techbooks · Internet Review Project
Messages 293 - 322 of 901
#293 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Jul 2, 2001 8:34 pm
Subject: REVIEW: "Networks", Timothy S. Ramteke
BKNTWRKS.RVW  20010519

"Networks", Timothy S. Ramteke, 2001, 0-13-901265-6, U$105.00
%A   Timothy S. Ramteke ramteke@... slickk@...
%C   Upper Saddle River, NJ
%D   2001
%G   0-13-901265-6
%I   Prentice Hall
%O   U$105.00 corinne_mitchell@...
%P   705 p.
%T   "Networks", second edition

When I saw the first edition of Ramteke's book, with its singular
title of "Networks," it was bemusing.  Did it cover more on TCP/IP?
LANs?  WANs?  Public switched telephone networks?

Yes.

And very well, too.  Using three major examples of networks, with a
few additional digressions, it covered the concepts of networking.

So I expected the second edition to be more of the same.  Ramteke
obviously thought so, too, since his introduction states that he has
followed the same format.  However, I found the books to be quite
different.  This new edition is more than 200 pages longer, and the
additional material appears to concentrate on many more specific
network systems.  Therefore, while the title originally seemed to
imply a discussion of networking as an abstraction, the appellation
now appears to refer more to a catalogue of networks.

This is not necessarily a bad thing.  Hidebound old teachers, like
myself, who need a rigorous structure to a course will find it
difficult to find chapters to assign for different topics.  (It would
probably be easier simply to assign sections and pages: there is lots
of material to choose from.)  Readers, however, will find a great deal
of interest in the diverse topics, and telecommunications
professionals will find it handy to have a quick guide to different
types of networks as they move into diverse fields.

Most of the material is familiar to old hands: analog and digital
signals, transmission systems, basic LAN concepts, basic Internet
concepts, SNA (Systems Network Architecture), X.25 (still doesn't
mention Datapac), signalling system 7, ISDN (Integrated Services
Digital Network), SONET (Synchronous Optical NETwork), frame relay,
ATM (Asynchronous Transfer Mode), advanced LAN concepts, bridging and
routing, and additional TCP/IP concepts.  There is a section on voice
networks, covering signalling, switching, PSTN (Public Switched
Telephone Network), wireless communication and CDMA (Code Division
Multiple Access), private networks, voice processing, and T1 networks.
Other chapters also seem to show a predilection for telephony.

Some of the chapters seem slightly out of place, such as business and
residential network services, and Linux administration.  The topic of
VPNs (Virtual Private Networks) would seem to belong, were it not for
the fact that most of the text in this piece deals with basic
cryptography rather than its application.

In my original review I stated that this book has the potential to
become a technical classic.  I am not certain that this new
development takes the work further in that direction.  Although
Ramteke has thoroughly reworked and updated the content, the increased
emphasis on details of specific networks may date the volume quickly.

The book is, though, as readable as ever, and is still a good resource
for anyone wanting to understand this important aspect of
communications.

copyright Robert M. Slade, 1994, 2001   BKNTWRKS.RVW  20010519


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Certainly, in taking revenge, a man is but even with his enemy;
but in passing it over, he is superior; for it is a prince's part
to pardon.            - Sir Francis Bacon (1561-1626), Essays (1597)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#294 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Jul 16, 2001 8:29 pm
Subject: REVIEW: "Principles of Modern Communications Technology", A. Michael Noll
BKPMDCMT.RVW   20010523

"Principles of Modern Communications Technology", A. Michael Noll,
2001, 1-58053-284-5, U$65.00
%A   A. Michael Noll
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-284-5
%I   Artech House/Horizon
%O   U$65.00 800-225-9977 fax: +1-617-769-6334 artech@...
%P   296 p.
%T   "Principles of Modern Communications Technology"

While Noll does not touch on all forms of communications, the breadth
of scope in this book is wider than most.  Four parts of the book
examine audio (generally music or broadcast), video, telephony, and
computers (emphasizing text data).  The coverage is not intended to be
deep: this work is for the non-technician, and is intended to provide
a general overview and communications technology literacy.

Chapter one is a surprisingly brief review of the anatomy of the ear.
In the abstract one can understand the need to deal with the human
side of acoustics, but the text doesn't touch on neurology,
psychology, or even the mechanics of changing pressure waves in the
air into nerve impulses.  A history of the phonograph, concentrating
on biographical details of Thomas Edison, occupies chapter two.  A
start on the physical characteristics of sound, in chapter three,
turns into a quick look at musical instruments and architectural
acoustics.  Chapter four starts into physics again, but turns into a
confusion of Fourier analysis and spectrograms.  After the earlier
very brief chapters, chapter five's explanation of electricity is
surprisingly complete.  Unfortunately, the subsequent discussion of
electronics, in chapter six, is a grab bag of topics.  Digital
sampling and compact disks finish off the section in chapter seven.

Part two follows a somewhat similar pattern, in relation to video.
Chapter eight does a good job of explaining the anatomy of the eye,
the psychophysics of vision, and colour theory.  Television basics are
outlined in chapter nine.  Chapter ten looks at modulation theory,
but appears disjointed, as does the discussion of radio, cable, and
satellite broadcasting in chapter eleven.  The description of colour
television, in chapter twelve, is full of details, but isn't very
clear.  Chapter thirteen is another grab bag.

Chapter fourteen takes a quick look at human anatomy in regard to
speech, but also looks at mechanical speaking machines.  The telephone
is explained in chapter fifteen, while sixteen provides much less
detail on telephone networks.  Transmission technologies are covered
in chapter seventeen, switches are listed in eighteen, and various
other topics mentioned in nineteen.

Chapter twenty gives a history of writing.  More history is involved
with the telegraph, in chapter twenty one, and the computer, in twenty
two.  Standard overviews of computer hardware and software follow in
twenty three and four.  A miscellany of data communications topics is
mentioned in chapter twenty five.

Unfortunately, while the book is very easy to read, the structure
appears almost random.  Overall, it seems to be a collection of very
superficial magazine articles.  While the reader is presented with a
number of interesting facts, concepts are not as evident.  Therefore a
familiarity with the technology might appear, but literacy will likely
remain elusive.

copyright Robert M. Slade, 2001   BKPMDCMT.RVW   20010523


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
At any given time, one third of the world's population is asleep.
That means two thirds are awake and causing problems.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#295 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Jul 30, 2001 5:54 pm
Subject: REVIEW: "Secrets and Lies: Digital Security in a Networked World", Bruce Schneier
BKSECLIE.RVW   20001022

"Secrets and Lies: Digital Security in a Networked World", Bruce
Schneier, 2000, 0-471-25311-1, U$29.99/C$41.95
%A   Bruce Schneier schneier@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2000
%G   0-471-25311-1
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$41.95 416-236-4433 fax: 416-236-4448 pfurlong@...
%P   412 p.
%T   "Secrets and Lies: Digital Security in a Networked World"

"Secrets and Lies" has generated a great deal of interest in the
security community this year.  Much of this interest probably stems
from the simple fact that it isn't every day (or every year) that you
get a general security book, written for the non-specialist, produced
by a major name in the field.  But one point seems to have been
glossed over in the praise for this work.  Schneier's writing is
lively, entertaining, and even playful throughout the entire book.
Not only is this volume a realistic and useful view of the security
enterprise, but it's a lot of fun.

As the author of "Applied Cryptography," the leading text in the
field; the founder of Counterpane Systems, with its major influence in
encryption consulting; and the publisher of the Crypto-Gram
newsletter, regular and thoughtful analyses of major encryption
related issues; Bruce Schneier is, among the technically and
cryptographically knowledgeable, arguably more influential than many
academics whose names might be more widely known in relation to
specific algorithms.  So when Schneier states, in the preface, that
cryptography is not "The Answer(TM)" to security, you have to take him
seriously.  He goes on, in the introductory chapter, to point out that
"The Answer(TM)" does not exist: securing complex systems is a hard
job purely because the systems are complex, and any easy answer is
bound to be wrong.  The price of digital reliability is constant
vigilance.  As such, don't come looking to this work for easy answers
or cookbook solutions.  What you will find is a solid introduction,
and more, to the problems you have to overcome to keep your
information safe, and some guidelines on how to go about the task.

Part one is an overview of the field of network operations with a view
to restricting some ideal definition of "secure" to a more achievable
goal.  Chapter two describes a number of digital threats (aside from
the mention of salami attacks, quite realistically) and points out
that none of the crimes are new, although the extreme of accessibility
is.  Various attacks, and various motivations, are reviewed in chapter
three.  The discussion of different types of adversaries, in chapter
four, provides a reasonable assessment of the whole range from script
kiddies to infowarriors, and compares relative levels of competency
and risk tolerance.  Chapter five outlines security needs and, again,
points out that all computer security measures have their origins in
physical security practices we all take for granted.

Part two looks at the various technology components of security and
security systems.  The writing in this section is a little more
mundane and less sparkling than other parts of the book, but the
material is reliable and convincing.  Chapter six is, of course, an
excellent primer on the basic concepts and applications of
cryptography.  The analysis is extended to "real world" limitations
and faults with encryption in chapter seven, including an intriguing
comparison of proprietary protocols and alternative medicine.  Chapter
eight discusses computer security in broad terms, but concisely
expresses concepts and models that many other books waste pages on
without ever making the fundamentals clear.  (It also provides some
amazing, and occasionally amusing, glimpses into the lack of security
in Microsoft's Windows.)  Authentication is described well in chapter
nine.  Chapter ten is oddly unstructured.  Entitled "Networked-
Computer Security" it starts off with viruses and malware, talks a bit
about operating system architecture, and ends up with some Web
insecurities.  While there are errors (particularly in the virus
section) most of the material is not really bad: it just seems strange
in comparison to the earlier chapters.  Network Security, in chapter
eleven, returns to the original level of focus, and explains various
concepts using TCP/IP as an example.  Chapter twelve takes a
depressing, but accurate, look at the major network security tools, as
well as making the important, though counterintuitive, point that
false alarms can be worse than no security at all.  Software
reliability gets a fairly standard treatment in chapter thirteen, and
much the same is true of hardware security in chapter fourteen.  As
might be expected, the coverage of certificates and the public key
infrastructure, in chapter fifteen, clearly sets forth all necessary
considerations and weak points to examine.  Technical books usually
have some catch-all chapters, but not all of them admit it up front.
Chapter sixteen touches on a number of tricks that people have relied
on to protect data, and uses devastating logic to point out why said
stunts don't work.  Finally, in chapter seventeen, we come to the
largest source of security problems, and the one we can't do anything
about: people.

The first two parts looked at problems.  Part three tries to present
some solutions, or at least approaches to solutions.  Chapter eighteen
describes the vulnerability landscape, and suggests following the
process of attacking a system, in order to identify how much security
is needed at certain points, and weak areas that may need to be
reinforced somehow.  (This is a far cry from the "how to hack" tools
lists of some of the more sensational "security" books, and much more
useful.)  Risk assessment, in chapter nineteen, is reasonable and
balanced, but not great.  Chapter twenty is disappointing, in that it
is entitled "Security Policies and Countermeasures" but concentrates
on a series of specific examples of good and bad security systems.
Elsewhere the book promotes the fact that without a policy you have no
security.  It therefore seems a bit of an abdication of the topic to
leave it without much discussion of the actual production of a policy.
Attack trees might be seen as yet another example of a tool more
useful to the security breaker than the sysadmin, but chapter twenty
one's explanation shows how it can structure the task of analyzing
protective measures.  This process is far more likely to succeed than
a vague injunction to secure everything, and this chapter alone
probably makes this work a "must have" for every security library.
Product testing, in chapter twenty two, deals mostly with how *not* to
evaluate software, and includes a good discussion of full disclosure
and the open source movement.  However, I can definitely sympathize
with the position of the latter part of the chapter: potential
security is pointless, what really counts is how secure a system is
when set up by the typical harried administrator.  The future is
usually left for last, but Schneier takes a solid look at likely
trends and paints an alarming, if not completely apocalyptic, picture.
Chapter twenty four supports one of the major theses of the book:
security is a process, not a product.  Therefore, the chapter provides
a set of guidelines, attitudes, points, and general principles to be
used in looking at security as a process.  The conclusion, in chapter
twenty five, seems to be that lots of people are trying to avoid their
proper responsibility for security, but the task is achievable.

Quite apart from the general readability of the text, Schneier has
ensured that the content and explanations are accessible to any
intelligent reader.  You do not need specialist training to understand
the concepts presented herein.  And the concepts encompass pretty much
everything to consider about security in a networked world.  This is
one of the very few books that I feel I can recommend without
reservation to a newcomer concerned about computer or communications
security.  It presents the situation clearly, with real explanations
of the dangers, but no overpromoted sensationalism.  If the volume
seems a bit long all I can say, with Schneier, is that security is
complex.  The book has very little wasted space.

I can also say that security professionals will not regret time spent
with it.  We tend to need more frequent reminding than teaching, and
the comprehensive coverage touches on many issues that are important,
but may be ignored as not always being urgent.  However, the book also
does an excellent job of explaining some specialty and esoteric
topics.  Hopefully "Secrets and Lies" will have a prominent position
on many security library shelves.

copyright Robert M. Slade, 2000   BKSECLIE.RVW   20001022


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
           A computer, to print out a fact,
           Will divide, multiply, and subtract.
            But this output can be
            No more than debris,
           If the input was short of exact.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#296 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Tue Aug 7, 2001 7:07 pm
Subject: REVIEW: "Computer Security Handbook", 1995, Arthur E. Hutt/Seymour Bosworth/Douglas B. Hoyt
BKCMSCHB.RVW   20010530

"Computer Security Handbook", 1995, Arthur E. Hutt/Seymour
Bosworth/Douglas B. Hoyt, 0-471-11854-0
%E   Arthur E. Hutt
%E   Seymour Bosworth
%E   Douglas B. Hoyt
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1995
%G   0-471-11854-0
%I   John Wiley & Sons, Inc.
%O   U$90.00 416-236-4433 fax: 416-236-4448
%T   "Computer Security Handbook, Third Edition"

Overall, this work appears to be strongly influenced from a time when
computers were mainframes locked in glass rooms, and the information
technology department was under the jurisdiction of accounting.
Although some effort has been made to address more recent topics, the
attempt is piecemeal at best, and quite limited in depth.

Part one looks at the responsibility of management in the security
concern.  The first essay, specifying the role of management,
certainly dates the work in the big iron era, defining security solely
from the perspective of availability.  Disclosure of information does
get a mention, but even the list of risks to be considered
concentrates primarily on malfunction or disaster.  A second paper
takes a rather vague look at policies and related documents, but is
backed up with a number of examples.  The review of risk analysis is
similarly nebulous, although it does have some potentially useful
tables of probable threats.  Optimism about the availability of
background information seems to surround the discussion of employee
policies, but some important basic principles are presented.  Legal
issues are dealt with briefly, but over a wide range of topics.  The
article on computer crime is not particularly realistic: as one
example, the examination of controls concentrates on provisions for
preventing programmers from installing logic bombs, but the case
studies actually cited as examples of the need for such controls were
perpetrated as fraud by those in positions of authority.

