Cipher Book Review, Issue E167

A Vulnerable System: The History of Information Security in the Computer Age
by Andrew J. Stewart

Cornell University Press 2022.
ISBN 978-1-5017-589-42, 303 pages

Reviewed by Sven Dietrich, 6/8/22

Haven't you always wondered about the backstories and the anecdotes in the history of information security? What were the early motivations of computer security? How did all those concepts come about?

If that is what you are wondering about, you are in luck: Andrew J. Stewart acts as a historian and digs into the history of information security in this new book. While other writers have provided insights into the history of cryptography, in this work we learn about the Orange Book, the early attacks on computer systems, and how it all evolved to current times.

Andrew J. Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age" takes a stab at shining light into the far and dark corners of computer security. It mentions some names of early-day computer security researchers that I had the honor of meeting in the Claremont Tower Suite ("606") at the Security and Privacy conference in the late 1990s. It includes stories about the creation of the Internet as well.

The book is divided into several chapters and contains an extensive bibliography of popular science sources and research articles, supplementing the many contextual and chapter-related notes at the end of the book. The introduction, which mentions the "Three Stigmata", is followed by the chapters 'A "New Dimension" for the Security of Information', 'The Promise, Success, and Failure of the Early Researchers', 'The Creation of the Internet and the Web, and a Dark Portent', 'The Dot-Com Boom and the Genesis of a Lucrative Feedback Loop', 'Software Security and the "Hamster Wheel of Pain"', 'Usable Security, Economics, and Psychology', 'Vulnerability Disclosure, Bounties, and Markets', 'Data Breaches, Nation-State Hacking, and Epistemic Closure', and 'The Wicked Nature of Information Security'.

The author writes in an easily accessible style, allowing the reader to gain a good overview of computer security at various stages of its development, from mid-20th-century events to the late 2010s, and to delve deeper either by following the notes at the back of the book (there are over 70 pages of them!) or by reading the relevant research articles referenced in the select (and somewhat short) bibliography. Most topics are covered this way, which lets a curious reader complement their scientific knowledge with amusing or eye-opening anecdotes.

Some topics, such as vulnerability disclosure, are approached in a controversial manner, but then again those topics are controversial in real life. There are also some surprising omissions: while the book takes note of cyberattacks, both general and nation-state ones, there is no mention of distributed denial-of-service (DDoS) attacks, for example, even though the author does mention the Morris worm attack from 1988.

I enjoyed reading this book: some of the anecdotes brought back fond (or not so fond, depending on how you look at computer security events) memories for me, spanning the last three decades or so. Perhaps it will intrigue you as well.


Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org