techbooks · Internet Review Project
Messages 319 - 348 of 901
#319 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 7, 2002 6:01 pm
Subject: REVIEW: "Incident Response", Kenneth R. van Wyk/Richard Forno
secgloss
BKINCRES.RVW   20011001

"Incident Response", Kenneth R. van Wyk/Richard Forno, 2001,
0-596-00130-4, U$34.95/C$52.95
%A   Kenneth R. van Wyk ken@...
%A   Richard Forno rick@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   0-596-00130-4
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$52.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   214 p.
%T   "Incident Response"

Incident response has, in the past, received short shrift in security
literature.  It is also a rather vague term: what type of an incident
are we talking about?  How big?  What type of response are we
considering?  Protective?  Defensive?  Offensive?  The authors have
provided us a starting point for consideration and the benefit of some
years of experience, but this work is, unfortunately, less detailed
than it might have been.

Chapter one does not do a good job of defining incident response: the
examples are instructive, but the material wanders through a number of
topics without developing any central focus.  There is an examination
of the strengths and shortcomings of various types of response teams,
such as those internal to companies, related to vendors, or
established by security management companies, in chapter two.
Planning, in chapter three, has some good points to consider, but
doesn't offer a lot of guidance.  Chapter four, entitled "Mission and
Capabilities," seems to be the core of the book, touching on staff,
positions, training, legal considerations, procedures, and other
issues.  A wide-ranging list of attack types, albeit with very terse
descriptions, is given in chapter five.  The incident handling model
presented in chapter six is vague but reasonable.  Chapter seven
contains quick overviews of a number of detection tools, mostly
software.  A few resources, generally Web sites, are given in chapter
eight.

This book is the result of considerable background and practice.
While there are no obvious errors and the material presents good
advice, it is hard to be excited about the result.  Overall, the book
seems to lack direction, and fails to present a structured and clear
guide to the preparations necessary for dealing with computer
incidents.  However, in the absence of other material it is better
than nothing, and does raise the issues to be addressed.

In response to the first draft of this review, one of the authors has
responded that the intent of the book was not to address the
techniques of incident response, but to provide management with an
understanding of the subject.  That statement fits with the text, but
is in some opposition to the assertion in the preface that the book is
aimed at all who would need to respond to incidents, including systems
administrators and other technical people.

copyright Robert M. Slade, 2001   BKINCRES.RVW   20011001


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The magnificent and the ridiculous are so close that they touch.
                                            - Le Bovier de Fontenelle
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#320 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 21, 2002 4:02 pm
Subject: REVIEW: "The Raptor Virus", Frank Simon
secgloss
BKRPTRVR.RVW   20011122

"The Raptor Virus", Frank Simon, 2001, 0-8054-2339-7, U$12.99
%A   Frank Simon
%C   127 Ninth Avenue North, Nashville TN   37234
%D   2001
%G   0-8054-2339-7
%I   Broadman & Holman Publishers
%O   U$12.99 615-251-2000 fax 615-251-2701 broadmanholman@...
%P   344 p.
%T   "The Raptor Virus"

The action is good.  In places.  The dialogue is stilted, alternately
racing through plot developments and turgidly spending whole pages on
irrelevancies.  The characters are inconsistent, sometimes undergoing
radical personality changes from one chapter to the next.
A few sections seem to be early versions of some chapters that have
been left unmodified even though the author subsequently changed his
mind about one of the characters.  In fact, at times, the plot seems
to "undevelop," and run backwards.

Throughout most of the book the overall feeling is one of a
sentimentality syrupy enough to engender tooth decay.  (Simon also
seems determined to prove that even Christians can get all steamy
about sex, coming up with a kind of chaste soft porn.)

The Review Project's Hong Kong correspondent had a few comments.  The
Special Administrative Region's residents apparently find this book
the funniest read since the Hitchhiker's Guide to the Galaxy.  Never
mind that the motivation of the evil Chinese is totally out of touch
with the Chinese mindset, or that people in Hong Kong suddenly speak
Mandarin instead of Cantonese, or that you *can't* run across
Connaught Road, or that you get on trams at the back, and pay as you
get off at the front, or that freighters don't go anywhere near the
yacht club or North Point, or that The Peak isn't actually a peak at
all (and no longer bears Victoria's name), or that the Peak Tram
doesn't have dual tracks, and rests against bumpers at the bottom
anyway, or that businessmen here speak American dialect, not British,
or that you can't see the bus loop from the Star Ferry ...

Well, enough of pretending I'm a real book reviewer.  Let's cut to the
tech.

Sorry, there isn't any.

About all I can tell you about the Raptor Virus itself is that it
isn't a virus.  It's a kind of time-based logic bomb.  It's embedded
in chips.  While they don't exactly "blow up real good," they do
manage to generate a lot of smoke when they go off.  (We all know that
computers work by smoke and mirrors, and when you let the smoke out,
they don't work anymore, right?  Despite the fact that software
failures almost never cause hardware damage.)

What kind of chips?

Doesn't say.

Why are they essential to all kinds of utility equipment?

Doesn't say.

How is it that one company has managed to get a complete lock on
manufacturing of this apparently vital component?

Doesn't say.

How is it that this "added feature" manages to escape detection by all
kinds of Y2K paranoid testers, and those who are thinking ahead to the
End of Seconds for UNIX?

Doesn't say.

There are other technical problems.  Some mileages and speeds don't
add up.  Train system procedures pretty much universally state that,
in the absence of valid traffic control signals, you proceed slowly
enough that you can stop within half the distance you can see, not go
barrelling down the track as fast as you can.  The communications gear
harks back to the days of suitcases full of equipment, rather than
Iridium handhelds.

I don't suppose the book would manage to capture a Bulwer-Lytton
award, but it comes close.

copyright Robert M. Slade, 2001   BKRPTRVR.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Techbooks subscription form http://www.eGroups.com/list/techbooks/
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#321 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 28, 2002 3:37 pm
Subject: REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz
secgloss
BKALASCR.RVW   20011122

"Algebraic Aspects of Cryptography", Neal Koblitz, 2001,
3-540-63446-0, U$64.99
%A   Neal Koblitz koblitz@...
%C   175 Fifth Ave., New York, NY   10010
%D   1998
%G   3-540-63446-0
%I   Springer-Verlag
%O   U$64.95 212-460-1500 800-777-4643
%P   206 p.
%T   "Algebraic Aspects of Cryptography"

When certain technical people find out that I am involved in data
security, they assert an interest in cryptography, and an intention to
write a cryptographic program sometime.  While I do not wish to
disparage this goal, questioning of the individual's background in mathematics
tends to point out that the task is harder than they might have
foreseen.  The magic phrase "number theory" is usually the dividing
line.  For those who make it past that limit, I am going to recommend
that they get Koblitz's work.  Not that I am implying that this book
is more demanding than it needs to be: only that the topic itself is a
difficult one.

This is the heart of cryptology: the underlying foundations that make
it work.  The material presented does not address specific programs,
standards, or even algorithms, but deals with the basic mathematical
theory that can be used to construct algorithms, or test their
strength.

Chapter one is something of an overview, touching on many fields of
cryptography and introducing an appropriate and exemplar equation for
each.  Theories related to the strength of cryptographic algorithms
are given in chapter two.  Basic algebra associated with primes is
discussed in chapter three, underlying the more common asymmetric
(public key) systems such as RSA.  Chapter four outlines an
illustrative history of the development, cracking, and improvement of
one particular algorithm, demonstrating the mathematical work
necessary to each step.  Knapsack type problems and theories are
explained in chapter five.  Chapter six deals with the currently very
highly regarded elliptic curve algorithms, and is backed up with an
even more extensive appendix on hyperelliptic curves.

This is not an introduction.  It is intended as a text for graduate
(or possibly advanced undergraduate) work, and requires a solid
background in mathematics or engineering.  For those seriously
interested in cryptography, though, it is worth the work.

copyright Robert M. Slade, 2001   BKALASCR.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The great majority of mankind is satisfied with appearances, as
though they were realities, and is often even more influenced by
the things that seem than by those that are.   - Niccolo Machiavelli
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#322 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Feb 5, 2002 3:59 pm
Subject: REVIEW: "CISSP Examination Textbooks", S. Rao Vallabhaneni
secgloss
BKCISPET.RVW   20011122

"CISSP Examination Textbooks", S. Rao Vallabhaneni, 2000, U$213.00
%A   S. Rao Vallabhaneni srvbooks@...
%C   P.O. Box 681354, Schaumburg, IL   60168-1354
%D   2000
%I   SRV Professional Publications
%O   U$99.00 per volume 847-330-0126 www.srvbooks.com
%P   ~500 p. per volume
%T   "CISSP Examination Textbooks" (vol 1 Theory, vol 2 Practice)

These books will not help you study for or write the CISSP (Certified
Information Systems Security Professional) exam.

These books may, in fact, make your study more difficult, and your
chances of passing the exam more remote.

At the very best, the time you spend studying these books will be
wasted, when you could have been reviewing other, more useful
material.

If I went back through the files I might be able to find one, but, off
the top of my head, I cannot recall a technical book with a poorer
structure, organization, or grasp of the titular material.  Many
authors fail to do full research.  A large number present the content
in a disorganized manner, forcing the reader to do more work.  Some
have their own idiosyncratic definition of the topic, and may be
slightly misleading in what they deliver.  Seldom do the confluences
of those aspects reach the depths of uselessness seen in these
volumes.

While the (ISC)2 (International Information Systems Security
Certification Consortium) CBK (Common Body of Knowledge) domain
structure can be problematic, the "Theory" volume does not seem to
follow either the (ISC)2 study guide or the CBK course outline.
Point or section numbering is inconsistent, making it difficult even
to follow the material.  Tables and illustrations are unclear, and
either baldly repeat surrounding text, or have no relation to it.
(Tables are often carelessly broken between pages, making reading of
the charts and also surrounding text extremely difficult.)  There are
endless mistakes in spelling, grammar, and sentence or paragraph
structure.  Non-standard terms are used, and not defined.
Occasionally small variations in phraseology seem to imply different
topics that further (and pointless) study reveals to be identical.
Major headings are sometimes simply printed, and are not explained or
introduced.  Certain topics and phrases are heavily emphasized,
although not defined, and many of these are the most minor of issues
in terms both of security and of the CISSP exam.  Much of the
technical material is confused, such as an analysis of the
correspondence between "ISDN and OSI networks," which is something
like comparing apples and juice extractors.  The text contradicts
itself frequently: a simple list of firewalls on one page does not
relate to another three pages later.  Some technologies have only one
aspect explained, others are touched on without mentioning inherent
dangers, others are so confused that closely related topics end up
being set in opposition to each other.  (The malware definitions,
needless to say, are appalling.)

The "Practice" volume is a set of multiple choice questions supposedly
similar to those you would encounter on the CISSP exam itself.  Only
those on the exam committee would be able to say, for certain, how
close these questions come to the real thing, but I can say that, in
terms of information security, a great many of these questions simply
make no sense.  The quality of the second volume seems to approximate
that of the first.

I must say that, while the books and the Web site do carry a
disclaimer that the tomes are not endorsed by (ISC)2, I am slightly
appalled that (ISC)2 has not objected to the use of this particular
name.  In fact, these books appear on the (ISC)2 resource list.
Which, itself, carries a disclaimer that such a listing does not imply
any endorsement.  Even so, the simple association gives the work a
cachet that is wholly undeserved, and probably misleading.

At the risk of repeating myself, if you are studying for the CISSP:

Do not buy these books.

If you have bought these books, do not read them.

(If you have passed the CISSP, you can, of course, do whatever you
wish.)

copyright Robert M. Slade, 2001   BKCISPET.RVW   20011122


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
This message contains not less than 70% post consumer electrons
and not less than 80% post harangue opinions.  Please recycle.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#323 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Feb 12, 2002 3:56 pm
Subject: REVIEW: "Zimmerman's Algorithm", S. Andrew Swann
secgloss
BKZIMALG.RVW   20011126

"Zimmerman's Algorithm", S. Andrew Swann, 2000, 0-88677-865-4
%A   S. Andrew Swann (Steven Swiniarski)
%C   375 Hudson Street, New York, NY   10014
%D   2000
%G   0-88677-865-4
%I   DAW Books Inc.
%P   387 p.
%T   "Zimmerman's Algorithm"

A thriller should have a convoluted plot, but this one has slightly
too many twists and turns for comfort.  It's very difficult to keep
track of at least three sets of bad guys, and by the time the
penultimate plot is exposed I had a hard time caring who was
responsible.  Still the action is brisk, and the writing is lively and
interesting.