Part two outlines basic safeguards.  Disaster recovery is, again,
reviewed primarily from the mainframe perspective.  The principles may
be the same, but the important resources for a corporation probably
involve many more aspects than just a mainframe and data.  An overview
of insurance sounds very much like a sales pitch, although it does
divide the topic up by type of threat, and examines different factors
that can affect price and the willingness of the insurers to make good
on a loss.  (I was amused to note that the section on viruses
basically admits that vendors will use extraordinary interpretations
of standard wording to weasel out of paying.)  The chapter on auditing
appears to have been written solely from an accounting perspective,
and, while the points listed would be helpful in creating part of a
security policy, they address only those issues related to internal
fraud.  System application controls are discussed strictly in terms of
development cycles and ideas such as "total quality management" (TQM).

Part three moves to physical protection.  Hardware protection takes a
detailed look at internal error situations right down to the gate
level, as well as a more superficial examination of architecture
concerns and environmental problems.  Accidental calamities are also
the major emphasis in computer facility protection, although there is
some attention paid to the need to secure cabling.  "Monitoring and
Control Devices" presents theory behind surveillance and alarm
systems.

Part four starts to look into technical aspects of data security.  A
chapter on software and information security appears to have some
valid points to make (aside from the misinformation on viruses) but is
written in such a convoluted manner that most material must be read
several times to puzzle out the meaning.  An essay on records
retention has been retrofitted to become an examination of computer
data security.  The paper on encryption is extremely disjointed (for
example, dropping a discussion of network topologies into a purported
explanation of the RSA [Rivest Shamir Adleman] encryption algorithm),
and almost completely lacking in details.  A rather generic security
overview (with questionable virus information) is supposed to address
data communications and networking.  A grab bag of penetration
techniques and countermeasures provides some interesting prompts to
consider various attacks, but is not organized or complete enough to
fully cover the subject.  The chapter on viruses and related threats
is rife with errors, and confuses the various types of problems with
each other as well as with unverified speculation.

Part five deals with special protection issues.  Chapter twenty
suggests that you might want to be a little careful when dealing with
outside contractors.  While there is some disorganization, and a few
odd anachronisms, the paper on personal computers is much more
practical than most of the preceding material.  The essay on LANs
presents a primer on networks, and then a generic overview of
security, without an awful lot of relation between the two.  The
chapter on Internet security has some basic information, but is quite
disorganized.

Supplements are supposedly produced to update the work.  Some such
documents ask you to replace paragraphs and correct errors: others
offer additional sections to enhance the original essays.  In the 1997
supplement (ISBN 0-471-17297-9) there are some weak addenda for
auditing, encryption, and viruses, as well as a decent, though still
disorganized, extension to the Internet material.  There is also a
first rate examination of email privacy issues and a reasonable though
uninspired review of single sign-on.  When I contacted the publisher,
I was told that the 2000 supplement was still in the editorial stage.
In fact, so was the 1998 supplement!  So I wouldn't expect any updates
for the book in the near future.

Most of the material is fairly obviously old, and originally intended
to address topics applicable solely to mainframe computer
establishments, or even non-computerized systems.  Patchwork updating
is evidently an afterthought.  A great deal of material is repeated
many times over in different essays.  Generally the papers have little
detail or depth, so the recapitulations do not add much new content
each time.

There is useful material in the work, but it is difficult to abstract
the good from the outdated and mundane unless you are already quite
expert in the field.  The newcomer would be advised to get some basic
training or reading before attempting to deal with this work, but the
expert will be able to find some useful nuggets.

copyright Robert M. Slade, 2001   BKCMSCHB.RVW   20010530


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
This is not spam.           - the first sentence in most recent spam
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#297 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Aug 13, 2001 5:38 pm
Subject: REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed
BKISGFPD.RVW   20010605

"The Internet Security Guidebook", Juanita Ellis/Timothy Speed, 2001,
0-12-237471-1, U$44.95
%A   Juanita Ellis
%A   Timothy Speed tim.speed@...
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   2001
%G   0-12-237471-1
%I   Academic Press
%O   U$44.95 619-231-0926 800-321-5068 fax: 619-699-6380
%P   320 p.
%T   "The Internet Security Guidebook: From Planning to Deployment"

The introduction outlines some of the basic types of attacks that can
happen over the Internet, and seems to concentrate on attacks against
machines, rather than people or companies.  This emphasis on the
technical is odd, since the material provides very few technical
details, but does contain more than a little error and confusion.  The
text of the book doesn't mention a specific target audience, although
the jacket notes seem to promote the work to CEOs and other senior
executives.  Which is odd: the writing level seems more appropriate to
the home user.

Chapter one is an overview of security planning.  Most of the
important parts of preparation are included, but the chapter structure
and even the figures are very confusing.  There are many gaps in the
discussion of security reviews, and a number of odd and apparently
misplaced items have been inserted.  Encryption is covered
simplistically, and the lack of depth in the material becomes a
problem in the chapter on network security.  After twelve pages that
*don't* explain the Internet and OSI (Open Systems Interconnection)
models of networking, the text attempts to deal with a number of
Internet security tools, most of which rely on encryption and key
exchange.  There are frequent errors and the sections sometimes even
provide contradictory and nonsensical explanations, such as the
statement that "unencoded" means both "not encrypted" and "not as
plain text."  The basic outline of firewalls is better than is
provided in most general guides, although the description of circuit-
level gateways keeps referring to "stateful inspection" without ever
explaining what that is.  The long evaluation section is,
unfortunately, the usual for this type of book: it does provide most
of the right questions to ask, but doesn't give the novice reader much
help in analyzing the answers.  Authentication is a very important
topic in security, and it is too bad that the material on this subject
is so confused, and confusing.  I find it very difficult to reconcile
the statement that there are "very few examples" of biometrics with
the existence of a great many fingerprint, palm geometry, iris,
voiceprint, and even face readers.  The depiction of Kerberos is wrong
in some basic aspects, does not address the fundamental problems with
the Microsoft version, and does not relate in any way to the very
closely associated topic of single sign-on that immediately follows.

The discussion of PKI (Public Key Infrastructure) does do well in
covering the "build or buy" debate for a certificate authority.
Directory issues are not handled particularly well, and there are
other errors.  (Excuse me?  The Internet didn't exist before the mid-
1980s?)  The chapter on messaging security is a real grab bag of
topics, none of which, with the possible exception of acceptable use,
are covered in sufficient depth.  (Viruses and trojans get lumped into
this chapter, and the commentary is quite sloppy.)  The basic outline
of risk analysis, including threat, impact, and probability, is good,
but the supporting material is not quite standard, and probably not
very helpful to the target audience.  The chapter also fails to point
out the full scope of such an appraisal, as well as the importance of
looking at the aggregate risk.  On the other hand, the review of
policy and procedures hardly seems to address policy creation at all.
This is another miscellaneous compendium of vulnerabilities, diving
into specifics and missing the bigger picture.  The material on
incident response is generic, but does point out the foundational
concepts.  There is little detail, and the text does concentrate on
dealing with events by severity, rather than by type.  The book closes
off with an ordinary presentation on project planning.

I would be the first to admit that security can be a dry topic, and a
little humour can help to spice up the text.  However, I am willing to
make an exception in the case of this book.  The jokes added to the
text do nothing to improve it.  They are intrusive, distracting, and
do not, in any way, help the reader to understand the topics under
discussion.  Indeed, the attempts at comedy generally sidetrack the
reader from the central issues of the work, and simply confuse any
issue under discussion.

If this text is aimed at executive management, it definitely needs to
be tightened up and reorganized to eliminate duplicated material and
ensure the structure and arguments are easier to follow.  Many points
raised throughout the work are important, but a number of vital issues
are not addressed, and the patchwork of writing level and quality of
information probably means that this is unsuitable as an only
introduction to security.  The Internet, in fact, is not really a
major concern in this book, although it does get mentioned from time
to time.  I would have difficulty in suggesting a group that would
benefit from this book, although it might serve as an adjunct text to
the security planning process, if ideas were being culled from
multiple sources.

copyright Robert M. Slade, 2001   BKISGFPD.RVW   20010605


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Why should I care about posterity? What's posterity ever done for
me?                                                   - Groucho Marx
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#298 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Aug 20, 2001 6:42 pm
Subject: REVIEW: "SSL and TLS", Eric Rescorla
BKSSLTLS.RVW   20010607

"SSL and TLS", Eric Rescorla, 2001, 0-201-61598-3, U$39.95/C$59.95
%A   Eric Rescorla ekr@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-61598-3
%I   Addison-Wesley Publishing Co.
%O   U$39.95/C$59.95 416-447-5101 fax: 416-443-0948
%P   499 p.
%T   "SSL and TLS: Designing and Building Secure Systems"

The preface states, quite clearly, that this is a work for designers,
programmers, and implementors.  In other words, it's a very technical
book.  Even the preface, though, is written with a clarity that is
unusual, and refreshing, in technical literature.

Chapter one provides some background to communications security and
encryption.  The material is demanding, and is definitely not a
primer.  A number of items are glossed over, but the persistent reader
should be able to glean some very solid explanations of important
concepts.  The "family tree" of SSL (Secure Sockets Layer) is given in
chapter two, with a description of the development steps along the
way.  Chapter three outlines the basic, or most common, mode of SSL,
and then provides details about specific aspects of the algorithms and
data structures used at different points.  Various options and
extensions, for a number of functions, are described in chapter four.
The security of the SSL system itself, as opposed to the security it
provides for transactions, is thoroughly examined in chapter five.
Chapter six is an examination of performance issues, and the ways in
which execution can, and can't, be improved.

SSL is, of course, only a protocol and not a full application.  Design
considerations for effective use within a system are detailed in
chapter seven, and sample C and Java code for effecting the operations
is given in eight.  SSL was designed for, and is most widely used
with, HTTP (HyperText Transfer Protocol), and chapter nine details the
requirements and difficulties of using the system to secure Web
communications.  Chapter ten uses SMTP (Simple Mail Transfer Protocol)
as an example of the use of SSL to protect other communications
operations.  Finally, Rescorla compares SSL to the major competing
systems of IPsec, S-HTTP (Secure HTTP), and S/MIME.  (It is nice to
see that the author identifies his own potential bias in the debate.)

This book is aimed at a technical audience, and members of that group
will undoubtedly welcome it.  However, the lucid presentation, and
range of security concepts covered make this a useful reference for
many others.  Those involved in online commerce and the necessity to
secure transactions over insecure links will find solid discussions
addressing those issues.  Security analysts and practitioners may be
challenged to look into the internals of systems generally examined
only at a superficial level.  And anyone interested in the security of
the Internet will find a clear and fascinating review of its
underpinnings.

copyright Robert M. Slade, 2001   BKSSLTLS.RVW   20010607


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The optimist sees the glass as half full.
The pessimist sees the glass as half empty.
The engineer sees that the glass was twice as large as necessary.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#299 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Mon Aug 27, 2001 8:08 pm
Subject: REVIEW: "Information Security Management Handbook", Harold F. Tipton/Micki Krause
BKINSCMH.RVW   20010609

"Information Security Management Handbook", Harold F. Tipton/Micki
Krause, 2000, 0-8493-9829-0/0-8493-0800-3, U$155.00
%E   Harold F. Tipton haltip@...
%E   Micki Krause Micki.Krause@...
%C   2000 Corporate Blvd. NW, Boca Raton, FL   33431
%D   2000
%G   0-8493-9829-0, 0-8493-0800-3
%I   Auerbach Publications
%O   U$155.00 800-272-7737 auerbach@... slinton@...
%O   available separately 0-8493-9829-0 $95.00 0-8493-0800-3 $59.95
%P   2 vol., 711 p. + 626 p.
%T   "Information Security Management Handbook, Fourth Edition"

As an overview for the CISSP (Certified Information System Security
Professional) CBK (Common Body of Knowledge), this work covers a vast
range of topics.  The CBK, and the book, is divided into ten domains,
covering access control systems, telecommunications, security
management, systems development, cryptography, security architecture,
operations security, business continuity, law and ethics, and physical
security.  The text provides some excellent articles, some of which
are general but detailed overviews, and others that address particular
problems or new technologies.  However, even with fifty-nine articles
and over thirteen hundred pages there are gaps, some surprisingly
basic.

The quality of the articles can vary widely.  The first essay, on
biometrics, provides an admirable review of the subject, as well as
some solid, practical, and useful detail information.  The next paper
is a rather odd treatment of single sign-on, addressing the concepts
well, but in a disjointed manner that makes reading or studying
difficult.  Following those comes a paper ostensibly dealing with
securing connections to external networks.  It collates some generic
and vague descriptions of a variety of topics, none of which are
particularly informative or reliable.  (A two-page section on computer
viruses contains numerous glaring and significant errors.  Personally,
I continue to find it appalling that general security texts deal so
poorly with this topic.)

Other areas covered are firewalls (terse), perimeter security for the
Internet (again, but this time with excellent technical information on
TCP/IP specifics), extranets (doctrinaire), firewall management (very
useful for planning), the OSI (Open Systems Interconnections) network
layer security model (questionable utility), the OSI transport layer
security model (not much better), application layer security
(interesting but undetailed), communications and security protocols
(broad overview, concise but fills in some common gaps), security
awareness training (reasonable points for success), security
architecture (brief but basic), IPsec (good overview), risk analysis
(thorough but perhaps a trifle pedantic), trade secret protection (an
interesting twist), information security for healthcare (a tad verbose
and US-centric), security for object-oriented databases (listing
proposals), fundamentals of cryptography (very clear explanations of
the math involved), key management (great review of principles, and
amusing anecdotes from history of the *wrong* ways to manage keys),
Kerberos (extensive coverage of both details and concepts), PKI
(Public Key Infrastructure, a quick guide to the basics),
microcomputer and LAN security (good concepts, overly optimistic,
oddities in details), trapping intruders (quick concepts), Java
security (quick basics), business continuity planning (a new process),
restoration after disaster (general review), computer crime
investigation (good coverage of many aspects), Internet ethics
(emphasis on privacy), jurisdictional issues (miscellaneous),
intrusion detection (concepts and evaluation points), single sign-on
(opinion this time), authentication services (concepts and amusing
overview), email security (concept review), ATM (Asynchronous Transfer
Mode) security (without really discussing security), remote access
(background fundamentals), sniffers (concepts and details), enclaves
(firewalls within), IPsec (good details), penetration testing (very
basic policies), policy (some good points but quite random), the
security business case (opinion), PeopleSoft security (as for any
major database), World Wide Web application security (reiteration of
general security planning with a few Web specifics), common system
design flaws (an important set), data warehouses (standard system
development advice with limited security relevance), PKI (simplistic),
introduction to encryption (a good one), new models for cryptography
application (useful for planning), cryptanalysis (decent review of
terminology), message authentication (detailed), UNIX security
(concepts and tools), hacker tools (not very detailed), malicious code
(theoretical and incomplete), business impact assessment (after Y2K),
computer crime investigation (document everything), computer incident
response teams (CIRTs, vague), intrusion detection (vague and
repetitious), and operational forensics (retain evidence and data).

