellent value as a primer in the security services and cybersecurity, a lucid account of the realities and challenges of sky-high-stakes whistleblowing, and a good read to boot.  

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more