So is the fact that so much technology in the story is basically
correct.  The outcomes are sometimes questionable, such as a computer
made with superconducting materials that physically (and not just
electrically) degrade at room temperature.  But the fact that
researchers developing artificial materials are steadily working
towards room temperature superconductors is true.

The math isn't that bad, either.  There is a slight overemphasis on
the need for primes in encryption systems, but it is interesting to
see a recognition of the controversy over enormous computer generated
proofs.

The computer work is a bit weaker.  Genetic algorithms are not
terribly well explained in the computer world in general, so it isn't
surprising that the detail in the book is a bit fuzzy.  The discussion
of computer viruses as a form of artificial life is interesting, as is
the view of benignity as a survival factor, although the idea of
masses of undetected viruses hiding out on the Internet is a bit much.
(I must say, though, that, if you are going to propose the usual
undetectable virus, one that can write operating systems is a good
candidate.)

I would like to know whether the choice of name for the eponymous
mathematician was influenced by PGP.

copyright Robert M. Slade, 2001   BKZIMALG.RVW   20011126


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
It is interesting to note that before the advent of Microsoft
Windows, `GPF' was better known for its usage in plumbing:
Gallons Per Flush.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#324 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Feb 18, 2002 3:49 pm
Subject: REVIEW: "HTML & XHTML: The Definitive Guide", Chuck Musciano/Bill Kennedy
secgloss
BKHTMLDG.RVW   20011129

"HTML & XHTML: The Definitive Guide", Chuck Musciano/Bill Kennedy,
2000, 0-596-00026-X, U$34.95/C$51.95
%A   Chuck Musciano cmusciano@...
%A   Bill Kennedy bkennedy@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2000
%G   0-596-00026-X
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$51.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   680 p.
%T   "HTML & XHTML: The Definitive Guide", 3rd edition

If you are serious about designing documents and Web pages with HTML
(HyperText Markup Language) then you *must* have this book.

First of all, it *is* definitive.  Many books, though much longer,
don't begin to match the depth of this current work.  Musciano and
Kennedy cover the standard HTML up to 4.01 and XHTML 1.0, and, more
importantly, include the non-standard extensions of Netscape and
Internet Explorer.  The basics, text, rules, multimedia, links, lists,
forms, tables, frames and more are all thoroughly covered, point by
point and attribute by attribute.  There is even the SGML (Standard
Generalized Markup Language) DTD (Document Type Definition) for HTML
and the XML (eXtensible Markup Language) DTD for XHTML.  (This must be
definitive: it's the definition of the languages.)

Second, it *is* a guide, and a very good one.  Lemay's "Web Publishing
With HTML" (cf. BKWPHTML.RVW) is no longer as approachable as a
beginner's introduction to Web page creation, while Musciano and
Kennedy can easily welcome the newcomer as well.  The structure is
logical and the explanations are crystal clear.

In spite of all this, the book contains even more.  Web design is not
given a separate section, but seamlessly permeates every section of
the book.  Readers are constantly reminded that while extensions may
be fun, not everyone in the world has the same browser.  Alternative
methods are suggested for non-standard effects and functions.
Shortcuts, suitable to only one browser or server, are recommended
against in order to ensure the utmost compatibility with all systems.
The authors no longer have coverage of CGI (Common Gateway Interface)
programming, but they do explain the use of email to collect form
data, which is much more useful for maintainers of small Web sites
without access to extensive server functions.  The new chapter on XML
is brief, but is probably all that most people will need to know about
the language.

All this, and readable, too.  The content is straightforward and
lucid.  While you might not read this book for laughs, it is not the
tome to choose to put yourself to sleep at night, either.

I can recommend this book, without reservation, to anyone who wants to
learn HTML programming and use.  It is, still, the definitive guide
and the only one I find I need to keep on my shelf.

copyright Robert M. Slade, 1996 - 2001   BKHTMLDG.RVW   20011129


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
No matter how bad things get you got to go on living, even if it
kills you.                                         - Sholom Aleichem
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#325 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Feb 25, 2002 3:47 pm
Subject: REVIEW: "Upgrading and Repairing PCs", Scott Mueller
secgloss
BKUPRPPC.RVW   20011129

"Upgrading and Repairing PCs", Scott Mueller, 2002, 0-7897-2542-8,
U$59.99/C$89.95/UK#43.99
%A   Scott Mueller scottmueller@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   1999
%G   0-7897-2542-8
%I   Macmillan Computer Publishing (MCP)
%O   U$59.99/C$89.95/UK#43.99 800-858-7674 317-581-3743 info@...
%P   1556 p. + CD-ROM
%T   "Upgrading and Repairing PCs, Thirteenth Edition"

There are all kinds of computer help, repair, maintenance,
troubleshooting, and upgrading books on the market.  A great many try
to give you a quick overview of what you need to know.  With the
personal computer market expanding its options on a pretty much daily
basis, though, generally what you need is more in the line of an
encyclopedia.  *Your* particular problem tends to be the one left out.
This book, however, leaves very little out.

Chapter one is a short history of the PC since the first IBM PC in
1981, or actually slightly before.  The defining characteristics, and
components, of a PC are given in chapter two, including a very
realistic overview of the market and major players.  Microprocessor
information is given in chapter three.  However, this chapter is
unlike any I have ever seen in another repair or troubleshooting book.
There are tables and lists of detailed processor specifications,
including the most important for any upgrader--the socket sizes and
specifications.  The chapter proceeds through conceptual material
first and then in turn through all kinds of individual processors, so
at first run it can be a bit confusing.  The motherboard is covered in
chapter four, with form factors, chipsets, interface connectors, and
bus sockets.  In this edition, the BIOS gets space of its own in
chapter five.  The various types and functions of memory, with
attention to practical as well as theoretical details, are described
in chapter six.

Chapters seven and eight look in detail at the IDE (Integrated Drive
Electronics) and SCSI (Small Computer Systems Interface) interfaces.
General principles of magnetic storage are given in chapter nine, with
specifics of hard and floppy disks, removable storage, and optical
drives in ten to thirteen, successively.  Drive installation is
covered in chapter fourteen.

Display hardware is outlined in chapter fifteen, with information on
both monitors and adapters.  Audio hardware is a new addition in
chapter sixteen.  Chapter seventeen provides useful specifics on I/O
ports, dealing with serial and parallel ports, port replacement
technologies, and storage interfaces.  Keyboards and mice are covered
in significant detail in chapter eighteen.  Chapter nineteen, entitled
"Internet Connectivity," looks at a broad range of communications
hardware.  It provides a good deal of information, and has improved
substantially over past editions.  Local area networks, in chapter
twenty, fare well.  Chapter twenty one gets into the area that
possibly causes the most trouble, and therefore has the greatest
potential for usefulness, in PC hardware: power supplies, the NVRAM
(better known, if slightly inaccurately, as CMOS) battery, and even
UPS (Uninterruptible Power Supply) systems.  There are some
interesting points about portable computers in chapter twenty two.

Chapter twenty three looks at building a system, and, while there is
some duplication of material covered in earlier chapters, there is a
good deal of new content as well.  Diagnostics, testing, and
maintenance provides a lot of very practical advice, although the
sequence of topics in chapter twenty four can be jumpy at times.
(Given the scope of the rest of the book, the dismissal of viruses in
a single paragraph is disappointing: and unfortunately consistent with
what I have seen in all too many computer retail and repair shops.)
File systems and data recovery are covered well in chapter twenty
five.  The appendices in this edition are rather curtailed.  However,
the CD-ROM contains full versions of the sixth, eighth, tenth,
eleventh, and twelfth editions, so missing chapters, such as those on
printers and software troubleshooting, can still be found.

I can say with assurance that none of the books on upgrading or repair
of personal computers has had the scope of this one.  This is not
simply due to the size, although that certainly helps.  The material
is readable and clear, and there is very little fluff.  Certainly some
sections are not quite up to the overall standard; in particular, more
recent technologies tend to have hastily assembled entries; but for
the central unit itself, the book is without peer.  I can readily
agree with the rather effusive book jacket comments: they are not, as
I first thought, mere hype.  For anyone involved in computer
maintenance and repair, be it in a retail or technical support role,
this reference has immense value.  And for serious hobbyist users, it
can provide a great deal of interest, as well as definite help when
you need it.

copyright Robert M. Slade, 1998, 1999, 2001   BKUPRPPC.RVW   20011129


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
     Lucien, you got some 'splainin' to do!  - Double Exposure
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#326 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Mar 4, 2002 3:44 pm
Subject: REVIEW: "Security Fundamentals for E-Commerce", Vesna Hassler
secgloss
BKSCFUEC.RVW   20020108

"Security Fundamentals for E-Commerce", Vesna Hassler, 2001,
1-58053-108-3, U$83.00
%A   Vesna Hassler hassler@...
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-108-3
%I   Artech House/Horizon
%O   U$83.00 800-225-9977 fax: 617-769-6334 artech@...
%P   409 p.
%T   "Security Fundamentals for E-Commerce"

"The purpose of this book is to give an in-depth overview of all the
basic security problems and solutions that can be relevant for an
e-commerce application."  I'm sorry, but "in-depth overview" sounds a
bit like "jumbo shrimp": it's an oxymoron.  And "all the basic
security problems and solutions that can be relevant for an e-commerce
application" covers a lot of ground.  (Which is, I suppose, why this
text has twenty two chapters.)

Part one explains the basics of information security.  Chapter one
defines some of the basic jargon, but misses a number of the important
fundamental terms.  For example, the relationship between threats,
vulnerabilities and exploits is fairly basic to security and risk
analysis, and yet all security problems seem to be lumped together as
threats.   The examination of security mechanisms, in chapter two, is
limited to cryptography.  Key management is restricted to X.509
certificates and Diffie-Hellman in chapter three.

Part two looks specifically at security of electronic payment systems.
Chapter four briefly lists a wide variety of payment systems.  A terse
set of payment security problems is given in chapter five, while some
seemingly random cryptographic solutions are given in six.  A little
bit of math for functions directed at electronic cash and cheques is
presented in chapters seven and eight, respectively.  Chapter nine
describes the Internet Open Trading Protocol.

Part three deals with communications security.  Chapter ten is a
general look at networking.  Chapters eleven to fourteen examine
different systems for security at different layers, but the depth of
coverage is very inconsistent: extremely terse in some cases, with
many gaps, and yet delving into minute detail in others.

Part four examines Web security.  Chapter fifteen details the
HyperText Transfer Protocol (HTTP), which is good, since few texts
bother to do so.  Random topics related to Web servers make up chapter
sixteen.  Web client security topics are dealt with somewhat better in
chapter seventeen, although cookies aren't given any significant
discussion.  Active content does get its own chapter: eighteen
concentrates almost exclusively on Java.  Chapter nineteen contains
miscellaneous topics.

Part five covers some special issues for mobile or agent computing.
Agent technology is described in chapter twenty, some cellular phone
topics are reviewed in twenty one, and smart card security is
discussed in twenty two.

Well, overview it is.  The book does cover a variety of topics,
although there are a great many gaps and holes.  However, "in-depth"
can't be supported, except in a very few cases.  There are some topics
that are discussed in excruciating detail, but they are definitely in
the minority.  As a college text this undoubtedly has its uses, but
professionals or businesspeople will find the inconsistent coverage
problematic.

copyright Robert M. Slade, 2002   BKSCFUEC.RVW   20020108


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I've got a PhD and no one listens.  I take off my clothes off,
and here you all are.           - Briony Penn to the media, 20010123
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#327 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Mar 12, 2002 3:49 pm
Subject: REVIEW: "Incident Response", Kevin Mandia/Chris Prosise
secgloss
BKINCDRS.RVW   20020108

"Incident Response", Kevin Mandia/Chris Prosise, 2001, 0-07-213182-9,
U$39.99
%A   Kevin Mandia mandiak@...
%A   Chris Prosise authors@...
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2001
%G   0-07-213182-9
%I   McGraw-Hill Ryerson/Osborne
%O   U$39.99 905-430-5000 fax: 905-430-5020
%P   509 p.
%T   "Incident Response: Investigating Computer Crime"

Part one is supposed to provide us with the basics of incident
response.  Despite the assertion, in the introduction, that such
response deals with much more than computer crime and that incidents
can vary widely, chapter one details a deliberate and malicious
intrusion into a computer system, by an incredibly inept attacker,
using inside information.  Chapter two provides a definition of
incident response, but it does lean heavily towards crimes, law
enforcement involvement, and directed attacks.  The material also
assumes that an incident response team can be called upon or formed at
short notice.  The suggestions for advance preparation, in chapter
three, do cover a broad range, but the writing is not always
organized, and the material has gaps and covers many topics
superficially.