Observant readers will have noted a fair amount of duplication in that
list.  In fact, the reiteration of content is worse than appears here,
since many topics rely on others, and certain basic ideas (Kerberos
operations, the Diffie-Hellman public key system, and risk management,
for three examples) recur in a variety of other discussions, with
differing levels of detail.  As in any work this size a number of
outright bizarre mistakes have occurred, like the table showing the
file structure of an authentication database, which has been swapped
with the structural diagram of a completely different authentication
system.

This is the closest thing there is to a textbook for the CISSP exam.
It is fairly easy to see which sections have been reproduced in the
ISC(2) (International Information System Security Certification
Consortium) course (in some cases complete down to specific errors).
Intriguingly, there are sections of the course that previously were
covered by the third edition, and which do not appear in any
significant form in this work.  (An example is the discussion of the
standard formal security models, such as Bell-La Padula and
Clark-Wilson.)

It should be noted that there is a significant difference in character
between the two volumes.  The first volume deals with topics that are
closer to the heart of security, and the essays are generally more
valuable to the practitioner.  Volume two contains papers over a wider
range of subjects, many of which (with the notable exception of the
pieces on cryptography) have little or no relevance to security beyond
fundamental concerns that are well covered elsewhere.  Book one will
be useful to the CISSP candidate and any specialty security worker:
book two may be of interest to a narrower group of senior security
executives and theorists, and, ironically, a wider audience of those
interested in newer technologies in general.

The quantity of good information that is contained in the work is
definitely worth the price, but there could easily be a wholesale
pruning of deadwood.

copyright Robert M. Slade, 2001   BKINSCMH.RVW   20010609

rslade@...  rslade@...  slade@... p1@...
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
         Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Review mailing list: send mail to techbooks-subscribe@egroups.com
Viruses Revealed (forthcoming) http://viruses-revealed.org.uk or
                      http://www.amazon.com/exec/obidos/ASIN/0072130903

#300 From: "Rob Slade grandpa of Ryan Trevor Pride & Joy" <rslade@...>
Date: Tue Sep 4, 2001 3:57 pm
Subject: REVIEW: "Learning XML", Erik T. Ray
BKLRNXML.RVW   20010708

"Learning XML", Erik T. Ray, 2001, 0-596-00046-4, U$34.95/C$51.95
%A   Erik T. Ray
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   0-596-00046-4
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$51.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   350 p.
%T   "Learning XML: Creating Self-Describing Data"

XML (eXtensible Markup Language) is currently being seen as the cure
for all the ills (and incompatibilities) of the Web, and, by extension
(sorry), for information technology as a whole.  Why this might
happen, and how XML might be used, is not often made clear.

Chapter one is enthusiastic and up-beat--but not very specific.  We
are told that XML allows you to describe data, and to create new data
structures, but then again, pretty much every computer language ever
invented does the same thing.  We are told that it performs functions
similar to SGML (Standard Generalized Markup Language) and that, in
fact, XML is a reduced version of SGML, but we are not told why SGML
was too big, nor what we might be giving up in moving to XML.  We are
not given any useful example of what we might do with XML: in fact,
the only realistic example in the chapter uses MathML (Math Markup
Language).  And the chapter ends by basically outlining the fact that
nobody really supports XML yet.

Chapter two provides clear examples of XML syntax and requirements,
but only at a basic level.  (For example, does the use of compound
documents help with the use of multiple namespaces, or just make the
problem worse?)  There is, finally, an example of real XML using the
Barebones DocBook application.  Links are dealt with in chapter three.
XLink is clear, though brief, with recognizable definitions of HTML
image and anchor tags.  The explanation of XPointer is more confused,
and the section concludes with an example of strict XHTML (eXtensible
HyperText Markup Language) which doesn't seem to fit the topic at all.
Presentation and stylesheets are covered in chapter four,
concentrating on the Cascading Style Sheets (CSS) model.  Chapter five
examines two types of document models, spending most of the time
explaining DTDs (Document Type Definitions) and then briefly looking
at XSchema.  While transformations are supposed to be the topic of
chapter six, the point is not really clear, and the text seems to deal
primarily with XSLT (eXtensible Stylesheet Language for
Transformations) simply as a special case of XSL (eXtensible
Stylesheet Language).  Internationalization is limited to the fact
that you can specify encoding and language, in chapter seven.  Chapter
eight, on programming for XML, contains Perl code for a parser and
syntax checker.

This book is a good introduction to XML, and the various related
technologies.  It is difficult to say that, by the end of the work,
you will actually have learned XML, but that has more to do with the
current amorphous state of the technology than any fault in writing.

copyright Robert M. Slade, 2001   BKLRNXML.RVW   20010708



======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
  If you're not part of the solution, you're part of the precipitate
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#301 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Sep 17, 2001 11:44 pm
Subject: REVIEW: "XML in a Nutshell", Elliotte Rusty Harold/W. Scott Means
BKXMLNSH.RVW   20010715

"XML in a Nutshell", Elliotte Rusty Harold/W. Scott Means, 2001,
0-596-00058-8, U$29.95/C$43.95
%A   Elliotte Rusty Harold elharo@...
%A   W. Scott Means smeans@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   0-596-00058-8
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$43.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   480 p.
%T   "XML in a Nutshell"

As usual, the Nutshell book contains pretty much all you need to know
about XML, the eXtensible Markup Language.

Part one covers XML concepts and basics, with an introduction, the
fundamentals of XML structure and syntax, an outline of document type
definitions (DTDs), a review of the idea of namespaces for definition
sharing, and a look at the provisions for internationalization.  The
material is clear: it may be sparse in some places, but anyone with an
intermediate technical background should be able to follow the theory.
Part two explains XML from a narrative document perspective, starting
with a very lucid explanation of the conceptual roots in SGML
(Standard Generalized Markup Language) and then moving to the new
protocols with XHTML (eXtensible HyperText Markup Language), XSL
(eXtensible Stylesheet Language) for style sheet creation and XSLT for
document transformations, XPath for compound documents, XLinks for
link definition and creation, XPointer (a kind of search function for
non-indexed documents), and CSS (Cascading Style Sheets) and XSL for
document output.  Non-narrative, or data oriented, documents are
explained in Part three, with reviews of XML as a data format,
programming models, the Document Object Model (DOM), and SAX (the
Simple API [Application Programming Interface] for XML).

All of this material is, in a sense, mere preface.  The heart of the
books of the Nutshell series is the reference section.  Still, the
foregoing chapters are definitely useful for anyone starting out with
XML, since XML is subject to a great deal of hype, and not very much
hard explanation.  Parts two and three, particularly, help to sort out
the various pieces of the XML puzzle.

Part four, though, is up to the usual Nutshell reference standard,
with chapters on XML 1.0, XPath, XSLT, DOM, SAX, and the various
character sets, including Unicode.

For those working with XML, a valuable resource, and for those starting
out, an invaluable guide.

copyright Robert M. Slade, 2001   BKXMLNSH.RVW   20010715


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
To the man who only has a hammer, everything he encounters begins
to look like a nail.                             - Abraham H. Maslow
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#302 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Sep 25, 2001 1:07 am
Subject: REVIEW: "Microsoft Encyclopedia of Networking", Mitch Tulloch
BKMSENNT.RVW   20010723

"Microsoft Encyclopedia of Networking", Mitch Tulloch, 2000,
0-7356-0573-4, U$79.99/C$115.99/UK#51.99
%A   Mitch Tulloch info@... www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2000
%G   0-7356-0573-4
%I   Microsoft Press
%O   U$79.99/C$115.99/UK#51.99 800-6777377 www.microsoft.com/mspress
%P   1470 p. + CD-ROM
%T   "Microsoft Encyclopedia of Networking"

The scope of the encyclopedia is stated to cover networking concepts,
the Internet, and Microsoft products.  The primary audience is novices
pursuing the MCSE (Microsoft Certified Systems Engineer) designation.

The Microsoft orientation and bias is evident from the very first
page.  The redirection (>) and pipe (|) symbols are defined only in
terms of MS-DOS and Windows, with no mention that they originated in
UNIX, "access control" (a generic security term) is defined in terms
of Windows NT and 2000, and clustering (invented by Digital Equipment
Corporation and used much more extensively in VAX and Linux systems
than it ever has been in Microsoft products) is defined in terms of a
Windows NT product.  Impersonation is defined only in terms of
assisting Win NT and 2K client/server communication, which is
startling in view of the importance of impersonation as a security
exploit.

A number of entries have little apparent function.  There are, for
example, fifteen listings for variant flavours of Ethernet, and these
items seem to describe only different vendor products.  In addition,
there is a great deal of repetition, fluff, and padding in the
writing.  The text often says the same thing over again in a slightly
different way, but this neither develops the topic, nor really assists
the novice user in understanding complex subjects.

Basic networking concepts are covered and, generally, the material is
reasonable, if uninspired.  However, a number of the fundamental ideas
are covered in such a way that the newcomer will not gain a full
understanding of the idea.  In many cases it is difficult to say that
the explanation is in error, but the abstraction could certainly have
been presented in a better way.  "Bursty" traffic, for example, is
described in terms of transferring video files, and any self-
respecting MPEG is going to be big enough to occupy a pipeline with
less capacity than an OC-192 for longer than a mere "burst."

While many entries are longer than the paragraph or two one might
expect from a dictionary, the content doesn't deliver much more
information.  Frame relay, for example, is described in terms of
packet switching, but there is nothing to say what differentiates the
two technologies.

Having written books myself, I can sympathize with some errors, like
the statement that a 56-bit key "allows for approximately 7.2 x 1016
possible keys."  (The real number would be closer to 10 to the 16th
power.)  Then there are the statements that "28 = 256" and "216 =
65,536."  Again, the error in typesetting is fairly obvious.

There are also surprisingly few cross-references in the listings.
This contributes to the difficulty novice users might have with the
book.  The lack of references is the more unexpected when you note
that entries that would clarify articles do exist, in most cases: they
simply aren't mentioned where they are needed.

As one has come to expect from a Microsoft product, security and
privacy concerns are downplayed at every turn.  The best possible
construction is put on issues such as Authenticode and cookies.
Again, while the descriptions are not necessarily erroneous, counter-
examples are easily generated.  A cookie, for example, cannot give out
your email address, as the book says.  Unless, that is, you have input
your email address to a Website, and the site has stored the
information in a cookie.  This is a fairly common occurrence.

The entry for virus is pretty appalling.  It averages slightly more
than one error per sentence for a page and a half, starting with the
assertion that a virus is "[a]ny piece of code that is deliberately
written to cause damage or annoyance to computer users on a network."

(Why is a Canadian giving the French sole credit for the development
of X.25?)

Would this book help someone study for the MCSE?  Probably.  One of
the major difficulties in writing the exam is clearing your mind of
how things work in the real world, and sticking to the Microsoft
terminological party line.  Would it help anyone else?  Possibly, but
there are many other, much better works: more complete, readable, and
reliable.  The "Microsoft Press Computer Dictionary" (cf.
BKMSCMDC.RVW) is much better: a fairly solid reference over a wide
range of issues.  It is unlikely that anyone with more than a passing
acquaintance with networking will find much of value in this
encyclopedia.

copyright Robert M. Slade, 2001   BKMSENNT.RVW   20010723


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I finally realized why Windows is truly multitasking.  I find
myself keeping some secondary task (like ... mail) handy so I can
make good use of the time I spend waiting for Windows.
-Steve Edelson
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#303 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Oct 2, 2001 3:44 pm
Subject: REVIEW: "McGraw-Hill Encyclopedia of Networking and Telecommunications", Tom Sheldon
BKMHENNT.RVW   20010725

"McGraw-Hill Encyclopedia of Networking and Telecommunications", Tom
Sheldon, 2001, 0-07-212005-3, U$69.99/UK#51.99
%A   Tom Sheldon http://www.linktionary.com tsheldon@...
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2001
%G   0-07-212005-3
%I   McGraw-Hill Ryerson/Osborne
%O   U$69.99/UK#51.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P   1447 p. + CD-ROM
%T   "McGraw-Hill Encyclopedia of Networking and Telecommunications"

This is a worthy reference.  The listings cover the topic, and the
descriptions are reliable.  If explanations are not always of
specialist level, that is only to be expected.  This is an
encyclopedia, not a specialty tome.

No bias is detectable either for or against any particular vendor or
operating system culture (with the possible exception of frequent
citations to the Google search site).  A number of specific products
and companies are listed (or discussed in related entries), but the
items included are important, and it would be difficult to identify
any left out that should have been incorporated.

The explanations are clear, easily understandable without a
significant technical background, and concentrate on fundamental
concepts.  Related entries are listed, sometimes quite extensively,
although there is no indication (such as the use of italics or a
special typeface) when a term used in one listing is defined
elsewhere.  The writing itself is easy to follow, and there is enough
humour to lighten the reading load without detracting from the issues
under discussion.

The material is not deep, in most cases.  There is, for example, a
gloss over the creation of MS-DOS outside of Microsoft, as well as the
origins of SGML (Standard Generalized Markup Language) in the earlier
GML (Generalized Markup Language).  In the latter case, this
simplification means that the importance of function, in generalized
markup, is submerged in the discussion of formatting.  However, an
encyclopedia, and a networking encyclopedia, at that, is usually seen
as giving a "once over lightly" precis of a subject, so a lack of
profundity is not to be disparaged.

A fairly important aspect of the work is the inclusion of Internet and
Web references for further research.  Of course, many books nowadays
contain Web references, but Sheldon has included some very important
and valuable resources.  There are also a substantial number of
citations, frequently half a dozen or more in a single article.  In
many books, this many URLs (Uniform Resource Locators, page 1293)
would indicate an attempt to pad material without doing research, but
the listings in this work were obviously chosen with care.  Most point
to established organizations, increasing the probability that the URLs
will still be good by the time the book makes it into print.  There
are also frequent directions to the Linktionary site, which also acts
as an update reference.  (Unfortunately, as of this writing, the site
is not fully available.  When the site is complete, considerable
material that was excised from the print version will be added back.)

