Good question?

So, now it’s getting personal. From Rob Novak via Ed Brill:

While standing there, I saw a title from Microsoft Press: “Secure Messaging for Exchange Server 2003”.  OK, that sounds reasonable.  It belongs there. Then I realized something.  Why in the WORLD would you need a 506-page book to tell you how to do secure messaging???  You just have to Sign and Encrypt!  What is with these people?

Fair question, one deserving of a comprehensive answer. The short answer: there’s a hell of a lot more to messaging security than “sign and encrypt”! What about anti-spam protection? What about hardening the base OS? What about risk assessment? What do you do if your boss comes to you and says he wants to read a coworker’s mail?
The book is 506 pages because it:

  • begins at the beginning with a detailed discussion of fundamental security principles, including the need for good physical security and the difference between various methods of authentication, encryption, and access control
  • covers risk assessment and physical and operational security in some depth (rare for a non-textbook security book)
  • completely describes a workable patch management process, something that every Windows or Linux admin had better be good at (particularly on the Linux side, where patch auditing, assessment, and deployment tools suck. Disclaimer: I don’t talk about Linux patch management. Ha ha.)
  • explains how to deploy and use S/MIME, a topic that’s poorly explained in most of the Exchange and Domino books I’ve evaluated to date. Can you cross-certify? Can you issue certificates to use the web client with smartcards? My readers can.
  • explains how to use and secure a number of Exchange 2003 features that Domino doesn’t even have, like wireless device access, attachment blocking and control for the web client, the anti-virus API, and so on
  • tackles several issues that even Domino admins care about, like message archiving and retention requirements and legal issues about when you can, cannot, should, and should not open or scan user mail for legal or law enforcement reasons, the DMCA, and so on.

In fact, I’m so confident that even Domino administrators who run on Windows would find the OS hardening, archiving/retention, and legal chapters to be useful that I’ll make a bet: I’ll let the Domino community pick a representative to review the book, and I’ll supply a review copy. If the reviewer doesn’t honestly think that this is a terrific and useful book, and that it does a great job of explaining the wealth of security features provided in Exchange 2003, then I’ll donate US$250 to a charity of Ed Brill’s choice. On the other hand, if the reviewer finds (as I’m confident he will) that the book rocks, the reviewer will post reviews at Slashdot, ERCB, his own site, and Ed’s site. Deal?


Filed under Smackdown!