Part two purports to deal with technical issues.  Chapter four deals
with guidelines for investigations, but, again, concentrates only on
directed attacks from outside the organization.  The computer forensic
process, in chapter five, is limited to retention and copying of
evidence.  There is a rather terse review of Internet Protocol header
information in chapter six.  Chapter seven lists some information
related to network monitoring and logging.  "Advanced Network
Surveillance" (chapter eight) examines a few of the more convoluted
exploits.

Part three describes operating system functions associated with system
investigation.  Chapters nine to twelve list a number of utility
programs that can be used to obtain system information.

Part four is a grab bag of material dealing with special topics,
chapter thirteen dealing with routers, fourteen the Web, and fifteen
various servers.  A number of security and security breaking tools are
enumerated in chapter sixteen.

The emphasis in this book is adversarial: seeing incident response as
primarily a matter of active defence against an active attacker.  Most
companies will probably see incident response as a matter related to
technical support: an endless stream of incidents, most of which are
trivial, and a select few of which indicate serious problems.  As
such, the book does, occasionally, point out some matters to consider,
and possibly new practices to adopt in order to deal with those
isolated events that are important enough to turn over to law
enforcement agencies.  However, overall, the text does not provide
much guidance in preparing for and responding to serious incidents.

copyright Robert M. Slade, 2002   BKINCDRS.RVW   20020108


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
A doctor's reputation is made by the number of eminent men who
die under his care.                            - George Bernard Shaw
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#328 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Mar 18, 2002 7:57 pm
Subject: REVIEW: "Authentication: From Passwords to Public Keys", Richard E. Smith

BKAUTHNT.RVW   20020220

"Authentication: From Passwords to Public Keys", Richard E. Smith,
2002, 0-201-61599-1, U$44.99/C$67.50
%A   Richard E. Smith
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2002
%G   0-201-61599-1
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$67.50 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   549 p.
%T   "Authentication: From Passwords to Public Keys"

Chapter one looks at the history and evolution of password technology,
and introduces a system of discussing attacks and defences that
provides an easy structure for an end-of-chapter summary.  A more
detailed history appears in chapter two, while chapter three discusses
the enrolling of users.

Chapter four is rather odd: it brings up the concept of "patterns" as
defined in the study of architecture, but doesn't really explain what
this has to do with authentication or the book itself.  The closest
relation seems to be the idea of determining a security perimeter.
The material poses a number of authentication problems and touches on
lots of different technologies, but the various difficulties are not
fully analyzed.

Chapter five is supposed to be about local authentication, but mostly
examines encryption.

Strangely, chapter six inveighs against the complex rules for password
choice and management that are commonly recommended--and then adds to
the list of canons the requirement to assess the security of a system
when choosing a password.  Ultimately the text falls back on the
traditional suggestions, with a few good suggestions for password
generation.  This place in the text also marks a change in the volume:
the content moves from a vague collection of trivia to a much more
practical and useful guide.

Chapter seven is a decent overview of biometrics, although there is an
odd treatment of false acceptance and rejection rates, and some
strange opinions.  Authentication by address, emphasizing IP spoofing,
is covered in chapter eight, while hardware tokens are discussed in
chapter nine.  Challenge/response systems are reviewed in chapter ten,
as well as software tokens.  Indirect or remote authentication,
concentrating on the RADIUS (Remote Authentication Dial In User
Services) system, is examined in chapter eleven.  Chapter twelve
outlines Kerberos, and has a discussion of the Windows 2000 version,
albeit with limited analysis.  The study of public key (asymmetric)
cryptography in chapter thirteen would be more convincing with just a
few more sentences of explanation about how keys are established.
Chapter fourteen talks about certificates and signing, while fifteen
finishes with some vague thoughts on password storage.

After a slow (but interesting) start, the book does have a good deal
of useful material in the later chapters.  Long on verbiage and a bit
short on focus, this text does have enough to recommend it to security
practitioners serious about the authentication problem.

copyright Robert M. Slade, 2002   BKAUTHNT.RVW   20020220


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Your e-mail has been returned due to insufficient voltage.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#329 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 14, 2002 3:34 pm
Subject: REVIEW: "Counter Hack", Ed Skoulis

BKCNTRHK.RVW   20011023

"Counter Hack", Ed Skoulis, 2002, 0-13-033273-9, U$49.99/C$75.00
%A   Ed Skoulis
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2002
%G   0-13-033273-9
%I   Prentice Hall
%O   U$49.99/C$75.00 800-576-3800 416-293-3621
%P   564 p.
%T   "Counter Hack"

Chapter one, as in many texts, is an introduction to the book, but is
unusually important in this case.  First, Skoulis lays out the
philosophy behind the work.  While the text of the book does
concentrate on attacks, the author points out that invaders already
have other sources of information.  Further, Skoulis proposes that a
detailed, complete, and integrated examination of representative
samples of classes of attacks will provide an outline of defensive
measures that can protect against a wide variety of assaults.

A second point in this introduction is a brief examination of the
character of attackers.  Skoulis does point out that those who attempt
to penetrate computer and communications security do so from a
diversity of motivations and skill levels.  However, he does tend to
overstress the participation of "professional hackers," proposing that
industrial espionage, terrorism, and organized computer crime
activities are common.  Certainly such campaigns may become common,
making the need for pre-planning even more important, but the vast
majority of endeavors we are seeing at present are amateur efforts.

Finally, the introduction recommends the establishment of a computer
security test laboratory, which is an excellent idea for any large
corporation, but probably is not within the financial, personnel, or
educational reach of even medium sized businesses.

Chapter two provides a background in TCP/IP for the purposes of
discussing networking offence and defence.  There are frequent forward
references to later sections of the book that deal with network
attacks.  The material could, however, have been condensed somewhat to
emphasize those aspects of the protocols that are closely related to
security.  UNIX and Windows (NT and 2000) are similarly covered in
chapters three and four, and, again, the text could be tightened up by
focusing on safety factors.

Chapter five points out the ways in which people can obtain data in
order to direct and mount an attack.  While the content is
informative, and there are a few suggestions for restricting the
release of such intelligence, the defensive value of the text is
limited.  The information gathering process continues in chapter six
with war dialling and port scanning.  Defences against application and
operating system attacks are covered a bit better than in most
"hacking" books (there are descriptions of buffer overflow detection
tools), but the protective value of chapter seven is still
questionable.  Chapter eight examines network sniffing, scanning,
spoofing, and hijacking.  Denial of service is covered well in chapter
nine.  Various examples of malware are described in chapter ten.
Chapter eleven deals with the means used to hide an attack.

A number of scenarios are created in chapter twelve.  Chapter thirteen
describes some resources for keeping up with the latest computer
vulnerabilities.

Recently there has been a flood of books to the security marketplace,
all based on the premise that if you know how to attack a system, you
will know how to defend it.  Skoulis has done a better job than most,
but the thesis is still unproven.  Yes, knowledge of the details of an
attack does help you fine tune your defence.  Yes, providing specifics
of an example of a class of attacks does help you consider a
protective mechanism that might work against a whole class.  Yes,
Skoulis does recommend safeguards for most of the attacks listed.  But
taking a crowbar to a padlock still doesn't teach you locksmith
skills.

copyright Robert M. Slade, 2001   BKCNTRHK.RVW   20011023


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Health nuts are going to feel stupid someday, lying in hospitals
dying of nothing.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#330 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Mar 26, 2002 3:45 pm
Subject: REVIEW: "Computer Forensics", Warren G. Kruse II/Jay G. Heiser

BKCMPFRN.RVW   20020221

"Computer Forensics", Warren G. Kruse II/Jay G. Heiser, 2001,
0-201-70719-5, U$39.99/C$59.95
%A   Warren G. Kruse II wkruse@...
%A   Jay G. Heiser
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2002
%G   0-201-70719-5
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   392 p.
%T   "Computer Forensics: Incident Response Essentials"

I'm still disappointed that authors seem to think computer forensics
is limited to data recovery, but this work at least has utility value
going for it.

Chapter one is a rough outline of data recovery, with an emphasis on
documentation and the chain of evidence.  Basic information about IP
addressing, for the purpose of tracing intruders, is given in chapter
two: it is useful and does not drown the reader in inconsequential
details.  (There is an oddly vitriolic dismissal of the story of the
origin of the term for Packet INternet Groper.)  A valuable discussion
of email headers, and a very terse outline of intrusion detection
systems (IDS) are also included.  Hard drive basics and concepts are
given in chapter three.  The material is generally good, but some
points on imaging and connecting are passed over rather quickly.
Chapter four has a reasonable high-level overview of encryption
abstractions, but it is difficult to see the immediate relevance of
the material to forensics.  "Data Hiding," chapter five, contains some
meandering topics that range from password cracking to NTFS (NT File
System) streams to steganography.  A few tools for dealing with these
problems are listed.  The description of hostile code, in chapter six,
matches that of weeds in gardening: anything you don't want.  It is,
therefore, unsurprising to find that the content, while basically
sound, is not particularly structured or helpful.

A list of software (and some hardware) tools are described in chapter
seven.  Chapter eight explains a number of points about the Windows
operating system that might affect data recovery and forensics.  (The
material discussed is not, unfortunately, exhaustive, although it is
very useful as far as it goes.)  The introduction to UNIX, in chapter
nine, is more structured and detailed, although it examines fewer
specific tools.  Chapter ten's general overview of an attack on a UNIX
system is fairly standard, although there is a useful table of
commonly compromised system utilities.  A wide variety of tools and
commands for collecting information from and about UNIX systems is
given briefly in chapter eleven.

Chapter twelve is a short introduction to general concepts in the (US)
law enforcement system.  The last chapter is a rather abrupt finish to
the book.  There are seven appendices, the most useful of which is a
handy point form overview of incident response activities.

Computer forensics books are starting to come out of the woodwork, and
most offer such sage advice as "gather evidence" and "don't mess up
the chain of custody."  This book does tend to follow the same style
and tone, but also has very valuable tips for practical work.  It
won't help you much in analysis, but it will help you become better at
collecting data that will stand up in court.

copyright Robert M. Slade, 2002   BKCMPFRN.RVW   20020221


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Nam tua res agitur, paries cum proximus ardet.
- For it is your business, when the wall next door catches fire.
                                                   - Horace, Epistles
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#331 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Apr 2, 2002 4:32 pm
Subject: REVIEW: "Hacker's Challenge", Mike Schiffman

BKHKRCHL.RVW   20020221

"Hacker's Challenge", Mike Schiffman, 2001, 0-07-219384-0, U$29.99
%A   Mike Schiffman
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2001
%G   0-07-219384-0
%I   McGraw-Hill Ryerson/Osborne
%O   U$29.99 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
%P   355 p.
%T   "Hacker's Challenge"

Initially, I was skeptical of the title, considering the wording to be
simply jumping on the current security bandwagon, with "hacker" this
and "hacker" that on every bookshelf.  In an odd way, however, the
title is quite appropriate.  This volume contains a series of twenty
tests that are supposed to challenge your ability to analyze network
data (most of the scenarios are network based) in order to identify
and assess intrusions.  Unfortunately, there are some problems in the
implementation.

The book is divided into two parts.  First come the twenty scenarios,
with varying types and degrees of detail about the problems.  Then
come twenty "solutions," which are supposed to point out how you
should have approached the situation, and what indicators should have
tipped you off to the intrusion and intruder.  This physical division
is rather meaningless: it isn't as if the solutions were short phrases
that had to be printed upside down at the bottom of the page so that
the reader doesn't inadvertently read the answer to the riddle while
thinking about it.  There is no reason that the solutions could not
immediately follow the stories.