I could quibble about certain items, but the points would be petty.
In common with most technical security people I would object to the
assertion that an attacker is "commonly called a hacker."  In fact,
the entry on page 84 uses the phrase twice in one paragraph.  But when
you start complaining about that level of detail, you know that there
isn't much to criticize.  (The article on "Hacking and Hackers" gives
more balance, in any case.)

The entry for virus is short, but at least doesn't make any serious
errors.  And, in a general text, that appears to be quite an
accomplishment.

The end pages of the book contain praise from an extensive fan club.
Overall, this acclaim is justified.  The book is a very useful
resource, suitable for any level.  The novice will find introductions
to a variety of topics, with basic but reliable explanations.  The
professional will find starting points and further resources for a
variety of technologies that may lie outside their area of particular
expertise.  The material is quite up to date: surprisingly so, given
the scope of the work.  The similarly sized, CD-ROMed, and priced
"Microsoft Encyclopedia of Networking" (cf. BKMSENNT.RVW) does not
compare in range of topics, quality of research, or depth of coverage:
Sheldon wins on all counts.  I have no reservations about recommending
this work as a useful communications reference.

copyright Robert M. Slade, 2001   BKMHENNT.RVW   20010725


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
A new idea is delicate. It can be killed by a sneer or a yawn; it
can be stabbed to death by a quip, and worried to death by a
frown on the right man's brow.                      - Charlie Brower
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#304 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Wed Oct 10, 2001 3:54 pm
Subject: REVIEW: "The CERT Guide to System and Network Security Practices", Julia H. Allen
BKCGSNSP.RVW   20010728

"The CERT Guide to System and Network Security Practices", Julia H.
Allen, 2001, 0-201-73723-X, U$39.99/C$59.95
%A   Julia H. Allen
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-73723-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   447 p.
%T   "The CERT Guide to System and Network Security Practices"

The preface states that the intended audience for this work is the
mid-level system and network administrator.  Actually, it uses the
plural, giving the first indication that this text is only intended
for those working in very large organizations.  Chapter one is an
overview of the structure of the book, along with a listing of some
other resources, and a few general security definitions.

Part one deals with securing or hardening computers against attack.
Chapter two lists good practices for servers and workstations,
providing basic guidelines.  There is something of a detailed
breakdown of these conventions, as well as considerations that might
be useful in policy discussions.  However, these are not procedures,
and there is very little in the way of system detail.  The reader is
advised to limit services running on computers.  This is a good
practice, but there is nothing to indicate how to find out what
services are running, nor how to limit or eliminate them once they are
found.  A number of assumptions have been implicitly made, for example
about centralized administration policy, so even the material that is
included may not be suitable for all environments.  The explanations
are reasonable, but rather pedestrian, and there is a great deal of
duplication of material (the sections dealing with limiting services
running on servers and workstations, for example, are almost
identical.)  Much the same is true of securing public web servers, in
chapter three.  Some material is quite specific (specifying the Common
Log Format, CLF, for activity files) while other recommendations are
vague.  Deploying firewalls, in chapter four, is a bit different, in
that it does contain some explanation of firewall types and
architectures.  Unfortunately, this text is very brief, and is padded
out with unilluminating illustrations.

Part two examines intrusion detection practices.  Chapter five covers
the preparation and setup of intrusion detection, chapter six the
actual detection of intrusions, and chapter seven outlines responses
to intrusions.  Overall, part two is more useful than part one, since
intrusion detection is a newer field, and general concepts are still
helpful even if specific details are lacking.

Given the complaints I have made about the lack of details, some will
respond that I have, heretofore, ignored the fact that there are two
appendices in the book, dealing with security implementations and
practices.  True, these documents exist.  In terms of the security
implementations, if you are using Solaris 2.x, Tripwire, Logsurfer,
and Snort, the additional material may be very useful.  Otherwise, it
still doesn't address the lack of specifics in the book.

This work does provide the security specialist, faced with
responsibility for policy creation or maintenance, a handy set of
checklists and some framework for the policy process.  Use of the text
will help remind the professional of areas to be addressed, and
prevent certain aspects from slipping between the cracks.  The
advanced and experienced system administrator may also benefit from
the volume, since he or she will likely already know system specifics
for a number of the functions required, and probably has some idea of
where to find information about others.  However, intermediate
sysadmins, with an "engineer" level certificate and a few years' work
experience, are unlikely to know the details of security operations
that have, usually, been seen as a specialty area.  Therefore, the
audience which will find this book to be useful is a rather narrow
one.

copyright Robert M. Slade, 2001   BKCGSNSP.RVW   20010728


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
   Inside some of us is a thin person struggling to get out,
   but he can usually be sedated with a few pieces of chocolate cake.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#305 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Oct 16, 2001 7:57 pm
Subject: REVIEW: "Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker
BKVR.RVW   20011013

"Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker, 2001,
0-07-213090-3, U$39.99
%A   Robert M. Slade rslade@..., rslade@..., p1@...
%A   David Harley harley@..., macvirus@...
%A   oh, yeah, and Urs Gattiker, too
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2001
%G   0-07-213090-3
%I   McGraw-Hill Ryerson/Osborne
%O   U$39.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%O   (the authors are from Canada, the UK, and Denmark, but do we get
%O    prices in CDN$, pounds, or kroner?  Nooooooooo.  Of course, you
%O    could order it from Chapters.ca for C$63.95, but it'll take two
%O    weeks for them to get it ...)
%P   700 p.
%T   "Viruses Revealed"

The International Institute for Fashion and Other Really Nasty Things
today announced the winner of the 2001 Award for the World's Ugliest
Book Cover.  "Normally, we wouldn't announce a winner until next
spring some time," said Frederick Krueger, the Institute's president,
"but with the release of `Viruses Revealed,' there really isn't room
for any competition."

Spokespeople for Osborne/McGraw-Hill would not speak for attribution,
but one did admit that they were pleased with the award.  "We said we
were going for `bold' and `eye-catching,' but our real target was to
produce that sick-to-your-stomach flu feeling, to give people a real
virus queasiness.  It's nice to know we succeeded."

Security specialists were equally quick to comment on the contents of
the work.  "What a thick book!" said David Chess.

"Da- I mean, darn it, where are the taxonomies?" said Winn Schwartau,
author of "Internet and Computer Ethics for Kids."  He also promised
to give us his *real* reaction "as soon as I get rid of the best of
these rugrats."

"I think more time should go by between Slade's books." - Larry
Bridwell

"How come my work didn't get mentioned?" - sarah gordon

"read it" - A. Padgett Peterson

"Should be `reviled'." - PGN

"A mythic work!  No, sorry, that should be `mythical'." - Jeff Crume

"Why are these guys misusing my name?" - Gene Spafford

"Makes a great doorstop." - Tom Sheldon

"Oooh, a foreword from spaf!" - David Chess (no relation)

"Fills an unneeded gap." - Fred Cohen

Misinformation about semi-recent viruses can be found at
http://www.osborne.com/virus_alert/, while marketing hype is available
at http://victoria.tc.ca/techrev/vrupdate.htm and
http://sun.soci.niu.edu/~rslade/vrupdate.htm.  Some real links can be
found at http://www.sherpasoft.org.uk/viruses-revealed/.

copyright Robert M. Slade, 2001   BKVR.RVW   20011013


======================
rslade@...  rslade@...  slade@... p1@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2 800-SPRINGER
"Viruses Revealed"                                      0-07-213090-3
============= for back issues:
[Victoria Freenet] site http://victoria.tc.ca/int-grps/books/techrev/
                      or http://www.victoria.tc.ca/techrev
                      or http://victoria.tc.ca/techrev
              an alternate site has been provided by CuD and NIU at:
                         http://sun.soci.niu.edu/~rslade/
AV contacts   : [Victoria Freenet]mnvr.htm
list, reviews,: [Victoria Freenet]quickref.htm
review FAQ and: [Victoria Freenet]avrevfaq.htm
AV tutorial   : [Victoria Freenet]mnvrcv.htm
                 http://csrc.ncsl.nist.gov/virus/virrevws/
                 ftp://ftp.cs.ucr.edu/pub/virus-l/docs/reviews
Viral Morality: http://www.bethel.edu/Ideas/virethic.html
PC Security:    [Victoria Freenet]mnvrrvsc.htm
Security Dict.: [Victoria Freenet]secgloss.htm
Comp Sec Wkly:  http://www.suite101.com/welcome.cfm/computer_security
Book reviews:   [Victoria Freenet]mnbk.htm
                 [Victoria Freenet]review.htm
                 http://www.webwaves.com/books/slade
                 ftp://x2ftp.oulu.fi/pub/books/slade
                 http://mag.mechnet.com/mne/books/reviews/slade/
                 gopher://gopher.technical.powells.portland.or.us:70
                 http://www.utexas.edu/computer/vcl/bkreviews.html
Partial/recent: http://www.eGroups.com/list/techbooks/
Review mailing list: send mail to techbooks-subscribe@egroups.com
Book columns:   [Victoria Freenet]mnbkc.htm
Freebie Mags:   [Victoria Freenet]magazine.htm
RobertS Rules of Int. Order: http://www.techbabes.com/zine/rules.html
                 http://www.brandonu.ca/~ennsnr/Resources/order.html

#306 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Oct 22, 2001 3:53 pm
Subject: REVIEW: "Dictionary of Internetworking Terms and Acronyms", Cisco Systems
secgloss
BKDCINTA.RVW   20010729

"Dictionary of Internetworking Terms and Acronyms", Cisco Systems,
2001, 1-58720-045-7, U$12.95/C$19.95
%A   Cisco Systems, Inc. wblack@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2001
%G   1-58720-045-7
%I   Cisco Press/Macmillan Computer Publishing (MCP)
%O   U$12.95/C$19.95 800-858-7674 317-581-3743 info@...
%P   412 p.
%T   "Dictionary of Internetworking Terms and Acronyms"

The first thing that strikes you is that the dictionary is very
complete.  It is certainly fatter than the free glossaries that
vendors used to throw around as giveaways.  So complete, that a lot of
minor variations on a theme are included.  However, while the terms
encompassed in the book do cover a wide range, a number of listings
are missing.  As an example, "Newton's Telecom Dictionary," (cf.
BKNTTLDC.RVW) has 142 records in "X," where the Cisco work has 31, and
most of the Newton explanations are considerably more informative.
The preponderance of the entries in this volume are acronyms.

The entries are generally quite short, and frequently fail to explain
the phrase or technology under consideration.  Many acronyms are
merely expanded, with no attempt to define the resulting expression.
There does not seem to be any standard as to whether a definition, if
it is provided, is given with the acronym or the expanded phrase.

There are cross-references, but very few, and many of them don't work.
"24th channel signalling" points to "2G mobile network," but the
latter entry contains no reference at all to the former phrase.  This
example is far from being an isolated case.

That ActiveX is said to be a "superset" of Java would come as a
considerable surprise to both Microsoft and Sun, and, given the
radical differences in the two systems, to anyone who has the
slightest familiarity with both applet styles.

The entry for cookie defines what it is, but says nothing about use or
purpose.  The virus definition is technically correct, but is academic
and restrictive.  One entry says, in its entirety, "remote alarm
indication - yellow alarm."  A number of listings would have
benefitted from a slight review by someone more familiar with English:
one tells us that satellite communication has "a cost that is not
related to distance between earth stations, long bandwidth delays, or
broadcast capability."

Ultimately, this material is neither helpful nor reliable.  There are
many other, better, resources, such as Petersen (cf. BKDTTLDC.RVW),
Weik (cf. BKCMSTDC.RVW), Shnier (cf. BKCMPDCT.RVW), the aforementioned
Newton, Microsoft (cf. BKMSCMDC.RVW), and good old FED-STD-1037C (cf.
BKGLTLTM.RVW), which can even beat it on price.

copyright Robert M. Slade, 2001   BKDCINTA.RVW   20010729


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Teaching should be such that what is offered is perceived as a
valuable gift and not as a hard duty.              - Albert Einstein
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#307 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Oct 25, 2001 4:14 pm
Subject: REVIEW: "Computer Telephony Encyclopedia", Richard Grigonis
secgloss
BKCMTLEN.RVW   20010807

"Computer Telephony Encyclopedia", Richard Grigonis, 2000,
1-57820-045-8, U$39.95
%A   Richard Grigonis ctencyclopedia@...
%C   12 West 21 Street, New York, NY 10010
%D   2000
%G   1-57820-045-8
%I   CMP Media
%O   U$39.95 212-691-8215 1-800-LIBRARY fax 212-691-1191
%P   563 p.
%T   "Computer Telephony Encyclopedia"

Most of the time, the introduction talks something about the book, or
possibly gives an overview of the topic.  In this work, the preface
tells us, at rather astonishing length, of the life of one Richard
("Zippy") Grigonis, particularly as it centres around his getting
hired as writer and editor for "Computer Telephony" magazine.  A
significant fact in the life (and, presumably, budget) of this
periodical was an annual trade show.  These facts behind his
employment may explain a good many aspects of this book.

For example, a writer, faced with the constant need to fill space, may
opt for certain shortcuts, particularly if one is also the editor.
Opinions, debates, and information about products are all valid
material for trade journals, but there must be a constant temptation
to embrace the marketing side of the sources.  The egos of corporate
executives can provide a never-ending fount of quotes, and product
placement (complete with space-filling pictures) can even help sell
advertising (and booth) space.  Eventually one can convince oneself
that the elimination of technical information, detail, and analysis is
irrelevant to the undertaking.

This book has miscellaneous entries to do with computers and
telephony, although relatively few really centre on computer/telephony
integration.  The material isn't very technical, and most of the space
deals with the business and industry, in one form or another.  The
respective articles on the competing technologies of ActiveX and Java
make some basic points, but profoundly fail to deal with the
underlying concepts, in addition to being heavily biased in favour of
Microsoft.  The listings are padded out with attempts at humour, lots
of interview style quotes, and a great many company or product
references.  The essay on CompactPCI, for example, contains one page
of information on the bus itself, and twenty pages of a sort of
catalogue.  (In fact, the paper on computer telephony itself, even
with product inclusions, is only two thirds as long, although it is
backed up with a seventy page chart of CT boards.)  It doesn't read
like an encyclopedia: it reads like a compilation of superficial
magazine articles.

The topic of humour deserves some attention.  Grigonis is obviously
trying to emulate his employer and mentor, Harry Newton.
Unfortunately, Grigonis lacks not only Newton's sense of the absurd,
but also Newton's extensive knowledge of the technology.  Therefore,
while Newton knows whereof he makes fun, Grigonis is simply filling
space, and distracting from the issue at hand.

