secedu · Our mission is to provide an open forum for educators in information

Group Information

  • Members: 138
  • Category: Security
  • Founded: Sep 20, 1999
  • Language: English

Messages

#829 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 4, 2008 8:54 pm
Subject: REVIEW: "Slamming Spam: A Guide for System Administrators", Robert Haskins/Dale Nielsen
 
BKSLMSPM.RVW   20071110

"Slamming Spam: A Guide for System Administrators", Robert
Haskins/Dale Nielsen, 2005, 0-13-146716-6, U$44.99/C$64.99
%A   Robert Haskins www.slammingspam.com
%A   Dale Nielsen
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2005
%G   0-13-146716-6
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$64.99 fax: 416-443-0948 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0131467166/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131467166/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131467166/robsladesin03-20
%O   Audience i Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   396 p.
%T   "Slamming Spam: A Guide for System Administrators"

For once the title means no more or less than it says.  The authors
state, in the preface, that the book is intended as a reference for
administrators to use as a "how to" guide to stop spam.  Well,
possibly not stop it entirely, but to use widely known and available
tools for mail transfer agents that can seriously reduce the level of
the problem.  The authors assume little about the reader's familiarity
with Linux or UNIX, even though most of the tools discussed are for
that platform.

Chapter one is a brief introduction to email entities and components,
with a list and description of anti-spam technologies.  There is also
a discussion of policies and the likely level of user acceptance of
both policies and functions.  Procmail, a utility that can be used by
a variety of anti-spam applications, is explained in chapter two.  The
multi-function SpamAssassin program is examined in chapter three.
Chapter four outlines anti-spam functions that are built into common
mail transfer agents.  Various systems for authentication of users,
and authorization to use SMTP (Simple Mail Transfer Protocol) are
discussed in chapter five.  Chapter six notes the advantages of
Distributed Checksum Filtering (DCF).  (This may not be as widely
known among administrators of single systems, since it relies on the
collection of calculated signatures of spam messages, gathered from a
number of mail servers.  It is more widely used by systems that
provide mail services to a large number of clients.)  Bayesian
filtering is introduced in chapter seven, and chapter eight follows up
with details of the installation and use of a few such programs.
Various client filtering applications are described in chapter nine.
Spam related functions of the Microsoft Exchange mail server are noted
in chapter ten, with Lotus Domino and Lotus Notes covered in chapter
eleven.  Chapter twelve examines sender verification.  This is not
quite the same material as is covered in chapter five, since we are
not looking for specific authorization, but an intelligent response
indicating that the entity sending the mail is a user and not a bot.

The book, while not exciting, is a clear and useful guide to tools
that will be of value to system administrators who wish to reduce
overall spam levels.

copyright Robert M. Slade, 2007   BKSLMSPM.RVW   20071110


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
For years we have been saying you could not get a virus just by
opening E-Mail.  That bug is being fixed. - A. Padgett Peterson
http://victoria.tc.ca/techrev/rms.htm

#830 From: "Michel Kabay" <mekabay@...>
Date: Tue Feb 12, 2008 11:46 pm
Subject: FW: YMS: SOCIAL PHYCOLOGY!
 
Hi everyone,

I'm going to be speaking at a small conference in April. The organizer put
up a Web site where the title of my talk about social psychology and
INFOSEC was as follows:

"Social Phycology and INFOSEC."

<g>

Phycology is the study of algae....

Now THAT'S what I call interdisciplinary!!



Best wishes,

Mich

M. E. Kabay, PhD, CISSP-ISSMP
* CTO & Prog Dir, MSc in Info Assurance
School of Graduate Studies
P: +1.802.479.7937
NORWICH UNIVERSITY
Expect Challenge. Achieve Distinction.
* * *
E1: mailto:mekabay@...
E2: mailto:mkabay@... for University business
W: http://www2.norwich.edu/mkabay/
* Network World Security Strategies Newsletters
http://www.networkworld.com/newsletters/sec/

* Unless stated otherwise, this e-mail represents only the views of the
sender and not the views of Norwich University. *

=>o  ASCII ribbon campaign against HTML e-mail o<=

#831 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 25, 2008 8:04 pm
Subject: REVIEW: "Better Ethics Now", Christopher Bauer
 
BKBEETNO.RVW   20071118

"Better Ethics Now", Christopher Bauer, 2005, 978-0-9765863-3-3,
U$21.99/C$29.99
%A   Christopher Bauer chris@...
%C   1604 Burton Ave., Nashville, TN   37215
%D   2005
%G   0-9765863-3-9 978-0-9765863-3-3
%I   Aab-Hill Business Books
%O   U$21.99/C$29.99 615-385-3523
%O  http://www.amazon.com/exec/obidos/ASIN/0976586339/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0976586339/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0976586339/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   171 p.
%T   "Better Ethics Now: How to Avoid the Ethics Disaster You Never
       Saw Coming"

A note on the title page of the book states that the text is intended
to educate and entertain in regard to ethics, and that the material is
neither comprehensive nor tested.  (It is ethical to let the reader
know that, although my initial reaction was that the "entertain"
aspect might have been a bit of an abdication of the author's
responsibilities to the readers.)  The introduction asserts that the
focus of the work is on how a lack of personal responsibility creates
the foundation for corporate ethical disasters, and that having
individuals improve their own ethical standards will enhance the
integrity of the company.  There is, of course, something to this,
although it does fly in the face of a great many studies identifying
the "tone at the top" as the major determinant of corporate ethical
standards.

Chapter one notes that ethical breaches in companies have serious
financial ramifications, and reiterates the position that assessing
your own morals will improve those of the company, primarily by
forcing you to determine if the normal business behaviour you are
asked to follow is ethical.  (This does tie back to the issue of "tone
at the top": if your ethics stand up to scrutiny and you feel
comfortable in your working environment, the tone is probably OK.)
Ethics are guiding principles, chapter two tells us.  It isn't just
following (or even breaking) rules, says chapter three.  Chapter four
seems to repeat this last, in slightly different wording, properly
taking issue with the subject of "compliance," which has become
something of a buzzword and panacea in recent years.  Using cute
expansions of "ethics" as an acronym, chapter five tentatively
introduces the idea of personal responsibility and decision.  A simple
tool for personal assessment is described in chapter six.  Chapter
seven examines the issues of reporting or otherwise dealing with
ethical violations that you discover.

Chapter eight moves the discussion to the corporate level, noting the
importance of policy statements, processes, and procedures.  Ethical
behaviour involves achieving positive actions, we are told in chapter
nine, rather than merely avoiding negative ones.  Chapter ten does
promote the importance of the "tone at the top," noting that sometimes
you, as an employee, may need to walk away from an intolerable
situation.  Chapter eleven suggests that those in management and
leadership need to communicate ethics directly and openly.  The idea
that the moral standards of each employee are important is again
stressed in chapter twelve.  Proper ethics are not always easy, says
chapter thirteen.  Chapter fourteen repeats encouragement to be
proactive about promoting ethics, and suggests various procedures for
the corporation.

There are other books on ethics, and business ethics as well.
Johnson's "Computer Ethics" (cf. BKCMPETH.RVW) is a classic and
Tavani's "Ethics and Technology" (cf. BKETHTCH.RVW) adds depth and
intellectual rigour.  Bauer's work is very different: there is little
academic or conceptual background, but the brevity and practicality of
the work may make it more suitable for the general work environment.
While it doesn't add much to the debate, it could certainly be used
for training and the promotion of ethical standards, and is probably
more accessible for the general population of employees and managers.

copyright Robert M. Slade, 2007   BKBEETNO.RVW   20071118


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Where there is much desire to learn, there of necessity will be
much writing, much arguing, many opinions; for opinion in good
persons is but knowledge in the making.                - John Milton
http://victoria.tc.ca/techrev/rms.htm

#832 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Feb 28, 2008 10:35 pm
Subject: REVIEW: "CISSP Practice Questions Exam Cram 2", Michael C. Gregg
 
BKCISPPQ.RVW   20071119

"CISSP Practice Questions Exam Cram 2", Michael C. Gregg, 2005,
0-7897-3305-6, U$29.99/C$42.99
%A   Michael C. Gregg
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2005
%E   Ed Tittel
%G   0-7897-3305-6
%I   Que
%O   U$29.99/C$42.99 800-858-7674 317-581-3743 http://www.mcp.com
%O  http://www.amazon.com/exec/obidos/ASIN/0789733056/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0789733056/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0789733056/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   202 p. + CD-ROM
%T   "CISSP Practice Questions Exam Cram 2"

There are a number of book versions of practice questions for those
challenging the CISSP (Certified Information Systems Security
Professional) exam.  This is yet another.

Most of the questions are far too simplistic to represent those on the
CISSP exam.  The vast majority of the queries in the book have simple
fact-based answers, only occasionally moving into the realm of
synthesis.  The analytical and critical thinking challenges, dealing
with conceptual issues, that make up the bulk of the CISSP exam are
almost completely absent from this text.  A great many questions in
the book have a significant amount of extraneous and irrelevant detail
added, apparently in an attempt to appear to be complex, but the
solution almost inevitably turns out to be based on a rudimentary
definition.

In most cases the answers given would probably match those accepted if
these questions were on the exam.  Many of the resolutions turn on
minor issues of wording, and the CISSP exam, while it does pay
attention to terminology, frequently requires that you accept
synonyms, in order to prove understanding rather than rote memory.

Again, even if the answer is correct, sometimes the explanation makes
no sense.  A question on the multilevel Biba model, for example,
properly identifies integrity as the major factor, but the explanation
states that Biba is a model "in which security may only flow down."
(It makes no sense to talk about the flow of "security" since the Biba
model deals with information flow restrictions, and "down" needs to be
defined in terms of accuracy.)

Don't rely on this to pass the CISSP exam.

copyright Robert M. Slade, 2007   BKCISPPQ.RVW   20071119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Have no fear of perfection: you'll never reach it.   - Salvador Dali
http://victoria.tc.ca/techrev/rms.htm
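The reviewer's objection that "security" does not flow and that "down" has to be defined in terms of integrity, worked through as an added Python example (not code from the book or from the review): Biba's two access rules over a constructed integrity lattice, plus an exhaustive check that every permitted flow moves information from higher to lower integrity. The `Integrity` levels and the `Subject`/`Obj` names are assumptions for illustration.

```python
"""Biba strict integrity model: 'no read down, no write up', with a check
that information can only ever flow *down* the integrity lattice.

Added example; the integrity levels below are constructed for illustration.
A higher number means higher integrity (more trustworthy, more accurate).
"""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    # Constructed three-level lattice; higher value = higher integrity.
    UNTRUSTED = 0   # e.g. data taken straight from the network
    USER = 1        # ordinary user-owned data and processes
    SYSTEM = 2      # configuration and system binaries


@dataclass(frozen=True)
class Subject:
    name: str
    level: Integrity


@dataclass(frozen=True)
class Obj:
    name: str
    level: Integrity


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple integrity property (no read down): a subject may read only
    objects at or above its own integrity level, so it cannot absorb
    less-accurate data and later write it into trusted places."""
    return obj.level >= subject.level


def can_write(subject: Subject, obj: Obj) -> bool:
    """Integrity *-property (no write up): a subject may write only objects
    at or below its own level, so low-integrity code can never modify
    high-integrity data."""
    return obj.level <= subject.level


def allowed_flow(src: Obj, via: Subject, dst: Obj) -> bool:
    """Information moves from src to dst only if some subject is allowed to
    read src and then write dst.  Under Biba this requires
    src.level >= via.level >= dst.level: information flows downward in
    integrity, never upward.  Nothing about 'security' flows at all."""
    return can_read(via, src) and can_write(via, dst)


def flows_only_downward(levels) -> bool:
    """Exhaustively check that, for every subject level and every pair of
    object levels, a permitted flow never raises the integrity label of
    the information being moved."""
    for s in levels:
        via = Subject("subject", s)
        for a in levels:
            for b in levels:
                if allowed_flow(Obj("src", a), via, Obj("dst", b)) and b > a:
                    return False
    return True


if __name__ == "__main__":
    web_app = Subject("web-app", Integrity.USER)
    net_input = Obj("request-body", Integrity.UNTRUSTED)
    sys_config = Obj("/etc/config", Integrity.SYSTEM)
    print("web-app reads request-body:", can_read(web_app, net_input))    # False
    print("web-app writes /etc/config:", can_write(web_app, sys_config))  # False
    print("web-app reads /etc/config:", can_read(web_app, sys_config))    # True
    print("all flows downward:", flows_only_downward(list(Integrity)))    # True
```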

#833 From: "Michel Kabay" <mekabay@...>
Date: Fri Mar 28, 2008 2:39 pm
Subject: CFP: ACM UBIQUITY INVITES SUBMISSIONS
 
Dear Colleagues,

The ACM online publication Ubiquity < http://www.acm.org/ubiquity > is
looking for a wide variety of articles or think pieces on any topic of
interest to people engaged in any aspect of computing or information
technology. Send your proposed article to the editor-in-chief, John Gehl
< mailto:gehl@... >.


Best wishes,

Mich

M. E. Kabay, PhD, CISSP-ISSMP
* Associate Editor, ACM Ubiquity
* CTO & Prog Dir, MSc in Info Assurance
School of Graduate Studies
P: +1.802.479.7937
NORWICH UNIVERSITY
Expect Challenge. Achieve Distinction.
* * *
E1: mailto:mekabay@...
E2: mailto:mkabay@... for University business
W: http://www2.norwich.edu/mkabay/
* Network World Security Strategies Newsletters
http://www.networkworld.com/newsletters/sec/

* Unless stated otherwise, this e-mail represents only the views of the
sender and not the views of Norwich University. *

=>o  ASCII ribbon campaign against HTML e-mail o<=


#834 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 31, 2008 11:15 pm
Subject: REVIEW: "Essential PHP Security", Chris Shiflett
 
BKEPHPSC.RVW   20071123

"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
U$29.95/C$41.95
%A   Chris Shiflett shiflett.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00656-X
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/059600656X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   109 p.
%T   "Essential PHP Security"

PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
Hypertext Preprocessor) but neither the foreword, preface, book, nor
index expands it.  Similarly, the intent of the book is not clarified
in either the foreword or the preface.

Chapter one does state that the purpose of the text is to teach how to
write secure code (with security left undefined) using features unique
to PHP.  However, only two such distinctive functions are listed in
this section, and they are not explained very well.  (Three appendices
at the end of the work do list some PHP commands related to the
security conventions noted.)  More space is devoted to general
application development principles and practices for safe programming.
Even there the solutions provided are outlined in terms of source code
rather than text, and the content requires an intimate knowledge of
PHP in order to derive value from the lessons presented.  In
discussing forms and URLs (Uniform Resource Locators), chapter two
distinguishes between filtered and tainted data, as well as GET and
POST form submissions, but does not initially examine the possibility
of user observation and deliberate malforming of submitted data.
Where details are provided on security, they are introduced with
coding examples, and, again, the effectiveness of the proposed
solutions is unclear unless the reader is well familiar with PHP
internals.  The database and SQL (Structured Query Language)
programming styles suggested in chapter three are good, but it is far
from clear that the filtering recommended will, in fact, prevent all
possibility of SQL injection attacks.  Chapter four examines sessions
and cookies: the explanations here also rely on understanding the
source code.

Chapter five, in talking about includes, is mostly concerned with
placing the files outside the root directory.  Much the same emphasis
is present in regard to files and commands (particularly with respect
to file traversal) in chapter six, although there is some discussion
of command injection.  Once again, the specifics in regard to
authentication and authorization are material only in the source code
examples in chapter seven.  The text of chapter eight explicitly
admits that the ability to address security issues in shared hosting
environments is weak.

For those who are thoroughly experienced in PHP programming, this book
does recommend styles that can result in more secure Web applications.
However, novice programmers, or even programmers experienced in other
languages, will have difficulty using the material effectively.

copyright Robert M. Slade, 2007   BKEPHPSC.RVW   20071123


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
In answer to the question of why it happened, I offer the modest
proposal that our Universe is simply one of those things which
happen from time to time.                          - Edward P. Tryon
http://victoria.tc.ca/techrev/rms.htm

#835 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Apr 14, 2008 8:34 pm
Subject: REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown
 
BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools.  The basic ideas of
cryptography are presented, but one must go to other chapters and
appendices for details and usage of the technology.  This structure is
unusual in cryptographic literature, but the new perspective may
demonstrate somewhat stale abstractions in a fresh way.  It is rather
odd that the coverage of authentication, in chapter three, does not
note the IAAA model of Identification, Authentication, Authorization,
and Accountability.  Access control, in chapter four, is limited to
data access.  (The authors also follow the original paper describing
Role-Based Access Control as a form of mandatory access control, even
though RBAC is now frequently used in discretionary access control
environments.)  Chapter five's discussion of database security
emphasizes the theoretical aspects of that specialty.  Intrusion
detection is introduced in chapter six.  Malicious software is given a
scholarly, rather than practical, treatment in chapter seven, but the
content is more accurate than is usual even in the security
literature.  Denial of service attacks are addressed in chapter eight.
Chapter nine's review of firewalls concentrates, almost exclusively,
on stateful inspection, and the material on intrusion prevention
systems repeats, to a large extent, chapter six.  Trusted computing
and multilevel security, in chapter ten, are discussed in terms of
formal security models and security architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as
good as one might expect from the author of "Cryptography and Network
Security" (cf. BKCRNTSC.RVW).  Symmetric encryption and message
confidentiality, illustrated by the Data Encryption Standard and the
Advanced Encryption Standard, is the topic of chapter nineteen.
Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security.  Some Internet security
protocols and standards are listed in chapter twenty-one.  A detailed
look at Kerberos leads off chapter twenty-two's examination of
authentication applications.

Operating systems security is the subject of part six, with a look at
the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number
theory, pseudorandom number generation, projects for teaching
security, standards and standards organizations, and the TCP/IP
protocol suite.

Of the various domains of information systems security, there is
limited material in regard to the security implications of various
aspects of computer hardware and architecture, the formation of an
architectural model for security design, and business continuity
planning.  Otherwise, however, the coverage is quite comprehensive,
much more so than in other course texts such as Gollman's excellent
but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
Stamp's interesting, but sometimes spotty, "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  Anderson's "Security
Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
but also a useful professional reference, and Stallings and Brown might
wish to examine the practical issues dealt with in that work.  A range
of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly
in a single volume.  There is also the "Official (ISC)^2 Guide to the
CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
the CISSP CBK," but Stallings and Brown's work, while less broad and
detailed, is more academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Without censorship, things can get terribly confused in the
public mind.                  -  General William Westmoreland, 1960s
http://victoria.tc.ca/techrev/rms.htm

#836 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu May 1, 2008 5:29 pm
Subject: REVIEW: "Computer Security Fundamentals", Chuck Easttom
 
BKCMSCFN.RVW   20080205

"Computer Security Fundamentals", Chuck Easttom, 2006, 0-13-171129-6,
U$52.00/C$51.95
%A   Chuck Easttom
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2006
%G   0-13-171129-6
%I   Prentice Hall
%O   U$52.00/C$51.95 800-576-3800 416-293-3621 201-236-7139
%O  http://www.amazon.com/exec/obidos/ASIN/0131711296/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131711296/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131711296/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   344 p.
%T   "Computer Security Fundamentals"

This is a textbook, and the preface states that it is intended for
students.  The author and reviewers are all from colleges, and one
presumes that they know something about textbooks.  They do not,
however, demonstrate much knowledge of security.

Chapter one is supposed to be an introduction to cyber crime and
security, but important terms are poorly defined, and many are
missing.  The material seems to be sensational rather than
educational.  Fundamental concepts are presented oddly as well.
Security is divided not into the fairly standard confidentiality,
integrity, and availability, but into malware, intrusions, and denial
of service (DoS), which leaves out all kinds of important issues.  A
terse overview of risk analysis is rather simplistic, but much better
than the rest of the content.  The questions included at the end of
the chapter are trivial: the exercises are more time-consuming but no
more difficult.

Chapter two contains random topics about networks and the Internet.
The structure is as disorganized as most of the book: the subject of
domain name service comes between a discussion of media access control
addresses and an illustration of RJ45 jacks, a type of physical plug.
Screenshots of network scanning utilities make up chapter three.
Chapter four, about denial of service attacks, confuses DoS and Man-
in-the-Middle offensives.  Malware, in chapter five, is treated even
worse than is normally the case, stating outright that there is no
difference between viruses and worms, confusing viruses with buffer
overflow conditions, and providing almost no information at all on the
types of virus protection.  Chapter six has more screenshots and
typically useless recommendations on hardening Windows systems: the
reader is advised to disable unnecessary services, but is not given
any information about how to find, enable, or disable services, or
determine which services are necessary or otherwise.

Chapter seven's outline of encryption is highly unreliable.  We are
told that there are two types of encryption, transposition and
substitution, and that within substitution there are two divisions:
symmetric and asymmetric.  (Most modern symmetric algorithms use
combinations of transposition and substitution, and asymmetric
algorithms use mathematical transformations.)  PGP, a cryptosystem, is
compared with the RSA algorithm.  (PGP, in fact, can use the RSA
algorithm: this is a bit like comparing apples with refrigerators.)
Two of the three virtual private network protocols that are discussed
in regard to encryption protocols have no encryption capability.

A list of some Internet frauds is given in chapter eight.  Chapter
nine, supposedly about corporate espionage, tells us that information
has value and we should have some information security.  (Rather
ironically, the advice that is given is irrelevant to the issue of
insider abuses, which is the most common form of business espionage
and fraud.)  Cyber terrorism and information warfare get the usual
lurid (and inaccurate) treatment in chapter ten.  Entitled "Cyber
Detective," chapter eleven says that you can find information about
people by using Web search engines.  A few security utilities are
briefly described in chapter twelve.

This is a book that is very long on page format, and rather short on
content.  The material is unreliable and incomplete.  I would not want
to take a course that used this as a text, and I certainly wouldn't
hire anyone simply on the basis that they passed such a course.

copyright Robert M. Slade, 2008   BKCMSCFN.RVW   20080205


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Acknowledge and take to heart this day that the Lord is God in
heaven above and on the earth below.  There is no other.  Deut. 4:39
http://victoria.tc.ca/techrev/rms.htm

#837 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon May 5, 2008 7:37 pm
Subject: REVIEW: "Geekonomics: The Real Cost of Insecure Software", David Rice
 
BKGKNMCS.RVW   20080207

"Geekonomics: The Real Cost of Insecure Software", David Rice, 2008,
0-321-47789-8, U$29.99/C$32.99
%A   David Rice david@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   0-321-47789-8 978-0-321-47789-7
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321477898/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321477898/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321477898/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   362 p.
%T   "Geekonomics: The Real Cost of Insecure Software"

In the preface, the author states that the only pre-requisite for
reading the book is a "hint of curiosity."  This is because the work
explores the issue of insecure and unreliable software from a
sociological and economic perspective, rather than giving the topic a
purely technical examination.

Rice's book is readable, informative, and makes important points.  I
enjoyed it.  Normally such an assessment comes at the end of the
review, but I want to state this up front, because the remainder
of the commentary contains a number of critical comments.  For the
most part, though, these apply to components that Rice has not
included, and which would tend to support his contention, rather than
detract from it.

Chapter one repeats a lot of the material in the preface, sometimes in
greater detail.  Rice compares software with cement, in terms of the
infrastructure of modern society, and also introduces the economic
concepts of incentives and utility.  The emphasis, in the analysis of
software flaws, is on intrusions and networking, but the examples
cited concentrate on concerns of reliability, rather than intrusions,
somewhat weakening the overall argument.  The lack of software
standards, and the fact that unregulated markets militate against
quality and safety, are addressed in chapter two.  The text also
specifically explores the problems involved in the ubiquitous practice
of patching software faults.  Rice's reasoning on the matters, while
generally sound and extremely convincing, does have some odd quirks.
For example, he repeats the widely held belief that building secure
software in the first place must necessarily be more expensive, or
companies would be doing it.  (A relevant counter-example in the world
of non-computer technology would be that of refrigerator doors.  For
years fridge door latches were a danger to children when old fridges
were abandoned.  Children playing around the fridges could enter them,
and then become locked inside.  It was only after appliance companies
were forced to change the door locking mechanisms that they turned to
magnetic closures--and found that not only were those mechanisms
safer, but also cheaper and more energy efficient.  Thus, companies
may sometimes need to be forced into practices that may actually be to
their advantage.  Overall, consideration of such additional elements
only serve to strengthen Rice's basic premise that insecure software
is unnecessarily costly.)

In chapter three, Rice notes the extremely low rate of prosecution for
computer crimes, and moves from there to the statement that
professional cybercrime is not just a criminal matter, but that the
issue of software unreliability is of concern for national, and even
international, economic security.  He concentrates, again, on software
vulnerabilities, failing to fully assess investigative weaknesses (and
the economic pressures preventing law enforcement agencies from hiring
and retaining trained forensic staff), the inherent risks of
information warfare (to the attacker as well as the target), and the
difficulty of establishing and validating trust relationships.  He
correctly identifies the problem with paying bounties for
vulnerabilities (which many have forgotten).  Noting the deleterious
effect of allowing visible dilapidation to go unrepaired, he asserts
that the invisible imperfections of software are even more important,
but his argument appears incomplete.

After reiterating the point that speed of innovation and time-to-
market is important to software developers, chapter four appears to
lose focus, finally seeming to make the point that we need some kind
of licensing for software development.  Chapter five's review of tort
law tends to overshadow the more significant message that software
developers enjoy an unparalleled immunity from lawsuits, and thus have
no motivation to produce software of high quality.  Various
characteristics of open source software, and related development
processes, are used to point out, in chapter six, differing economic
forces both for and against software reliability.

Near the beginning of chapter seven Rice admits that he proposes no
ultimate answers to the question of code quality.  He does, however,
list arguments that can be used to start further discussion on the
possible approaches to revise the incentive environment in order to
promote quality software.  The list of potential approaches includes
allowing the "free market" to deal with the problem (in other words,
do nothing), promoting litigation, licensing software engineers,
creating standards, or imposing some form of vulnerability tax on
developers.

Towards the end of chapter seven, the author states that "[t]his book
has argued, no matter how imperfectly, that incentives are key to
changing the story of software."  Despite my minor quibbles, Rice's
case is solid, and his thesis is important.  This work should be
required reading for all involved in matters of technology policy,
from managers and security professionals responsible for application
development, to politicians.  If this publication is successful
enough, the publisher might have an incentive to ask the author to
update his text for a second edition, at which time Rice might tighten
up his arguments and include some of the missing bits.  Then this book
should be required reading for all developers and programming
students.

copyright Robert M. Slade, 2008   BKGKNMCS.RVW   20080207


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                 In terms of paradigms, shift happens.
http://victoria.tc.ca/techrev/rms.htm

#838 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 2, 2008 7:49 pm
Subject: REVIEW: "Secure Programming with Static Analysis", Brian Chess/Jacob West
BKSCPWSA.RVW   20080219

"Secure Programming with Static Analysis", Brian Chess/Jacob West,
2007, 978-0-321-42477-8, U$49.99/C$61.99
%A   Brian Chess
%A   Jacob West
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   978-0-321-42477-8 0-321-42477-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321424778/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321424778/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321424778/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   587 p. + CD-ROM
%T   "Secure Programming with Static Analysis"

Part one is an introduction to software security and static analysis.
The authors define static analysis as any means of assessing the
programming or code without executing the program.  Chapter one states
that defensive programming (coding in such a way as to deal with
unexpected submissions) will protect against errors, but possibly not
against a deliberate adversary, and that adding security features to
an application will not necessarily make for a secure program.  There
is a general outline of various types of software problems, and the
advantages of using static analysis early in the development process.
Chapter two describes the different types of static analysis and their
uses.  How to use static analysis as part of overall code review is
covered in chapter three.  Chapter four details the internal
structures and functions of static analysis.

Part two examines software problems that have been all too common in
our application environment.  Chapter five looks at the right and
wrong ways to handle input.  The ubiquitous buffer overflow gets two
chapters: six discusses string issues, while seven deals with integer
(particularly counter and pointer) situations.  Error and exception
handling is detailed in chapter eight.

Special application environments and requirements make up part three.
The Web is handled, in a generic manner, in chapter nine.  Chapter ten
specializes in XML (eXtensible Markup Language) and Web services.
Privacy, personally identifiable information, and pseudorandom number
generation all get put into chapter eleven.  The special issues of
privileged programs and processes are noted in chapter twelve.

Part four demonstrates static analysis in practice.  This is a set of
instructions for using the Fortify Code Analyzer and Audit Workbench
programs, which are provided on the CD.  Chapter thirteen is for Java,
and fourteen for the C language.  (Since the rest of the book has been
detailed, helpful, and quite free of taint of bias, this final sales
pitch seems acceptable.)

Code review and analysis gets mentioned in other works on secure
programming, but this guide goes into technicalities that can be of
considerable use to the developer.  Chess and West have also made a
very solid case that static analysis is a more effective way to find
highly significant faults, and correct them earlier in the process.  I
commend this both to developers, and to those in security who need to
better manage a secure development process.

copyright Robert M. Slade, 2008   BKSCPWSA.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
By analogy, stealing cars and joyriding does not provide one with
an education in mechanical Engineering, nor does pouring sugar in
the gas tank. - Gene Spafford, on using crackers as security experts
http://victoria.tc.ca/techrev/rms.htm

#839 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 12, 2008 6:52 pm
Subject: REVIEW: "How to Cheat at Managing Information Security", Mark Osborne
BKHTCMIS.RVW   20080219

"How to Cheat at Managing Information Security", Mark Osborne, 2006,
1-59749-110-1, U$39.95/C$51.95
%A   Mark Osborne www.interoute.com
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-110-1
%I   Syngress Media, Inc.
%O   U$39.95/C$51.95 781-681-5151 www.syngress.com amy@...
%O  http://www.amazon.com/exec/obidos/ASIN/1597491101/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491101/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491101/robsladesin03-20
%O   Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   315 p.
%T   "How to Cheat at Managing Information Security"

The introduction states that this book is intended to cover the basic
concepts of information security, and fundamental information about
the tools involved.

Chapter one discusses where the security function should be placed in
organizational structures.  What a policy is, and isn't, as well as
what it does and does not do, is reviewed in chapter two.  Some basic
terms and concepts are described in chapter three, although the level
of the material varies quite a bit.  Chapter four looks at some UK and
US laws related to information security.  Terse (but, within limits,
realistic) comments on some of the major and popular security
frameworks are provided in chapter five.

Chapter six is a set of anecdotes from some really bad job interviews.
Osborne uses a lot of anecdotes, at least one at the beginning of
every chapter.  The stories are amusing, but really don't serve to
support or cement any of the security points under discussion.

Chapter seven outlines some security aspects of network topology.  The
advice is decent, but there are too many diagrams that are poorly
explained.  Firewall concepts are presented in chapter eight, but
largely from a vendor perspective.  Chapter nine takes a much more
realistic look at intrusion detection systems than is usually the
case, noting that the devices are not a panacea for security overall
and require a number of factors that are seldom noted in the general
literature.  More details of implementing the technology are given in
chapter ten.  Chapter eleven, I am delighted to see, addresses the
difficulty in defining the term "intrusion prevention system," and
then goes on to list the variety of technologies that may exist under
that banner.  The practicalities and problems of penetration testing
are examined in chapter twelve.  Some application security issues are
briefly described in chapter thirteen.

While not a complete guide to information security, this book does
provide a solid starting point, and useful tips that are often missed
in a number of the works that have been thrown on the security
bandwagon.  I would not have a problem in recommending it to those who
are in the initial stages of securing their own networks, as long as
they have a basic knowledge of system administration.

copyright Robert M. Slade, 2008   BKHTCMIS.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
It can be shown that for any nutty theory, beyond-the-fringe
political view or strange religion there exists a proponent on
the Net. The proof is left as an exercise for your kill-file.
                                                      - Bertil Jonell
http://victoria.tc.ca/techrev/rms.htm

#840 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 16, 2008 7:08 pm
Subject: REVIEW: "Get Ready for CISSP Exam", Rafeeq Ur Rehman
BKGRFCEB.RVW   20080303

"Get Ready for CISSP Exam", Rafeeq Ur Rehman, 2007
%A   Rafeeq Ur Rehman rafeeq.rehman@...
%D   2007
%I   Conformix Technologies Inc.
%O   free from http://www.conformix.com/books/cissp/
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   95 p. (pdf)
%T   "Get Ready for CISSP Exam"

Not really a book, this is more of a checklist of security topics.
The English used in the text is not the best, and there is very little
in the way of explanation.  The work is also incomplete, providing
almost no information on BCP, OpSec, and Law/Investigation.  However,
for those without any other resources, if you can understand the
points covered, and find the flaws in this material, you have a good
chance of passing the CISSP exam.  (NB: the author sells consulting
and training.  If the quality of the book is an indication, the
quality of the training may be questionable.)

copyright Robert M. Slade, 2008   BKGRFCEB.RVW   20080303


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Do the ones who make this madness have no babies to hold?
                                   - Connie Kaldor, `Mother's Prayer'
http://victoria.tc.ca/techrev/rms.htm

#841 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 23, 2008 8:19 pm
Subject: REVIEW: "Challenges to Digital Forensic Evidence", Fred Cohen
BKCHTDFE.RVW   20080318

"Challenges to Digital Forensic Evidence", Fred Cohen, 2008,
1-878109-41-3, U$39.00
%A   Fred Cohen
%C   572 Leona Dr, Livermore, CA   94550
%D   2008
%G   1-878109-41-3
%I   Fred Cohen and Associates
%O   U$39.00 925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109413/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878109413/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109413/robsladesin03-20
%O   Audience s+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   122 p.
%T   "Challenges to Digital Forensic Evidence"

Fred Cohen knows his stuff when it comes to digital forensics, despite
the fun he has with legalities in the frontmatter of this book.  Cohen
states, in chapter one, he wrote the book because of the mistakes he
had seen people make when bringing technical materials into a legal
setting.  The work is a solid background for a forensic examiner, and
covers a number of areas that are missed in most of the current
literature on this topic.  Forensics is more than simply getting bits
out of a given operating filesystem.

Chapter two concentrates on the errors or problems that arise in the
process of collecting evidence.  Many computer forensics books list
the sections that should be included in a written report, but this
author provides, in chapter three, practical advice on both wording
and approaches, including such aspects as the reporting of errors in
previously submitted reports.  Chapter four demonstrates difficult
situations, some covered in prior chapters and some new, based on
actual cases.

Chapter five reiterates and emphasizes a point that Cohen raises
frequently throughout the book: as an expert, you are working within,
and subject to, an adversarial system and all its attendant
limitations, but your primary responsibility is to the truth.  Being
honest in your work and statements is the basis for all of your
testimony.  As chapter six points out, it is also the best way to
avoid being challenged.

There are many books that talk about forensic tools: this isn't one of
them.  There are a number of works that address specifics of file
systems and storage devices: this isn't one of them.  A few texts even
address some aspects of the investigative process and management:
Cohen addresses some of those issues.  However, I have not seen any
other guides that will tell you, clearly and plainly, how to avoid the
most common failings of technical experts trying to provide evidence
in a decidedly non-technical legal system.

copyright Robert M. Slade, 2008   BKCHTDFE.RVW   20080318


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
`What was it you really put in the sugar?'
`Cascara,' said Malicia.
Keith sighed.  `How much did you give them?'
`Lots.  But they should be all right if they don't take too much
of the antidote.'
`What did you give them for the antidote?'
`Cascara.'
`Malicia, you are not a nice person.'
    - `The Amazing Maurice and His Educated Rodents,' Terry Pratchett
http://victoria.tc.ca/techrev/rms.htm

#842 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 3, 2008 7:06 pm
Subject: REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker
BKDCRMNF.RVW   20080317

"The dotCrime Manifesto", Phillip Hallam-Baker, 2008, 0-321-50358-9,
U$29.99/C$32.99
%A   Phillip Hallam-Baker dotcrimemanifesto.com hallam@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-50358-9 0-321-50358-9
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O  http://www.amazon.com/exec/obidos/ASIN/0321503589/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321503589/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321503589/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   415 p.
%T   "The dotCrime Manifesto: How to Stop Internet Crime"

In the preface, the author notes that network and computer crime is a
matter of people, not of technology.  However, he also notes that
changes to the network infrastructure, as well as improvements in
accountability, would assist in reducing user risk on the net.

Section one enlarges on the theme that people are more important than
machines or protocols.  Chapter one looks at the motive for Internet
crime (money, just like non-computer crime), and repeats the motifs of
the preface.  The text goes on to list various categories and examples
of network fraud.  The content of chapter two is very interesting, but
it is hard to find a central thread.  Overall it appears to be saying
that computer criminals are not the masterminds implied by media
portrayals, but that the problem of malfeasance is growing and needs
to be seriously addressed.  What Hallam-Baker seems to mean by
"Learning from Mistakes," in chapter three, is that security
professionals often rely too much on general principles, rather than
accepting a functional, if imperfect, solution that reduces the
severity of the problem.  Chapter four presents the standard (if
you'll pardon the expression) discussion of change and the acceptance
of new technologies.  A process for driving change designed to improve
the Internet infrastructure is proposed in chapter five.

Section two examines ways to address some of the major network crime
risks.  Chapter six notes the problems with many common means of
handling spam.  SenderID and SPF are promoted in chapter seven (without
expanding the acronym to Sender Policy Framework anywhere in the book
that I could find).  Phishing, and protection against it, is discussed
in chapter eight.  Chapter nine is supposed to deal with botnets, but
concentrates on trojans and firewalls (although I was glad to see a
mention of "reverse firewalls," or egress scanning, which is too often
neglected).

Section three details the security tools of cryptography and trust.
Chapter ten outlines some history and concepts of cryptography.
Trust, in chapter eleven, is confined to the need for aspects of
public key infrastructure (PKI).

Section four presents thoughts on accountability.  Secure transport,
in chapter twelve, starts with thoughts on SSL (Secure Sockets Layer),
and then moves to more characteristics of certificates and the
Extended Verification certificates.  (The promotion of Verisign,
infrequent and somewhat amusing in the earlier chapters, is, by this
point in the book, becoming increasingly annoying.  The author is also
starting to make more subjective assertions, such as boosting the
trusted computing platform initiative.)  Domain Keys Identified Mail
(DKIM) is the major technology promoted in support of secure
messaging, in chapter thirteen.  Chapter fourteen, about secure
identity, has an analysis of a variety of technologies.  (The
recommendations about technologies are supported even less than
before, and the work now starts to sound rather doctrinaire.)  It may
seem rather odd to talk about secure names as opposed to identities,
but Hallam-Baker is dealing with identifiers such as email addresses
and domain names in chapter fifteen.  Chapter sixteen looks at various
considerations in regard to securing networks, mostly in terms of
authentication.  Random thoughts on operating system, hardware, or
application security make up chapter seventeen.  The author stresses,
in chapter eighteen, that the law, used in conjunction with security
technologies, can help in reducing overall threat levels.  Chapter
nineteen finishes off the text with a proposed outline of action that
recaps the major points.

Hallam-Baker uses a dry wit well, and to good effect in the book.  The
humour supports and reinforces the points being made.  So does his
extensive and generally reliable knowledge of computer technology and
history.  In certain areas the author is either less knowledgeable or
careless in his wording, and, unfortunately, the effect is to lessen
the reader's confidence in his conclusions.  This is a pity, since
Hallam-Baker is championing a number of positions that would promote
much greater safety and security on the Internet.  Overall this work
is, for the non-specialist, a much-better-than-average introduction to
the issue of Internet crime and protection, and is also worth serious
consideration by security professionals for the thought-provoking
challenges to standard approaches to the problems examined.

copyright Robert M. Slade, 2008   BKDCRMNF.RVW   2008031


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Do not go where the path may lead, go instead where there is no
path and leave a trail.                        - Ralph Waldo Emerson
http://victoria.tc.ca/techrev/rms.htm

#843 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 7, 2008 4:36 pm
Subject: REVIEW: "PCI Compliance", Tony Bradley et al
BKPCICPL.RVW   20080306

"PCI Compliance", Tony Bradley et al, 2007, 978-1-59749-165-5, U$59.95
%A   Tony Bradley
%A   James D. Burton
%A   Anton Chuvakin www.chuvakin.org
%A   Anatoly Elberg
%A   Brian Freedman
%A   David King
%A   Scott Paladino www.eds.com
%A   Paul Schooping
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   978-1-59749-165-5 1-59749-165-9
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491659/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491659/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491659/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   329 p.
%T   "PCI Compliance"

The Payment Card Industry Data Security Standards (PCI DSS, generally
referred to simply as PCI) document is currently the security
framework that is of greatest concern to those in the retail sector.

Chapter one very tersely introduces PCI and states that the book is
written at a strategic level appropriate for senior managers.  This
assertion of an executive audience is somewhat at odds with the
declaration, in chapter two, that the book is intended for small and
medium sized businesses.  (The chapter otherwise notes a few instances
of credit card fraud.)  The PCI elements of (and terms for) merchant
levels, assessors, and the six control objectives (and twelve
requirements) are given a quick overview in chapter three.

Chapter four presents general concepts related to firewalls and
intrusion detection systems, but does not completely fulfill the
titular promise of suggesting how to build and maintain a secure
network.  (Some additional topics are mentioned, such as a brief
reference of computer virus scanning.)  Most of chapter five, relating
to protection of cardholder data, concentrates on encryption.
However, there is a repeat of some of the network material from the
previous chapter, as well as a rather confused mention of information
classification.  Chapter six deals with log data, both from the
perspective of requirement 10 (which mandates monitoring) and in
relation to some of the other requirements as well.  The fourth
control objective, comprising requirements seven, eight, and nine,
addresses access control.  Chapter seven provides a good, general
overview of the topic, with the material being padded out by fourteen
pages of Windows screenshots.  Vulnerability management, in chapter
eight, mentions requirements five (antivirus), six (secure application
development), and eleven (testing), but in a confused and confusing
manner.  Since monitoring is covered in chapter six, and testing in
chapter eight, it is difficult to see what purpose chapter nine serves
in terms of recovery, monitoring and testing.  A mostly generic look
at project management makes up chapter ten.  Similarly vague and banal
is the material on roles and responsibilities, in chapter eleven, and
advice on how to react to the findings from a security audit, in
chapter twelve.  Chapter thirteen suggests that, once you are
compliant with the PCI standard, you have a periodic self-assessment.
(There is also a terse list of areas to check.)

The book could have been considerably shorter, and perhaps more
helpful, had it concentrated more on the PCI standard and specific
details.  However, given the current interest in PCI, it does provide
a useful introduction, with a large amount of extraneous padding.

copyright Robert M. Slade, 2008   BKPCICPL.RVW   20080306


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Mass transportation is doomed to failure in North America because
a person's car is the only place where he can be alone and think.
                                                   - Marshall McLuhan
victoria.tc.ca/techrev/rms.htm      en.wikipedia.org/wiki/Robert_Slade

#844 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 14, 2008 7:24 pm
Subject: REVIEW: "XSS Attacks", Jeremiah Grossman et al
BKXSSATK.RVW   20080308

"XSS Attacks", Jeremiah Grossman et al, 2007, 978-1-59749-154-9,
U$59.95
%A   Jeremiah Grossman
%A   Robert Hansen RSnake ha.ckers.org
%A   Petko D. Petkov gnucitizen.org
%A   Anton Rager
%A   Seth Fogie
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   978-1-59749-154-9 1-59749-154-3
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491543/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491543/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491543/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   448 p.
%T   "XSS Attacks: Cross Site Scripting Exploits and Defense"

Chapter one traces cross-site scripting (XSS) back to early iframe
security problems, David Rice's 1999 "Script Injection" paper, and
ensuing discussion; bemoans the confusion surrounding the range of
technologies and exploits linked to this term; and then seems to say
that the topic is a risk associated with JavaScript applets and
particularly the XMLHttpRequest object.  In all of this, XSS does not
get delineated in any definitive manner.  A number of utilities for
probing Websites and Web interactions are briefly described in chapter
two.  Despite the title, chapter three does not provide an explanation
of "XSS Theory," but simply lists examples of XSS attack code.  There
is little explanation or analysis of the processes involved, and any
content is specific to the particular commands used, rather than XSS
concepts.  The same emphasis on code is true in chapter four (even
more so: the code sections are much longer), and in five and six as
well.  Thus, four chapters are simply one long list of code samples
and snippets, with little tutorial value other than to provide
specimens for script-kiddies to copy.

Chapter seven discusses exploit frameworks that can be used to
automate attacks and tests against the browser.  XSS attacks that can
reproduce or multiply effects are examined in chapter eight.
Protection and defence is purported to be covered in chapter nine, but
the material is terse and weak.

In relation to the page count, the content of the book has slight
value in terms of teaching what cross-site scripting attacks (as
opposed to other forms of malware) are, and how to protect against
them.

copyright Robert M. Slade, 2008   BKXSSATK.RVW   20080308


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
More than any time in history mankind faces a crossroads.  One
path leads to despair and utter hopelessness, the other to total
extinction.  Let us pray that we have the wisdom to choose
correctly.                                             - Woody Allen
victoria.tc.ca/techrev/rms.htm      en.wikipedia.org/wiki/Robert_Slade

#845 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 24, 2008 7:10 pm
Subject: REVIEW: "AVIEN Malware Defense Guide for the Enterprise", David Harley et al
BKAVNMDG.RVW   20080420

"AVIEN Malware Defense Guide for the Enterprise", David Harley et al,
2007, 978-1-59749-164-8, U$59.95
%A   David Harley David.A.Harley@...
%A   Ken Bechtel
%A   Michael Blanchard
%A   Henk K. Diemer
%A   Andrew Lee
%A   Igor Muttik
%A   Bojan Zdrnja
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-164-0 978-1-59749-164-8
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491640/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491640/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491640/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   540 p.
%T   "AVIEN Malware Defense Guide for the Enterprise"

The preface and introduction stress that this work is a collaborative
effort, combining the views of a number of AVIEN (Anti-Virus
Information Exchange Network) and AVIEWS (Anti-Virus Information and
Early Warning System) members, trying to avoid the blind spots that
result from perspectives limited to one individual or company.

Chapter one outlines the history of AVIEN, noting the tensions between
the (rather small) community that has concentrated on research about
malware and protection against the various threats and the general
user population.  (The general user population includes, for various
reasons, many of the producers and vendors of antivirus products.)  It
is noted (although not stressed) that AVIEN concentrates on protection
of medium to large companies, and this point is important in regard to
protective approaches.  A brief, historically-oriented, look at
malware and related issues, in chapter two, tries to eliminate common
confusion and sets a groundwork for further discussion.  The Web is
now a major source of security vulnerabilities, but the malware
literature has seldom considered the problem as a specific category,
so chapter three's excellent overview of the related technologies and
exploits is particularly welcome.  Botnets are a major threat (or
threats: they are used in a variety of ways), and there is a good
examination of the major associated concepts in chapter four.
Unfortunately, the material is somewhat loosely structured and may be
confusing to some readers, and occasionally emphasizes specific (and
sometimes dated) technologies rather than the basic ideas.  Chapter
five examines the often-asked question of who writes malware, bringing
up a good deal of interesting material.  The text itself may be of
scant use to system administrators, although the points made in the
summary do indicate trends of concern.

Chapter six turns to protective measures, covering not just the usual
antiviral technologies, but advising on layered defence, with the
attendant required planning and management.  Outsourcing, of security
functions in general, and antiviral protection in particular, is
reviewed in chapter seven, with attention paid to both the dangers and
the conditions, agreements, and other factors that might provide
success.  Chapter eight's look at security awareness training and user
education seems to be intended to promote the idea, but is weaker in
providing solutions than other areas of the book, concentrating
primarily on the difficulties and failures.

A variety of tools that might be used in malware analysis, ranging
from system information utilities through debuggers to online virus
detectors, are listed in chapter nine.  Chapter ten considers aspects
of evaluating antiviral products, and makes a good, general guide.

Chapter eleven notes that the AVIEN organization is changing, and
feels like a promotional item to get the reader to become involved,
but the lack of detail of what the institution might become does not
seem calculated to appeal to busy administrators.

The book contains a tremendous wealth of information and references to
specific resources and studies.  This is not surprising, given the
background of the authors, and would, alone, make the text worthwhile.
Overall this work provides a solid overview and compendium of advice
on the current malware situation, and should be a required starting
point for anyone protecting corporate assets in the current, highly
threatening, environment.

copyright Robert M. Slade, 2008   BKAVNMDG.RVW   20080420


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Let others complain that the times are wicked. I complain that
they are paltry; for they are without passion. The thoughts of
men are thin and frail like lace, and they themselves are feeble
like girl lace-makers. The thoughts of their hearts are too puny
to be sinful.      - Soren Kierkegaard (1813-1855), Either/or (1843)
http://victoria.tc.ca/techrev/rms.htm

#846 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 28, 2008 10:33 pm
Subject: REVIEW: "The Innocent Man", John Grisham
secgloss
BKINCTMN.RVW   20080715

"The Innocent Man", John Grisham, 2006, 0-385-51723-8, U$28.95/C$35.95
%A   John Grisham www.jgrisham.com
%C   666 Fifth Ave., New York, NY   10103
%D   2006
%G   0-385-51723-8
%I   Bantam Books/Doubleday/Dell
%O   U$28.95/C$35.95 800-323-9872 www.bdd.com www.doubleday.com
%O  http://www.amazon.com/exec/obidos/ASIN/0385517238/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0385517238/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385517238/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   360 p.
%T   "The Innocent Man: murder and injustice in a small town"

In seminars dealing with forensics and investigation, I stress to my
students that it is important to be scrupulous, unprejudiced, and
honest in your investigation.  This is not only to give the suspect a
"fair chance," but also because when you become fixated on proving the
guilt of an individual, you may fail to determine the identity of the
person who actually committed the crime.

"The Innocent Man" is the story of the improper conviction of Ron
Williamson for murder, as well as the interrelated stories of other
improper convictions around the same time and place.

John Grisham's popular novels have demonstrated his ability to write.
They have also established his knowledge of the law and competence in
research.  This, the author's first non-fiction text, puts that
expertise to good work.  The ground is covered thoroughly, noting
limitations on the part of all involved.  Grisham is, in fact, very
careful to be fair, and avoids imputations of motive (which is rather
at odds with the descriptions of motivation he must make in his
fictional works).  United States case law in regard to investigations,
confessions, and aspects of forensic evidence and presentation is
introduced carefully at every point.

There are, of course, a great many books written about specific crimes
and their outcomes.  A number have been written about wrongful
convictions.  However, "The Innocent Man" is particularly relevant to
those interested in the management of investigations, especially where
forensic, rather than direct, evidence plays a major part in the case.
In one sense, it is an excellent primer on how not to conduct an
investigation.

The justice system is created and staffed by people, and people make
mistakes.  This is why structures have been created to catch possible
errors.  The adversarial system itself, and various appeals processes,
are intended to act as audits, checks, and balances for the system.  It
is, therefore, critical to note one other disturbing point that arises
from the events in the book.  There are numerous layers of appeals,
but a consistency of personnel and direction between the various
offices.  As any student of internal controls knows, weak separation
of duties creates the possibility of all kinds of problems.

This book is entertaining, readable, distressing, and important.

copyright Robert M. Slade, 2008   BKINCTMN.RVW   20080715


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is a theory which states that if ever anybody discovers
exactly what the Universe is for and why it is here, it will
instantly disappear and be replaced by something even more
bizarre and inexplicable. There is another theory which states
that this has already happened.                      - Douglas Adams
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#847 From: Sue.K.Odneal@...
Date: Mon Jul 28, 2008 11:02 pm
Subject: Sue K Odneal/CA/KAIPERM is out of the office.
Sue.K.Odneal@...
I will be out of the office starting  07/25/2008 and will not return until
08/04/2008.

Please refer any urgent matters to Ramy.X.Houssaini@..., 510/271-6994.
Thanks!

#848 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 31, 2008 8:03 pm
Subject: REVIEW: "Internet Denial of Service", Jelena Mirkovic et al
secgloss
BKNTRDOS.RVW   20080420

"Internet Denial of Service", Jelena Mirkovic et al, 2005,
0-13-147573-8, U$39.99/C$57.99
%A   Jelena Mirkovic
%A   Sven Dietrich
%A   David Dittrich dittrich@...
%A   Peter Reiher
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2005
%G   0-13-147573-8
%I   Prentice Hall
%O   U$39.99/C$57.99 800-576-3800 416-293-3621 201-236-7139
%O  http://www.amazon.com/exec/obidos/ASIN/0131475738/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131475738/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131475738/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   372 p.
%T   "Internet Denial of Service: Attack and Defense Mechanisms"

Chapter one is an introduction to the book itself, rather than the
topic, asserting that the work is intended for an audience of system
administrators, corporate managers, and those dealing with public
policy.  The topic is defined in chapter two, which notes that denial
of service (DoS) is not like other security risks where intrusion or
use (or misuse) of resources is the aim, but prevention of the
legitimate use of a system.  Much of the material concentrates on
distributed denial of service (DDoS), and the text mentions the
inherent risk of DoS where a service is being provided.  The structure
and logical flow of the content is not always obvious, but the
information is reasonably clear and readable.  The history of DoS
attacks, starting with the early, simple assaults intended to gain
status and notoriety and progressing through to the recent complex and
financially motivated offensives, is covered in chapter three.  There
is discussion of the fact that the structure of the Internet works
against many protective measures and hinders efforts to collect
digital forensic evidence.  Chapter four examines the process,
technology, and tools of DDoS attacks.

Defence is contemplated in chapter five, along with the intrinsic
difficulty presented by the need for availability, the possibility of
attacking either the computer-based service or the network-based
communications, and a poor authentication and tracking infrastructure.
The deliberation does note that defence can be attempted in many
layers, from secure application development to overt reaction.  A
detailed analysis of some defensive approaches is provided in chapter
six, which assessment is also valuable in terms of business continuity
planning.  Chapter seven has a listing and review of various research
projects on defence.  Legal issues are catalogued in chapter eight:
most of the content is general, but there is a fair amount that is
specific to the United States.  Chapter nine summarizes major points,
and speculates on future trends.

This is a thorough overview of a topic that is covered poorly, if at
all, in most of the security literature.  Availability has come very
late to add depth to the C-I-A (Confidentiality, Integrity,
Availability) triad, and therefore DoS attacks are still misunderstood
as mere nuisance.  The problem is growing, and this material should be
of greater interest to those charged with protecting both corporate
assets and the public infrastructure.

copyright Robert M. Slade, 2008   BKNTRDOS.RVW   20080420


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Attempt the end, and never stand to doubt; Nothing's so hard, but
search will find it out.                            - Robert Herrick
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#849 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Aug 14, 2008 11:18 pm
Subject: REVIEW: "Crimeware: Understanding New Attacks and Defenses", Markus Jakobsson/Zulfikar Ramzan
secgloss
BKCRMWRE.RVW   20080511

"Crimeware: Understanding New Attacks and Defenses", Markus
Jakobsson/Zulfikar Ramzan, 2008, 978-0-321-50195-0, 54.99/C$59.99
%E   Markus Jakobsson
%E   Zulfikar Ramzan
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-50195-0 0-321-50195-0
%I   Addison-Wesley Publishing Co.
%O   54.99/C$59.99 416-447-5101 fax: 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321501950/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321501950/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321501950/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   582 p.
%T   "Crimeware: Understanding New Attacks and Defenses"

The preface notes the change in incentive, for the production of
malware, from intellectual curiosity to the profit motive.  It also
states that the book is intended for anyone with an interest in
crimeware or computer security, including those with a background in
education or public policy rather than technology.

Although chapter one promises, at various points, a structured and
taxonomic overview of crimeware, it is little more than a grab bag of
points possibly related to malware and information security, and, as
such, is more confusing than educational.  Gary McGraw's seven-point
taxonomy of coding errors is given in chapter two.  It's an excellent
list, but has limited relevance to crimeware.  Chapter three consists
of two very distinct items: an interesting report on the spread of
malware through peer-to-peer (P2P) file-sharing networks, and an
account of one specific chain-mail hoax.  Malware implementations in
small devices, such as USB (Universal Serial Bus) and RFID (Radio
Frequency IDentification), are explored in chapter four, which
material does, at least, discuss how these technologies could be used
for criminal activity.  Although entitled "Crimeware in Firmware,"
most of chapter five is concerned with wireless LAN security, and is
highly speculative.  A few pieces of crimeware that run in Web
browsers are described in chapter six.  Chapter seven contains a
reasonable, though superficial, overview of botnets.  A number of
calls used by specific rootkit packages are described in chapter
eight.  Fraud in online gaming is examined in chapter nine, although,
oddly, the issue of theft of game goods for "real world" sale is not
mentioned.  Chapter ten covers politics and malicious online activity,
but is primarily concerned with Web defacements and online defamation.
Fraud, generally related to Web advertising, is in chapter eleven.
"Crimeware Business Models," in chapter twelve, are confined to only a
few types, although the section on adware is particularly good.
Advice on how not to do education is provided in chapter thirteen.
Chapter fourteen outlines a few US laws possibly relevant to
crimeware.  The activities of the Trusted Computing Group (TCG),
particularly with regard to Digital Rights Management, are promoted in
chapter fifteen.  A simplistic look at a few defensive technologies is
provided in chapter sixteen.  Chapter seventeen provides a vague
closing to the book.

The level of the writing and the technology varies from chapter to
chapter, since the book has a wide variety of authors.  Unfortunately,
very little of the content is directly relevant to crimeware as such:
most of the material is merely general information about malware.
Some of the text is interesting, but much of it is vague, and little
is new.  The work is a fairly reasonable introduction to malware
threats and protection, but does not add much to the existing
literature.

copyright Robert M. Slade, 2008   BKCRMWRE.RVW   20080511


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
[Upon being awakened] It's bright, I'm blind, I need to sleep...
(long pause)... thank you for visiting the Blind Residence...
good bye.                                            - TAH, 20060222
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#850 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Aug 18, 2008 7:05 pm
Subject: REVIEW: "The New School of Information Security", Adam Shostack/Andrew Stewart
secgloss
BKTNSOIS.RVW   20080511

"The New School of Information Security", Adam Shostack/Andrew
Stewart, 2008, 978-0-321-50278-0, U$29.99/C$32.99
%A   Adam Shostack
%A   Andrew Stewart homepage.mac.com/andrew_j_stewart
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-50278-0 0-321-50278-7
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O  http://www.amazon.com/exec/obidos/ASIN/0321502787/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321502787/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321502787/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   "The New School of Information Security"

The preface is not very clear about the intent or audience for the
book, stating that it is not about security technologies (it's rather
specific about firewalls) as such, but about how technology interacts
with the world.

Chapter one says that information security is failing, and that we
need a "New School" of thought on the matter.  The authors state, in
chapter two, that everybody else is doing infosec incorrectly.  (I
have to admit that I strongly agree that "best practice" is a silly
and useless phrase.)  That what everyone else knows is also wrong
seems to be the thesis of chapter three.  Chapter four notes that
nobody wants to admit mistakes.  (By this point I was willing to admit
that reviewing this book was probably a mistake.)  That security is
not just a matter of technology is asserted in chapter five, and the
point is valid, although reasonably well known.  Chapter six says that
everybody spends (security budgets) improperly.  Everybody does
planning wrong, too, we are told in chapter seven.  The authors finish
up by telling us, in chapter eight, that we should do better.

Thanks, guys.  That was helpful.

copyright Robert M. Slade, 2008   BKTNSOIS.RVW   20080511


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
              Remember, by the rules of the game, I *must* lie.
              *Now* do you believe me?        - Margaret Atwood
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#851 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Aug 21, 2008 9:31 pm
Subject: REVIEW: "The Art of Software Security Testing", Chris Wysopal et al
secgloss
BKASWSCT.RVW   20080512

"The Art of Software Security Testing", Chris Wysopal et al, 2007,
0-321-30486-1, U$49.99/C$61.99
%A   Chris Wysopal
%A   Lucas Nelson
%A   Dino Dai Zovi
%A   Elfriede Dustin
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   0-321-30486-1
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321304861/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321304861/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321304861/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   266 p.
%T   "The Art of Software Security Testing"

The preface states that the book is directed at developers who need to
know how to test for vulnerabilities.  Once you get into the text it
is clear that the intent is a bit more specific than that: the work
promotes the idea of using the same type of vulnerability scanning
tools that blackhats and intruders will be using against you.

Part one is an introduction to the basic process of application
penetration or vulnerability testing.  In chapter one the authors seem
to think the idea of application penetration testing is a radically
new idea, and that the use of attacker tools will provide much greater
protection than other methods.  (The fact that this only detects
vulnerabilities that have already been exploited and known is not
examined.)  A laundry list of bad programming practices is provided in
chapter two, but there is no discussion of which type of testing will
help against the various problems.  The stages of the system
development life cycle (SDLC) (and secure system development
lifecycle, or SSDL) are described in chapter three, but there is
little note of the types of testing relevant to each phase.  Chapter
four outlines threat modelling, but doesn't explain how testing for
known vulnerabilities assists in the design process.  Some components
for a testing environment are mentioned in chapter five.

Part two reviews the processes of a few attacks.  Chapter six looks at
the injection of malformed data packets.  A few attacks against Web
sessions are reported in chapter seven.  SQL (Structured Query
Language) attacks are discussed in chapter eight.  Chapter nine
describes the WebScarab Web proxy, and its use in intercepting traffic
to and from Web sites.  Some code that might be used with the SOAPy
(related to the Simple Object Access Protocol) API (Application
Programming Interface) to create a tool for fuzzing (submitting
semi-random data to a program for testing) makes up chapter ten.  A
few other tools are listed in chapter eleven.

Part three, supposedly about analysis, contains one final chapter with
a short deliberation on the ability to exploit different
vulnerabilities.

"How to Break Web Software" (cf. BKHTBWSW.RVW) does a much better job
of describing not only the attacks against Web applications (the
primary focus of Wysopal and friends), but also the defensive measures
that can be taken.  (And in fewer pages, too.)  "Software Security:
Building Security In" (cf. BKSWSBSI.RVW) covers a wider range of
testing, and notes the types appropriate to different stages of the
development process.  This work registers a few tools, but is limited
and of restricted usefulness.

copyright Robert M. Slade, 2008   BKASWSCT.RVW   20080512


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
My infected haiku
Jerusalem has added
more Jerusalem                                       - virus haiku
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#852 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Aug 25, 2008 8:26 pm
Subject: REVIEW: "Introduction to Identity-Based Encryption", Luther Martin
secgloss
BKIDBENC.RVW   20080514

"Introduction to Identity-Based Encryption", Luther Martin, 2008,
978-1-59693-238-8, U$89.00
%A   Luther Martin
%C   685 Canton St., Norwood, MA   02062
%D   2008
%G   978-1-59693-238-8 1-59693-238-4
%I   Artech House/Horizon
%O   U$89.00 617-769-9750 800-225-9977 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1596932384/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1596932384/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596932384/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   232 p.
%T   "Introduction to Identity-Based Encryption"

The preface states that identity-based encryption (IBE) is equivalent,
in importance, to the invention of asymmetric encryption, but it
doesn't say why (nor, in fact, what identity-based encryption actually
is.)

Although chapter one is an introduction, the definition of IBE is on a
very abstract level.  We are told that the intent of IBE is to allow
one party to create a public key for another, identifiable, entity,
and encrypt material for transmission to them, even though an
asymmetric key pair has not been established in advance.  The receiver
could then generate a corresponding private key, and retrieve the
original information.  Some mathematics (number theory) involved in
asymmetric encryption is presented in chapter two, but not explained.
The same level of non-exegesis is used, in chapter three, regarding
elliptic curves, and in chapter four in relation to Tate pairing.  All
we are told is that these pairings are used in many IBE schemes.
Chapter five turns to the mathematics of basic encryption schemes, and
ends by looking at the theoretical cracking of keys by quantum
computers, using, for example, Shor's algorithm.  (Confidence in the
practicality of Martin's arithmetic is not helped by his provision of
a table of key cracking times that completely ignores the existence of
Moore's Law.)  Some common (non-IBE) encryption algorithms are
described in chapter six, and Martin actually does a better job
explaining these.

Chapters seven to ten outline four IBE encryption schemes.  The math
is all there (including analysis of the weaknesses, and potential
means of remediation), but the rather central point of the choice and
determination of identity values still has not been addressed.  All of
these systems rely on generation of the private keys from a single
agent (which can, therefore, become a single point of failure), so
chapter eleven examines ways to support key generation with multiple
sources.  Ways to improve the performance of the (computationally
intensive) operations of the IBE systems are examined in chapter
twelve.

The title is rather unfortunate, since Martin never does provide much
of an introduction.  The content is intriguing, although the practical
applications of any IBE system turn on the question of the identity
data, which is left unaddressed.  Martin's assertion of the importance
of IBE is therefore not demonstrated in this work.

copyright Robert M. Slade, 2008   BKIDBENC.RVW   20080514


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Whenever you find yourself on the side of the majority, it's time
to pause and reflect.                                   - Mark Twain
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#853 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Sat Sep 27, 2008 12:04 am
Subject: REVIEW: "The Code Book", Simon Singh
secgloss
BKCODBOK.RVW   20080724

"The Code Book", Simon Singh, 2001, 0-385-72913-8, U$16.95/C$24.95
%A   Simon Singh www.SimonSingh.com simon@...
%C   1540 Broadway, New York, NY 10036
%D   2001
%G   0-385-72913-8
%I   Random House
%O   U$16.95/C$24.95 http://www.bdd.com webmaster@...
%O  http://www.amazon.com/exec/obidos/ASIN/0385729138/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0385729138/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385729138/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   263 p.
%T   "The Code Book"

The introduction states that the book is intended to outline the
evolution of encryption, and to demonstrate that encryption is more
important today than it has ever been.

It's too bad that the text doesn't live up to that noble ambition.
The work is readable and quite entertaining, and is even somewhat
educational.  The stories are interesting, and, being basically gossip
level tales, reveal the character of some individuals who have worked
on cryptography over the centuries.  However, the text lacks structure
in terms of the flow of the ideas and concepts of cryptology, and is
certainly far from complete.

The basic notions of cryptology, such as the operation of simple
substitution and transposition ciphers, and the use of frequency
analysis to break them, are explained.  Many fundamental concepts (the
importance of randomness, for example) are mentioned only
tangentially.  A significant number of foundational abstractions are
presented in either a misleading fashion, or with very odd emphases.
Singh asserts the idiosyncratic position that transposition and
substitution form two classes of encryption into which all types of
encryption can be grouped.  (This was picked up and even fallaciously
expanded by Easttom in "Computer Security Fundamentals" [cf.
BKCMSCFN.RVW].  Most modern symmetric algorithms use combinations of
transposition and substitution.)

Information technology is significant in modern society, and
encryption is vital to information technology: that much is obvious.
Singh does not, though, provide any further evidence of this fact.
The use of encryption is limited, in his writing, to the support of
confidentiality, and the importance of the technology in regard to
authentication, integrity, and even availability is noted only in
passing in some of the anecdotes.

The narratives are diverting, and some are even meaningful in the
history of cryptology.  Certain of the tales flesh out material that
is glossed over in works such as Stamp's "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  However, Stamp obviously
knew his stuff in regard to encryption, and explained it clearly,
which Singh does not.  (And, in only 50% more pages, covered a good
chunk of the rest of infosec, to boot.)

copyright Robert M. Slade, 2008   BKCODBOK.RVW   20080724


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Dictionary of Info Sec    www.amazon.com/exec/obidos/ASIN/1597491152
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#854 From: "Michel Kabay" <mekabay@...>
Date: Wed Oct 1, 2008 2:51 pm
Subject: CSH5: LOOKING FOR DR JOHN D. HOWARD
mich_kabay
Hi Everyone,

I'm one of the three editors (with Senior Editor Sy Bosworth and Assistant
Editor Eric Whyne) of the Fifth Edition of the _Computer Security Handbook_
published by Wiley. We are trying to find Dr John D. Howard; he used to
work at Sandia Labs but has moved on and we don't know how to contact him.
We urgently need his copyright permission forms for his chapter (!) so the
book can go to press.

HELP!


Best wishes,

Mich

M. E. Kabay, PhD, CISSP-ISSMP
* CTO & Prog Dir, MSc in Info Assurance
School of Graduate Studies
P: +1.802.479.7937
NORWICH UNIVERSITY
Expect Challenge. Achieve Distinction.
* * *
E1: mailto:mekabay@...
E2: mailto:mkabay@... for University business
W: http://www2.norwich.edu/mkabay/
* Network World Security Strategies Newsletters
http://www.networkworld.com/newsletters/sec/

* Unless stated otherwise, this e-mail represents only the views of the
sender and not the views of Norwich University. *

=>o  ASCII ribbon campaign against HTML e-mail o<=


#855 From: Fred Cohen <dr.cohen@...>
Date: Wed Oct 1, 2008 3:00 pm
Subject: Re: CSH5: LOOKING FOR DR JOHN D. HOWARD
fcallnet
I believe he is working at NNSA or somewhere in the DoD for the year.
You might try the DoD locator Web site.

FC

On Oct 1, 2008, at 7:51 AM, Michel Kabay wrote:

- This communication is confidential to the parties it is intended to
serve -
Fred Cohen & Associates                 tel/fax: 925-454-0171
http://all.net/       572 Leona Drive    Livermore, CA 94550
Join http://tech.groups.yahoo.com/group/FCA-announce/join for our
mailing list

#856 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Oct 2, 2008 7:46 pm
Subject: REVIEW: "Computer Ethics", Deborah Johnson
secgloss
BKCMPETH.RVW  20080922

"Computer Ethics", Deborah Johnson, 2001, 0-13-083699-0
%A   Deborah Johnson
%C   113 Sylvan Avenue, Englewood Cliffs, NJ   07632
%D   2001
%G   0-13-083699-0
%I   Prentice Hall
%O   (515) 284-6751 FAX (515) 284-2607
%O  http://www.amazon.com/exec/obidos/ASIN/0130836990/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0130836990/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130836990/robsladesin03-20
%O   Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation)
%P   240 p.
%T   "Computer Ethics, Third Edition"

Unlike the famous quote about life in the state of nature being nasty,
dull, brutish and short, Johnson's examination of the state of ethics
in computing is readable, interesting, discerning--and short.

The usual treatment of ethics is done as proof by exhaustion.  In
opposition, Johnson does a complete and reasonable job.  Without
recourse to mounds of collected work (of dubious merit), the major
points of professionalism, property rights, privacy, crime, and
responsibility are addressed.  Even in this brief space, ethics are
studied more rigorously than in more weighty tomes.  Not content with
the usual reliance on relativism and utilitarianism, Johnson points
out the flaws in each.

"Complete" is, I suppose, an overstatement.  Although it is difficult
to imagine a scenario that the book does not touch upon at some point,
and even though Johnson continues to expand the text as the online
world expands, ultimately this volume is a good primer and discussion
starter.  While possibly the definitive work in the field to date, it
does not, in the final analysis, get us much closer to a computer
ethic.

Highly recommended.  Tavani's "Ethics and Technology" (cf.
BKETHTCH.RVW) is practical and a good structural examination, but
Johnson is the classic, as the oldest and most complete work in the
fewest words, and should be required reading for all computer science
students.  Exposure wouldn't hurt any number of professionals and
executives, either.

copyright Robert M. Slade, 1994, 2008   BKCMPETH.RVW  20080922


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
What I need is a list of specific unknown problems we will
encounter.   - manager at Lykes Lines Shipping, from DNRC newsletter
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#857 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 27, 2008 8:20 pm
Subject: REVIEW: "Security Engineering", Ross Anderson
secgloss
 
BKSECENG.RVW   20080929

"Security Engineering", Ross Anderson, 2008, 978-0-470-06852-6,
U$70.00
%A   Ross Anderson ross.anderson@... rja14@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2001
%G   978-0-470-06852-6 0-470-06852-3
%I   John Wiley & Sons, Inc.
%O   U$70.00 416-236-4433 fax: 416-236-4448
%O   http://www.cl.cam.ac.uk/~rja14/book.html
%O  http://www.amazon.com/exec/obidos/ASIN/0470068523/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0470068523/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470068523/robsladesin03-20
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   1040 p.
%T   "Security Engineering: A Guide to Building Dependable Distributed
       Systems, Second Edition"

Anything written by Gene Spafford is important.  Anything written by
Bruce Schneier is readable, and, even if you disagree with it, worth
thinking about.  Anything written by Ross Anderson is important,
readable, worth considering, and correct.

The preface states that this book is intended as a text for self-study
or for a one term course, a reference for professionals, an
introduction to the underlying concepts, and an original scientific
contribution in terms of the foundational principles for security
engineering.  In addition, the preface to the second edition notes
that these concepts now need to be understood by legal investigators,
managers, and, in the wake of 9/11, everyone.  A very tall order to
fulfill, but one which, for once, seems to have been accomplished.  I
have often been asked, in regard to these reviews, whether there are,
in fact, any books that I do like.  Well, I like this one.  If you are
involved with security and you haven't read "Security Engineering,"
you should.  And you have no excuse if you haven't.  This is the
second edition to be printed, and the first edition is available
online, in its entirety.

(And, if the first edition is available online for free, why should
you buy the second?  Because the second edition has more, in almost
every respect.)

Part one deals with the basic concepts of engineering and security.
Chapter one presents four example situations of security needs.
Protocols are not limited to the precise but limited structures with
which computer people are familiar.  Security is a people problem, and
chapter two, entitled "Usability and Psychology," addresses this issue
up front, along with a set of more conceptual, but more formal,
authentication problems and protocols.  It is unlikely that the models
presented exhaust the field, but some thought indicates that they are
pertinent to a wide variety of applications.  Much the usual thoughts
and advice on passwords is issued in chapter three, although the
research is better documented, and some additional research
(passphrase generated passwords are as secure as randomly assigned
ones, and as memorable as naively chosen ones) is presented.
(Anderson's writing is clear enough, but he does betray a taste for
symbolic logic that might limit the audience for the book.  Still,
perseverance on the part of the reader will be amply rewarded.)  It
is strange not to see any mention of the work factor of passwords
overall.  Chapter four reviews access control, but primarily from the
perspective of system and hardware internals.  Cryptography, in
chapter five, is covered reliably and well, although the structure and
flow of the material is not always in developmental order.  The
problems of distributed systems are examined, in terms of concurrency,
failure resistance, and naming, in chapter six.  Economics can be used
to examine a great many aspects of security (and insecurity).  Chapter
seven looks at a number, but I was disappointed to note that risk
analysis was not one of them.

Part two uses a number of applications of secure systems to introduce
particular concepts or technologies.  Chapter eight discusses
multilevel security, which encompasses most of the formal security
models such as Bell-LaPadula.  Medical (and census) databases are
used, in chapter nine, as examples of multilateral, or compartmented,
security: the need to deal with information of equal sensitivity, but
restricted to different groups.  Controls particularly related to the
banking system and fraud are presented in chapter ten, although the
material is long on anecdotes, and contains weaker analysis than the
preceding text.  A somewhat limited, but still interesting, review of
physical security has been added in chapter eleven.  Chapter twelve
reviews monitoring systems, of both monitoring and metering types.  In
regard to nuclear command and control systems, chapter thirteen
examines the tension between availability (the ability to fire a
missile) and confidentiality (or authentication: making sure nobody
else does).  Various aspects of the technology for security printing
and seals are dealt with in chapter fourteen.  Biometrics, in chapter
fifteen, gets a good, but fairly standard, treatment.  Chapter sixteen
delves into tamper-resistance in cryptographic gear and smartcards
(expanding on the content of fourteen).  The TEMPEST and Teapot (no,
I'm not kidding) projects on emission security are reviewed in chapter
seventeen.  Chapter eighteen examines the security problems inherent
in the use of application programming interfaces (APIs).  There is
good coverage of the basics of traditional electronic warfare in
chapter nineteen, although the material on information warfare is not
as thorough.  Chapter twenty looks at telecommunications system
security, with some material on phone phreaking and lots on cellular
encryption.  Network attack and defense, in chapter twenty-one, is
less focussed than other chapters, and adds malware.  Copyright and
DRM (Digital Rights Management) systems are examined in chapter
twenty-two, with solid coverage of recent controversies.  Gaming,
social networks, elections, and other complex applications are
discussed in chapter twenty-three.

Part three turns to politics, management, and assurance.  Chapter
twenty-four, under the title of "Terror, Justice, and Freedom," has a
fascinating discussion of major issues in public policy.  Management
issues, in chapter twenty-five, are presented in an interesting but
generic manner.  The discussion of system evaluation and assurance
asks the usual question in regard to how we know our systems are
secure.  In a sense, though, the subtitle of the book is wrong: much
of the material points out how *not* to build dependable systems, and
chapter twenty-six is a bit disheartening.  The conclusion, in chapter
twenty-seven, is that we need more engineers and engineering.

Although the material is presented in a very formal way, the writing
is usually quite readable, and the exceptional stilted passages are
still accessible to the determined reader.  On occasion, one could
hope for additional explanations of some items that are mentioned
briefly and passed over.  The constant emphasis on how security
protections have failed can be depressing, but the examination of the
errors of others does provide the basis for better designs in the
future.

copyright Robert M. Slade, 2002, 2008   BKSECENG.RVW   20080929


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
         Whatever.                                 - Jean Paul Sartre
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

#858 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 3, 2008 7:08 pm
Subject: REVIEW: "Handbook of Research on Technoethics", Rocci Luppicini/Rebecca Adell
secgloss
 
BKHRTCET.RVW   20081002

"Handbook of Research on Technoethics", Rocci Luppicini/Rebecca Adell,
2009, 978-160566022-6, U$495.00
%E   Rocci Luppicini
%E   Rebecca Adell
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2009
%G   978-160566022-6
%I   IRM Press/Idea Group/IGI Global
%O   U$495.00 800-345-432 717-533-8845 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1605660221/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1605660221/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1605660221/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   1028 p. (2 volumes)
%T   "Handbook of Research on Technoethics"

The (very brief) preface states that the work is for students,
instructors, researchers, ethicists, technology scholars, and just
about everybody.  Unfortunately, all it has to say about the topic is
that it is broad.  Ultimately, this is a compendium of papers related
to ethics related to technology (sometimes).

Even in the more detailed attempt to define technoethics, in the first
article, the authors have to admit that there is little agreement on
the term: that some see it as the special responsibility of
technologists and engineers, while others extend it to behavioural
standards for the new global community.  A "conceptual map" of the
topic is presented at one point.  In some attempt to be cute the
topics are overlaid on a map of Europe, but the specific subjects are
laid out in almost random fashion, primarily covering computer ethics
and related ideas, but extending somewhat into biomedical areas.  (One
of the more interesting papers examines the ethics of performance
enhancement technologies in sports.)

The essays are divided into broad categories: theoretical frameworks,
areas of research, case studies, emerging trends, and further reading.
The titles of the sections do little to differentiate the contents of
the pieces.  In the section on theoretical frameworks, for example,
one paper describes Lawrence Kohlberg's theory of moral development,
while another briefly notes John Rawls' theory of social justice: the
other five essays are generic introductions to ethics in technical
arenas.  (The article looking at Kohlberg is merely an overview of his
philosophy, without any real relation to technology.  Similarly, a
later treatise is simply an explanation of podcasting, without any
relevance to ethics at all.)  There does not appear to have been any
attempt to structure topics in advance, but rather to attempt to
arbitrarily impose some kind of organization after the fact.
Therefore, while some of the treatises are detailed and well written,
most are vague and simplistic.  There are different examples and focus
in various papers, but there is an enormous amount of duplicate
content, particularly in terms of basic concepts.

The range of examples might be interesting or useful for broad
discussions of ethics in a technical environment.  However, it is hard
to imagine an audience that would benefit from this work, rather than
a number of others that would be more valuable at less cost (even when
considered in total).  Deborah Johnson's "Computer Ethics" (cf.
BKCMPETH.RVW) is limited to information technology, true, but it is
more complete in that field.  Herman Tavani's "Ethics and Technology"
(cf. BKETHTCH.RVW) is more structured and foundational.  The addition
of a decent text on bioethics would equal or exceed the content of
these volumes, and be easier on the pocketbook.  (Or is it immoral to
contemplate such base considerations?)

copyright Robert M. Slade, 2008   BKHRTCET.RVW   20081002


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Is your children learning?             - George W. Bush on education
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/