Actually, the pieces were written by thirteen different authors, and
the amount of detail varies tremendously.  Therefore, all the possible
mistakes that could be made in a work of this type are represented.
Sometimes the audit logs presented to us in the scenario contain the
relevant details and very little else, but the explanation is very
sparse.  In other pieces readers are presented with huge amounts of
log data, and the relevant points are lost.  There are scenarios which
are not complete, and the data necessary to solve the problem is not
given until the solution write-up.  A few pieces contain almost no
data for the reader in the problem section, while the solution
presents almost no detection information or forensic exegesis.  In one
case we are given pages of log data and almost no analysis at all in
the solution.  There are articles that simply reproduce earlier
situations with different characters.  One solution makes no sense in
terms of the data given in the problem outline.  Some pieces are
unclear, some simplistic, and some can only be described as
misleading.

The occasional scenario is written up almost poetically, and isolated
solutions do have tutelary explanations of how to read network audit
logs.

If you are very good at forensic network analysis, you might enjoy
pitting yourself against these challenges.  Of course, if you are good
at forensic network analysis you have more work than you can handle,
and no time for games.  If you are weak at network analysis, this book
doesn't have very much to help you out.

copyright Robert M. Slade, 2002   BKHKRCHL.RVW   20020221


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
I have never been hurt by anything I didn't say.   - Calvin Coolidge
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#332 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Apr 8, 2002 4:00 pm
Subject: REVIEW: "Teach Yourself XML in 21 Days", Devan Shepherd

BKTYXML2.RVW   20020212

"Teach Yourself XML in 21 Days", Devan Shepherd, 2001, 0-672-32093-2,
U$39.99/C$59.95/UK#28.99
%A   Devan Shepherd devan@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2001
%G   0-672-32093-2
%I   Macmillan Computer Publishing (MCP)
%O   U$39.99/C$59.95/UK#28.99 800-858-7674 317-573-2500 pr@...
%P   507 p.
%T   "Teach Yourself XML in 21 Days"

This book does have fairly complete coverage of XML (eXtensible Markup
Language), and all its related technologies, but one thing it does not
have is good explanations.  The examples are neither clear nor
complete.  It is just barely possible that you could teach yourself
XML with this text, but it would take considerable effort.

Part one is supposed to be about markup basics.  Chapter one is a poor
overview of markup languages.  While it does stress that XML is a meta
language, it also confuses the function of XML with that of HTML
(HyperText Markup Language).  There is some review of XML syntax in
chapter two, but only in terms of filling in elements after they have
been defined.  Validity is explored, though neither clearly nor
convincingly, in chapter three.  Chapter four does explain DTDs
(Document Type Definitions) clearly and well.  The material is
frustrating, however, in that, of the examples given in earlier
chapters, primarily the third, and least interesting, example is
expanded.  The explanation of XDR (XML Data Reduced Schema), provided
in chapter five, is limited, questionable, sometimes contradictory,
and does not explain usage very well.  Chapter six's review of the XML
Schema Definition Language (XSD) has examples, but the exegesis is
almost incomprehensible, even if you know something of XML.  The
material on XML entities, in chapter seven, is easier but still
problematic: reordering the material might help significantly.

Part two starts to get into the processing of XML.  Chapter eight goes
to great lengths to explain why URIs (Uniform Resource Identifiers),
URNs (Universal Resource Names), and URLs (Universal Resource
Locators) are and should be unique, but fails to deal with how they
are used.  Diagrams showing how relative paths are like UNIX
directories still fail to demonstrate their employment in XML in
chapter nine.  There are confusing examples of Xlink and almost no
description of Xpointer in chapters ten and eleven.  Some references
to the Microsoft Document Object Model and a few JavaScript and
VBScript API commands (heavy on object addressing) take the place of
an outline of the XML Document Object Model in chapter twelve.
Chapter thirteen uses lots of Java code, unexplained, in place of a
discussion of the Simple API for XML (SAX).  A determined reader with
a technical background and a lot of time for experimentation can
possibly figure out the basic use of Cascading Style Sheets (CSS) from
chapter fourteen.  This actually makes it one of the more promising
chapters in the text.

Part three purports to put XML to work.  Chapter fifteen, supposedly
telling us about the eXtensible Stylesheet Language (XSL) concentrates
on using the eXtensible Stylesheet Language for Formatting Objects
(XSL-FO) to process a data file into an Acrobat .PDF.  XSL
Transformations (XSLT) isn't explained in detail but chapter sixteen
does seem like another potentially useful section.  Chapter seventeen
discusses the binding of XML data to HTML elements, but does not
clearly explain which part of a complex process does what.  The Xbase
and Xinclude commands seem to merit their own chapter (eighteen), but
the text is confused about why this is so.  Chapters nineteen, twenty,
and twenty one are uncompelling sales jobs about the use of XML for
business, e-commerce, and the Web.

Much of the material reads like a rote regurgitation of phrases that
the author does not fully understand.  The book does not demonstrate
evidence of an informed overview of XML and a clear direction for
passing the concepts along to readers.

This volume does a very poor job of teaching, and, while it is fairly
complete in regard to the scope of XML (particularly those adjunct
technologies that Microsoft would like to have included), the text is
too limited to act as a useful resource.  Unfortunately, I fail to see
a particular audience that would benefit from this work.

copyright Robert M. Slade, 2002   BKTYXML2.RVW   20020212


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
If liberty means anything at all, it means the right to tell people
what they do not want to hear.                        - George Orwell
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#333 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Apr 15, 2002 3:35 pm
Subject: REVIEW: "Handbook of Computer Crime Investigation", Eoghan Casey

BKCMCRIN.RVW   20020315

"Handbook of Computer Crime Investigation", Eoghan Casey, 2002,
0-12-163103-6
%E   Eoghan Casey
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   2002
%G   0-12-163103-6
%I   Academic Press/Academic Press Professional/Harcourt Brace
%O   U$39.95 800-321-5068 fax: 619-699-6380 dtrujillo@...
%P   448 p.
%T   "Handbook of Computer Crime Investigation"

This book is hard to read.  Not because of excessive technical rigour
or depth: quite the opposite.  The work lacks focus and direction, and
appears to be a compilation of components without an assembly diagram.
It's the type of material that might result from the "war stories"
told around a security seminar, after the core curriculum had been
taken away.

Chapter one is entitled "Introduction," but, other than a statement
that the book is supposed to be a resource for forensic examiners who
may have to deal with computerized systems, there is almost no
declaration of what the volume is about.  The remaining material in
the chapter, while it does have an obvious relation to the act of
obtaining evidence from computers, does not have any clear structure.
The points asserted are good advice, but appear to be relatively
random thoughts.  The text is neither readable nor lucid: in places it
seems more like a parody of obfuscated academic papers.  Chapter two
is somewhat more understandable, offering an outline on how to prepare
documentation for discovery.  Unfortunately, while it does deal with
some technical issues (original media is better than a bit-wise copy,
which is better than a copy of a file), the material concentrates on
lawyerly debates about what might be needed, and, after a great deal
of verbiage, boils down to the recommendation to produce all possible
documentation, but not too much.  (Where the material does get
technical it frequently goes too far, starting to deal with specific
pieces of software, rather than concepts.)

Part one looks at tools in forensic computing.  Unfortunately, to a
greater or lesser extent, the four chapters each deal only with a
single tool or vendor; EnCase, Cisco's NetFlow logs, Network Flight
Recorder, and NTI.

Part two is entitled technology: it looks at operating systems,
networks, and other system types.  Chapter seven provides some details
of the FAT (File Allocation Table) and NTFS (NT File System)
structures, as well as print spool files.  A miscellaneous collection
of information about UNIX files is given in chapter eight.  A
similarly unstructured compilation is listed in chapter nine, which
reviews network data.  Wireless network analysis, in chapter ten,
concentrates on cellular telephone systems, and really only throws out
generic information about such setups.  Chapter eleven's overview of
embedded systems varies between a similar generality and unhelpful
photographs of breadboarded circuits.

Part three provides three case studies.  While interesting (parts of
the third are especially amusing), they really don't provide much in
the way of assistance to anyone having to perform investigations.

The authors and contributors seem to be much more involved in the law,
and law enforcement, than in the technology of computer forensics.
The book has no framework or structure within which to place the many
details.  Therefore, the material simply blends into a haze of trivia,
rather than providing the promised handbook.  For those seriously
working in the field there are many helpful points of information, but
organizing them is left as an exercise to the reader.

copyright Robert M. Slade, 2002   BKCMCRIN.RVW   20020315


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Then Job replied: `How you have helped the powerless!  How you
have saved the arm that is feeble!  What advice you have offered
to one without wisdom!  And what great insight you have
displayed!  Who has helped you utter these words?  And whose
spirit spoke from your mouth?                           - Job 26:1-4
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#334 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon May 6, 2002 3:44 pm
Subject: REVIEW: "The Trigger", Arthur C. Clarke/Michael Kube-McDowell

BKTRIGGR.RVW   20020425

"The Trigger", Arthur C. Clarke/Michael Kube-McDowell, 2000,
0-553-57620-8
%A   Arthur C. Clarke
%A   Michael Kube-McDowell
%C   1540 Broadway, New York, NY 10036
%D   2000
%G   0-553-57620-8
%I   Bantam Books/Doubleday/Dell
%O   http://www.bdd.com webmaster@...
%P   626 p.
%T   "The Trigger"

It sometimes seems as if the recent spate of Clarke Collaborations is
an attempt to do in science fiction what Paul Erdos did in
mathematical literature (cf BKMBRNOP.RVW).

The eponymous "trigger" is a device that will explode (or, later,
render impotent) any gunpowder or explosives.  The book is an attempt
to explore the complex social ramifications of such a technology.  The
book is not simplistic in examining the issues, but is ultimately
quite limited.  The major conflict deals with the proponents of the
use of the technology against a collection of gun advocates, the least
irrational of which is a thinly disguised National Rifle Association.
Therefore, the main discussions in the novel will make little sense
for those who are not thoroughly familiar with the Second Amendment to
the Constitution of the United States of America.

Absent some minor discussions of the chemistry and formulation of
explosives, and a completely unexplained foray into optical wave
dynamics, there is no real technology involved in this book.  The
trigger technology never does develop a theoretical basis.  Indeed, in
the only attempt to do so, the narrative seems to imply that the
trigger is the long-fabled philosopher's stone--and then blithely
abandons that intriguing possibility.

More than plot potential is discarded in this work.  Characters, loose
ends, Futurians, red herrings, tests, villains, suppositions, and
voyages to other planets are left hanging throughout the book like
half of a shoe store's stock waiting to drop.  However sympathetic the
personae populating the story it is difficult, in the end, to really
care about any of them: how do you know whether it is going to be
worth the effort of working up any emotional contact with someone who
may disappear, never to be heard from again, on the next page?

The book winds up with a rather ironic contradiction of itself.
Towards the end we find a speech that should affect us deeply.  (It
is clear that we are to be stirred by this address: we are told so in
the book.)  It addresses the lamentable tendency of a creatively
bankrupt entertainment industry to turn, when all else fails, to
murders and mayhem that are completely at odds with reality.  Why
then, in a last ditch attempt to introduce tension to a book notably
lacking in force, do we finish up with kidnapping, torture, and
murder?

copyright Robert M. Slade, 2002   BKTRIGGR.RVW   20020425


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
   Inside some of us is a thin person struggling to get out,
   but he can usually be sedated with a few pieces of chocolate cake.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#335 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon May 13, 2002 7:56 pm
Subject: REVIEW: "CISSP (Exam Cram)", Mandy Andress

BKCISPEC.RVW   20020321

"CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6,
U$34.99/C$53.99/UK#24.49
%A   Mandy Andress
%C   14455 N. Hayden Road, Suite 220, Scottsdale, AZ  85260
%D   2001
%G   1-58880-029-6
%I   Coriolis
%O   U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
%P   265 p.
%T   "CISSP (Exam Cram)"

It is interesting, and somewhat disturbing, to note that while there
are a number of effusive quotes on and inside the cover extolling the
virtues of the Exam Cram series, none specifically mention this book.

Bound into the inside front cover is a cram sheet, with 50 points on
it that are obviously supposed to be vitally important to the exam.
Leaving aside both the simplistic nature of the information presented,
and the difficulty of answering a 250 question exam with a mere 50
points, we only have to get to the third point on the sheet before we
run into rather significant errors.  (Role-based access control is not
an alternative to discretionary or mandatory controls, but can
implement either.)  This does not bode well.