For all its faults, the book still may be useful to those seriously
interested in computer telephony.  Even with the high volume of filler
material, five hundred pages of dense type still has to hold some
information.  The technology is poor, but the corporate and product
data is reasonably broad, although it will date fast, in a rapidly
changing industry.

copyright Robert M. Slade, 2001   BKCMTLEN.RVW   20010807


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Sometimes I worry about being a success in a mediocre world.
                                                        - Lily Tomlin
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#308 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Oct 29, 2001 4:00 pm
Subject: REVIEW: "Malicious Mobile Code", Roger A. Grimes
secgloss
BKMLMBCD.RVW   20010814

"Malicious Mobile Code", Roger A. Grimes, 2001, 1-56592-682-X,
U$39.95/C$59.95
%A   Roger A. Grimes roger@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   1-56592-682-X
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$59.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   522 p.
%T   "Malicious Mobile Code: Virus Protection for Windows"

I have to admit to a very definite bias.  My co-authors and I have
just finished a book that attempts to provide up to date virus
protection information to sysadmins.  As I understand it, ours will be
printed about three weeks after this one.

I also have a problem with the title.  Grimes appears to be trying to
carve himself out a niche by promoting a term that nobody else is
currently using.  And the subtitle should more properly be, "Risk
Mitigation for Microsoft Software."  However, if you are using
Windows, there is a good deal of information in this book that, with
some diligence and additional work on your part, can help improve
your security.

Grimes starts off the book by listing some fallacies that we have
always believed.  "You can't get a virus by simply reading an email."
(OK, Microsoft has amply demonstrated that they've added virus
capabilities to their mail software.)  "Malicious code can't harm
hardware."  (Well, quibbles about terminology aside, it usually
can't.)  "A virus can't hide from a booted write-protected diskette."
(Ummm, I'm not sure that sentence even *means* anything.)

Melissa and the Love Bug were serious nuisances, and even worse, but
is it really accurate to say that they shut down tens of thousands of
networks?

This book is intended for intermediate and advanced users and system
administrators, and addresses only the Microsoft Windows operating
systems.  While I would agree that Windows is the system most in need
of virus protection and help, this focus does limit the audience.
Grimes also tries to avoid the virus/worm/replicating trojan argument
with the use of the term malicious mobile code, and states that the
book does not deal with attacks and security holes, but the coverage
of trojans, RATs (Remote Access/Administration Trojans/Tools), and
browser attacks seems to contradict that position.  (In fact, the more
detailed description of "malicious mobile code," and the MMC acronym
that Grimes creates, seems to be amply covered under the more commonly
used term malware.)

Chapter one provides a very brief outline of some malware related
concepts.  Most of the chapter concentrates on the virus writing
community, although only in a superficial way.  Grimes obviously feels
sympathetic towards virus writers, and presents their own stories
without criticism or analysis.  Some details of the MS-DOS operating
system, as well as basic virus technologies, are given in chapter two.
The programming particulars, and a bit of virus source code, are
likely to be of more help to budding virus writers than to the
defending sysadmins.  There are copious errors in the information
listed about specific viruses.  Sometimes the material is careless,
such as the assertion that Michelangelo formats hard drives (the
original version overwrites sections of the disk, and only the disk
booted from on the trigger date).  In other places the wording is
slipshod, such as the implication that a seldom seen screen artifact
of the Jerusalem virus is somehow responsible for file deletion.
(Oddly, while Grimes does not appear to have done serious research he
has obviously read my stuff at some point: one of the examples is
taken almost word for word from my writings.  Other passages
originating in my work are recognizable, although not quite as
blatant.)  The recovery advice is also suspect: he reiterates the
rather dangerous suggestions to format the disk or use FDISK /MBR.

Some very useful information about Windows, particularly the 9x, NT,
and higher versions, is presented in chapter three.  The material does
not often deal with malware as such, and, in a number of cases,
details are either too particular or not specific enough.  A few
"native" Windows viruses are described in chapter four, along with
some useful general security and recovery tips.  Unfortunately, the
virus detection and recovery tips are derivative, vague, and not
always comprehensive.  Chapter five has explanations of the VBA
(Visual Basic for Applications) macro system in Microsoft Office
applications, and lists some common macro viruses.

Chapter six lumps trojans, worms, backdoors, and DDoS (Distributed
Denial of Service) packages together in a somewhat confusing manner.
One useful inclusion in the material is a list of RAT utilized port
numbers.  The invention of real-time conferencing, or instant
messaging, appears to be credited to AOL, in chapter seven, although
various forms existed long before AOL's existence.  All forms of chat
or messaging seem to be lumped together in the chapter, although it
concentrates on the technology and examples from IRC (Internet Relay
Chat).

Chapter eight contains a reasonable overview of Web browser
technologies, although Grimes makes the usual mistakes, such as
confusing Secure HyperText Transfer Protocol (S-HTTP) with the https
protocol specifier actually used by Secure Sockets Layer (SSL).  A
number of old program bugs and exploits are described in chapter nine.
Most relate to browsers, although some depend on HTML enabled mail
clients.  The preventive measures listed, however, deal strictly with
the settings on recent versions of Microsoft's Internet Explorer, and
do not mention other browsers at all.  Since Java applet bugs and
exploits have been confined to implementation errors, it is difficult
to understand why chapter ten was included in the book.  Again, some
older exploits are described, and there is a bit of confusion in the
text between the applet sandbox model and the full Java security
model.  Chapter eleven examines the possibility of the malicious
misuses of the ActiveX system, but first it spends a lot of time and
space presenting the one security aspect of ActiveX: digital
signatures.  By doing so, Grimes is giving Microsoft way more than the
benefit of the doubt.  The text does, eventually, get around to
pointing out some of the flaws in the Authenticode system, but the
structure of the chapter works to downplay the dangers.

In chapter twelve, the Microsoft chauvinism that has been evident in
prior sections ramps up to full throttle.  Grimes states that it isn't
just Outlook that can be exploited for email viruses, any mail client
could be so abused.  (He later has to tacitly admit that almost no
other email client has been so utilized, and none to the same extent.)
There is even a paean of praise to Windows Script Host, the
application that made the Love Bug possible.  The material on virus
hoaxes, in chapter thirteen, is a bit of a mix, but does have a good
list of signs to watch for.  Defence consists mainly of a generic
security planning process and a reasonable, though brief, outline of
the types of antiviral software, in chapter fourteen.  Chapter fifteen
finishes off with the usual look to the future.

Overall, the content is wide-ranging, but not complete.  There is
coverage of a broader range of topics than was the case with other
recent books, such as Dunham (cf. BKBVRTPR.RVW) and Schmauder (cf.
BKVRSPRF.RVW).  However, depth of research and understanding of the
problem is not in evidence.  The material is very questionable in view
of the number of errors Grimes makes in his retailing of details of
specific viruses.

While some support and background content is included, the book is
written in a very field independent style: at the end of the chapter
you are simply supposed to do what Grimes tells you to, and believe
what he says.

There is virus code in the book.  Not extensively, perhaps, but it is
there.  Grimes justifies its presence by saying that it is not code
for an entire virus, and that he has made changes to disable it in any
case.  Unfortunately, it is real code, for some important sections of
viruses, and the missing and changed bits aren't all that hard to
spot.  While it would not allow wannabe vxers to compile a complete
virus right off the page, it would help any semi-competent code dweeb
write a more functional virus.  And, all protestations
notwithstanding, it doesn't provide any help to the user or network
manager.

Aside from problems with the content, Grimes' organization and writing
is careless and difficult to understand.  The chapters address
individual topics, and have a standard structure, but the structure is
only a template.  Within each topic the flow of sections and even
paragraphs does not always course logically.  The illustrations and
figures are not very informative.

This is not a good book on viruses or malware.  The breadth of
coverage and detailed content on macro and email virus technology does
save it from being really awful: up to the summer of 2001 no other
book has dealt with those topics in sufficient depth.  And the
MS-centrism does have one very positive advantage.  If you absolutely
must use Microsoft software and applications, the prevention sections
of the various chapters do contain a lot of detail that will be useful
in reducing the risk that you face.

copyright Robert M. Slade, 2001   BKMLMBCD.RVW   20010814


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
       When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#309 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Nov 5, 2001 5:25 pm
Subject: REVIEW: "The Bear and the Dragon", Tom Clancy
secgloss
BKBRDRGN.RVW   20010703

"The Bear and the Dragon", Tom Clancy, 2000, 0-399-14563-X,
U$28.95/C$39.99
%A   Tom Clancy
%C   10 Alcorn Ave, Suite 300, Toronto, Ontario, M4V 3B2
%D   2000
%G   0-399-14563-X
%I   Penguin Putnam
%O   U$28.95/C$39.99 416-925-2249 Fax: 416-925-0068 service@...
%P   1028 p.
%T   "The Bear and the Dragon"

Clancy is becoming a bit of a curmudgeon in his old age.  He's still
up there with the best when he's writing about shooting or dropping
bombs on people, but he's started padding out the books with a lot
more preaching (in some cases literally), and that's a lot less fun in
anybody's book.

Clancy may know military hardware, but he doesn't show any evidence of
being familiar with any other technology.  Binary code, while it is
the object code that computers actually use, isn't measured in lines.
He fundamentally misunderstands the concept of a computer virus.
Digital telephone switches weren't around in the 1950s, and trap doors
tend to get found, particularly when people poke at them for thirty
years.  Yes, a proper operating system can improve the performance of
a piece of hardware (just ask any Linux devotee), but it can't work
miracles.  Ghost is a disk image program, and it does bundle files up,
but it's used for backup or replication, not spying.

One of the funniest mistakes in the book is the insistence that
Chinese computers would have to store all documents as graphics files.
(A word processor that stored material as graphics files would not be
much use: the operator would not be able to manipulate the "text" in
any way once it had been entered.)  There have always been encoding
systems for languages other than those that used a Latin alphabet, and
most would now use Unicode.  Ironically, for all the other mistakes,
when we are told about a download of stolen material, the numbers do
work out to a reasonable figure for a decade's worth of weekly
minutes, provided nothing else was stored on the computer.

He tapdances around encryption in this book, and, while he's obviously
been told that 256 and 512 are magic numbers, he still doesn't
understand what is going on in the field.  512 bits is probably not a
safe key length for asymmetric encryption any longer, but it's way
more than good enough for symmetric.  Nobody could possibly want any
key of 256 thousand bits.  "Totally random" numbers are the Holy Grail
of stream cyphers, but, as the sainted John Louis von Neumann has
said, anyone who considers arithmetical methods suitable for producing
random numbers is, of course, in a state of sin.  (Clancy would be big
on the "sin" part.)

Details of encryption keys aside, for the moment, we have a pretty
good idea of how strong any encryption system is.  The NSA may employ
more mathematicians than any other entity, but they don't employ all
the mathematicians in the world, and they certainly don't employ all
the computer scientists.  Within a relatively small, but actually
rather numerous, community, the strength of any particular algorithm
is well known, as well as how many computer cycles it is going to take
to break it.  For a nice IDEA or triple-DES system, which is only
nominally considered commercially secure, there simply aren't that
many computers in the world.  Yet.  The myth that the NSA can break
any code is just that, a myth.  (And, yes, quantum computing has
something to do with parallel processing, but not all that much at the
current state of the art.)

Given his lack of understanding of technology, and the software
development process, it isn't surprising that Clancy is a big fan of
the Star Wars missile defence plans.  Hey, it's just a matter of
making some software, right?  Computers can do anything!  The
complexities are bound to be lost on someone who believes that Echelon
can track, and the NSA can decrypt, every interesting phone
conversation in the world.

But I must admit that Clancy does get it right in the end.  No piece
of software is going to work flawlessly the first time, and it is
usually some hidden assumption that trips you up.

copyright Robert M. Slade, 2001   BKBRDRGN.RVW   20010703


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I won't stand for it, and I'm not going to take it lying down,
so I guess I'll just have to sit it out.              - Larry Wall
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#310 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Nov 15, 2001 4:03 pm
Subject: REVIEW: "Internet and Computer Ethics for Kids", Winn Schwartau
secgloss
BKINCMEK.RVW   20010815

"Internet and Computer Ethics for Kids", Winn Schwartau, 2001,
0-9628700-5-6, U$15.95/C$24.95
%A   Winn Schwartau www.nicekids.net winns@...
%C   11511 Pine St. N., Seminole, FL   33772
%D   2001
%G   0-9628700-5-6
%I   Inter.Pact Press
%O   U$15.95/C$24.95 727-393-6600 fax: 727-393-6361
%P   ~150 p.
%T   "Internet and Computer Ethics for Kids"

Computer ethics can be a very frustrating field.  Professional
organizations appear to have abandoned the area: they seem to have
given up on the idea of "codes of ethics" and now prefer to write
"codes of conduct."  "Values education" has progressed very little in
the last thirty years.  All of us seem to be the disciples of
Kohlberg, and assume that by sitting around discussing ethics, moral
dilemmas, and scenarios, we will all somehow become moral individuals.

And that's for the adults.

For kids, the task is even more important, and much more difficult.
Maybe it's impossible.  But it is good to see that someone has at
least given it a try.  I don't agree with everything Winn has done,
but he has produced a valuable and helpful tool.  I hope that a great
many people try it out, and, if it needs tuning, feed ideas back to
improve it.

This volume is a tool, and must be seen as such to be valued.
Schwartau has, probably wisely, not attempted to provide a full
examination of ethical theories or systems.  The chapters are all very
short: they are introductions, not expositions.  (As Blaise Pascal
famously noted, it takes much longer, and much more work, to write a
short piece than a long one.)  The text is generally possible for the
sixth grade reader, and is backed up with a short section on relevant
ideas from the law, topics to think about and discuss, and resources
for further study and research.

Unfortunately, the work starts out weakly.  The introduction is vague.
Seemingly the book is addressed to everyone.  The preface also states
that the book has questions, but no answers.  A second introduction is
more personal, but no clearer as to the intent of the text.

Chapter one states that there are no rules, and then lays out some
rules.  Aside from the contradiction, which may be too subtle for the
younger end of the audience, but which will probably be picked up by
the later teens, relativism makes it difficult to discuss ethics at
all.  To the question of what ethics are, chapter two has little
explanation except to say that they are the "little voices."  A brief
Internet history is probably supposed to point out that the Internet
has grown too fast for formal regulation, in chapter three.  Chapter
four starts out by raging against stereotypes of all kinds, and then
stereotypes the media.  The text also tersely outlines various types
of hackers.  Chapter five is a scenario, a rather simplistic story of
a young person who is very clearly dealt with unfairly by "the
Establishment," whose only possible recourse is to make unauthorized
alteration of data on a computer.

The material starts to get stronger as it becomes more specific.
Passwords, and the needs for strong ones, are discussed in chapter
six.  Graffiti is equated with web page defacement in chapter seven.
Phone phreaking, war dialling, and anonymity are defined in eight to
ten.  Malware, viruses and trojan horse programs, are covered in
chapters eleven and twelve.  Chapters thirteen and fourteen deal with
spoofing and spam.  Chapter fifteen points out that you have no idea
whether what is said on the net is true, which leads to discussions of
scams, online business, and rumours in sixteen to eighteen.  Stealing,
in chapter nineteen, leads to examinations of software piracy and
plagiarism.