The introduction explains the CISSP (Certified Information Systems
Security Professional) designation.  The text makes frequent
references to the (ISC)^2 web site, but, since the recent site
redesign, all these URLs are incorrect.  There is also a short self-
assessment section, intended to help you determine whether or not you
are prepared for the exam, but the vague and generic metrics suggested
are unlikely to help determine your readiness.

Chapter one's discussion of the exam, and techniques for writing the
exam, does contain some useful recommendations (if you don't know,
answer anyway), but other advice is problematic, and may be
detrimental.  Access control, in chapter two, is the first of the ten
domains of the Common Body of Knowledge (CBK) of the CISSP.  The
material is presented as a list of key terms and phrases, and the
presentation might be helpful to the exam candidate were it not for
the extremely limited nature of the deliberation and frequent errors.
For some reason a significant amount of space is given to topics (like
SYN floods) that do not belong in this domain.  There is a brief list
of questions at the end of the chapter, with answers and discussion
presented immediately afterward.  Unfortunately, these questions are
so simplistic that they cannot be said to represent, in any way, the
exam itself, and the wording is so careless that it is often
impossible to say whether the answers given are, in fact, right or
wrong.

Chapter three provides an almost random assortment of topics related
to telecommunications and networking.  (There is a modicum of
structure in that subjects are grouped together, but there is no
logical flow: IPsec is discussed before the base IP concepts are
covered.)  There are many problems with the material: it is difficult
to say whether the definition of a "circuit gateway" firewall means
anything, let alone is right or wrong, and we are told that SSL
(Secure Sockets Layer) is only used for host-to-host communications
and resides in the session layer.  (The book contradicts itself:
chapter six does note that SSL is used between client browser and web
server.)  Again, many irrelevant topics are included while important
areas are missed.  (PPP (Point-to-Point Protocol) is listed, PPTP
(Point-to-Point Tunnelling Protocol) is not.)  Security management
practices are not covered in chapter four: the vital areas of policies
and risk analysis are given brief mention at the end of a meandering
and incomplete list of management concerns.  Another haphazard
catalogue of terms takes the place of the applications development
domain in chapter five.  (The definition of a virus is that of a
trojan and the definition for a worm seems to fit payload.)  That the
author is unfamiliar with basic concepts of cryptography is obvious
when, in chapter six, "strong encryption" is defined as the use of a
128-bit key.  (In the discussion of triple DES (Data Encryption
Standard), the "meet-in-the-middle" attack is obviously confused with
"man-in-the-middle.")  Chapter seven's review of security
architectures contains another arbitrary list of computer architecture
topics.  There is some material that is security related, but in the
discussion of the Bell-La Padula model, about the only reliable
information is that it involves security levels.  Operations security
is fairly straightforward, so chapter eight doesn't make any glaring
errors.  (The content is, however, very terse.)  Much the same holds
true for business continuity and disaster recovery in chapter nine.
Aside from an over-emphasis on US legislation, chapter ten does not do
a really bad job with law, investigation, and ethics.  Chapter eleven
collates some checklists related to physical security, but has
numerous gaps in the discussion of the overall topic.

About the best that can be said for this book is that most of the
items in the common body of knowledge get a mention at some point.
Beyond that, the material is too scattered and unreliable to be used
either to study for the CISSP exam (unless you want to play "spot the
error"), or even as a quick guide for those charged with security.

copyright Robert M. Slade, 2002   BKCISPEC.RVW   20020321


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
    The complete lack of evidence is the surest sign that
    the conspiracy is working.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#336 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue May 21, 2002 4:25 am
Subject: REVIEW: "Cyber Forensics", Albert J. Marcella/Robert S. Greenfield
secgloss
BKCYBFOR.RVW   20020319

"Cyber Forensics", Albert J. Marcella/Robert S. Greenfield, 2002,
0-8493-0955-7, U$49.95
%E   Albert J. Marcella
%E   Robert S. Greenfield
%C   823 Debra St, Livermore, CA   94550
%D   2002
%G   0-8493-0955-7
%I   Auerbach Publications
%O   U$49.95 +1-800-950-1216 auerbach@... orders@...
%P   443 p.
%T   "Cyber Forensics: A Field Manual for Collecting, Examining, and
       Preserving Evidence of Computer Crimes"

The introduction to this book emphasizes the fact that this is a field
manual, designed for quick reference, and not a textbook for study.
Unfortunately, the authors seem to have taken this as licence to throw
in all manner of random text and documents, without much structure or
thought for the user.

Section one outlines the various aspects of cyber forensics, according
to the book's definition.  Chapter one is entitled "The Goal of the
Forensic Investigation," but the actual contents offer both more and
less than that.  The chapter starts with a few possible specific
investigations, and provides directions on initial questions to ask.
When the material moves to more general discussion of investigations,
it becomes vague, and loses utility.  Non-liturgical investigation
(one that is not expected to end up in court) is examined in chapter
three, even though the text admits that the procedure should be the
same whether you expect to end in court or not: just collect
everything you can.  The content is limited to Windows, and
specifically to the use of Internet Explorer.  Much the same, with a
little additional material on the Registry and event log, is done with
liturgical investigations in chapter three.  A repetition of the same
information about Internet Explorer cache and cookies is found in
chapter four.  Chapter five describes nmap, and its author, in some
detail, and then lists a number of other UNIX utilities.  The broadest
possible interpretation of intrusion investigation is discussed in
chapter six, and, again, the advice boils down to the importance of
careful collection of all possible information.  Chapter seven
outlines rules of and considerations for evidence in US courts of
law.

Section two expands on this last chapter, looking at US (and
supposedly international) statutes.  Chapter eight examines US law
regarding the admissibility of evidence intercepted from
communications or recovered from seized computers.  Changes to the US
National Information Infrastructure Protection Act, and an editorial
stating that cybercrime is bad, are given in chapter nine.  The
preamble to, and some questions about, a draft of the Council of
Europe Convention on Cybercrime, are reproduced in chapter ten.
Chapter eleven contains random comments on privacy.  US Presidential
Decision Directive 63, calling for a plan for protection of
information infrastructure, and a speech justifying the use of
Carnivore are reprinted in chapter twelve.  Chapter thirteen
replicates an overview of US Public Law 106-229 on electronic
signatures (E-SIGN) as well as a number of other pieces relating to
electronic commerce.  Legal considerations in providing the electronic
systems mandated by the US government paperwork reduction act are
discussed in chapter fourteen.  Speeches and comments on the US
government's attitude towards encryption are given in chapter fifteen.
Chapter sixteen looks at various pieces of US legislation related to
copyright.

Section three concerns tools for forensic investigation.  Chapter
seventeen discusses such tools in a very generic way, and then briefly
lists a number of specific programs.  There is a two page list of FBI
office phone numbers in chapter eighteen, which is supposed to guide
you in reporting Internet-related crime.  Chapter nineteen is a
simplistic four page list of questions to ask when conducting a
computer audit.

This is definitely not a field manual.  It offers almost no practical
advice on collecting evidence from computers: if the material in this
book is helpful to you, you have too little knowledge of the
technology to have any business being engaged in computer forensics.
The most valuable part of the book involves the collection of
documents regarding US computer related legislation, but that would be
of interest only to American lawyers.  It would be difficult to
recommend this work to anyone else.  Even security personnel wanting a
background on US federal legislation might be advised to look
elsewhere, since the lack of structure and analysis in the book makes
it very hard to read.

copyright Robert M. Slade, 2002   BKCYBFOR.RVW   20020319


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Acknowledge and take to heart this day that the Lord is God in
heaven above and on the earth below.  There is no other.  Deut. 4:39
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#337 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon May 27, 2002 4:19 pm
Subject: REVIEW: "CISSP All-in-One Certification Exam Guide", Shon Harris
secgloss
BKCISPA1.RVW   20020503

"CISSP All-in-One Certification Exam Guide", Shon Harris, 2002,
0-07-219353-0, U$79.99
%A   Shon Harris shonharris@...
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-219353-0
%I   McGraw-Hill Ryerson/Osborne
%O   U$79.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P   971 p. + CD-ROM
%T   "CISSP All-in-One Certification Exam Guide"

Chapter one is a very reasonable review of the CISSP (Certified
Information Systems Security Professional) credential, and the (ISC)^2
(International Information Systems Security Certification Consortium)
exam process, including recertification.  As with most of the chapters
in the book, it has a set of sample questions, and while I could
quibble with some, they cover a decent range of topics and a
representative extent of difficulty.  There are resources listed in
this and other chapters, mostly Web sites.  Web sites are, of course,
most easily accessible, but they also die on a regular basis, and it
might have been an idea to include references to other books on
specific topics.  It is difficult to see the point of chapter two--an
opinion-piece level overview of various security related topics.

Chapter three begins the first of the ten domains of the Common Body
of Knowledge (CBK) with security management practices.  It is obvious
that the material has been structured and based on the (ISC)^2 CBK
review course, even to the use of specific tables and diagrams, but
the material is, at least, enhanced and extended by narrative
discussion.  Access control is explained clearly (and sometimes
amusingly) in chapter four (although biometrics is generally
considered to be a form of authentication, not identification).  In
general, the coverage of security architecture and models in chapter
five is quite useful.  However, there is too much emphasis on the old
"Orange Book" TCSEC (Trusted Computer System Evaluation Criteria) and
not enough on the newer Common Criteria.  (The inclusion of a section
on computer hardware is also a bit odd.)  Chapter six has many of the
blind spots about physical security common to most computer security
types (including some erroneous information about Halon from the old
CBK course).  The telecommunications and networking material, in
chapter seven, presents the underlying concepts well, but for some
reason fails to address many of the security technologies.  The
explanations of cryptography, in chapter eight, are problematic.
Fortunately, the content is not necessarily wrong.  The author
obviously is not familiar with this area, and the text in such areas
as DES (Data Encryption Standard) modes and one way encryption doesn't
make sense, although it does not necessarily misinform the reader.
Chapter nine, dealing with business continuity and disaster recovery,
is reasonable, but not as detailed as other sections.  Law,
Investigation, and ethics is pretty good, although some old crimes and
the insistence on the salami scam myth are some notable flaws in
chapter ten.  Chapter eleven, applications development, contains the
basic information but does not always make the connections to
security.  Operations security gets a sensible review in chapter
twelve.

The material is much more reliable and better structured than the SRV
Press books (cf. BKCISPET.RVW), and much more reliable and complete
than the Andress work (cf. BKCISPEC.RVW).  Like the Krutz and Vines
volume (cf. BKCISPPG.RVW) it is quite obvious that the content and
organization is copied from the old CBK course (sometimes slavishly),
although Harris does put more explanatory and narrative substance into
the text.  (Interestingly, there are some indications that this is
based on an even older version of the course than Krutz and Vines
used.)  Even considering the noted weak areas in this book, it should
provide a reasonable basis as a study guide for the CISSP exam,
although those who use only this work should not expect to get a
particularly high mark.

copyright Robert M. Slade, 2002   BKCISPA1.RVW   20020503


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Anyone who considers arithmetical methods of producing random
numbers is, of course, in a state of sin.
                                             - John Louis von Neumann
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#338 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jun 10, 2002 4:15 pm
Subject: REVIEW: "Effective Physical Security", Lawrence J. Fennelly
secgloss
BKEFPHSC.RVW   20020503

"Effective Physical Security", Lawrence J. Fennelly, 1997,
0-7506-9873-X, U$44.99
%A   Lawrence J. Fennelly
%C   225 Wildwood Street, Woburn, MA  01801
%D   1997
%G   0-7506-9873-X
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$44.99 1-800-366-BOOK
%P   289 p.
%T   "Effective Physical Security, Second Edition"

Physical security tends to be an isolated, arcane, and misunderstood
field: the general public tends to see it as inconvenient and
unnecessary, and the practitioners tend to learn it by (often
difficult) experience.  This book has a number of gaps in coverage,
but provides useful guidance in a number of areas.

Part one is involved with design.  Chapter one starts by suggesting
that security be first considered at the initial architecting stage,
and then goes on to provide a number of checklists of points to
consider.  The lists are good, and fairly comprehensive, but terse,
and without much explanation.  One item, for example, notes "[l]ines
of vision," without going into details about considerations for sight
lines from guard positions over entrances and driveways, from the
street into and around buildings, and for the occupants to the
entrances and surrounding area.  Chapter two discusses security
surveys and risk analysis.  The main body has explanatory material
(including pointers on how to write and present such an assessment)
and is backed up by appendices detailing questions and elements for
different types of studies.  Extensive detail on environmental
(exterior) design, including landscaping and parking, is provided in
chapter three.  A more conceptual overall review of physical security
is given in chapter four.

Part two deals with equipment.  Chapter five explains considerations
for physical barriers such as doors, roofs, and fences.  The coverage
of locks is possibly more than anyone except a locksmith might want,
but chapter six does outline a number of considerations that would be
important, even for non-specialists.  Vaults and safes are discussed
in chapter seven.  Chapter eight's material on lights and lighting is
somewhat more generic, but still useful.  Intrusion sensors and alarms
are covered in chapter nine.  Provision for, and the requirements of,
closed circuit television (CCTV) is explained briefly in chapter ten.
Chapter eleven is a very short look at wiretapping.  Physical access
to computer systems gets chapter twelve all to itself.  Chapter
thirteen reviews electronic access control systems, and the need for
integration and management.

Part three discusses operations.  Chapter fourteen takes a rather
optimistic view of the capabilities and responsibilities of security
guards (and is also the only chapter to mention fire and safety
considerations).  Bomb incident handling is outlined in chapter
fifteen.  Chapter sixteen, on public relations and the media, also
contains discussion of how to promote security awareness within your
own organization.

While missing some areas of physical security, such as fire, safety,
and disaster response, this is an extremely informative and useful
guide.  It is concise, readable, and reliable.  I recommend this book
to managers of physical plant, security guard firms (often asked for
security assessments and resources), and information security
professionals (who generally lack experience and knowledge of the
physical aspects of their field).

copyright Robert M. Slade, 2002   BKEFPHSC.RVW   20020503


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Sometimes I think that the patron saint of lawyers ought to be
Pontius Pilate, for surely he said it best: What is truth?
                                                     - Sharyn McCrumb
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#339 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jun 17, 2002 4:00 pm
Subject: REVIEW: "Developing Trust", Matt Curtin
secgloss
BKDEVTRS.RVW   20020514

"Developing Trust", Matt Curtin, 2002, 1-893115-72-0, U$39.95
%A   Matt Curtin cmcurtin@...
%C   175 Fifth Ave., New York, NY   10010
%D   2002
%G   1-893115-72-0
%I   Springer-Verlag/Apress
%O   U$39.95 212-460-1500 800-777-4643 orders@...
%P   282 p.
%T   "Developing Trust: Online Privacy and Security"

The title, foreword, preface, and introduction aren't terribly clear
about the purpose of the book.  Ultimately, the key word seems to be
not trust, but privacy: the work appears to be directed at providing
tips for developers, of all stripes, to help maintain the
confidentiality of information.

Part one is a generic introduction to security and privacy.  Chapter
one, entitled "Why Privacy," seems, ironically, to move us even
further away from the topic of privacy.  The emphasis of the chapter
is on intrusions, although the reconnaissance phase does get the most
space.  (The subtitle, "Why This Book," does not appear to be
addressed.)  The discussion of privacy theory, in chapter two, flips
back and forth between the technical issues of identity authentication
and access control, and the social concepts of privacy, failing to
make hard relations between the two ideas.  A partial list of basic
conceptual security terms is reasonably well defined in chapter
three.  Chapter four does start to get into privacy issues, specifying
a number of notions important to protecting confidentiality in an
online (generally Web based) environment.  A number (but not an
exhaustive list) of threats to privacy are discussed in chapter five.

Part two looks at the problem.  Chapter six provides a concise list of
the basic principles of development of secure applications.
(Interestingly, Curtin uses the principle of least common mechanism as
an argument for the adoption of modular code, where others might say
that it was a reason to avoid modularity.)  Background concepts for
the Internet and Web, the basic development environment assumed for
the book, are given in chapter seven.  Some specific examples of
privacy problems on the Web are presented in chapter eight.

Part three outlines the cure.  Chapter nine reviews some basic
security protections, such as firewalls and constrained systems.  Opt
out systems are criticized in chapter ten.  "Earning Trust," in
chapter eleven, points out that providing privacy for customers is not
just a cost and a nuisance, but good business.  A structure for
analyzing and designing secure Web systems is proposed in chapter
twelve.

Strangely, while the book is disjointed and difficult to pin down as
to the central theme, ultimately it could be quite valuable.  In the
end, the title is appropriate, albeit in a punning fashion: the
content is directed at developing trustworthy applications.  The
literature in the field of developing secure applications is not
extensive, and much of it is either ethereally academic or completely
language specific.  This book attempts to be practical, and, while
hardly ever touching on implementation, the precepts suggested are a
sound foundation.  Security professionals would find the general
background limited, but developers will neither be snowed under by
esoteric discussions nor left with too many vulnerabilities uncovered.
The specifics in the book deal with the Web, but the tenets of secure
design are applicable to all systems.

copyright Robert M. Slade, 2002   BKDEVTRS.RVW   20020514


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
                        Materialists are Object-Oriented
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#340 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jun 25, 2002 3:44 pm
Subject: REVIEW: "Decrypted Secrets", F. L. Bauer
secgloss
BKDECSEC.RVW   20020520

"Decrypted Secrets", F. L. Bauer, 2002, 3-540-42674-4, U$44.95
%A   F. L. Bauer
%C   175 Fifth Ave., New York, NY   10010
%D   2002
%G   3-540-42674-4
%I   Springer-Verlag
%O   U$44.95 212-460-1500 800-777-4643 rjohnson@...
%P   474 p.
%T   "Decrypted Secrets: Methods and Maxims of Cryptology, 3rd Ed."

Cryptology is the study of the technologies of taking plain, readable
text, turning it into an incomprehensible mishmash, and then
recovering the initial information.  There are two sides to this
study.  Cryptography is the part that lets you garble something, and
then recover it if you have the key.  Cryptanalysis is usually seen as
the "dark side" of the operation, because it is the attempt to get at
the original meaning when you *don't* have the key.  Most current and
popular works on cryptology actually only speak about cryptography.
For one thing, nobody wants to get into trouble by telling people how
to break encryption.  However, it is also much easier to blithely talk
about key lengths and algorithms and pretend to know what you are
doing than it is to demonstrate a sufficient mastery of mathematics to
enable you to go about cracking a particular cipher.

Bauer examines both sides, which is an important plus.  If you need to
decide how strong an encryption algorithm or system is, it is
important to know how difficult it might be to break it.

Chapter one looks at steganography, the science of hiding in plain
sight, or concealing the fact that a message exists at all.  In this
he first demonstrates a wide ranging historical background which is
quite fascinating in its own right.  Basic encryption concepts are
introduced by the same historical background, but move on to a very
dense mathematical discussion of cryptographic characteristics in
chapter two.  Encryption functions are started in chapter three, and
it is delightful to have examples other than Julius Caesar's
substitution code.  Polygraphic substitutions are in chapter four and
the math for advanced substitutions is in chapter five.  Chapter six
introduces transpositions.  Families of alphabets, and rotor
encryptors such as ENIGMA, are reviewed in chapter seven.  Keys are
discussed in chapter eight, ending with a brief look at key
management.  Chapter nine covers the combination of methods resulting
in systems such as DES (Data Encryption Standard).  The basics of
public key encryption are introduced in chapter ten.  The relative
security of encryption is introduced in chapter eleven, leading to
part two.  However, chapter eleven also ends with a discussion of
cryptology and human rights, concentrating mainly, although not
exclusively, on the US public policy debates.

Part two examines the limits of functions used in cryptography, and
thus the points of attack on encryption systems.  Chapter twelve
calculates complexity, and thus the size of brute force attacks.
Known plaintext attacks are the basis of chapters thirteen to fifteen,
looking first at general patterns, then at probable words, and finally
at frequencies.  Frequency leads to a discussion of invariance in
chapter sixteen.  Chapter seventeen follows with a look at key
periodicity.  Alignment of alphabets is covered in chapter eighteen.
Of course, cryptographic users sometimes make mistakes, and chapter
nineteen reviews the different errors and various ways to take
advantage of them.  Chapter twenty-one looks at anagrams as an
effective attack on transposition ciphers.  The concluding chapter
muses on the relative effectiveness of attacks and of cryptanalysis
overall.

Those seriously interested in cryptology will really *need* to be
serious: brush up on your number theory if you want to use this book
for anything.  This third edition is essentially and structurally
unchanged from its predecessors, although it has been updated to
reflect the latest algorithms and technologies.  Bauer's history and
vignettes from the story of codes and the codebreakers are
interesting, amusing, and accessible to anyone.

copyright Robert M. Slade, 1998, 2002   BKDECSEC.RVW   20020520


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
The chief forms of beauty are order and symmetry and
definiteness, which the mathematical sciences demonstrate in a
special degree.              - Aristotle (384-322 B.C.), Metaphysics
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#341 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Jul 9, 2002 6:07 am
Subject: REVIEW: "Free as in Freedom", Sam Williams
secgloss
BKFREFRE.RVW   20020514

"Free as in Freedom", Sam Williams, 2002, 0-596-00287-4,
U$22.95/C$34.95
%A   Sam Williams sam@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2002
%G   0-596-00287-4
%I   O'Reilly & Associates, Inc.
%O   U$22.95/C$34.95 800-998-9938 fax: 707-829-0104 nuts@...
%P   225 p.
%T   "Free as in Freedom"

Richard Stallman would probably be worthy of a biography for his
production (management?) of emacs, alone.  But, of course, it is
Stallman's advocacy for free software that is the impetus behind, and
focus of, this work.

Williams' writing is very readable.  Which is a good thing, since it
is also quite circuitous.  The book takes a long time to come to the
point of certain stories, and a number of important bits of
information have to be put together from widely separated sections in
order to make a proper picture.  Early on the text suggests, of
Stallman, that you have to see the totality of a large number of
seemingly unrelated aspects in order to get a full picture: a similar
point could be made about the writing.  Some items never do get
explained.  An aside implies that Stallman is (at least somewhat)
estranged from his mother, but we are never told why or how this
happened.  I would readily admit the right of a biography subject to
some privacy, but the basic point of such a work is to find out what
it was in the past of the person that moulded character and prompted
actions.  This text is singularly devoid of such analysis.

The author uses a fairly standard flashback technique in developing
the narrative: events in the near present are interlaced with a mostly
linear, if rather patchy, progression through Stallman's life.  While
not completely disjointed, the style does not work as well in this
volume as in others.  If there is a connection between the current
events and the "historical" periods covered it is not evident, and the
intercutting is annoying without seeming to make any specific
statement or contribution.

It is interesting to note the extreme care in researching some
conversations in contrast with simple technical mistakes, such as the
confusion of HTML (HyperText Markup Language) with desktop publishing.
Despite Williams' stated background in the technical world, the
technology is not dealt with well in the story, and this failure
weakens the explanation of Stallman's significance.

An interesting read, but important only for the compilation of facts
and quotes about its subject.

copyright Robert M. Slade, 2001   BKFREFRE.RVW   20020514


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Half of the wood he burns in the fire; over it he prepares his
meal, he roasts his meat and eats his fill.  He also warms
himself and says, `Ah!  I am warm; I see the fire.'  From the
rest he makes a god, his idol; he bows down to it and worships.
He prays to it and says, `Save me; you are my god.'   - Is. 44:16,17
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


------- End of forwarded message -------

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Decadence is a much abused word, but one proof of a decadent
society seems to be that morality is replaced by style.  In
Warhol's world, instead of good and evil, there was only what
was cool or uncool.                                    - Mary Harron
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#342 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jul 15, 2002 3:59 pm
Subject: REVIEW: "The Hacker Diaries", Dan Verton
secgloss
BKHCKDRY.RVW   20020519

"The Hacker Diaries", Dan Verton, 2002, 0-07-222364-2, U$24.99
%A   Dan Verton
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-222364-2
%I   McGraw-Hill Ryerson/Osborne
%O   U$24.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P   219 p.
%T   "The Hacker Diaries: Confessions of Teenage Hackers"

Teenaged hackers are misunderstood.  Definitions are for lamers,
morality is a "bogus" concept.  These noble idealists are questers
after the Holy Grail of knowledge: problem solvers who are attempting
to enlighten the masses.  Given a little dedication, you too can,
inside of six months, go from being a technopeasant to "knowing
everything there [is] to know" about computers.  Thus it is written in
the Gospel of Verton.

(While we are at it, I have this nice bridge you might want to
purchase ...)