Chapters twenty two to twenty five look at the more ambiguous topics
of social engineering, flaming, meeting people, and stalking.
Technical subjects, digital special effects and eavesdropping, get a
brief look in chapters twenty six and twenty seven.

The topics get harder as chapter twenty eight deals with pornography,
then two chapters on privacy, another on monitoring, and ratting on
others.

Although the topics could be presented in various sequences, it might
have been better to place chapter thirty three, discussing ethics and
the law, closer to chapter two.  But it is also a good lead-in to
civil disobedience and hacktivism, in chapter thirty four.

The review of personal responsibility, in chapter thirty five, is very
good.  "Computer Police," in thirty six, deals mostly with law
enforcement concerns, with a brief mention of vigilantism.  An
interesting juxtaposition with chapter thirty seven, on getting
caught.

Chapter thirty eight asks who makes the rules, but deals primarily
with the home and who is in charge.  Again, making ethical decisions,
in thirty nine, is good, but should be related to two and thirty
three.

Although it finishes off the book, chapter forty, and cyber-parenting,
is the introduction for parents and teachers.  It is quite realistic
and balanced.

A final set of pages is probably an important part of the book.  A set
of lined pages, they are important exercises for self-examination,
headed with "My Personal CyberEthics," "My Family's CyberRules," "My
Friends' CyberEthics," "CyberRules at My Friends' House," "CyberRules
at School," "What My Parents Need to Learn," "What My Teachers Need to
Learn," "My Company's CyberEthics and Rules," and "What I think I Need
to Learn."

I won't give this book to my grandchildren, even though the oldest
would probably be able to read a good part of it.  But I will give it
to their mothers.

Not being a marketroid, I will not say that this book is a "must have"
for anyone with kids.  Unlike many other books, and like many computer
technologies, it must be used to be of any value.  Parents can't
simply present it to their children and forget it: to do so would be
to teach that ethics are not important.  If you want to get anything
out of this work, you will have to read it with your kids, or give it
to them to read, and discuss it with them.  It can be read in an
afternoon, but shouldn't be.  The material should be taken a chapter
at a time, perhaps once a week, perhaps at even longer intervals.  It
may take years to finish this slim volume (by which time all the URLs
may be 404).  As the adult you will have to be patient, and accept
that the discussions may not proceed in straight lines, as you think
they should.

The end result, though, should be worth it.  You'll have ethical kids.

copyright Robert M. Slade, 2001   BKINCMEK.RVW   20010815


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Subscribe to the techbooks list at techbooks-subscribe@egroups.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#311 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Nov 19, 2001 4:04 pm
Subject: REVIEW: "White Hat Security Arsenal", Aviel D. Rubin
BKWHTHSA.RVW   20010814

"White Hat Security Arsenal", Aviel D. Rubin, 2001, 0-201-71114-1,
U$44.99/C$67.50
%A   Aviel D. Rubin rubin@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-71114-1
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$67.50 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   330 p.
%T   "White Hat Security Arsenal: Tackling the Threats"

The distinctive of this book is that it approaches security as a
series of specific problems or concerns.  The non-distinctive, if you
will, is that it attempts to address all audience levels; users, IT
professionals, academics, and administrators.  A series of icons
identifies, at the beginning of each chapter and at particular
sections of the text, who should read the various segments of the
text.

Part one examines the size and scope of the security issue.  Chapter
one starts out with perhaps our biggest problem, as security people:
the insistence on secrecy by companies who get hit, and the fact that
this obstinate refusal to discuss the facts makes our job, in
protecting institutions, that much harder.  A brief look at what may
be at risk from security problems is given in chapter two.  Recent
email viruses are reviewed in chapter three, but they get an
interesting treatment.  The material, while technically sound,
concentrates on the general security attitudes and lessons to be
learned, as they apply to computer use in general.

Part two looks at information storage.  Chapter four's problem is to
ensure that information is kept private if an attacker gets hold of
your machine, and Rubin gives a good introduction to symmetric
encryption and provides tips on passwords.  If you are concerned about
storage at remote sites over an insecure network, chapter five touches
on passwords again, and asymmetric encryption.  Chapter six is
supposed to deal with securing backups, but seems to get a bit
confused, although it does provide some good tips, as well as an
overview of some online backup services.

Part three considers the problems of data transfers over an insecure
net.  Chapter seven introduces authentication and some of the problems
of public key management.  Session keys and key exchange are examined
in chapter eight: it has an academic icon at the top of the chapter,
and non-specialist users might get a bit confused here.  The aspects
of virtual private networks are reviewed in chapter nine, and the book
begins moving towards the usual technology oriented model.

Part four looks at network threats.  Chapter ten explains firewalls
while eleven discusses a variety of network based attacks.

Part five doesn't really have a central theme.  The title of chapter
twelve is "Protecting E-Commerce Transactions," but most of the text
deals with the Secure Sockets Layer for Web browsers.  Privacy, in
email and Web browsing, is discussed in chapter thirteen, but many
areas are left unexplored.

For managers and users who are not specialists in computer and
communications security, this book provides a readable and accurate
introduction to a number of important topics.  There are,
unfortunately, a number of gaps in terms of the total security
picture, but that is probably to be expected when taking the problem
oriented approach.  Rubin does not talk down to the audience and does
not oversimplify, and this work therefore is superior to a number of
the introductory books on the market.

copyright Robert M. Slade, 2001   BKWHTHSA.RVW   20010814


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I'm out of my mind just now, but if you'd care to leave a message...
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#312 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Nov 22, 2001 4:00 pm
Subject: REVIEW: "The CISSP Study Guide", Ronald L. Krutz/Russell Dean Vines
BKCISPPG.RVW   20010924

"The CISSP Study Guide", Ronald L. Krutz/Russell Dean Vines, 2001,
0-471-41356-9, U$69.99
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2001
%G   0-471-41356-9
%I   John Wiley & Sons, Inc.
%O   U$69.99 416-236-4433 fax: 416-236-4448
%P   556 p.
%T   "The CISSP Study Guide: Mastering the Ten Domains of Computer
       Security"

Of late there has been a significant increase in interest in the CISSP
(Certified Information Systems Security Professional) exam and
designation produced by the (ISC)^2 (International Information Systems
Security Certification Consortium).  The CISSP exam is based on the
Common Body of Knowledge (CBK) which, as the name implies, is that
information assumed to be customarily known by those qualified or
experienced in the field of computer security.  Since the (ISC)^2 also
runs courses based on the CBK, many people seem to feel that there is
some trick or secret to passing the exam.

Krutz and Vines appear to want to foster this myth, since the first
sentence of the introduction states that this book holds the "key to
unlocking the secrets of the world of information systems security."
If true, this assertion would make a mockery of the (ISC)^2
requirement for three years' work experience, and the insistence that
no one book holds the entire CBK.

The introduction also states that this work is intended as a
preparatory guide for CISSP students, a reference for students of
other information security courses, and a manual in security basics
and emerging technologies for security professionals.  That's a rather
tall order.

For those who have seen the (ISC)^2 CBK course materials, it is
immediately obvious where the structure of the book, and most of the
content, originates.  Much of the text is in point form, following the
slides used in the CBK, with only minor expansion to explain the
elements.  Discussion of concepts is limited, and some of the detail
provided is of questionable value.  In addition, while the CBK is a
substantial and useful work, the (ISC)^2 course structure does suffer,
over time, as areas are added or amended, and the strict adherence to
that order, which can be smoothed over in a seminar, makes the book
very jumpy in places.  Security management practices, in chapter one,
is rather choppy, and access control, in chapter two, is even worse in
this regard.

Each chapter covers one of the ten domains of the CBK.  These topics
tend to overlap in places, but there is little attempt to explain,
reconcile, or reference duplicated material.  Both chapter two and
telecommunications and network security, in chapter three, address
intrusion detection systems, but neither section refers to the other.
(Telecom and networks is a large topic, and would have benefitted from
some attempt at reorganization.)

Chapter four describes many details of cryptography.  While the
particulars provided are correct, the lack of background reduces the
value of the text.  Security architecture and models, in chapter five,
defines most of the terms, but does not give a complete picture of the
topic.  Operations security generally involves the coordination of a
number of individually simple aspects, so chapter six deals with the
topic adequately.  The same minimalist denotation of points does not
work as well for applications and systems development, in chapter
seven.  (In addition, it is disturbing to see that discussion of
viruses has been completely excluded, particularly in view of the fact
that the subject has greater representation in the CISSP exam than in
the CBK course itself.)  Again, business continuity and disaster
recovery planning involve a number of basic operations, so chapter
eight provides reasonable coverage.  Chapter nine's review of law,
investigation, and ethics is terse, but not out of line with the
requirements of the exam.  Physical security, in chapter ten, is
covered better than most other areas.

There are a number of appendices.  A glossary is taken from the old
(1985) US government glossary, with a few additions.  There is an
overview of the old "Rainbow" series of security manuals.  An essay on
using the Capability Maturity Model (CMM) with the Health Information
Portability and Accountability Act (HIPAA) will possibly be of
interest to a very select group.  There is an overview of the National
Security Agency (NSA) Infosec Assessment Methodology, a simplistic
look at penetration testing, and a ludicrously brief list of the
contents of British Standard 7799.  The examination of the Common
Criteria is slightly better, but not sufficient to address the needs
of the CISSP exam.  A list of references for further study is
basically taken from the (ISC)^2 resource list with some added URLs,
and is not annotated.

Oddly, the illustrations are not copied from the CBK course, and table
and section headings relate very poorly to the surrounding text.

Practice with sample questions can be important in preparing for the
CISSP exam.  Those provided by the CBK course, and even the
independent www.cccure.org site, are very similar in tone, style, and
difficulty, to those on the exam.  The specimen questions in this
book, however, are not.  The quizzes are simplistic reading checks and
definition queries, with none of the complexity of the exam, and
requiring little in the way of judgment.  The full list of questions
is given again in appendix C, with answers: the solutions are
sometimes explained, but often are not.

For those studying for the CISSP exam, this book does provide a guide
to the topics to be covered.  If you are confident that you know more
than the book at every point, you should be in good shape to sit the
exam: if not, you will have to get help somewhere else.  If you are
studying for another security course, or are a security professional,
this work will not have much to offer you.

copyright Robert M. Slade, 2001   BKCISPPG.RVW   20010924


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
For years we have been saying you could not get a virus just by
opening E-Mail.  That bug is being fixed. - A. Padgett Peterson
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#313 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Nov 26, 2001 3:59 pm
Subject: REVIEW: "Hackers Beware", Eric Cole
BKHKRBWR.RVW   20010829

"Hackers Beware", Eric Cole, 2001, 0-7357-1009-0,
U$45.00/C$67.95/UK#34.99
%A   Eric Cole www.securityhaven.com eric@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   0-7357-1009-0
%I   Macmillan Computer Publishing (MCP)
%O   U$45.00/C$67.95/UK#34.99 800-858-7674 317-581-3743 info@...
%P   778 p.
%T   "Hackers Beware: Defending Your Network from the Wiley Hacker"

It is difficult to maintain confidence in a book that, within six
sentences of the opening of the first chapter, misspells the word
"brakes."  We are told that two developmental editors, two copy
editors, two proofreaders, and no less than five technical reviewers
had at this work.  Did any of them pay attention to what they were
reading?

Chapter one basically states that dangers are out there, security is
bad, and companies should be concentrating on prevention, detection,
and education.  Cole also nudges at the "hacking for protection"
theory, without ever really examining it.  A brief but reasonable list
of security breaking activities is given in chapter two.  Various
steps and tools involved in gathering information about a network
connected to the Internet are described in chapter three.
Unfortunately, this explanation, while helpful to a potential
attacker, has no utility for the defender: almost all of the data
discussed must be publicly available for the network to function, and
so there are no means of blocking this level of access.  Spoofing, or
masquerading, is dealt with in chapter four, but again, while some
protective measures are provided, much more time is spent on the
disease than the cure.  After twenty six pages of telling you how to
hijack sessions, including the best programs to use and how to operate
them, chapter five gives us two pages of simplistic advice (avoid
remote connections) on protection.  Chapter six lists a number of
common denial of service attacks and, while it does devote a lot of
ink to describing the exploits, the material is reasonably balanced,
and the suggested defensive measures realistic.  Chapter seven
requires almost forty pages to tell us that buffer overflows are not
good, and you should apply software patches.  Password security is
very important, but the material in chapter eight is vague,
disorganized, and has relatively little to say about good password
choice.  (Chapters nine and ten describe some NT and UNIX password
cracking programs.)  The examination of background fundamentals of NT,
in chapter eleven, is a terse and unfocused grab bag of information.
The analysis would be of little help in explaining the specific
attack programs listed in chapter twelve, a number of which rely on
particular applications.  The same relation is true of chapters
thirteen and fourteen, relating to UNIX.  A number of backdoor and
remote access trojan programs are described in chapter fifteen.
Chapter sixteen discusses log files, and lists some programs for
generating spurious network traffic in order to hide attacks.  Some
random exploits are listed in chapter seventeen, and a few more in
eighteen.  An attempt is made to combine various attacks into
scenarios, in chapter nineteen, but these do not add anything to the
material already provided.  Chapter twenty is the usual vague look to
the future.

This book takes the all-too-common approach of assuming that teaching
you how to break into systems will help you to protect them.  The work
also amply demonstrates the fallacy of that argument.  While the
harried systems administrator spends several hours coming to grips
with the minutiae of the attacks described, the vast majority of the
exploits listed can be countered simply by ensuring that software
patches are up to date.  In addition, while dozens of loopholes are
listed in these pages, thousands more exist that are not covered.  The
material contained in these pages may be entertaining, but it is of
far more use to the attacker than to the defender.  This would be
upsetting, were it not for the fact that most of the exploits
described are old and not likely to remain unpatched if administrators
are keeping up to date.  (Of course, many small outfits can't commit a
lot of resources to keeping up to date ...)

For security specialists, this volume provides nothing that can't be
found elsewhere.  For non-specialists, it fails to supply a security
framework and strategy within which to work.

copyright Robert M. Slade, 2001   BKHKRBWR.RVW   20010829

As usual, a draft has been sent to the author.  He has requested that
this response be included, unedited:

Robert:
First allow me to say thank you for taking the time to review the book
as criticisms are as crucial as praise. We take your feedback
seriously. That being said, let me see if I might speak to some of
your discussions on "Hackers Beware".

When you buy "Hackers Beware", you buy it for the technical content.
While we maintain that this faction of the book is air-tight and well-
supported, we also admit that we could and should have done a better
job with edits on spelling and grammar. While we admit that
shortcoming, we also ask that you look at the eleven reviews posted on
Amazon, praising the technical content of my book and earning it FIVE-
STAR rating.