Even if you ignore questions about the definition of what "hacking"
actually is, and even if you leave aside the author's biased sympathy
for rebels-without-a-clue, the introduction alone points out that
Verton has not performed the research one would think minimal to such
a project: reading the "popular" literature on the subject, never mind
the more serious analyses by researchers like Denning and Gordon.  How
else can he make the statement that this book is the first ever to try
and penetrate the veil of secrecy surrounding the computer vandal
community, an assertion that must come as a bit of a shock to authors
like Levy ("Hackers," cf. BKHACKRS.RVW), Sterling ("Hacker Crackdown,"
cf. BKHKRCRK.RVW), Taylor ("Hackers," cf. BKHAKERS.RVW), Dreyfus
("Underground," cf. BKNDRGND.RVW), and a host of others.  It is,
therefore, no surprise that this author gets basic factual information
wrong, such as the confusion of the infamous Operation Sundevil with
more successful prosecutions of computer crime.

Verton decries the blind and ignorant stereotyping of loners who are
more comfortable with computers than with their peers, but he is,
himself, guilty of promoting the same kind of confusion.  The group
targeted after the Columbine shootings was not the computer community
but the Goths, who share almost no characteristics with hackers except
for a slightly obsessive interest in an esoteric topic and a position
outside the mainstream.  (Well, possibly also an aversion to sunlight
...)  Verton has attempted to include "representative" examples of
both maladjusted criminals and ethical hackers, but draws no
distinctions between them and, indeed, seems to be trying to lump them
all together.

No, I've changed my mind.  Let's not leave aside the question of a
definition of hacking.  Like too many authors, Verton also wants to
continue the confusion of the original idea of a hacker as a skilled
technologist with the more recent concept of the vandals of computer
systems.  But he also immediately destroys his position by pointing
out that a cracker cannot change his "handle," the (usually offensive)
nickname used to achieve both identity and anonymity online.  If an
underground "hacker" changes his handle, he loses his status and
becomes just another wannabe.  Verton does not seem to realize the
import of this statement.  A cracker's credibility is tied to his
nickname, since he is only as good as his "rep," the record of
defacements or intrusions he is able to boast about.  There is no
actual skill set behind such a reputation.  In opposition, if true
hackers like Richard Stallman or Eric Raymond were to change their
names, and were then to write new programs and release them to the
world, those programs would still be useful and of good quality.  (Top
programmers would, in fact, probably be able to identify the authors
of emacs and fetchmail by programming excellence and style.)

Verton's writing seems clear and readable unless you start to think
about it.  A story will say that A happened, then B happened, then C
happened, then B happened, then D happened, then B happened.  Times
are quite indefinite, but since the narrative is unclear even about
simple sequences it is not any real shock to find out that the author
does not know larger items of technical history, such as that UNIX
predates VMS.  Likewise, Verton isn't interested in having consistency
get in the way of a good story, even if the story doesn't make any
sense.  Directions and motivations change suddenly and without
apparent reason: reading between the lines indicates that there is a
lot that we aren't being told.  Probably the author wasn't told,
either.  It sounds like he didn't even ask.  (The interview subjects
seem to have realized that they were dealing with a credulous author:
Verton retails stories out of common urban legends and jokes without
seeming to have identified them as such.  Despite his credentials as a
reporter for a computer trade magazine Verton's technical knowledge is
questionable--he doesn't know a denial of service attack from a
reformat nor that the Macintosh doesn't have a Windows Registry.)

Despite tidbits of trivia, ultimately the book is boring.  One can
only read so many times that Amanda (or Betty or Cathy) accidentally
touched a computer on her seventh birthday and thereafter became
obsessed with re-writing the CP/M kernel before one loses interest.
The names may change, the hacks may change, the outcomes and choices
of whether or not to be useful or messed up may change, but in the
end, the lessons are the same: non-existent.

copyright Robert M. Slade, 2002   BKHCKDRY.RVW   20020519


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Viruses Revealed   0072130903    victoria.tc.ca/techrev/vrfresft.htm
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#343 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Jul 18, 2002 11:30 pm
Subject: REVIEW: "Hacker Attack", Richard Mansfield
 
BKHCKATK.RVW   20020519

"Hacker Attack", Richard Mansfield, 2000, 0-7821-2830-0,
U$29.99/C$44.95/UK#19.99
%A   Richard Mansfield earth@...
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2000
%G   0-7821-2830-0
%I   Sybex Computer Books
%O   U$29.99/C$44.95/UK#19.99 510-523-8233 Fax: 510-523-2373
%P   293 p.
%T   "Hacker Attack: Shield Your Computer from Internet Crime"

"FACT: It's unlikely that you'll ever personally experience a computer
virus in your home computer."  Ah, those glowing, carefree days of
yore when ... wait a minute.  This book wasn't published all THAT long
ago ...

This work is intended to address three issues: intrusions, privacy,
and viruses.  The author hopes that it will be as much fun to read as
it was to write.  Given the unrealistic assessment of risk levels, the
almost random choice of topics, and the lighthearted approach, I did
not start out feeling confident of the chances of finding useful
information herein.

(While we may agree that script kiddies and such cracker wannabes are
grubs and insects, the security community does *not* refer to them as
"larvae.")

Part one is entitled "Hackers, Crackers, and Whackers."  Chapter one
is a generic warning about the fact that some people may be trying to
probe you.  Some information (such as directions on turning file and
print sharing off) are useful, others (such as the need to share IP
addresses--assuming you even know them--with friends for chatting and
instant messages) are either wrong or not very useful.  Port scanning
gets mentioned, and, aside from the fact that there are more reliable
ways of determining open ports, the specific example of an open port
used isn't terribly handy since we are told neither what it is nor how
to turn it off.  Phone phreaks are discussed in chapter two--without
mention of the fact that in-band signalling is now obsolete.  Hackers
are academics studying decryption, viruses can harvest your passwords,
and munging your email address is an effective tool against spam, or
so we are told in chapter three.  Chapter four gives names to some
really silly cracking techniques.  Some equally silly defences are
suggested in chapter five.  Chapter six does say that there are better
protections available, but doesn't talk about how to implement them.
High-speed connections are said to be security risks (the real culprit
being static IP addresses) in chapter seven.  A variety of URLs are
given for the ZoneAlarm product, and instructions for getting warnings
about cookies from one version of the Internet Explorer browser are
provided in chapter eight.

Part two is supposed to deal with privacy.  Chapter nine does, with a
rapid race through a number of related issues.  Chapters ten through
thirteen, however, examine a number of encryption technologies that
are no longer used.  The algorithm central to DES (Data Encryption
Standard) is used as an example of a symmetric encryption system in
chapter fourteen.  Chapter fifteen explains the use of prime numbers
to create asymmetric (public key) systems.  Both of these chapters are
remarkably unhelpful in terms of the actual use of encryption.
Chapter sixteen explains digital signatures, but very briefly.  The
dialogue boxes involved in using the Encrypting File System of Windows
2000 are displayed in chapter seventeen.  Chapter eighteen speculates
on quantum computers.  Source code for a random number generator for a
one-time pad is given in chapter nineteen.

Part three looks at viruses.  (Ready?)  Chapter twenty gives a brief
account of the Internet/Morris/UNIX Worm of 1988, informing us that
viruses had been used for years for network administration (untrue)
and failing to explain what defrauding your girlfriend has to do with
the worm.  Some basics of virus structure are correct in chapter
twenty one, but there is also confusion of pranks and trojans, and the
discussion of virus functions applies only to boot sector infectors.
Chapter twenty two provides an overview of Melissa and Loveletter.
Useless means of defending against Microsoft Word macro viruses (known
to have been bypassed long before this book was written) are given in
chapter twenty three.  Chapter twenty four tells us that viruses are
mainly hype.

Well, there are a few tips in this work that might help you to prevent
intrusions, protect your privacy, and avoid viruses.  Very few.  The
material is scant, and is padded out to book length with random
insertions only nominally related to the topics at hand.  Although not
stated, it is fairly clear that the volume is intended for the average
computer user rather than the security specialist.  In terms of that
general audience, the text is nowhere near detailed enough in those
areas that the typical user can address.  The material on network
intrusions has some points, but many gaps.  The section on
cryptography might be interesting to a few, but is of little practical
use.  The opining on viruses is too often flatly wrong.

copyright Robert M. Slade, 2002   BKHCKATK.RVW   20020519


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
If you are riding ahead of the herd, take a look back now and
then to make sure it is still there.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#344 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jul 22, 2002 4:00 pm
Subject: REVIEW: "Writing Information Security Policies", Scott Barman
 
BKWRINSP.RVW   20020601

"Writing Information Security Policies", Scott Barman, 2002,
1-57870-264-X, U$34.99/C$52.95/UK#27.50
%A   Scott Barman scott@... www.barman.ws/wisp
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   1-57870-264-X
%I   Macmillan Computer Publishing (MCP)/New Riders
%O   U$34.99/C$52.95/UK#27.50 800-858-7674 317-581-3743 info@...
%P   216 p.
%T   "Writing Information Security Policies"

Until recently, the classic resource for those charged with writing
security policies was "Information Security Policies Made Easy" (cf.
BKISPME.RVW).  Trouble was, that book made it a little bit too easy:
the format encouraged people to use pieces without modification, and
one size, in the security field, definitely does not fit all.  This
book, however, takes the opposite approach.  While still aimed at the
non-technical manager responsible for producing the policy, it uses
minimal examples, concentrating on the process of policy formation.

Part one looks at starting the process.  Chapter one defines what
policies are and why they are important, and outlines the first steps
needed to proceed.  A good, broad outline of what your company should
have in the way of a policy comes in chapter two.  Finally, the
responsibilities of different departments, their activities and roles,
are presented in chapter three.

Part two covers the main body of security policy development.  Chapter
four starts out with physical security.  As noted above, readers will
have to go beyond the example policies given in the text, but these
samples do provide a reasonable guide for what the final items should
look like.  Authentication and network security is dealt with in
chapter five, although the telecommunications material is quite
limited.  Some of this lack is made up in chapter six's review of
Internet policy, which goes beyond firewalls to examine training,
applications, e-commerce, and other areas.  Email use has a set of
special requirements separate from those of the net, and these are
addressed in chapter seven.  Unfortunately, as with all too many
works, the review of malware policies, in chapter eight, is weaker
than the rest of the book.  (Does the example policy to use "all means
to prevent the spread of computer viruses" mean that you can't use
Microsoft products?  And why, in this day and age of "fast burner"
email viruses, is a signature update every thirty days deemed
sufficient?)  The limited technical background also contributes to the
frailty of chapter nine's overview of encryption.  Some policies are
too broad, while there are missing areas that may need to be
addressed, depending upon industry and operations.  Chapter ten has
very solid coverage of application development policies, which are all
too often neglected in other works.

Part three is concerned with maintaining the policies.  Chapter eleven
seems slightly off topic, as it deals with acceptable use policies.
However, chapter twelve looks at the roles and responsibilities
involved in compliance and enforcement.  A short precis of the policy
review process ends the book in chapter thirteen.

While not a panacea, this book is clear, well written, and helpful.
There is valuable advice packed into few enough pages that a manager
should be able to read it on a cross-country plane trip.

copyright Robert M. Slade, 2002   BKWRINSP.RVW   20020601


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Every exit is an entry somewhere else.                - Tom Stoppard
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#345 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Jul 25, 2002 4:04 pm
Subject: REVIEW: "From Anarchy to Power: The Net Comes of Age", Wendy Grossman
 
BKANRPWR.RVW   20020523

"From Anarchy to Power: The Net Comes of Age", Wendy Grossman, 2001,
0-8147-3141-4, U$24.95
%A   Wendy Grossman wendyg@...
%C   70 Washington Square South, New York, NY   10012-1091
%D   2001
%G   0-8147-3141-4
%I   New York University Press
%O   U$24.95 212-998-2575 fax 212-995-3833 feedback@...
%P   222 p.
%T   "From Anarchy to Power: The Net Comes of Age"

Those who have read Grossman's columns in "Scientific American" (among
other places) will know that she has a fine analysis of technical
topics, combined with a grasp of the social issues surrounding them.

It is difficult to find a common thread to the essays in this volume,
although they link serially much better than those in "net.wars" (cf.
BKNETWRS.RVW).  The material is informed and much more reasonable than
in most "information superhighway" works, but overall there is an
unfinished feel, as if the problems had been raised, but solutions had
not been explored to the same extent.

Chapter one takes the media to task not only for sensationalism, but
the many and enormous errors that make it into Internet stories in the
general press.  (The myth of "Internet addiction" is given the
majority of the space.)  The issue of community online is dealt with
in chapter two.  It is an Internet truism that no individual or
company owns the net, but Grossman points out, in chapter three, that
no *country* owns it, either (with particular respect to the notion
that the United States was alone in developing the net).  Chapter four
looks at both the central position of the DNS (Domain Name Service)
technology, and the controversies surrounding its management.  (The
material would possibly be stronger and more convincing with just
slightly more explanation of how DNS works.)  A number of other
weaknesses in the Internet system are explored in chapter five.  The
five hundred pound Microsoft gorilla's actions and legal battles are
reviewed in chapter six.  Moving to the other end of the development
continuum, chapter seven examines the open source and free software
movements.  Chapter eight looks at the very complex questions of
copyright, and attempted "rights protection" technologies.  "The
Future of Public Information," in chapter nine, contemplates
difficulties for education and libraries.  Public access, as well as
the paradox of the Web moving from an enabling to a restricting
technology, makes up chapter ten.  Chapter eleven outlines some of the
companies involved in Internet commerce.  Privacy, in chapter twelve,
seems to be primarily concerned with commerce, whether international
or retail.  Chapter thirteen finishes off with a somewhat unfocussed
look at where the net might be going, or what it might need.

Readable and reliable, if somewhat less exciting than its
predecessor.

copyright Robert M. Slade, 2001   BKANRPWR.RVW   20020523


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
We die only once, and for such a long time.                - Moliere
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#346 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jul 29, 2002 4:30 pm
Subject: REVIEW: "Microsoft Encyclopedia of Networking", Mitch Tulloch/Ingrid Tulloch
 
BKMSENNT.RVW   20020523

"Microsoft Encyclopedia of Networking", Mitch Tulloch/Ingrid Tulloch,
2002, 0-7356-1378-8, U$79.99/C$115.99
%A   Mitch Tulloch info@... www.mtit.com
%A   Ingrid Tulloch
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2002
%G   0-7356-1378-8
%I   Microsoft Press
%O   U$79.99/C$115.99 800-6777377 www.microsoft.com/mspress
%P   1313 p. + CD-ROM
%T   "Microsoft Encyclopedia of Networking, Second Edition"

As soon as I sent him the draft of my review of the first edition,
Mitch asked me to hold off, as the second edition was in the works.
He stated that he was addressing the issues I had identified, and that
the second edition would have fixed them.  His means of dealing with
the problems are ... interesting.

The scope of the encyclopedia is stated to cover networking concepts,
the Internet, and Microsoft products.  The primary audience is no
longer limited to novices pursuing the MCSE (Microsoft Certified
Systems Engineer) designation, although the Microsoft emphasis is
still fairly clear.

The Microsoft orientation and bias is not quite as explicit as it was
in the first edition, but is still evident.  The errors in dealing
with the redirection (>) and pipe (|) symbols have been eliminated:
the section on "Numbers and Symbols" no longer defines any symbols.
"Access control" and "clustering" are stated to be "[a]ny technology"
performing the respective functions, but, after a single initial
sentence in this generic fashion, there are two pages that relate only
to Microsoft products.  Impersonation is still defined only in terms
of assisting Windows client/server communication, which is startling
in view of the importance of impersonation as a security exploit.

Now, is it reasonable to complain about a Microsoft emphasis in what
is, after all the *Microsoft* networking encyclopedia?  Well, yes,
when it gets in the way of real information.

A number of entries have little apparent function.  There are, for
example, a number of listings for variant flavours of Ethernet, and
these items seem to describe only different vendor products.  In
addition, there is a great deal of repetition, fluff, and padding in
the writing.  The text often says the same thing over again in a
slightly different way, but this neither develops the topic, nor
really assists the novice user in understanding complex subjects.

Basic networking concepts are covered and, generally, the material is
reasonable, if uninspired.  However, a number of the fundamental ideas
are covered in such a way that the newcomer will not gain a full
understanding of the idea.  In many cases it is difficult to say that
the explanation is in error, but the abstraction could certainly have
been presented in a better way.  "Bursty" traffic, for example, is
described in terms of transferring video files, and any self-
respecting MPEG is going to be big enough to occupy a pipeline with
less capacity than an OC-192 for longer than a mere "burst."

While many entries are longer than the paragraph or two one might
expect from a dictionary, the content doesn't deliver much more
information.  Frame relay, for example, is described in terms of
packet switching, but the discussion of error checking, which
differentiates the two technologies, is almost lost in the sales
pitches for vendors of the service.

As one has come to expect from a Microsoft product, security and
privacy concerns are downplayed at every turn.  The best possible
construction is put on issues such as Authenticode and cookies.
Again, while the descriptions are not necessarily erroneous, counter-
examples are easily generated.  A cookie, for example, cannot give out
your email address, as the book says.  Unless, that is, you have input
your email address to a Website, and the site has stored the
information in a cookie.  This is a fairly common occurrence.

The entry for virus is pretty appalling.  There aren't quite as many
errors as there were last time, but there isn't anything to help,
either.

Would this book help someone study for the MCSE?  Probably.  One of
the major difficulties in writing the exam is clearing your mind of
how things work in the real world, and sticking to the Microsoft
terminological party line.  Would it help anyone else?  Possibly, but
there are many other works more complete, readable, and reliable.  The
"Microsoft Press Computer Dictionary" (cf. BKMSCMDC.RVW) is much
better: a fairly solid reference over a wide range of issues.  It is
unlikely that anyone with more than a passing acquaintance with
networking will find much of value in this encyclopedia.  Certainly,
with the wide variety of excellent and reliable communications
dictionaries available one wonders at the need for this.  For general
networking there is Newton (cf. BKNTTLDC.RVW), for authority there is
Weik (cf. BKCMSTDC.RVW), and for history and background there is
Petersen (cf. BKDTTLDC.RVW).

copyright Robert M. Slade, 2001, 2002   BKMSENNT.RVW   20020523


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
There are some Perl programs that look like nothing so much as
line noise.                                         - Margaret Fleck
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#347 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Aug 1, 2002 3:59 pm
Subject: REVIEW: "The Complete Idiot's Guide to XML", David Gulbransen
 
BKCIGXML.RVW   20020212

"The Complete Idiot's Guide to XML", David Gulbransen, 2000,
0-7897-2311-3, U$24.99/C$37.95/UK#22.99
%A   David Gulbransen www.vervet.com press@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2000
%G   0-7897-2311-3
%I   Macmillan Computer Publishing (MCP)
%O   U$24.99/C$37.95/UK#22.99 800-858-7674 317-581-3743 pr@...
%P   332 p. + CD-ROM
%T   "The Complete Idiot's Guide to XML"

I'm not really fond of "[Topic] for the Brain Damaged" books, but I
must say that the "Complete Idiot's" books have a rather decent track
record.  This book is a very careful and useful guide to getting
started with XML (eXtensible Markup Language).  It only covers the
basics, and doesn't get far into the related protocols, but if you are
willing to stick with XML and DTDs (Document Type Definitions) then
pretty much anyone could follow the explanation and tutorial here.

Part one concentrates on getting to know XML.  Chapter one provides
the basics of markup, but doesn't really say what XML is.  Even
starting with SGML (Standard Generalized Markup Language, the
precursor and foundation for XML), in chapter two, doesn't really
explain it in useful terms, but the beginning of the concepts are
there.  A decent idea of what XML markup can do is given in chapter
three.  Chapter four promotes the use of XML Pro (which the author has
created).  Using the XML Pro program to generate elements is covered
in chapter five.  Fortunately, this is the last chapter dedicated to
the package, and the rest of the book does concentrate on the base
technology.

Part two examines the fundamental building blocks of XML.  Chapter six
explains element syntax.  Element attribute examples, in chapter
seven, might be confusing for the novice, but the explanations are
sound.  Overall XML document structure is dealt with in chapter eight.
A simple, but not quite complete, XML document is described in chapter
nine.

Part three moves from the purely XML structure into the concepts
surrounding a base document.  Chapter ten presents both a document and
a DTD (Document Type Definition), but since the new material diverges
from what was done before, the content may not be as helpful as it
could have been.  A variety of XML derived languages are listed in
chapter eleven.  Syntax is reviewed again in discussing "well formed"
documents and validation, in chapter twelve.

Validation leads naturally into the total XML system in part four.
DTDs and Schemas are outlined briefly in chapter thirteen, with more
on DTDs as well as elements, attributes, and structure in chapters
fourteen to seventeen.

Part five deals with slightly more advanced topics.  Chapter eighteen
covers declaring entities as shortcuts and abbreviations.  More on
entities is in chapter nineteen.  Miscellaneous extras are in chapter
twenty.  The book finishes off with a sample project in chapter
twenty.

There is a lot more to the XML system than is encompassed in this
work.  However, many books try to cover the entire map and end up with
a confusing mess.  Gulbransen has provided enough so that you can
start actually using the system.  If readers want to go further, they
can find other resources, but they will, at least, know what the
system is about and how it works.

copyright Robert M. Slade, 2001   BKCIGXML.RVW   20020212


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
           Q. What's the difference between Batman and Bill Gates?
           A. When Batman fought the Penguin, he won.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#348 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Aug 5, 2002 5:34 pm
Subject: REVIEW: "How We Became Posthuman", N. Katherine Hayles
 
BKHWBCPH.RVW   20020605

"How We Became Posthuman", N. Katherine Hayles, 1999, 0-226-32145-2,
U$49.00
%A   N. Katherine Hayles
%C   Chicago, IL   60637
%D   1999
%G   0-226-32145-2
%I   University of Chicago Press
%O   U$49.00 marketing@...
%P   350 p.
%T   "How We Became Posthuman"

It is ironic that literature has a prominent place in the subtitle
(Virtual Bodies in Cybernetics, Literature, and Informatics) and the
material in this book.  The writing is dense and sometimes almost
unreadable.  Unlike many books with such a writing style, this does
not indicate a lack of ideas: rather the reverse.  A number of
concepts tend to be implied by the wording, although few are actually
supported.

Chapter one, while it does not provide us with a solid definition of
posthuman, does present a number of characteristics of the term.
Information is vital (while the material is immaterial), consciousness
is irrelevant, the body (any body) is a replaceable prosthesis, and
the human and computer are interchangeable.  Interestingly, the text
dances around, but never actually examines, the classic "soul
good/body bad" dualism.  The assertion is made, in chapter two, that
literature is informed and molded by the form of the writing, but
supporting arguments are unclear.  The Macy cybernetics conferences
are reviewed in chapter three, which also outlines intriguing material
on the technically unwarranted prominence of neural nets in artificial
intelligence research.  Hidden in the analysis of Wiener's work and
thought, in chapter four, is the striking notion that he saw all
information as analogous (and therefore suspect) while accepting and
using the rather imprecise analogies from thermodynamics and entropy.
Chapter five seems to look at speech or text as a kind of prosthesis:
a "false limb" of communication.  The idea of life as "organization"
is examined in chapter six.  From my background in the field of virus
research, this idea is problematic: how specific do we get in
differentiating types of life?  Generally speaking, researchers say
that one virus is distinct from another if there is a difference of
one bit.  So much fiction is involved with all the discussions, that a
chapter, seven, on the work of science fiction writer Philip K. Dick
is unsurprising.  Chapter eight proposes that "embodied" knowledge is
somehow unique and affected by its embodiment since it is hard to
describe.  Again, what do we do about the field of psycholinguistics,
since kinesthetic knowledge has no words?  Chapter nine talks about
artificial life.  Four novels are analyzed, in chapter ten, on the
basis of a semiotic square flawed by having orthogonal axes.  Finally,
there is a conclusion without conclusions in chapter eleven.

While some interesting ideas are presented in the book, it is
extraordinarily demanding of the reader.  The glacial pace and
requirement for intense concentration seem less arbitrary and
calculated than in other, similar, works, but still appear to be aimed
at some "in group" rather than the general public.  A bit of effort in
terms of readability and an attempt to make the work more accessible
to non-specialists would increase the value substantially.

copyright Robert M. Slade, 2002   BKHWBCPH.RVW   20020605


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
No matter how bad things get you got to go on living, even if it
kills you.                                         - Sholom Aleichem
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Copyright © 2010 Yahoo! Inc. All rights reserved.