The book starts opens with some introductory material but does that
for a reason. Much of the security information that companies need to
protect their site is straightforward. Yet companies systems are still
hacked into with a growing frequency because they fail to understand
how to build a proper defense. So my book aims to ensure that everyone
is well, if not over-educated on DEFENSE.

There are many books on hacking but what makes this book different is
its emphasis on defense. Yes, you need to understand how the enemy
breaks into systems, so you can build better defenses. Every section
has an area on how to defend against a certain type of attack. So I am
not sure how a review can say that defense is not covered when that is
the thrust of this book. There are plenty of books that show you how
to break in. This book clearly and explicitly explains the properties
of a strong defense.

Thanks for letting me write a response.
Eric


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I've got a PhD and no one listens.  I take off my clothes off,
and here you all are.           - Briony Penn to the media, 20010123
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#314 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Fri Nov 30, 2001 4:18 pm
Subject: REVIEW: "Wireless Web", Frank P. Coyle
BKWRLSWB.RVW   20010925

"Wireless Web", Frank P. Coyle, 2001, 0-201-72217-8, U$39.99/C$59.95
%A   Frank P. Coyle
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-72217-8
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   248 p.
%T   "Wireless Web: A Manager's Guide"

The introduction outlines three audiences for the book.  They can be
condensed into two: executives and consultants who only need to know
the implications of the technology, and technical managers, who need
to know the gritty details.  These two groups are almost completely
disjoint, and so it is odd that the author even attempts to address
both.  However, a significant effort has been made to design the book
in such a way that the core text can contain the details, while
highlights are addressed in marginal notes that can be skimmed.

Chapter one provides an overview of the convergence of the Internet
and wireless technology.  While it touches on the significance of the
change in technology, ultimately the document gets bogged down in
voice command examples.  Devices are discussed in chapter two, but in
spite of the problems noted with incompatibility there is no
examination of standardization.  A blue sky future is predicted for
the Bluetooth protocol, in chapter three, but no information about how
to implement real applications.  A mixed bag of protocols, some
addressing different levels of the communications stack, are very
tersely introduced in chapter four.  Protocols still on the drawing
board are mentioned in chapter five.  Chapter six looks at the
Wireless Application Protocol (WAP).  The usual non-explanation of XML
(eXtensible Markup Language) is given in chapter seven: it would
probably be better to say that WML (Wireless Markup Language, used in
WAP) and VoiceXML are XML applications, and leave it at that.  Java,
and its close relation to small devices, gets a decent accounting in
chapter eight, although extraneous details do obscure the issue.  Bits
and pieces of security technologies are discussed in chapter nine, but
not in a way that comprehensively and usefully addresses the topic.

Each chapter ends with a list of resources: mostly Web pages that can
be researched for more information on specific topics.

By and large, details of the various technologies are almost
completely absent from the book.  Thus, while it may be suitable for
providing a vague idea of the possibilities of wireless applications,
the work certainly does not set forth any data or guidance necessary
to implement anything.  The executive summaries and marginal notes
serve only to reduce what is already primarily a promotional piece
(albeit free from particular bias) to a pamphlet.

As a quick introduction to terms and technologies involved in wireless
communications, this volume has something of a place, although an
expensive one.  For anything more, you will have to look elsewhere.

copyright Robert M. Slade, 2001   BKWRLSWB.RVW   20010925


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
                         `For example' is not proof.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#315 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Dec 3, 2001 4:17 pm
Subject: REVIEW: "The Future of Wireless Communications", William Webb
secgloss
Send Email Send Email
 
BKFUWLCM.RVW   20010925

"The Future of Wireless Communications", William Webb, 2001,
1-58053-248-9, U$69.00
%A   William Webb
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-248-9
%I   Artech House/Horizon
%O   U$69.00 800-225-9977 fax: +1-617-769-6334 artech@...
%P   434 p.
%T   "The Future of Wireless Communications"

Predicting the future in the technical world is a dangerous business,
particularly in a rapidly changing field like communications.  Yet the
author attempts to do so not just in the short term, but over a range
of twenty years.  If nothing else, you have to admire his courage.
And Webb does know the dangers: he points out, in chapter one, the
foolish predictions that have been made over the years.  But he also
demonstrates the importance; to business, public policy, and other
endeavors; of prediction, and the possibility of achieving educated
guesses if you make the right kind of forecast.

Part two examines the factors that drive future development.  Chapter
two starts at the end--the end user, the final customer, and the
desires of the public market.  The material is generic, and possibly
too vague to be of use in prognostication, but does point out some
areas for consideration.  Discussion of the great number and variety
of technologies involved in the general field of wireless
communications makes chapter three rather lengthy.

Part three looks at practical constraints and limits on future
development.  Chapter four surveys technical restrictions, but is
confined to the traditional contention model, without considering the
benefits of cooperative models arising out of data networks.  Social,
financial, and other restraints are discussed in chapter five,
although the view of standards as a limiting factor seems odd in an
era when de facto norms seem to spring up in mere months.  The review
of organizations, in chapter six, seems a bit weak.

Part four is the heart of the book, or, rather, hearts: bets are
hedged by providing a number of views of the future.  Chapter seven
presents a view of how the future might have looked to an analyst of
twenty years ago.  A "technologist's" perspective sees more demand for
telecom, but provides contradictory views of using it to bring the
world to us (video-on-demand and home shopping) as opposed to going
out into the world (the "day in the life" scenario).  A "bold" vista
sees a growth in some forms of telecom in the near future.  A list of
various standards and potential applications makes up a realization of
the information society.  "Learning from the Past" is an
unintentionally ironic title, since the scenario that starts the
chapter uses applications which all exist already (apart from a
software operator that handles calls for the user).  Chapter twelve
discusses some minor problems with developing technologies.  The
"Communications Cocktail" is perhaps the most realistic attempt to
view the future: although I suspect it is a bit short-sighted, there
is an acknowledgement that one telecom solution will not fit all.  An
"official" prognostication from the UK reads much like every
government analysis you've ever seen.  A summary of the predictions is
given in chapter fifteen, but the appraisal (which is reasonable)
comes in sixteen.  The material is repeated, with different
structures, in chapter seventeen.

I suspect that the predictions made in the book will seem very
conservative when viewed twenty years hence.  At the same time, the
text does provide a very good overview of the immediate situation with
regard to mobile communications and the developments coming onstream.
For the telecommunications manager, this work is a reasonable, if
verbose, guide to the next few years in the wireless world.  The
longer term will probably be significantly different.

copyright Robert M. Slade, 2001   BKFUWLCM.RVW   20010925


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Viruses Revealed   0072130903    victoria.tc.ca/techrev/vrfresft.htm
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#316 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Dec 6, 2001 4:49 pm
Subject: REVIEW: "Designing a Wireless Network", Jeffrey Wheat et al
BKDSWLNT.RVW   20011013

"Designing a Wireless Network", Jeffrey Wheat et al, 2001,
1-928994-45-8, U$49.95/C$77.95
%A   Jeffrey Wheat et al
%C   800 Hingham Street, Rockland, MA   02370
%D   2001
%G   1-928994-45-8
%I   Syngress Media, Inc.
%O   U$49.95/C$77.95 781-681-5151 fax: 781-681-3585 amy@...
%P   379 p.
%T   "Designing a Wireless Network"

Designing a wireless network would seem to be a rather larger topic.
What kind of network?  How large?  For what type of applications?  For
what audience, environment or market?  Going by the case studies
provided, this book is intended to address those designing local area
networks: perhaps extending to other buildings, but not crossing
public roads.

Chapter one is a brief history of communications and computing, with
some very questionable facts.  The physical and engineering
characteristics of radio signals given in chapter two are clearly
explained, but the details aren't sufficient for antenna siting
engineers, and aren't really of practical use for other people.
Again, there is a lucid exegesis of TCP/IP and the OSI layering model,
but limited applicability to wireless networks, in chapter three.
Chapter four could use some of the previous clarity and information:
the material dealing with the various applications and standards
involved in an assortment of wireless systems is terse and poorly
structured.  The process of design is covered in chapter five, but
only in a vague way and at a high level.

More details of planning are given in the case studies in chapters six
through nine--but not many.  Security, traffic analysis, and antenna
siting are touched on, but only in a very superficial way.  Security
tends to be dismissed as covered, traffic analysis seems limited to
the number of terminals in existence, and radio footprints often
overlap, sometimes to a ridiculous extent.  (One example uses five
antennae where one would probably be sufficient.)  The home office
case study has a good discussion of interference sources, but bogs
down in a section detailing the connection of Windows to the Internet.

As noted, some of the explanations are very good--but they aren't
explanations of wireless technology.  The design process outline and
the case studies do point out aspects of wireless networks that should
be addressed--but they don't provide information about how to address
them.  This book is a good overview of the factors involved in
designing a wireless network--but it doesn't give you the information
you need to come up with the design.

copyright Robert M. Slade, 2001   BKDSWLNT.RVW   20011013


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
There are aphorisms that, like airplanes, stay up only while they
are in motion.                                    - Vladimir Nabokov
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#317 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Dec 10, 2001 3:58 pm
Subject: REVIEW: "How Wireless Works", Preston Gralla
BKHWWLWK.RVW   20011017

"How Wireless Works", Preston Gralla, 2002, 0-7897-2487-1,
U$29.99/C$44.95/UK#21.99
%A   Preston Gralla preston@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   0-7897-2487-1
%I   Macmillan Computer Publishing (MCP)
%O   U$29.99/C$44.95/UK#21.99 800-858-7674 info@...
%P   232 p.
%T   "How Wireless Works"

Albert Einstein was once asked to explain radio.  His famous response
was that one should consider a cat long enough to stretch across the
United States.  Pull the cat's tail in New York, and it meows in Los
Angeles.  Radio, said Al, is just the same--except that there is no
cat.

What Einstein did facetiously, Gralla seems to be trying to do in
earnest.  This pictorial non-explanation provides the reader with a
lot of interesting information and trivia--about everything except the
central topic.

There is some very good material.  The basic explanations of
modulation and the electromagnetic spectrum are excellent.  But they
are also old news: well known concepts that aren't new fields of
technology.  When the book moves into applications it also starts to
engage in hand-waving.  Even basic broadcast radio and television is
only covered at the level of "the information goes in here and it
comes out there."  Once the topic moves to cellular systems and
wireless networks the terms are all there (handoff, CDMA, WML,
Bluetooth, GSM, WAP), but the reason given for how it works is merely
that it does.

Some of the material, simplistic as it is, contradicts itself.  On
page 91 we are told that all digital cellular systems use only one
frequency for both transmission and control, while the very next
sentence says that digital cellular phones can do so if necessary.
Other parts are unintentionally ironic, such as the page that shows a
"hacker" being stopped by a firewall on a wireless network, when the
security leakage that wireless networks provide has been amply
documented.  (In the section on security these problems are virtually
ignored: the only items of concern are "wireless viruses" and cloned
cell phones.)

A little effort put into bringing the contents of this colourful book
up to the same level as the introductory material would make it a more
useful tutorial for non-specialists.  It is rather frustrating to read
these pages and note that very brief additions could have immensely
enhanced them.  As it stands, the first chapters do explain the
concepts behind basic radio transmissions and data modulation.  The
bulk of the work is flashy, but pointless.

copyright Robert M. Slade, 2001   BKHWWLWK.RVW   20011017


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Nothing is too high for the daring of mortals; we storm heaven
itself in our folly.                              - Horace, Epistles
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#318 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Dec 17, 2001 4:15 pm
Subject: REVIEW: "Internet and World Wide Web How to Program", H. M. Deitel/P. J. Deitel/T. R. Nieto
secgloss
BKIWWWHP.RVW   20000420

"Internet and World Wide Web How to Program", H. M. Deitel/P. J.
Deitel/T. R. Nieto, 2000, 0-13-016143-8, U$67.33
%A   H. M. Deitel deitel@...
%A   P. J. Deitel deitel@...
%A   T. R. Nieto deitel@...
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2000
%G   0-13-016143-8
%I   Prentice Hall
%O   U$67.33 +1-201-236-7139 fax: +1-201-236-7131
%P   1157 p. + CD-ROM
%T   "Internet and World Wide Web How to Program"

Deitel and Deitel have made a name for themselves, and obtained a
commanding presence in the programming textbook market.  Their books
are generally well structured, in terms of advancing through the
material in such a way that the student is able to progressively add
to his or her arsenal of skills.  Unfortunately, the books are not
always as careful about the specific contents of the text.

This material is rather heavily dependent upon Microsoft products.
The book comes with Internet Explorer and FrontPage Express on the
CD-ROM, and examples use the Microsoft versions.  This is acceptable
in a work which is, after all, intended to take students through a
course of study and wants to minimize the variations in environment.
However, while there is mention of the fact that browsers, and even
versions of the scripting languages, may vary, this does not appear to
be pointed out in practice through the book.

Chapters one and two are very simplistic introductions first to
computers in general, and then to the Internet and World Wide Web.
The presentation of HTML (HyperText Markup Language) that is given in
chapters three and four is clear enough for the basic operations, but
emphasizes stylistic elements over functional ones.  Complications are
brushed aside, as when forms are proposed with a not-yet-covered Perl
script, rather than the more accessible mailto function that students
could use right away.  Three commercial products are promoted in
chapters five to seven.

Chapter eight begins instruction in JavaScript programming.
Unfortunately, some important points are mentioned tersely, or not at
all.  Having seen a number of examples of HTML in the previous
material, we are suddenly confronted with a DOCTYPE statement, and no
idea of why or how it may be needed.  There is a brief reference to
the fact that these initial scripts are being created in document
headers and a promise that inline scripts will be covered later, but
no explanation or specifics.  Server side programming is not reported.
Again, formatting of material is presented earlier, and in more
detail, than more substantive commands like window.prompt and
parseInt.  The material is definitely presented in a field independent
manner, which makes it easy to get started producing programs, but
quite difficult to understand what is actually going on.  For example,
although the terms are used correctly, there is no discussion of the
differences between keywords, object, methods, and functions.
Therefore, novice readers may misunderstand, for example, the
assertion that keywords never have capital letters since built in
functions quite clearly do.  Still, the text does not assume any prior
familiarity with programming, and touches on, albeit lightly, a number
of basic and important concepts.  Chapters nine and ten deal with
control structures.  (Occasionally the book disregards its own advice:
while earlier material stressed the importance of aligning indentation
for nested statements, the sample code for labeled breaks is very
confusing.)  Functions are illustrated in chapter eleven.  Once again
a limitation in prior material presents a problem: the ability of a
form to call a script as action is passed over too briefly.  (There is
also a typo in the one reference to help in chapter fourteen: it's in
sixteen.)  Chapter twelve takes a fairly standard look at arrays.  The
talk of objects in chapter thirteen may be misleading: it is only
specific JavaScript object methods (commands or operations) that are
discussed, and not object-oriented programming as such.  It should
also be noted that, despite the number of topics covered, this section
overall is really only an introduction to JavaScript.  Variations
between JavaScript 1.0, 1.1, 1.2, ECMAscript, and Microsoft's JScript
get such scant mention that one might as well say that they are not
covered at all.  Internals of the language, and inconsistencies in
behaviour of variables and operators, are not presented either.
Readers will be able to start generating simple "active" content on
Web pages, but only at a level that could be duplicated by other
methods.

Dynamic HTML (aka DHTML) starts with Cascading Style Sheets (CSS) in
chapter fourteen.  The notion of the Object Model, in fifteen, may be
confusing.  It begins with a reference to changing a P element, and is
the first mention of a paragraph element having any attributes.
(Understanding of the point is not assisted by the very terse
introduction of the P element back in chapter three, and the
inconsistent use of the closing tag.)  There is also no discussion of
the use of more basic technologies to accomplish, for example, timed
changing of pages.  Chapter sixteen's promised Event Model really only
lists the events that can be used to trigger an action.  Filters
likewise are a list of graphic effects in chapter seventeen.  Chapters
eighteen to twenty describe some ActiveX controls for data, graphics,
and animation.  A variety of multimedia (and other) programs are
suggested in chapter twenty one.

Chapter twenty two introduces VBScript very briefly, starting with the
differences between JavaScript and VBScript, looking at some string
functions, and then wandering into a confusing look at
object-orientation.  Electronic commerce and security is covered
mostly in terms of press releases in chapter twenty three.  Details
are few: the discussion of shopping carts doesn't mention cookies, the
section on auctions doesn't mention fraud, and Authenticode is stated
to be reliable.  Chapter twenty four gives detailed instructions on
two Microsoft Web servers, along with a brief mention of those others
that have the majority of the market.  Database access is discussed in
chapter twenty five.  The material on Active Server Pages (ASP), in
chapter twenty six, concentrates on example scripts, and does not
explain either the basic concepts or the security weaknesses of the
system.  There is a rather slapdash introduction to Perl, and a brief
mention of CGI (Common Gateway Interface) in chapter twenty seven.
Chapter twenty eight looks at XML (Extensible Markup Language) but
even if you know SGML it doesn't explain much.  Some samples of Java
servlets and cookies are included in chapter twenty nine.

The primary target audience for this book is college courses or self-
study for programmers.  The questions (both self-review and other
exercises) are therefore fairly important to the work.  Unfortunately,
the practice sessions are weak.  The questions are, for the most part,
simplistic and serve primarily to determine whether the student has
read the material, not whether it has been understood at any depth.
Still, these may be useful as review, as are the collections of tips
and common errors at the end of each chapter.

It is also disappointing to find that the book has no command
reference for the programming sections, although there are summary
lists in various sections.

This book does touch on a number of Web programming topics, although
touch seems to be the operative word.  Instructors would be well
advised to go through the material for themselves, first, and be
certain they have identified the traps and errors.

copyright Robert M. Slade, 2001   BKIWWWHP.RVW   20000420


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
    `*If* he finds out.'    `If!  If is good.'    - Pain and Panic
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#319 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 7, 2002 6:01 pm
Subject: REVIEW: "Incident Response", Kenneth R. van Wyk/Richard Forna
secgloss
BKINCRES.RVW   20011001

"Incident Response", Kenneth R. van Wyk/Richard Forna, 2001,
0-59600-130-4, U$34.95/C$52.95
%A   Kenneth R. van Wyk ken@...
%A   Richard Forna rick@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   0-59600-130-4
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$52.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   214 p.
%T   "Incident Response"

Incident response has, in the past, received short shrift in security
literature.  It is also a rather vague term: what type of an incident
are we talking about?  How big?  What type of response are we
considering?  Protective?  Defensive?  Offensive?  The authors have
provided us a starting point for consideration and the benefit of some
years of experience, but this work is, unfortunately, less detailed
than it might have been.

Chapter one does not do a good job of defining incident response: the
examples are instructive, but the material wanders through a number of
topics without developing any central focus.  There is an examination
of the strengths and shortcomings of various types of response teams,
such as those internal to companies, related to vendors, or
established by security management companies, in chapter two.
Planning, in chapter three, has some good points to consider, but
doesn't offer a lot of guidance.  Chapter four, entitled "Mission and
Capabilities," seems to be the core of the book, touching on staff,
positions, training, legal considerations, procedures, and other
issues.  A wide-ranging list of attack types, albeit with very terse
descriptions, is given in chapter five.  The incident handling model
presented in chapter six is vague but reasonable.  Chapter seven
contains quick overviews of a number of detection tools, mostly
software.  A few resources, generally Web sites, are given in chapter
eight.

This book is the result of considerable background and practice.
While there are no obvious errors and the material presents good
advice, it is hard to be excited about the result.  Overall, the book
seems to lack direction, and fails to present a structured and clear
guide to the preparations necessary for dealing with computer
incidents.  However, in the absence of other material it is better
than nothing, and does raise the issues to be addressed.

In response to the first draft of this review, one of the authors has
responded that the intent of the book was not to address the
techniques of incident response, but to provide management with an
understanding of the subject.  That statement fits with the text, but
is in some opposition to the assertion in the preface that the book is
aimed at all who would need to respond to incidents, including systems
administrators and other technical people.

copyright Robert M. Slade, 2001   BKINCRES.RVW   20011001


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The magnificent and the ridiculous are so close that they touch.
                                            - Le Bovier de Fontenelle
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#320 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 21, 2002 4:02 pm
Subject: REVIEW: "The Raptor Virus", Frank Simon
secgloss
BKRPTRVR.RVW   20011122

"The Raptor Virus", Frank Simon, 2001, 0-8054-2339-7, U$12.99
%A   Frank Simon
%C   127 Ninth Avenue North, Nashville TN   37234
%D   2001
%G   0-8054-2339-7
%I   Broadman & Holman Publishers
%O   U$12.99 615-251-2000 fax 615-251-2701 broadmanholman@...
%P   344 p.
%T   "The Raptor Virus"

The action is good.  In places.  The dialogue is stilted, alternately
racing through plot developments and turgidly spending whole pages on
irrelevancies.  The characters are inconsistent, sometimes undergoing
radical personality changes from one chapter to the next.
A few sections seem to be early versions of some chapters that have
been left unmodified even though the author subsequently changed his
mind about one of the characters.  In fact, at times, the plot seems
to "undevelop," and run backwards.

Throughout most of the book the overall feeling is one of a
sentimentality syrupy enough to engender tooth decay.  (Simon also
seems determined to prove that even Christians can get all steamy
about sex, coming up with a kind of chaste soft porn.)

The Review Project's Hong Kong correspondent had a few comments.  The
Special Administrative Region's residents apparently find this book
the funniest read since the Hitchhiker's Guide to the Galaxy.  Never
mind that the motivation of the evil Chinese is totally out of touch
with the Chinese mindset, or that people in Hong Kong suddenly speak
Mandarin instead of Cantonese, or that you *can't* run across
Connought Road, or that you get on trams at the back, and pay as you
get off at the front, or that freighters don't go anywhere near the
yacht club or North Point, or that The Peak isn't actually a peak at
all (and no longer bears Victoria's name), or that the Peak Tram
doesn't have dual tracks, and rests against bumpers at the bottom
anyway, or that businessmen here speak American dialect, not British,
or that you can't see the bus loop from the Star Ferry ...

Well, enough of pretending I'm a real book reviewer.  Let's cut to the
tech.

Sorry, there isn't any.

About all I can tell you about the Raptor Virus itself is that it
isn't a virus.  It's a kind of time-based logic bomb.  It's embedded
in chips.  While they don't exactly "blow up real good," they do
manage to generate a lot of smoke when they go off.  (We all know that
computers work by smoke and mirrors, and when you let the smoke out,
they don't work anymore, right?  Despite the fact that software
failures almost never cause hardware damage.)

What kind of chips?

Doesn't say.

Why are they essential to all kinds of utility equipment?

Doesn't say.

How is it that one company has managed to get a complete lock on
manufacturing of this apparently vital component?

Doesn't say.

How is it that this "added feature" manages to escape detection by all
kinds of Y2K paranoid testers, and those who are thinking ahead to the
End of Seconds for UNIX?

Doesn't say.

There are other technical problems.  Some mileages and speeds don't
add up.  Train system procedures pretty much universally state that,
in the absence of valid traffic control signals, you proceed slowly
enough that you can stop within half the distance you can see, not go
barrelling down the track as fast as you can.  The communications gear
harks back to the days of suitcases full of equipment, rather than
Iridium handhelds.

I don't suppose the book would manage to capture a Bulwer-Lytton
award, but it comes close.

copyright Robert M. Slade, 2001   BKRPTRVR.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Techbooks subscription form http://www.eGroups.com/list/techbooks/
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#321 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 28, 2002 3:37 pm
Subject: REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz
secgloss
BKALASCR.RVW   20011122

"Algebraic Aspects of Cryptography", Neal Koblitz, 2001,
3-540-63446-0, U$64.99
%A   Neal Koblitz koblitz@...
%C   175 Fifth Ave., New York, NY   10010
%D   1998
%G   3-540-63446-0
%I   Springer-Verlag
%O   U$64.95 212-460-1500 800-777-4643
%P   206 p.
%T   "Algebraic Aspects of Cryptography"

When certain technical people find out that I am involved in data
security, they assert an interest in cryptography, and an intention to
write a cryptographic program sometime.  While I do not wish to disparage
this goal, questioning of the individual's background in mathematics
tends to point out that the task is harder than they might have
foreseen.  The magic phrase "number theory" is usually the dividing
line.  For those who make it past that limit, I am going to recommend
that they get Koblitz's work.  Not that I am implying that this book
is more demanding than it needs to be: only that the topic itself is a
difficult one.

This is the heart of cryptology: the underlying foundations that make
it work.  The material presented does not address specific programs,
standards, or even algorithms, but deals with the basic mathematical
theory that can be used to construct algorithms, or test their
strength.

Chapter one is something of an overview, touching on many fields of
cryptography and introducing an appropriate and exemplar equation for
each.  Theories related to the strength of cryptographic algorithms
are given in chapter two.  Basic algebra associated with primes is
discussed in chapter three, underlying the more common asymmetric
(public key) systems such as RSA.  Chapter four outlines an
illustrative history of the development, cracking, and improvement of
one particular algorithm, demonstrating the mathematical work
necessary to each step.  Knapsack type problems and theories are
explained in chapter five.  Chapter six deals with the currently very
highly regarded elliptic curve algorithms, and is backed up with an
even more extensive appendix on hyperelliptic curves.

This is not an introduction.  It is intended as a text for graduate
(or possibly advanced undergraduate) work, and requires a solid
background in mathematics or engineering.  For those seriously
interested in cryptography, though, it is worth the work.

copyright Robert M. Slade, 2001   BKALASCR.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The great majority of mankind is satisfied with appearances, as
though they were realities, and is often even more influenced by
the things that seem than by those that are.   - Niccolo Machiavelli
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#322 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Feb 5, 2002 3:59 pm
Subject: REVIEW: "CISSP Examination Textbooks", S. Rao Vallabhaneni
secgloss
BKCISPET.RVW   20011122

"CISSP Examination Textbooks", S. Rao Vallabhaneni, 2000, , U$213.00
%A   S. Rao Vallabhaneni srvbooks@...
%C   P.O. Box 681354, Schaumburg, IL   60168-1354
%D   2000
%I   SRV Professional Publications
%O   U$99.00 per volume 847-330-0126 www.srvbooks.com
%P   ~500 p. per volume
%T   "CISSP Examination Textbooks" (vol 1 Theory, vol 2 Practice)

These books will not help you study for or write the CISSP (Certified
Information Systems Security Professional) exam.

These books may, in fact, make your study more difficult, and your
chances of passing the exam more remote.

At the very best, the time you spend studying these books will be
wasted, when you could have been reviewing other, more useful
material.

If I went back through the files I might be able to find one, but, off
the top of my head, I cannot recall a technical book with a poorer
structure, organization, or grasp of the titular material.  Many
authors fail to do full research.  A large number present the content
in a disorganized manner, forcing the reader to do more work.  Some
have their own idiosyncratic definition of the topic, and may be
slightly misleading in what they deliver.  Seldom do the confluences
of those aspects reach the depths of uselessness seen in these
volumes.

While the (ISC)2 (International Information Systems Security
Certification Consortium) CBK (Common Body of Knowledge) domain
structure can be problematic, the "Theory" volume does not seem to
follow either the (ISC)2 study guide nor the CBK course outline.
Point or section numbering is inconsistent, making it difficult even
to follow the material.  Tables and illustrations are unclear, and
either baldly repeat surrounding text, or have no relation to it.
(Tables are often carelessly broken between pages, making reading of
the charts and also surrounding text extremely difficult.)  There are
endless mistakes in spelling, grammar, and sentence or paragraph
structure.  Non-standard terms are used, and not defined.
Occasionally small variations in phraseology seem to imply different
topics that further (and pointless) study reveals to be identical.
Major headings are sometimes simply printed, and are not explained or
introduced.  Certain topics and phrases are heavily emphasized,
although not defined, and many of these are the most minor of issues
in terms both of security and of the CISSP exam.  Much of the
technical material is confused, such as an analysis of the
correspondence between "ISDN and OSI networks," which is something
like comparing apples and juice extractors.  The text contradicts
itself frequently: a simple list of firewalls on one page does not
relate to another three pages later.  Some technologies have only one
aspect explained, others are touched on without mentioning inherent
dangers, others are so confused that closely related topics end up
being set in opposition to each other.  (The malware definitions,
needless to say, are appalling.)

The "Practice" volume is a set of multiple choice questions supposedly
similar to those you would encounter on the CISSP exam itself.  Only
those on the exam committee would be able to say, for certain, how
close these questions come to the real thing, but I can say that, in
terms of information security, a great many of these questions simply
make no sense.  The quality of the second volume seems to approximate
that of the first.

I must say that, while the books and the Web site do carry a
disclaimer that the tomes are not endorsed by (ISC)2, I am slightly
appalled that (ISC)2 has not objected to the use of this particular
name.  In fact, these books appear on the (ISC)2 resource list.
Which, itself, carries a disclaimer that such a listing does not imply
any endorsement.  Even so, the simple association gives the work a
cachet that is wholly undeserved, and probably misleading.

At the risk of repeating myself, if you are studying for the CISSP:

Do not buy these books.

If you have bought these books, do not read them.

(If you have passed the CISSP, you can, of course, do whatever you
wish.)

copyright Robert M. Slade, 2001   BKCISPET.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
This message contains not less than 70% post consumer electrons
and not less than 80% post harangue opinions.  Please recycle.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
