#469 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Nov 24, 2003 3:35 pm
Subject: REVIEW: "Wireless Security End to End", Brian Carter/Russell Shumway
BKWLSCEE.RVW   20031019

"Wireless Security End to End", Brian Carter/Russell Shumway, 2002,
0-7645-4886-7, U$39.99/C$59.99/UK#29.95
%A   Brian Carter
%A   Russell Shumway
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-7645-4886-7
%I   John Wiley & Sons, Inc.
%O   U$39.99/C$59.99/UK#29.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764548867/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764548867/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764548867/robsladesin03-20
%P   336 p.
%T   "Wireless Security End to End"

Part one is an introduction to wireless network security.  Chapter one
is supposed to be an opening to wireless networking, but is basically
a list of common protocols.  Wireless threat analysis, in chapter two,
is an unstructured list of miscellaneous threats.  A facile overview
of blackhat communities, some intrusion tools, and a discussion of
insider attacks (without mention of any relevance to wireless
networking) is in chapter three.

Part two looks at the components of network security.  Chapter four
presents us with random security factors in place of the promised
network security model.  Network intrusion protection is said, in
chapter five, to consist of firewalls and other tools with limited
application to wireless topologies.  In regard to network intrusion
detection, some of the material in chapter six is pointless (who would
expect an intrusion detection system (IDS) to protect against insider
attacks?) and some is wrong (a honeypot would only act as an intrusion
detection sensor by chance).  Chapter seven has sound information on
host-based IDS and some advice on hardening systems, but wireless
networking is almost unmentioned.  Virtual private networks are
discussed in chapter eight, while nine turns to logging and audits.

Part three reviews wireless security components.  Chapter ten outlines
a configuration for basic level wireless security.  Secure
authentication, in chapter eleven, has at least some relation to
wireless.  The examination of encryption, in chapter twelve, lists
protocols without much discussion of concepts, and records weaknesses
of the systems without providing details.  Chapter thirteen briefly
considers the placement of wireless access points, from a convenience
rather than security perspective.

Part four contemplates the integration of wireless security into the
network security process.  Chapter fourteen registers some tools for
the logging of wireless security events.  A number of points to
consider for a wireless security policy are enumerated in chapter
fifteen.  Various sniffing and cracking tools are described in chapter
sixteen.  Chapter seventeen isn't really clear as to its purpose, but
seems to be talking about management of device configuration.

Part five lists products, rather than the promised security models.
We look at Cisco and LEAP, RADIUS, IPSec, secure wireless public
access, and secure wireless point-to-point in chapters eighteen to
twenty two.

While not as bad as "Wireless Security" (cf. BKWRLSSC.RVW), by Randall
K. Nichols and Panos C. Lekkas, this work is only on a par with
bloated exercises such as Jahanzeb Khan and Anis Khwaja's "Building
Secure Wireless Networks with 802.11" (cf. BKBSWNW8.RVW) or the
comprehensive list of topics (but missing details) in "Designing a
Wireless Network" (cf. BKDSWLNT.RVW) by Jeffrey Wheat et al.
Certainly "Wireless Security Essentials" by Russell Dean Vines (cf.
BKWLSCES.RVW) is far superior to the Carter and Shumway book.

copyright Robert M. Slade, 2003   BKWLSCEE.RVW   20031019


======================
rslade@...      slade@...      rslade@...
Computer Security Day, November 30  http://www.computersecurityday.com/
victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm

#470 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Nov 26, 2003 2:38 pm
Subject: REVIEW: "Biometrics", Samir Nanavati/Michael Thieme/Raj Nanavati
BKBIOMTR.RVW   20031018

"Biometrics", Samir Nanavati/Michael Thieme/Raj Nanavati, 2002,
0-471-09945-7, U$34.99/C$54.50
%A   Samir Nanavati
%A   Michael Thieme
%A   Raj Nanavati
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-09945-7
%I   John Wiley & Sons, Inc.
%O   U$34.99/C$54.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471099457/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471099457/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471099457/robsladesin03-20
%P   300 p.
%T   "Biometrics"

Part one deals with the fundamentals of biometrics.  Chapter one
presents a brief rationale for the use of the technology.  Biometric
concepts are given in chapter two, but only the most basic.  In
chapter three's look at accuracy there are standard metrics as well as
a few unusual ones (and some non-standard jargon).

Part two reviews the various biometric technologies.  Chapters four
through nine cover fingerprint scanning, face recognition (although it
fails to cover the selection of skin areas, or the characteristics of
eigenfaces), iris scanning, voiceprint, other physical factors (hand
geometry, retina scanning, and an odd inclusion of the automated
fingerprint identification system), and behavioral characteristics
(signature and keystroke).

Part three outlines biometric applications and markets.  Chapter ten
tries to categorize biometric uses and ends up being scattered and
confusing.  "Citizen-Facing Applications," in chapter eleven, turns
out to involve law enforcement and government surveillance.  Likewise,
in chapters twelve and thirteen, "Employee-Facing Applications" refers
to employee monitoring and "Customer-Facing Applications" drifts
around some issues related to identity verification for commerce.
Chapter fourteen presents law enforcement, government, the financial
industry, healthcare, and travel as being vertical markets for
biometrics.

Part four touches on privacy and standards, with privacy risks in
chapter fifteen, designing biometrics for privacy in sixteen, and some
proposed standards in seventeen.

This text provides broad but superficial coverage of the topic.  The
non-standard terminology (verification instead of authentication, and
false match rate rather than false acceptance rate) may be confusing,
but the totally meaningless phrases (citizen-, employee-, and
customer-facing applications) are probably even more so.  While other
book-length treatments of the subject are rare, it is difficult to see
that this work adds much value to the discussion, especially compared
with superior articles (such as "Biometric Identification" by Donald
R. Richards, printed in the "Information Security Management Handbook"
[cf. BKINSCMH.RVW]) which do.

copyright Robert M. Slade, 2003   BKBIOMTR.RVW   20031018



#471 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Nov 28, 2003 3:54 pm
Subject: REVIEW: "Cryptography and E-Commerce", Jon C. Graff
BKCRECOM.RVW   20031019

"Cryptography and E-Commerce", Jon C. Graff, 2001, 0-471-40574-4,
U$29.99/C$46.50
%A   Jon C. Graff
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2001
%G   0-471-40574-4
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$46.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471405744/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471405744/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471405744/robsladesin03-20
%P   222 p.
%T   "Cryptography and E-Commerce"

The introduction states that the author has set out to write an
"accessible, easily understood, and entertaining" guide to modern
cryptography.

Part one is a presentation of current cryptography.  Chapter one opens
with symmetric key concepts, but states that DES (Data Encryption
Standard) is safe for the present (DES had been broken at least twice
by the time the book was written).  The basic ideas are presented, but
the metaphors and illustrations used may confuse, rather than explain,
the issues.  The same is true for integrity protection (hashes and
digests) in chapter two, and with key management, Kerberos, asymmetric
(public key) cryptography, certificates (using only a hierarchical
structure), certificate extensions and attributes, and US export
restrictions, in the succeeding chapters.  The section finishes with a
one page "chapter" of concluding remarks.

Part two, consisting of chapter ten, is a tutorial on the underlying
mathematics of asymmetric cryptography.  As with the basics of
cryptography presented earlier, using pictures and stories does not
seem to help matters, particularly since the math is not correct.  (In
explaining RSA on page 127, 3 x 11 does *not* equal 44, and a
previously undefined function appears partway through the process.)

Part three contains case studies of architectures proposed by the
author.  Chapter eleven utilizes Kerberos, but the most interesting
parts involve the use of hardware cards.  Chapter twelve is an outline
of a fairly generic PKI (Public Key Infrastructure).

Overall, the explanations of cryptographic concepts are not bad, but
they are not particularly accessible or easily understood, and there
are certainly clearer and more complete books that make fewer
mistakes, even the simpler ones, such as "Cryptography Decrypted" by
H. X. Mel and Doris Baker (cf. BKCRPDEC.RVW), or "Internet
Cryptography" by Richard E. Smith (cf. BKINTCRP.RVW).  The
entertainment value of the pictures and stories is minimal, and, as
noted, the graphics and personal names are unlikely to assist the
reader in understanding the fundamental theory.

copyright Robert M. Slade, 2003   BKCRECOM.RVW   20031019


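The review above faults the book's RSA walkthrough for getting the arithmetic wrong with the primes 3 and 11. As an added example, not taken from Graff's book or from the review, here is textbook RSA carried through correctly with p = 3 and q = 11 (so n = 33, phi = 20, and with e = 3 the private exponent is d = 7), plus the low-exponent caveat a practitioner would want alongside any toy example: with e = 3 and m^3 smaller than n, the ciphertext is a perfect cube and the plaintext falls out by an integer cube root without the private key. All function names are this example's own.

```python
# Added example (not from Graff's book or Slade's review): textbook RSA
# carried through with the primes the review mentions, p = 3 and q = 11,
# so the arithmetic the book gets wrong can be checked line by line.


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def rsa_keygen(p, q, e=3):
    """Return ((n, e), (n, d)) with n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if egcd(e, phi)[0] != 1:
        raise ValueError(f"e={e} shares a factor with phi={phi}")
    d = modinv(e, phi)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """c = m^e mod n; the message must be a residue modulo n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def roundtrip_all(pub, priv):
    """True if every residue decrypts to itself (exhaustive for a toy n)."""
    n = pub[0]
    return all(rsa_decrypt(priv, rsa_encrypt(pub, m)) == m for m in range(n))


def low_exponent_recover(pub, c):
    """Caveat: with e = 3 and m^3 < n no modular reduction happens, so c is a
    perfect cube and m is its integer cube root; no key is needed.
    Returns m when that is the case, otherwise None."""
    n, e = pub
    r = 0
    while r ** e < c:
        r += 1
    return r if r ** e == c else None


if __name__ == "__main__":
    pub, priv = rsa_keygen(3, 11)            # n = 33, phi = 20, e = 3, d = 7
    print("public", pub, "private", priv)
    c = rsa_encrypt(pub, 4)                  # 4^3 mod 33 = 64 mod 33 = 31
    print("4 ->", c, "->", rsa_decrypt(priv, c))
    print("all residues round-trip:", roundtrip_all(pub, priv))
    print("cube-root recovery of E(2):", low_exponent_recover(pub, rsa_encrypt(pub, 2)))
```

The exhaustive round-trip check is only possible because n is tiny; the point of the toy is to show the key relationship d*e = 1 (mod phi) concretely, and the cube-root function shows why a real system never encrypts an unpadded small message under a small public exponent.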

#472 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Dec 1, 2003 3:46 pm
Subject: REVIEW: "Enterprise Directory and Security Implementation Guide", Charles Carrington et al
BKEDASIG.RVW   20031018

"Enterprise Directory and Security Implementation Guide", Charles
Carrington et al, 2002, 0-12-160452-7
%A   Charles Carrington
%A   Timothy Speed
%A   Juanita Ellis
%A   Steffano Korper
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   2002
%G   0-12-160452-7
%I   Academic Press
%O   619-231-0926 800-321-5068 fax: 619-699-6380
%O  http://www.amazon.com/exec/obidos/ASIN/0121604527/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0121604527/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0121604527/robsladesin03-20
%P   238 p.
%T   "Enterprise Directory and Security Implementation Guide"

You've got to wonder about the quality of a book that starts out with
an eight page section dedicated to copyright notices and disclaimers.

The foreword is unclear about what directories are, although it does
name DNS as a directory.  One sentence starts out by saying that there
are both risks and benefits to publishing a directory and then lists
only the most dire of risks.  There is no mention that directories can
be used to support security activities such as PKI (Public Key
Infrastructure.)

Chapter one is an introduction, stating that directories provide
information and mentioning X.500 and LDAP (Lightweight Directory
Access Protocol) without clarifying why directories need a formal
protocol.  (There seems to be, in the text, a preference for humour
over information.)  The basics of directories as information sources
are given in chapter two (although there is no material on the
problems of distribution, scaling, and replication), as well as a
brief mention of security.  There is a bit of discussion of directory
architecture design, another mention of LDAP, and illustrations that
do not illuminate, in chapter three.  Chapter four has an explanation
of LDAP that will make sense to those already familiar with relational
database concepts (but probably not, otherwise), and an allusion to
the difference between security information stored in the database and
the security of the directory, but this important point is not given
the emphasis it deserves.  Chapter five gives us a history of street
directories, some discussion of privacy, and a consideration of email
routing.  Basic relational database concepts are examined fairly
simplistically in chapter six.  Chapter seven is a generic overview of
enterprise security.  There is a good outline of the suggested
contents of a high-level security policy in chapter eight, although
the material becomes repetitive when an email policy basically
duplicates the previous material.  Chapter nine has a brief but
reasonable overview of PKI, several pages of screenshots (of
questionable utility) of a Cylink demonstration, and a fifteen page
sample "Certification Practices Statement."  Examples of directories
in chapter ten include Kerberos and DNS.  A list of miscellaneous PC
security products is in chapter eleven.

Although the issues of security related to directories are both
important and sparsely covered in the security literature, this poorly
focussed and structured work does not provide much useful direction.

copyright Robert M. Slade, 2003   BKEDASIG.RVW   20031018


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
What can you say about a society that says God is dead
and Elvis is alive?                                   - Irv Kupcinet
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#473 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Dec 9, 2003 4:49 pm
Subject: REVIEW: "Linux Security Cookbook", Daniel J. Barrett/Richard E. Silverman/Robert G. Byrnes
Apologies for the duplicate sent out yesterday.

(Also, for the question/comment last Thursday about whether I liked *any* books,
yes, occasionally I do  :-)

BKLNSCCB.RVW   20031019

"Linux Security Cookbook", Daniel J. Barrett/Richard E.
Silverman/Robert G. Byrnes, 2003, 0-596-00391-9, U$39.95/C$61.95
%A   Daniel J. Barrett dbarrett@...
%A   Richard E. Silverman res@...
%A   Robert G. Byrnes byrnes@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00391-9
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$61.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596003919/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596003919/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596003919/robsladesin03-20
%P   311 p.
%T   "Linux Security Cookbook"

In the introduction, the authors state that this is not a security
text, but a list of practical and individual pointers for improving
security in specific areas.

Chapter one covers how to take system snapshots with Tripwire, in
order to detect changes that might indicate an intrusion or a virus.
The establishment of a firewall, using the iptables and ipchains
utilities, is dealt with in chapter two.  Chapter three examines the
control of access to various network services.  Authentication
techniques and infrastructures are detailed in chapters four and five.
Protecting outgoing network connections, files, and email are
described in chapters six, seven, and eight respectively.  The
material on testing and monitoring, in chapter nine, is the most
extensive in the book, and provides a good introduction to Snort as
well.

This is good, practical advice, and makes an excellent reference for
anyone dealing with the security of Linux in a networked environment.
In one sense the authors are right, for they stick to the nuts and
bolts, without discussing security frameworks or theories.  In another
sense they are wrong: this text does what the "hacking" books only
pretend to do.  The authors of the genre of "Teach Total Idiots How to
Hack and They Will Automatically Turn Into Security Experts" texts all
imagine that they teach you how to harden/secure a system, but don't.
This does.

copyright Robert M. Slade, 2003   BKLNSCCB.RVW   20031019


======================
rslade@...      slade@...      rslade@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses"              0-387-94663-2
"Viruses Revealed"                                      0-07-213090-3
"Software Forensics"                                    0-07-142804-6
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
alternate site http://sun.soci.niu.edu/~rslade/
CISSP refs:     [Base URL]mnbksccd.htm
PC Security:    [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews:   [Base URL]mnbk.htm
                 [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com
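The review above describes the Cookbook's first chapter as taking system snapshots with Tripwire so that later changes can be detected. As an added example, which is neither the Cookbook's code nor Tripwire's, the following shows the mechanism behind that chapter: record a baseline of content hashes, sizes and permission bits for every file under a root, then diff a later snapshot against it to report what was added, removed or altered. The directory tree, file contents and the "tampering" are all constructed inline so the example runs offline; nothing is read from the real system.

```python
# Added example (not code from the Cookbook, its authors, or Tripwire): a
# minimal file-integrity baseline of the kind the chapter describes, run
# against a constructed directory tree standing in for a real filesystem.
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a regular file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (posix-style relative path) to the attributes
    a checker compares: content hash, size and permission bits."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                # Hash the link target rather than following the link.
                digest = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            else:
                digest = file_digest(full)
            baseline[rel] = {"sha256": digest, "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed tree: create parents and write bytes."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"ELF-original-listing-binary\n")
        baseline = snapshot(root)

        # Simulated tampering: a same-size binary replacement (a size-only
        # check would miss it), an added uid-0 account, a dropped file and
        # a new preload hook.
        _write(root, "bin/ls", b"ELF-trojaned-listing-binary\n")
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "etc/ld.so.preload", b"/tmp/.hide.so\n")
        current = snapshot(root)

        return {"baseline": baseline, "current": current,
                "diff": compare(baseline, current)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        print(f"{kind:9s} {paths}")
```

Two design points carry over to real tooling: the baseline must be stored somewhere the attacker cannot rewrite (read-only media or a remote host), since a checker that trusts a writable baseline detects nothing, and it is the content hash, not the size or timestamp, that catches a binary swapped for one of identical length.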

#474 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Dec 12, 2003 4:38 pm
Subject: REVIEW: "The SSCP Prep Guide", Debra S. Isaac/Michael J. Isaac
BKSSCPPG.RVW   2003107

"The SSCP Prep Guide", Debra S. Isaac/Michael J. Isaac, 2003,
0-471-27351-1, U$60.00/C$92.95/UK#41.95
%A   Debra S. Isaac
%A   Michael J. Isaac
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-27351-1
%I   John Wiley & Sons, Inc.
%O   U$60.00/C$92.95/UK#41.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471273511/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471273511/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471273511/robsladesin03-20
%P   508 p. + CD-ROM
%T   "The SSCP Prep Guide"

Chapter one is a supposed overview of security, although it is rather
vague and iconoclastic.  Access control, in chapter two, provides an
unstructured list of related terms.  At the end of the chapter we get
the expected list of sample questions, but these are either
simplistic, idiosyncratic, or both.  Chapter three, ostensibly about
administration, is a completely mixed bag of security management,
security architecture, operations security, and networking topics.
The information on auditing given in chapter four concentrates
primarily on networking, has way too many screenshots of Windows
tools, and far too little content on forensics.  A surprisingly good
section on risk, advice on incident response that starts well but ends
abruptly, and a short but standard piece on business continuity
planning is in chapter five.  Cryptography, in chapter six, has a list
of terms, poor explanations of the important concepts, and an
unimportant overview of the history of cryptography, padded out with
annoyingly fuzzy photographs.  Most of chapter seven is a list of
communications terms.  There is a disproportionate emphasis on
penetration testing, and a very odd reiteration of material on the
system development life cycle.  (Possibly the authors got confused
with the *other* SDLC: Synchronous Data Link Control?)  The material
on malware, in chapter eight, has been very carelessly put together.
There are two separate descriptions of macro viruses almost adjacent
to each other, and a level three header section on trojan horses
immediately followed by a level four header on trojan horses, which
starts out saying "Trojan horses are another threat ..."  There is a
recommendation to use "false data directories" to trap polymorphic
viruses.  (No mention is made of how this technobabble might work.)
The authors should take note that a multipartite virus is *not* the
same thing as a companion virus, and that worms *do* replicate.

There is very little useful material in this book.

copyright Robert M. Slade, 2003   BKSSCPPG.RVW   2003107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
It is a humbling experience knowing that your fate depends on a
vehicle built by the lowest bidder!
                           - Alan B. Shepard, Mercury Astronaut, 1965
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#475 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Dec 16, 2003 4:28 pm
Subject: REVIEW: "Effective Security Management", Charles A. Sennewald
BKEFSCMN.RVW   20031006

"Effective Security Management", Charles A. Sennewald, 2003,
0-7506-7454-7, U$49.95/C$72.50
%A   Charles A. Sennewald
%C   225 Wildwood Street, Woburn, MA  01801
%D   2003
%G   0-7506-7454-7
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$49.95/C$72.50 800-366-BOOK fax 800-446-6520 www.bh.com/bh/
%O  http://www.amazon.com/exec/obidos/ASIN/0750674547/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0750674547/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0750674547/robsladesin03-20
%P   395 p.
%T   "Effective Security Management"

The preface makes clear that the author's major background is in the
field of physical security.  This is evident in places throughout the
rest of the book, but much of the material is more broadly applicable.

The introduction presents a wonderful statement about management, that
it is "the ability to create an environment in which other individuals
willingly participate to achieve objectives."

Part one deals with general security management.  Chapter one outlines
some principles of organization, and provides an excellent overview of
the basics of management.  The physical security background shows in,
for example, the assumption that demonstrating a "contribution to
profits" is relatively straightforward and easy to quantify.  The
review questions at the end of the chapter are an adequate summary of
the material, but provide no more than a simple reading check.
Organizational structure, in chapter two, is based on the real world
rather than theory.  Sennewald notes the difference between formal and
informal arrangements, as well as both the good and bad reasons that
the two exist.  Security's role in the organization emphasizes
physical security, but chapter three also addresses non-traditional
functions such as training, internal consulting, and executive
protection.  Chapters four, five, and six deal with the roles of,
respectively, the security director, supervisor (emphasizing the chain
of command), and employee (mostly stressing personal character and
integrity).

Part two addresses security personnel management.  Chapter seven, on
hiring, is reasonable, but fails to provide useful guidance on
avoiding common pitfalls in reviewing resumes and interviewing
candidates.  There is, for example, a heavy reliance on open-ended
questions, which often backfire on interviewers since the responses
tend to be so different that it makes the difficult task of judging
between people even harder.  The creation of a job description, in
chapter eight, provides good pointers and a helpful outline.  There
are more complaints about how training is done poorly than suggestions
about how to fix the problem in chapter nine.  The material on
discipline, in chapter ten, is good but not great.  In regard to the
motivation of employees, Sennewald presents the classic "Theory X and
Theory Y" model, but chapter eleven is more concerned with pointing
out the disadvantages of punishment and control (X) than with
suggesting how to support employees (Y).  Chapter twelve, on
promotions, repeats many of the points of chapter seven.  The vague
look at communications, in chapter thirteen, is not necessarily
helpful.  The classic debate between employment of, or contracting
out, security personnel is presented in chapter fourteen.

Part three considers operational management.  Budgeting, in chapter
fifteen, is a good start for those without a financial background, but
gets bogged down in specific forms.  The basics of risk management
(albeit limited to physical security situations) is introduced in
chapter sixteen.  Some expansion is given in chapter seventeen, but
the content is generally duplicated, and I wonder why the chapters
were split.  Review and audit, renamed the security survey, is
important, but chapter eighteen seems to be a not-completely-recycled
magazine article.  It seems odd to cover office administration, in
chapter nineteen, but many physical security officers may have limited
office background, so this might be quite useful.  The discussion of
policy and procedures, in chapter twenty, primarily deals with
procedures.  Chapter twenty one, on computers and security management,
is the longest in the book, but is only a computer literacy article
and addresses no specific security applications.  Sennewald argues
that statistics can be useful, but chapter twenty two does not provide
much direction in their manipulation.

Part four deals with public relations.  A pedestrian selling job for
security is in chapter twenty three.  The relationship with law
enforcement, in chapter twenty four, emphasizes what the police can
provide.  Chapter twenty five promotes cooperation with those in the
same industry and the importance of trade groups, as well as community
service.  This latter topic is expanded in twenty six.  Chapter twenty
seven is a very recognizable list of thirty two "jackass traits" for
managers, pointing out all kinds of mistakes people can make.  How to
improve your performance gets less space, and it is hard to know where
to draw the line between opposing problems, such as "the Despot" and
"The Popularity Kid."

Despite specific problems, this book provides some extremely valuable
advice for security managers of all kinds, not just the physical
security officers at whom it is aimed.

copyright Robert M. Slade, 2003   BKEFSCMN.RVW   20031006


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
`Notwithstanding'--that is the metaphor for Canada - A Fotheringham
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#476 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Dec 22, 2003 4:07 pm
Subject: REVIEW: "Windows XP Hacks", Preston Gralla
BKWNXPHK.RVW   20031120

"Windows XP Hacks", Preston Gralla, 2003, 0-596-00511-3,
U$24.95/C$38.95
%A   Preston Gralla preston@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00511-3
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$38.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596005113/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596005113/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596005113/robsladesin03-20
%P   280 p.
%T   "Windows XP Hacks"

Chapter one covers startup and shutdown options for the system.  The
material is not always careful about actual names and procedures,
which may make use of the hacks difficult.  Much of the content is
presented without a great deal of thought or analysis.  For example,
clearing the page file gets mentioned, but not the fact that most
machines nowadays will have 256 megabytes of main memory or above,
and, at that level, users can probably improve both security and
performance by shutting virtual memory off: it simply should not be
necessary in most situations.  The advice to check out services.msc
for disabling services is good, but not much additional assistance is
provided.  The discussion of the user interface, in chapter two, has
odd and careless duplications of material, such as hiding desktop
icons (on page 27), deleting desktop icons (on page 28), and yet again
in hack #13 on page 44.  A great many of the hacks require or
advertise shareware.  The Briefcase gets the usual inadequate
explanation and there is almost no mention of the extensive
customization that can be performed on Windows Explorer, in chapter
three.  (And, yes, you *can* put access to the command line on the
desktop: it's simple.)

Chapter four provides pretty basic information on the Web (and a very
poor explanation of cookies).  Networking, in chapter five, is random
and disorganized.  There are good tips, but some give just enough
information to be dangerous.  A few items that would be extremely
useful (like how to have multiple LAN setups for laptops with netsh)
are not discussed.  Chapter six retails pedestrian anti-spam advice
and shows how to look at headers, but not how to interpret what you
see.  The content on the Registry, in chapter seven, is good, but the
level of information is not consistent throughout.  Chapter eight is
supposed to be about basic utilities, such as backup and
defragmentation, but why is instant messaging considered basic?  Other
than replacements for Microsoft Office, chapter nine's material on
applications offers little of use.  Multimedia, in chapter ten, is
mostly about copying CDs.  Chapter eleven's coverage of system
performance is probably going to be confusing to the average reader,
and is of questionable utility.  Hardware tuning shareware and some
suggestions for connecting two computers on the cheap makes up chapter
twelve.

There is a good deal of interesting and useful content in the book,
but the quality is inconsistent.  This is a random collection of tips
that is going to have something for pretty much everyone, but also
probably will not answer the question you want.

copyright Robert M. Slade, 2003   BKWNXPHK.RVW   20031120


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Henslowe: Mr. Fennyman, allow me to explain about the theatre
    business.  The natural condition is one of insurmountable
    obstacles on the road to imminent disaster.
Fennyman: So what do we do?
Henslowe: Nothing.  Strangely enough, it all turns out well.
Fennyman: How?
Henslowe: I don't know.  It's a mystery.
                                         - Shakespeare in Love (1998)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#477 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jan 2, 2004 3:56 pm
Subject: REVIEW: "Ben Franklin's Web Site", Robert Ellis Smith
BKBNFRWS.RVW   20031013

"Ben Franklin's Web Site", Robert Ellis Smith, 2000, 0-930072-14-6,
U$24.50/C$32.25
%A   Robert Ellis Smith ellis84@...
%C   P. O. Box 28577, Providence, RI   02908
%D   2000
%G   0-930072-14-6
%I   Privacy Journal
%O   U$24.50/C$32.25 401-274-7861  orders@...
%O  http://www.amazon.com/exec/obidos/ASIN/0930072146/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0930072146/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0930072146/robsladesin03-20
%P   407 p.
%T   "Ben Franklin's Web Site"

In the introduction, Smith notes that Americans are both (and
simultaneously) interested in protecting their privacy, and very
curious about others.  This work is a social history of American
thought and feelings about privacy.  The chapters are not numbered,
but named.  There is an attempt to assign date ranges to periods of
events and opinion, but this effort is pretty much exhausted by the
time the book ends.

"Watchfulness," from the late seventeenth to the early eighteenth
century, notes an age of church based communities and close living.
Fear of the government registration is suggested to be primarily based
on anxiety about the fact that a low population (or other indicator of
lack of wealth) would reflect badly on the locale (or locals).
"Serenity" links geographic isolation with privacy, but mostly
concentrates on early enumeration operations.  The post office, more
about the census, and the beginnings of information technology with
Hollerith and Morse are in a chapter called "Mistrust."  "Space"
outlines the degradations of slavery, factories, and workhouses.
"Curiosity" looks at gossip and the popular press.

A chapter called "Brandeis" doesn't talk about him or his essay (with
Warren in the Harvard Law Review) as much as the intellectual
environment and subsequent debate.  Another reviews decisions and
government actions in regard to different types of surveillance.  It
is difficult to say what a chapter called "Sex" has to do with
privacy, and it reuses a lot of material from "Serenity," "Curiosity,"
and "Brandeis."  "Torts" examines various lawsuits related to invasion
of privacy.  Politicking on the Supreme Court in cases possibly
related to privacy populates a chapter called "Constitution."
"Numbers," unlike "Census," discusses the improper use of the Social
Security Number, as well as the concept of a national identity card.
Credit reporting agencies are examined in "Databanks."  "Cyberspace"
touches on a number of Internet related topics.  "Ben Franklin's Web
Site" attempts to guess what Franklin's "Poor Richard's Almanac" would
say about privacy, in pithy aphorisms: a kind of Poor Robert's list of
privacy protecting guidelines.

Smith's book is certainly an entertaining read, and does provide the
occasional lost nugget of significant information on the development
of thought in regard to privacy.  It is, however, difficult to say how
useful the work is for practical endeavours in pursuit of the
protection of privacy, or development of current privacy policy.

copyright Robert M. Slade, 2003   BKBNFRWS.RVW   20031013


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Freedom is not worth having if it does not connote freedom to
err. It passes my comprehension how human beings, be they ever so
experienced and able, can delight in depriving other human beings
of that precious right.                - Mahatma Gandhi, (1869-1948)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#478 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Dec 18, 2003 3:06 pm
Subject: REVIEW: "RSA and Public Key Cryptography", Richard A. Mollin
secgloss
 
BKRSAPKC.RVW   20031107

"RSA and Public Key Cryptography", Richard A. Mollin, 2003,
1-58488-338-3, U$79.95/C$119.95
%A   Richard A. Mollin ramollin@...
%C   115 Fifth Avenue, New York, NY   10003
%D   2003
%G   1-58488-338-3
%I   Chapman & Hall
%O   U$79.95/C$119.95
%O  http://www.amazon.com/exec/obidos/ASIN/1584883383/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1584883383/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1584883383/robsladesin03-20
%P   291 p.
%T   "RSA and Public Key Cryptography"

This book is written as the text for a course.  Rather than an
introduction course in cryptography, the preface recommends that it be
used for a second, and assumes that the students will have a
background in number theory.

Chapter one provides a little history and some basic cryptographic
concepts.  The emphasis is on symmetric algorithms, and most are
expressed in formal mathematical style.  Unfortunately, a number of
the text explanations of the formulae are not very good, and this
weakness continues throughout the work.  The practice questions (which
are distributed within the chapter after particular sections, rather
than being collected at the end) are sometimes surprisingly
simplistic, as in the case of multiple examples of "decrypting"
ROT13.  (Solutions to odd-numbered questions are provided at the end of
the book.)  The purpose or intention behind cryptographic work is
examined in chapter two, and discrete logarithms and the
Diffie-Hellman work are introduced.  More asymmetric concepts, including RSA
and others (and pointers to the Communications Electronics Security
Group [CESG] papers that pre-date the Diffie-Hellman publication) are
provided in chapter three.  Chapter four looks at statistical methods
used to test for relative primality (important in choosing strong RSA
keys).  Factoring processes (which might be important in attacking
RSA) are in chapter five.  Chapter six reviews both implementation
factors and the algorithm in assessing the strength of RSA.
Various aspects of authentication, including the oddly oxymoronic
anonymous authentication that is important to systems for digital
cash, are outlined in chapter seven.  Key management is discussed in
chapter eight.  Chapter nine looks at some practical applications, and
analyses weaknesses of current procedures and requirements for secure
systems.

While the material is sound, and a good deal of interesting and
important information is included, this book could have been written
more clearly for the intended audience.  In addition, while some of
the content has more immediate practical application, somehow this
work does not have the feeling of centrality to the topic that is
found in "Algebraic Aspects of Cryptography" by Neal Koblitz (cf.
BKALASCR.RVW).

copyright Robert M. Slade, 2003   BKRSAPKC.RVW   20031107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
With what shall I come before the Lord and bow down before the
exalted God?  Shall I come before him with burnt offerings, with
calves a year old?  Will the Lord be pleased with thousands of
rams, with ten thousand rivers of oil?  Shall I offer my first
born for my transgression, the fruit of my body for the sin of my
soul?   He has showed you, O Man, what is good.  And what does
the Lord require of you?  To act justly and to love mercy and to
talk humbly with your God.                             - Micah 6:6-8
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#479 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jan 5, 2004 9:07 pm
Subject: REVIEW: "Disaster Recovery Planning", Jon William Toigo
secgloss
 
BKDIREPL.RVW   20031105

"Disaster Recovery Planning", Jon William Toigo, 2003, 0-13-046282-9,
U$54.99/C$85.99
%A   Jon William Toigo www.drplanning.org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-046282-9
%I   Prentice Hall
%O   U$54.99/C$85.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130462829/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0130462829/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130462829/robsladesin03-20
%P   482 p.
%T   "Disaster Recovery Planning"

Toigo's first edition outshone almost all later DRP (Disaster Recovery
Planning) and BCP (Business Continuity Planning) works.  This edition
vastly expands the resources and thinking on the topic.  In the
preface, Toigo examines the question of whether people will see this
new edition as simply an exercise in opportunistic marketing, using
the events of September 11, 2001 to promote a fresh work.  He
concludes that changes in technology do justify another edition.  In
addition, the new pieces giving post-9/11 perspectives from various
parties (generally vendors) do provide some additional insights.  The
leading foreword, a first-hand account of the evacuation of one of the
World Trade Center towers, offers interesting observations such as the
fact that the tens of thousands of people using the exit stairwells
created potential problems with respect to condensation on the stairs
and walls of the structure.

Chapter one, an introduction to the topic, is no longer as incisive as
it once was.  However, there are still striking items, such as the
mention of the Bank of New York information technology outage (lasting
twenty seven hours) which led to a requirement to borrow twenty two
billion dollars, cascading into destabilization of the federal reserve
fund and interest rate fluctuations.  The advice is still practical,
pointing out legislation that may indirectly support disaster recovery
planning (although there is no mention of the widely used Americans
with Disabilities Act), a detailed assessment of the uselessness of
disaster recovery certifications and related groups, and suggestions
for dealing with political realities.  Various perspectives and
disputes over risk are reviewed in chapter two, although the material
becomes a bit disjointed when it ends with policy development.  There
is an excellent overview of fire protection and power problems, but
the rest of the facility management material in chapter three is quite
limited.  A detailed examination of the options, products, and vendors
related to data recovery (well beyond the usual discussion of full,
incremental, and differential backups) is given in chapter four.

Chapter five deals with strategies for the recovery of centralized
systems.  This is the standard view of disaster recovery, but Toigo
offers good, quality advice.  Recovering decentralized systems is
analysed in chapter six, although most of the solutions seem to rely
on recentralising.  End-user requirements, touching on remote
computing, virtual private networks, and so forth, are discussed in
chapter seven.  Examination of network recovery, in chapter eight, is
useful, although many solutions (such as wireless LANs) are not
perused for problems (such as security), while, at the same time, they
are not pushed far enough (groups in many locations are now planning
city-wide wireless networks which should be available in the event of
the collapse of major telecommunications carriers).  Emergency
decision making, in chapter nine, concentrates on teams, functions,
and flowcharts.  References and resources for recovery management,
mostly in the US, are in chapter ten.  There is an odd inclusion of a
story about vendor versus reseller infighting in the plan maintenance
material in chapter eleven.  The book concludes in chapter twelve.

While the later edition is sometimes too verbose, this work is
definitely worthwhile for anyone in the security or disaster recovery
planning field.  Even if you have the first edition, continuity and
recovery professionals will probably find that this latest work has
fresh insights that justify its purchase.

copyright Robert M. Slade, 2003   BKDIREPL.RVW   20031105


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
                  All reports are in.  Life is now officially unfair.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#480 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Jan 8, 2004 4:28 pm
Subject: REVIEW: "Understanding PKI", Carlisle Adams/Steve Lloyd
secgloss
 
BKUNDPKI.RVW   20031107

"Understanding PKI", Carlisle Adams/Steve Lloyd, 2003, 0-672-32391-5,
U$49.99/C$77.99
%A   Carlisle Adams
%A   Steve Lloyd
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2003
%G   0-672-32391-5
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0672323915/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0672323915/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0672323915/robsladesin03-20
%P   322 p.
%T   "Understanding PKI"

Part one is about concepts.  Chapter one (and the first chapter of
every section) is an outline of the contents of this part of the book.
A simple introduction to symmetric cryptography, and the basics of
asymmetric, is provided in chapter two.  The purpose and components of
a public key infrastructure (PKI) are reviewed in chapter three.
Chapter four relates core PKI to the standard security model of
confidentiality, integrity, and availability.  Some extension of the
basic services is given in chapter five (although there is no mention
of the most common hybrid form of encryption).  Certificates and some
fundamentals of certification are in chapter six.  Chapter seven looks
at key and certificate management.  Certificate revocation, in chapter
eight, is oddly undetailed in comparison to the previous material.
Chapters nine to thirteen cover, in short order, trust models,
certificate and information dissemination, operational factors, and
digital signature legislation.  What PKI does, and doesn't, do is
presented in chapter fourteen, which probably should have come earlier
in the book.  Chapter fifteen speculates on the future of PKI.
Chapter sixteen, and the last chapter of every part, outlines
conclusions and further reading.  The material is very terse: in this
case, only two pages.

Part two is entitled standards.  There is the introduction, and then
chapter eighteen lists major standards.  The status of some of those
standards is discussed in chapter nineteen.  Chapter twenty provides
examples of the piloting of standards, and points out that the
standards do not always confer interoperability.  The reading list in
chapter twenty one is a bit bigger than that in sixteen.

Part three concerns deployment.  There is a generic cost/benefit
argument in chapter twenty three.  Chapters twenty four and twenty
five basically reiterate earlier material in regard to deployment.
Some specific issues are mentioned in regard to the business models
discussed in chapter twenty six.  There are almost no conclusions and
suggestions for further reading in chapter twenty seven.

This book does cover many issues associated with PKI, but in a very
pedestrian fashion.  There is nothing here that is not covered by many
volumes dealing with cryptography as a general topic, such as
Schneier's "Applied Cryptography" (cf. BKAPCRYP.RVW) or the simpler
works like Mel and Baker's "Cryptography Decrypted" (cf. BKCRPDEC.RVW).
Indeed, any number of general security texts provide as much detail on
PKI as does this book.

copyright Robert M. Slade, 2003   BKUNDPKI.RVW   20031107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Politicians are the same all over the world, we build bridges
where there are no rivers.                       - Nikita Khrushchev
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#481 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jan 12, 2004 4:12 pm
Subject: REVIEW: "The Manager's Handbook for Corporate Security", Gerald L. Kovacich/Edward P. Halibozek
secgloss
 
BKMNHBCS.RVW   20031107

"The Manager's Handbook for Corporate Security", Gerald L.
Kovacich/Edward P. Halibozek, 2003, 0-7506-7487-3, U$49.99/C$72.50
%A   Gerald L. Kovacich
%A   Edward P. Halibozek
%C   225 Wildwood Street, Woburn, MA  01801
%D   2003
%G   0-7506-7487-3
%I   Butterworth-Heinemann
%O   U$49.99/C$72.50 800-366-BOOK fax: 800-446-6520 www.bh.com/bh/
%O  http://www.amazon.com/exec/obidos/ASIN/0750674873/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0750674873/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0750674873/robsladesin03-20
%P   463 p.
%T   "The Manager's Handbook for Corporate Security"

The intent that is asserted in the preface is to provide a state-of-
the-art, holistic, practical, "cut and paste" approach to corporate
asset protection, using examples from a fictional company.

Part one, titularly about the old and new world of the security
professional, provides some historical perspective.  Chapter one, "New
Century, New World," says that it is a big, bad, complex, changing,
interconnected world out there now.  The argument is somewhat
unconvincing, since the history provided points out that the times
they always have been a-changin'.  A standard view of threat and risk
is in chapter two.  Corporate security and law enforcement, in chapter
three, is simply a terse history of the military and law enforcement.
Chapter four is a promotional piece for corporate security
professionals.

Part two, on corporate security management, starts taking itself way
too seriously by coining a new acronym of CSM.  Our fictional company
is created in chapter five.  Generic security management roles are
dressed up in the fictional company clothes in chapter six.  The
corporate security management department that is invented in chapter
seven assumes a clean slate and a perfect world.

Part three outlines some security functions.  Where many would assume
that "administrative security" might involve some operational aspects,
chapter eight concentrates on plans, policies, and procedures.
Chapter nine's review of physical security is fairly ordinary,
although it is short on details in areas such as fire protection and
power provision.  The usual debate about outsourcing versus in-house
security is somewhat biased in favour of outsourcing, in chapter ten.
Personnel security, in chapter eleven, is limited to background checks
and workplace violence.  Chapter twelve looks at security education.
Fire protection is given another run in chapter thirteen, which is big
on procedures but short on detail.  Contingency planning, in chapter
fourteen, is broad but vague.  Chapter fifteen's view of
investigations is heavily influenced by law enforcement and assumes a
very large staff.  Chapter sixteen tells us that dealing with the
government has--surprise!--special requirements.  Information has
value and requires protection, says chapter seventeen, which also
generates more new acronyms.  Executive protection is examined in more
than the usual level of detail, in chapter eighteen.  Chapter nineteen
looks at security for events.

Part four assesses the security profession now and in the future.  The
advice about corporate security career development, in chapter twenty,
is equally applicable to any profession.  (Is this a commentary on the
lack of distinction of security as a profession?)  Chapter twenty one,
entitled "What you can do to help others," is primarily concerned with
self-promotion.  Vague opining and some reprints of codes of ethics
make up chapter twenty two.  Chapter twenty three closes the book
with blue-sky futurism.

For those completely new to the security profession, this book does
have some tips, but contains nothing like the practicality of
Sennewald's "Effective Security Management" (cf. BKEFSCMN.RVW).

copyright Robert M. Slade, 2003   BKMNHBCS.RVW   20031107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
The secret of the demagogue is to make himself as stupid as his
audience so they believe they are clever as he.         - Karl Kraus
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#482 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jan 16, 2004 4:24 pm
Subject: REVIEW: "Wireless Hacks", Rob Flickenger
secgloss
 
BKWLSHCK.RVW   20031110

"Wireless Hacks", Rob Flickenger, 2003, 0-596-00559-8, U$24.95/C$38.95
%A   Rob Flickenger
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00559-8
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$38.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596005598/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596005598/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596005598/robsladesin03-20
%P   286 p.
%T   "Wireless Hacks"

Unlike most pieces that simply list the various wireless standards,
chapter one provides excellent coverage of both regulations and
protocols, giving clear and practical explanations of the benefits and
drawbacks of the various conventions, and recommending the best one
for any particular purpose.  This sets the tone for the book as a
whole, providing advice and information that far exceeds details and
suggestions found in other wireless works.  (I must say, though, that
the exegesis of Direct Sequence Spread Spectrum and Frequency Hopping
Spread Spectrum is still lacking.)  Chapter two shows how to use
Bluetooth (mostly with cell phones, Mac OS X, and Linux) for some
amazing applications.  Descriptions of many monitoring tools are
furnished in chapter three, starting with system utilities.  There is
solid guidance on using these instruments in combination for best
effect.  Antennae, cables, and the use of minimalist equipment as
routers and infrastructure are covered in chapter four.  Five deals
with antennae in more detail.  Long distance point-to-point links are
examined in chapter six.  Wireless security, in chapter seven,
discusses the usual WEP (Wired Equivalent Privacy) cracks and SSID
(Station Set IDentifier) issues, but also reviews SSH (Secure SHell)
and tunnelling.

For anyone dealing seriously with wireless networks, there is a wealth
of information collected here that you will only find elsewhere after
prolonged searching.

copyright Robert M. Slade, 2003   BKWLSHCK.RVW   20031110


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
A witty saying proves nothing.                            - Voltaire
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#483 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jan 19, 2004 4:25 pm
Subject: REVIEW: "Byte Wars", Edward Yourdon
secgloss
 
BKBYTWRS.RVW   20031107

"Byte Wars", Edward Yourdon, 2002, 0-13-047725-7, U$24.00/C$37.99
%A   Edward Yourdon
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2002
%G   0-13-047725-7
%I   Prentice Hall
%O   U$24.00/C$37.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130477257/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0130477257/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130477257/robsladesin03-20
%P   314 p.
%T   "Byte Wars: The Impact of September 11 on Information Technology"

Chapter one, an introduction, draws a parallel between the events of
9/11 and the rise of Napster, noting that both involve "stateless
actors" with disproportionate power because of their involvement with
technology.  Quite apart from the fact that this seriously overstates
the technical capabilities of Al Qaeda (as Marcus Ranum points out in
"The Myth of Homeland Security", cf. BKMYHLSC.RVW), the analogy seems
to be seriously strained.  Yourdon also notes that the book is
intended as a lesson for system developers, as a reminder to provide
for system continuity or soft failure.  The strategic implications of
9/11 are supposedly discussed in chapter two, but instead we have
random thoughts and unconvincing logic.  The world of information
technology has *not* embraced information security or business
continuity, most of the national initiatives listed in the book have
subsequently failed, and privacy has, rather surprisingly, enjoyed
something of a resurgence in importance.  (Oh, and Magic Lantern was
*not* a virus, Ed.)  A simplistic and limited overview of system
security is given in chapter three, followed by vague opining about
risk management in four.

In chapter five Yourdon proves that he misunderstands emergent systems
by confusing the rapid response capability that might be expected from
a flat organizational structure with the unexpected and unforeseen
behaviours that arise out of a large number of units governed by
simple rules.  In discussing resilience, in chapter six, there is a
good presentation of the fragility of efficient systems, but this is
not translated into practical advice.  Yourdon's point about "good
enough" software, from his "Rise and Resurrection of the American
Programmer" (cf. BKRRAMPR.RVW), is reiterated in chapter seven, but
the process remains unclear.  His material about death march projects,
from another book, is repeated in chapter eight, but any relation to
the main theme of this book is a mystery.  Chapter nine is not a
conclusion, but a compilation of the summary points from each chapter
through the book.

Overall, the book has very little to say about system development, and
not much of use to say about 9/11.

copyright Robert M. Slade, 2003   BKBYTWRS.RVW   20031107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
       Timing has a lot to do with the outcome of a rain dance.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#484 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Jan 21, 2004 3:39 pm
Subject: REVIEW: "Defense and Detection Strategies Against Internet Worms", Jose Nazario
secgloss
 
BKDDSAIW.RVW   20031128

"Defense and Detection Strategies Against Internet Worms", Jose
Nazario, 2004, 1-58053-537-2, U$85.00/C$131.95
%A   Jose Nazario jose@...
%C   685 Canton St., Norwood, MA   02062
%D   2004
%G   1-58053-537-2
%I   Artech House/Horizon
%O   U$85.00/C$131.95 800-225-9977 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1580535372/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580535372/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580535372/robsladesin03-20
%P   287 p.
%T   "Defense and Detection Strategies Against Internet Worms"

The preface states that the book is intended for security
professionals, security researchers, and academics in the field of
computer science.  It is obvious that the author has attempted to
write the material in a scholastic tone, but the necessary rigour and
structure of thought is missing.

Chapter one, an introduction of sorts, provides random information of
questionable utility, such as the table listing the discovery of
vulnerabilities compared against the time that elapsed before those
loopholes were first released in active worms: no particular pattern
seems to be indicated.

Part one is supposed to be a background and taxonomy.  Chapter two
provides us with a definition.  Nazario has obviously taken the
Cohenesque definition of viruses (as attaching to files) and then
assumed that a worm is any self-replicating program that does *not* so
bind.  The definition therefore appears to include almost all current
viruses, and yet the author also attempts to ascribe certain
characteristics to worms, such as control and construction of a
network, and communication with other worm nodes.  His later examples
of worms, however, include a number that do not contain any of these
aspects.  He lists a number of components of worms, and yet the
communications, command, and intelligence elements are not inherently
part of much of modern malware, usually existing simply as specialized
payloads.  A simplistic growth pattern (and the fact that worms can
generate network traffic) is presented in chapter three, but the
actual traffic patterns examined do not fully correspond to the
projected graph.  The history and taxonomy given in chapter four has
numerous errors: even the fictional representative, the tapeworm from
Brunner's "The Shockwave Rider," is introduced erroneously, since it
didn't shut down the network in the book, but rather opened it.
Workstations affected by the infamous Xerox PARC worm could be
restarted, and a vaccine was not needed or produced.  The Morris Worm
was an enormous nuisance, but it hardly "crashed the Internet."  (And
Loveletter did the rounds in 2000, not 2001.)  There is a quick precis
of a number of lesser known worms, and this may be helpful as a
reference, but the analysis is very limited.  The construction of a
worm is described in chapter five, but the outline is often at odds
with that given in chapter two.

Part two reviews worm trends.  Chapter six reworks some of the
material from five in a facile listing of infection patterns (and
presents an artificial "Shockwave Rider" pattern that does not seem to
have any correspondence to reality).  "Targets of attack," in chapter
seven, simply enumerates network connected devices.  Nazario does
attempt to bring in abstract concepts related to network topologies,
but these have little practical bearing on worms in reality.  The
possible futures for worms, as expressed in chapter eight, deals
mostly with existing and already used technologies.  There is some
effort made to model effects, but these are not fully analyzed.

Part three turns to detection.  Chapter nine looks at traffic
analysis, but only in terms of network based intrusion detection with
rudimentary appraisal.  Honeypots and "dark networks" (ranges of
unused IP addresses) are said to be ways to detect and trap worms, but
the explanation and dissection of the topic in chapter ten is very
narrow.  Signature based detection, in chapter eleven, revisits
network based intrusion detection, and adds a brief mention of file
scanning.

Part four looks at defences.  Chapter twelve's review of host based
defence deals primarily with system hardening, antivirus scanners, and
the concept of throttling.  Nazario seems very loath, in his
discussion of firewalls in chapter thirteen, to admit that this is
simply another type of signature.  The use of scanning within
application level proxies is examined in chapter fourteen, although
there seems to be some confusion with circuit level proxies at points.
Chapter fifteen, entitled "Attacking the Worm Network," outlines a
number of active measures: except for the idea of "sticky" tarpits
(after the LaBrea program model) all of them require extensive
specific knowledge of individual worms.  A concluding chapter is
provided in sixteen.

Nazario's work does address the often neglected topic of worms, and he
does break away from the mass of virus books that are locked into the
traditional "file and boot infectors" model.  His examples are drawn
from more recent events, and he does attempt to analyze network
effects and complications, rather than simply looking at systems in
isolation.  While he is to be commended for all this, his definition
is too broad to provide for serious new modelling of the problem, and
his analysis fails to provide a basis for future work.  Still, for
those who need a more complete picture of the malware threat, this
work should be considered.  It does provide new information, and does
attempt to address the difference between worms, viruses, and other
forms of malware.  In this regard, it is a significant improvement
over such lackluster spacefillers as Skoudis' "Malware" (cf.
BKMLWFMC.RVW), the "E-mail Virus Protection Handbook" (cf.
BKEMLVRS.RVW), Dunham's "Bigelow's Virus Troubleshooting Pocket
Reference" (cf. BKBVRTPR.RVW), Schmauder's "Virus Proof" (cf.
BKVRSPRF.RVW), and even Grimes' somewhat better "Malicious Mobile
Code" (cf. BKMLMBCD.RVW).

copyright Robert M. Slade, 2003   BKDDSAIW.RVW   20031128


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
After attacking the sacred majesty of kings, I shall scarcely
excite surprise by adding my firm persuasion that every
profession, in which great subordination of rank constitutes its
power, is highly injurious to morality.
Mary Wollstonecraft (1759-1797), A Vindication of the Rights of Woman
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#485 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jan 23, 2004 7:20 pm
Subject: REVIEW: "The Myth of Homeland Security", Marcus J. Ranum
 
BKMYHLSC.RVW   20031124

"The Myth of Homeland Security", Marcus J. Ranum, 2004, 0-471-45879-1,
U$24.99/C$37.50
%A   Marcus J. Ranum mjr@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-471-45879-1
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$37.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471458791/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471458791/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471458791/robsladesin03-20
%P   244 p.
%T   "The Myth of Homeland Security"

Regular readers of the RISKS-FORUM Digest come to know a number of
phrases that are repeated over and over again, in assessing risks and
problems in technical systems.  One is "single point of failure" and
another is "cascading failure."  Yet another, and the one that Ranum
seems to be concentrating on, is "protecting against the wrong
threat."  The book starts out, in "It's Another Code Orange Day,"
noting that the vast new machinery of airline security has not caught
any terrorists, and also notes that the defenders are completely
disorganized.

Chapter one asserts that Homeland Security is (along with a number of
other similar terms) a convenient invention.  Information warfare is
derided as such a device, and although I could agree in terms of books
such as Erbschloe's (cf. BKINFWFR.RVW), I don't think Ranum gives
enough thought to the work by Dorothy Denning (cf. BKINWRSC.RVW).  The
one myth that the author attacks in chapter two is of superior
attackers and defenders.  The anti-FBI stance is somewhat overblown,
even though there are numerous examples to support it, both in the
book and elsewhere.  Politics, in chapter three, is mostly about the
PATRIOT Act (and finding out that it stands for "Provide Appropriate
Tools Required to Intercept and Obstruct Terrorism" is almost worth
the price of the book all by itself), although Ranum's seemingly
deliberate attempts to avoid being politically pigeon-holed make it
difficult to determine exactly what his point is.  Merging inefficient
agencies is unlikely to help things, as is pointed out in chapter
four. Immigration, in chapter five, looks at weak borders (and, rather
ironically, Ranum seems to be promoting the myth of terrorist entry
through Canada), but the text also admits that the 9/11 attackers all
had valid visas, and ultimately suggests no solutions.  Chapter six
notes that TSA (Transportation Safety Administration) salaries are
higher, and hiring requirements more stringent, than before (and the
book has previously indicated that TSA personnel are more
professional), but Ranum points out a few instances of hiring
irregularities, and then flatly states that airport security is a
sieve.  He is also seemingly inconsistent in his positions, arguing
generally against biometrics and profiling, but then apparently
endorsing them.  The arguments are not reasoned: he is for a national
identity system, but admits elsewhere that the 9/11 terrorists had
valid identification.  Chapter seven says that the army is good, the
border patrol is looking for the wrong things (although this is
confusingly amended to a position that they have the technology but
aren't using it), and the FBI and CIA have an ongoing turf fight.
Having stated that he is not interested in media bashing, Ranum spends
most of chapter eight anecdotally doing just that.  There is a token
mention of access to information, and a final assertion that probably
nothing can be done about the problem of the media because the public
is so gullible.

Cyberattacks are an unreal myth, says chapter nine, but our
information infrastructure is mostly undefended.  The lack of
standardization in government systems is seen as making government
systems harder to defend (even though homogeneity means that a single
attack can penetrate everything).  While this material starts off very
well, possibly due to Ranum's greater familiarity with strictly
technical issues, he makes numerous errors in regard to viruses and
malware.  His lack of experience in this specific area reappears in
chapter ten, where he says that even outdated antivirus scanners
should have caught Code Red because the exploit was a known one.
However, scanners would not have caught Code Red since it did not
write itself out to a file, and also because scanners search for
strings or patterns, not exploits.  (If anything should have caught
Code Red it was more likely to have been the firewalls that Ranum has
made his name in designing.)  Computer insecurity is put down to being
on the cutting edge (advanced technologies being less completely
understood), but is also due to foolish government purchasing
procedures.

Those of us who work in the security field can certainly sympathize
with the tone of Ranum's work.  Yes, governments (and businesses) are
foolish.  Yes, the general public sees a complex problem in simplistic
terms.  Yes, you can find instances of stupidity in any large
enterprise.  But does any of this have a real bearing on how security
can be improved, or how we should look at it?  (Particularly to a non-
American audience, this book must read like a long string of sometimes
whiny complaints.)  Yes, Ranum starts off by saying that he is not
actually offering solutions, but that bald statement hardly absolves
him of not offering anything, including insights.  While this work is
at least well-informed about the problems, I am at a loss to explain
the adulation that has been heaped upon it by many of my colleagues,
aside from the fact that we all feel very much the same way.

Presumably, however, we are not the target audience, and the book is
aimed at demonstrating to the general public that Homeland Security
is, as the cover graphically puts it, a house of cards.  Pointing out
that the Emperor has no clothes does have some merit, although the
rewards of the activity are questionable at best.  When addressing a
non-technical audience, the anecdotal evidence provided is probably
more realistic than a closely reasoned argument.  However, the lack of
clear suggestions for improvement, and inconsistency in positions,
detract from the book's value.

We can agree that security is a mess, and that governments can create
enormous boondoggles.  This book is among many that make the point,
but does not do much to improve the situation.

copyright Robert M. Slade, 2003   BKMYHLSC.RVW   20031124


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
                 God is real.  Unless declared integer.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
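The review's point about Code Red (a scanner that matches byte patterns in stored files cannot see a worm that exists only as a request in memory, whereas something inspecting the request itself could) can be shown in a few lines. This is an added illustration, not code from Ranum's book or from the reviewer: the "signature database", the web root, the log lines and the `.ida` overlong-query rule are all constructed for the demo and are not Code Red's actual byte signature or any vendor's rule.

```python
"""Added example: file-pattern scanning versus request inspection for a
memory-only worm.  All sample data and the detection rule are constructed."""
import re
from typing import Dict, List

# Constructed "signature database": the byte patterns a file scanner looks for.
FILE_SIGNATURES: Dict[str, bytes] = {
    "Sample.Dropper": b"\x4d\x5a\x90\x00DROPPER-MARK",  # constructed pattern
}


def scan_files(files: Dict[str, bytes],
               sigs: Dict[str, bytes] = FILE_SIGNATURES) -> List[str]:
    """Classic on-access scanner: match stored byte patterns against files on disk.
    It can only ever report what has been written to the filesystem."""
    hits = []
    for path, data in files.items():
        for name, pattern in sigs.items():
            if pattern in data:
                hits.append(f"{path}: {name}")
    return hits


# Constructed request-level rule: a GET for an ISAPI .ida handler carrying a
# query string of 200+ characters, the shape of a buffer-overflow probe.
IDA_OVERLONG = re.compile(r'"GET\s+(\S*\.ida)\?([^\s"]{200,})')


def scan_requests(log_lines: List[str], rule=IDA_OVERLONG) -> List[str]:
    """Firewall/IDS-style check on the request line instead of on disk contents."""
    alerts = []
    for line in log_lines:
        m = rule.search(line)
        if m:
            src = line.split()[0]
            alerts.append(f"{src}: overlong query to {m.group(1)} "
                          f"({len(m.group(2))} bytes)")
    return alerts


def run_demo() -> dict:
    """Constructed web root and access log; returns what each detector found."""
    # The worm never writes itself here, so the file scanner has nothing to match.
    webroot = {
        "C:/inetpub/wwwroot/default.htm": b"<html><body>hello</body></html>",
        "C:/inetpub/wwwroot/app.dll": b"\x4d\x5a\x90\x00" + b"\x00" * 64,
    }
    # Constructed access-log lines in common log format; the second carries the
    # overlong query that the request rule is looking for.
    log = [
        '10.0.0.5 - - [19/Jul/2001:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 512',
        '10.0.0.9 - - [19/Jul/2001:10:00:02 +0000] "GET /default.ida?'
        + "N" * 240 + ' HTTP/1.0" 200 0',
    ]
    return {"file_hits": scan_files(webroot), "request_alerts": scan_requests(log)}


if __name__ == "__main__":
    print(run_demo())
```

The file scanner returns nothing because there is nothing on disk to match; the request rule fires on the single overlong `.ida` request. That is the asymmetry the review describes: the place to catch a memory-resident worm is the network path it arrives on, not the filesystem.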

#486 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jan 26, 2004 4:32 pm
Subject: REVIEW: "The Hanged Man's Song", John Sandford (John Camp)
 
For a bit of lighter relief:

BKHGMNSG.RVW   20031112

"The Hanged Man's Song", John Sandford (John Camp), 2003,
0-399-15139-7, U$25.95/C$39.00
%A   John Sandford (John Camp) js@...
%C   375 Hudson Street, New York, NY  10014
%D   2003
%G   0-399-15139-7
%I   Berkley
%O   U$25.95/C$39.00 http://www.berkley.com/berkley online@...
%O  http://www.amazon.com/exec/obidos/ASIN/0399151397/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0399151397/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0399151397/robsladesin03-20
%P   321 p.
%T   "The Hanged Man's Song"

It is always a delight to find a new John Sandford/John Camp novel, a
pleasure that is unalloyed by any regrets and annoyances in regard to
technical goofs.  As was the quality of the technical material in "The
Fool's Run" (cf. BKFLSRUN.RVW) and "The Devil's Code" (cf.
BKDVLSCD.RVW), so it is with "The Hanged Man's Song."

The technology is firmly grounded in reality.  The communities, both
blackhat and law enforcement, do not have the jarring quality found in
all too many works where the author becomes fascinated with "hackers."
(Having lugged around a number of "development" laptops in order to
demonstrate company products, I was wryly glad to find that someone
else knows that not *all* such machines are featherweights  :-)  There
is an intriguing idea for distributed backup of secure-but-secret
data, although I suspect that even very young computer wizards would
very quickly act to close loopholes and find anomalies.

I'm a bit surprised that a careful and paranoid group, such as is
described in the novel, did not take more care with authentication,
perhaps through a "web of trust" model, but I suppose that would have
gotten in the way of the plot.  Onion routing would also have been
handy for these people, but, again, would not be as exciting.  (I also
want to get my hands on that quad track DVD-R: the best I can find for
my own systems is the basic single track that only lays down 5-6
gigs.)

The main complaint I would have with this particular work is that the
technology seemed somehow divorced from the primary thread of the
plot.  This seems an odd statement to make, given the three-cornered
race by technically savvy people, turning primarily on computer
forensics and data recovery, but I was left feeling that this was more
akin to an old-fashioned chase thriller.  Albeit an interesting one.

copyright Robert M. Slade, 2003   BKHGMNSG.RVW   20031112


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
A fanatic is one who can't change his mind and won't change the
subject.                                         - Winston Churchill
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#487 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Jan 28, 2004 4:34 pm
Subject: REVIEW: "Kerberos: The Definitive Guide", Jason Garman
 
BKKRBSDG.RVW   20031018

"Kerberos: The Definitive Guide", Jason Garman, 2003, 0-596-00403-6,
U$34.95/C$54.95
%A   Jason Garman
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00403-6
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$54.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596004036/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596004036/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596004036/robsladesin03-20
%P   253 p.
%T   "Kerberos: The Definitive Guide"

Kerberos is not flashy, but it is a venerable and mature technology.
Yes, it has limited scalability, but most of the "successful" PKI
(Public Key Infrastructure) projects are small enough that they could
easily have been accomplished with Kerberos technology: an eminently
elegant solution to the problem of communicating and authenticating
over any channel that is, or must be, assumed to be insecure.

Chapter one provides a history, base concepts, and variants of
Kerberos.  Terms and components are given in chapter two.  The
Needham-Schroeder work, and the idea of ticket-granting, is in chapter
three.  Implementation, in chapter four, reviews design, UNIX and
Windows servers, and special considerations for a mixed environment.
The troubleshooting chapter, five, for once comes early enough in a
book to be of use.  Security aspects external to Kerberos, and
specific settings for different implementations, are covered in
chapter six.  Chapter seven looks at some generic support for
applications, as well as some specific programs that already have
Kerberos support built in.  Cross realm trust is one of the advanced
topics, but most of chapter eight concentrates on special requirements
for Windows.  Chapter nine is a kind of review of the book, involving
the various topics that have been discussed in a sample Kerberos
installation.  Chapter ten looks at the future of Kerberos, with
possible public key additions, Web applications, and smartcards.  An
appendix contains an administrative command list.

While Kerberos may not be as highly regarded as the more
mathematically complex asymmetric cryptographic systems, it still has
many uses, and this book provides the outline, background, and details
to help you take full advantage of them.

copyright Robert M. Slade, 2003   BKKRBSDG.RVW   20031018


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Hanlon's razor: Never attribute to malice that which can be
adequately explained by stupidity.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
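The review calls Kerberos an elegant solution to authenticating over a channel assumed to be insecure, and mentions the Needham-Schroeder lineage and ticket-granting. The following is an added, toy reconstruction of that exchange, not Garman's code and not MIT Kerberos: a KDC that shares a long-term key with each principal hands the client a session key under the client's key and the same session key to the service inside a ticket the client cannot open; the client then proves possession of the session key with a timestamped authenticator, and the service verifies everything without contacting the KDC. The "cipher" is a constructed SHA-256 keystream with an HMAC tag standing in for the real Kerberos encryption types, all keys are generated for the demo, and the AS and TGS steps are collapsed into one issuance (the TGS step repeats the same pattern with the ticket-granting ticket in place of the client's long-term key).

```python
"""Added example: toy Kerberos-style ticket exchange (Needham-Schroeder lineage).
The seal/unseal 'cipher' is a constructed stand-in, not a Kerberos enctype."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """n bytes of keystream: counter mode over SHA-256 (toy construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a shared key: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting; raises ValueError on tampering or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Centre: shares a long-term key with every principal."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key

    def issue(self, client: str, service: str, now: float, lifetime: float = 300.0):
        """Fresh session key to the client under the client's key, and the same key
        to the service inside a ticket sealed under the service's key."""
        skey = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "skey": skey, "exp": now + lifetime})
        reply = seal(self.keys[client], {"service": service, "skey": skey})
        return reply, ticket


class Service:
    """Application server: verifies tickets without ever talking to the KDC."""

    def __init__(self, name: str, key: bytes, skew: float = 60.0):
        self.name, self.key, self.skew = name, key, skew
        self.seen = set()  # replay cache of (client, timestamp) authenticators

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)  # only the service can open the ticket
        if now > t["exp"]:
            raise PermissionError("ticket expired")
        a = unseal(bytes.fromhex(t["skey"]), authenticator)  # proves client knows skey
        if a["client"] != t["client"]:
            raise PermissionError("authenticator name does not match ticket")
        if abs(now - a["ts"]) > self.skew:
            raise PermissionError("authenticator outside clock-skew window")
        if (a["client"], a["ts"]) in self.seen:
            raise PermissionError("authenticator replayed")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]


def client_login(kdc: KDC, client: str, ckey: bytes, service: Service, now: float):
    """Client side: obtain ticket, recover session key, build a timestamped authenticator."""
    reply, ticket = kdc.issue(client, service.name, now)
    skey = bytes.fromhex(unseal(ckey, reply)["skey"])
    return ticket, seal(skey, {"client": client, "ts": now})


def run_demo() -> dict:
    """Constructed principals 'alice' and 'fileserver'; reports each outcome."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, fs = KDC(keys), Service("fileserver", keys["fileserver"])
    now = time.time()
    ticket, auth = client_login(kdc, "alice", keys["alice"], fs, now)
    result = {"authenticated_as": fs.accept(ticket, auth, now)}
    try:  # an eavesdropper replaying the captured ticket and authenticator
        fs.accept(ticket, auth, now + 1)
        result["replay_rejected"] = False
    except PermissionError:
        result["replay_rejected"] = True
    try:  # a single flipped ciphertext byte in the ticket
        bad = ticket[:NONCE_LEN] + bytes([ticket[NONCE_LEN] ^ 1]) + ticket[NONCE_LEN + 1:]
        fs.accept(bad, auth, now)
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The two checks at the end are the ones that make the scheme hold up on an insecure channel: the ticket is bound to the service's key, so it cannot be altered without the tag failing, and the timestamped authenticator plus replay cache stop a captured exchange from being presented twice.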

#488 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jan 30, 2004 4:16 pm
Subject: REVIEW: "Biometrics", John D. Woodward/Nicholas M. Orlans/Peter T. Higgins
 
BKBIOMTC.RVW   20031204

"Biometrics", John D. Woodward/Nicholas M. Orlans/Peter T. Higgins,
2003, 0-07-222227-1, U$49.99/C$74.95
%A   John D. Woodward
%A   Nicholas M. Orlans
%A   Peter T. Higgins
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2003
%G   0-07-222227-1
%I   McGraw-Hill Ryerson/Osborne
%O   U$49.99/C$74.95 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0072222271/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0072222271/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0072222271/robsladesin03-20
%P   432 p.
%T   "Biometrics"

The book is intended for both students and professionals, covering all
of the aspects and uses of biometrics.  The chapters are written by a
number of contributing authors.  For example, Richard E. Smith, author
of "Authentication" (cf. BKAUTHNT.RVW) wrote the introduction found in
chapter one.  It is an excellent precis of the uses of, and
requirements for, authentication, paying particular attention to the
use, strengths, and weaknesses of biometrics.  The functional aspects
of biometric assessment (feature extraction, storage, error rates, and
so forth) are covered well in chapter two.  (There is a rather odd
confusion of genetic and phenotypic sources of biometrics: aside from
behavioural measures and DNA testing itself, almost all biometrics are
expressed characteristics, and therefore phenotypic.)

Part two deals with types of biometrics.  Chapter four provides
fascinating details on the history, technology, storage, indexing, and
searching of fingerprint records, and a brief mention of hand
geometry.  After the wealth of technicalities about fingerprints, the
very basic explanations of enrollment of face and voice recognition
are disappointing.  The material on iris and retina scanning, in
chapter five, is slightly better, but signature and keystroke dynamics
again get minimal coverage in chapter six.  Eleven of the more
esoteric biometrics are briefly described in chapter seven, ranging
from standards such as DNA testing to odd entries like sweat pore
distribution or body odour.

Part three looks at various aspects or factors to consider in
implementing biometrics.  Chapter eight looks at the question of
"liveness" testing.  (This is the biometrics topic beloved of students
the world over: "What if you cut off the guy's finger and used that?"
Students tend to be rather gruesome creatures.)  Most of chapter nine
is devoted to a guide for contracting out, or questions to ask
contractors or vendors.  Various standards bodies are described in
chapter ten.  Chapter eleven talks about issues involved in testing of
biometric systems.

Part four deals with privacy, policies, and legal issues.  Chapter
twelve examines both the threats and the benefits that biometrics
holds for privacy.  There is a detailed and interesting look at
(mostly US) law and decisions relating to privacy, and the
implications for biometric applications, in chapter thirteen.  Chapter
fourteen does have brief case studies of the use of biometrics at the
Super Bowl and in Virginia Beach, but concentrates on the legal
issues.  Chapter fifteen deals with the American digital signature
law, and the potential relation to the inclusion of biometrics in the
process.  Some material is repeated from earlier chapters.

Part five reviews selected biometrics programs.  Chapter sixteen
covers government and military programs, most related to law
enforcement.  Searching the FBI files of civil (or non-criminal)
fingerprint files, in chapter seventeen, reiterates a fair amount of
content from chapter four.  Private sector programs, in chapter
eighteen, are primarily concerned with face recognition in casinos or
a variety of systems for banks, but others are mentioned.  Chapter
nineteen presents a very detailed and thoughtful analysis of the
possibilities for a national identity card.

Because this book is essentially a collection of standalone essays by
a variety of authors, there is a great deal of overlap and duplication
of material, and at times this repetition becomes annoying.  This is,
however, the most useful and informative work on biometrics that I
have reviewed to date, and the analysis, in particular, is
comprehensive and even-handed.  I would recommend this as both a
serviceable introduction to anyone who must work with biometrics, and
as a guide to the controversies surrounding them.

copyright Robert M. Slade, 2003   BKBIOMTC.RVW   20031204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
                 You don't stop laughing because you grow old;
                    you grow old because you stop laughing.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#489 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Feb 2, 2004 4:29 pm
Subject: REVIEW: "Security+ Certification All-in-One Exam Guide", Gregory White
 
BKA1SECP.RVW   20031018

"Security+ Certification All-in-One Exam Guide", Gregory White, 2003,
0-07-222633-1, U$59.99/C$89.95/UK#45.00
%A   Gregory White
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2003
%G   0-07-222633-1
%I   McGraw-Hill Ryerson/Osborne
%O   U$59.99/C$89.95/UK#45.00 +1-800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0072226331/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0072226331/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0072226331/robsladesin03-20
%P   558 p. + CD-ROM
%T   "Security+ Certification All-in-One Exam Guide"

Part one is nominally on authentication.  Chapter one covers general
security concepts.  Good ideas are provided, but sometimes in a poor
structure (the domains are unique, adhering neither to the CISSP
[Certified Information System Security Professional] CBK [Common Body
of Knowledge] nor the Security+ formation).  The wording can sometimes
confuse those new to the field, such as the use of "diversity of
defence" for what is otherwise known as least common mechanism.

Part two describes malware and attacks.  Chapter two could use more
organization and taxonomy, and the virus material is limited and
dated, but otherwise it is generally good.

Part three concentrates on networking, or security in transmissions.
Chapter three deals with remote access, and is not as good as the
prior material, consisting mostly of a list of protocols.  Email, in
chapter four, is not particularly good at examining viruses, worms,
hoaxes, spam, and encryption.  The Web is limited to SSL (Secure
Sockets Layer), programming bugs, and cookies, in chapter five.  The
wireless part of chapter six is fine as far as it goes, and there is
an odd inclusion of instant messaging.

Part four looks at security for the infrastructure.  Chapter seven is
an oddly structured list of networking and computer components, with
even more duplication of topics and material than earlier chapters
showed.  The basics of intrusion detection systems are provided in
chapter eight, but there are also extraneous details.  Chapter nine
suggests hardening computers, but, as is usual with such advice, it is
short on how: for example, we are told to turn off unnecessary Windows
services but not how to tell which ones can be safely discarded or
even how to find out which services are running.  Linux and UNIX fare
rather worse than usual in this section.

Cryptography and applications are in part five.  Chapter ten has
another odd organizational flow, with lots of details but few that are
of use, and a very short mention of the concept of asymmetric
encryption.  Public Key Infrastructure, in chapter eleven, is verbose
but still thin on details.  Standards and protocols, in chapter
twelve, starts with excessive detail on PKI, but then ventures
randomly into other topics.

Part six looks at operations security.  Chapter thirteen, on
organizational and operational security, touches on security
management, physical security, and miscellaneous topics.  A little bit
on business continuity planning, backups, policies, and ethics is in
chapter fourteen.

Part seven refers to administrative controls.  There is a wandering
discussion of security and law in chapter fifteen, privilege
management (otherwise known as access control) in sixteen, computer
forensics and simple evidence preservation in seventeen, risk
management in eighteen, and change management in nineteen.

This book could do with a wholesale restructuring, and, overall, the
material is rather vague and general.

copyright Robert M. Slade, 2003   BKA1SECP.RVW   20031018


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
No amount of experimentation can ever prove me right; a single
experiment can prove me wrong.                     - Albert Einstein
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#490 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Feb 4, 2004 3:55 pm
Subject: REVIEW: "PKI Security Solutions for the Enterprise", Kapil Raina
 
BKPKISSE.RVW   20031025

"PKI Security Solutions for the Enterprise", Kapil Raina, 2003,
0-471-31529-X, U$40.00/C$61.95/UK#27.95
%A   Kapil Raina
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-31529-X
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$61.95/UK#27.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/047131529X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/047131529X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/047131529X/robsladesin03-20
%P   307 p.
%T   "PKI Security Solutions for the Enterprise"

The introduction states that the book contains basic information and
specific examples and models for PKI (Public Key Infrastructure)
development and deployment.

Part one talks about trust basics.  Chapter one wanders through
various topics, possibly related to the question of what trust is.
Chapter two should discuss PKI components, and eventually does, but
the logical structure of the material is poor.  Best practices of PKI,
in chapter three, is really only some thoughts on how to pick a
vendor.  The other side of the coin, selling PKI, is in chapter four.

Part two, solutions for trust, is mostly a discussion of needs.  This
content is divided by vertical market, and so chapter five deals with
healthcare (talking about HIPAA, and with an odd inclusion of
biometrics), a financial product in six, government and identity cards
in seven, and communications (mostly email, and mostly existing
services that have done just fine without PKI) in eight.  Other random
topics are in chapter nine, including Kerberos, which doesn't need any
PKI.

Part three is a list of vendors (in chapter ten), and a closing
chapter eleven, that ostensibly talks about the future of PKI, but
just does another promotional job selling the PKI concept.

The author obviously has commerce in mind, but the hawking goes on so
long that pretty much anything of value in this volume gets lost.

copyright Robert M. Slade, 2003   BKPKISSE.RVW   20031025


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
          The client interface is the boundary of trustworthiness.
                                              - Tony Buckland, UBC
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#491 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Feb 6, 2004 4:02 pm
Subject: REVIEW: "Mac OS X Security", Bruce Potter/Preston Norvell/Brian Wotring
 
BKMCOSXS.RVW   20031025

"Mac OS X Security", Bruce Potter/Preston Norvell/Brian Wotring, 2003,
0-7357-1348-0, U$39.99/C$62.99/UK#30.99
%A   Bruce Potter
%A   Preston Norvell
%A   Brian Wotring
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2003
%G   0-7357-1348-0
%I   Macmillan Computer Publishing (MCP)
%O   U$39.99/C$62.99/UK#30.99 800-858-7674 www.mcp.com info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0735713480/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0735713480/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735713480/robsladesin03-20
%P   385 p.
%T   "Mac OS X Security"

Part one covers the basics.  Chapter one provides a very brief look at
foundational security tools, and some UNIX user and group information.
Installation, in chapter two, has a little information about BSD
services and filesystems, but otherwise is a fairly standard run
through the installation process.

Part two is about system security.  Chapter three looks at general
security practices for the Mac OS X client, in terms of boot and
screensaver passwords and user setup.  There is a review and some
expansion (additional commands) of the UNIX material from chapter one
in chapter four.  The user applications discussed in chapter five
mostly have to do with the keychain, email, and Web browser.

Part three deals with network security.  Internet services, in chapter
six, concentrates on the configuration of the Apache Web server.  A
variety of file sharing options are discussed in chapter seven.
Chapter eight looks at network services in terms of firewalls, virtual
private networks (VPNs), and wireless networking, and has a rather odd
inclusion of antivirus tools.  The concepts are good but the details
are weak.

Enterprise security is in part four.  Chapter nine looks at the host
configuration very briefly, mentioning the login banner and Kerberos.
Directory services and Open Directory are reviewed in chapter ten.

Part five examines auditing and forensics.  (Get it?  Never mind ...)
Chapter eleven discusses various logs and options for auditing.  The
Osiris change detection program and TASK (The @stake Sleuth Toolkit)
are described in chapter twelve.  Chapter thirteen closes off with a
generic look at incident response.

Once again Mac users get a rather lackluster resource for security,
which is a pity, since they now have a reasonably secure underpinning
to the system.

copyright Robert M. Slade, 2003   BKMCOSXS.RVW   20031025


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
A witty saying proves nothing.                            - Voltaire
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#492 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Feb 9, 2004 4:18 pm
Subject: REVIEW: "Web Site Privacy with P3P", Helena Lindskog/Stefan Lindskog
 
BKWSPP3P.RVW   20031019

"Web Site Privacy with P3P", Helena Lindskog/Stefan Lindskog, 2003,
0-471-21677-1, U$40.00/C$61.95/UK#27.95
%A   Helena Lindskog
%A   Stefan Lindskog
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-21677-1
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$61.95/UK#27.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471216771/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471216771/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471216771/robsladesin03-20
%P   244 p.
%T   "Web Site Privacy with P3P"

Chapter one is a brief but reasonable introduction to privacy.
Internet security gets the same level of treatment in chapter two.
The World Wide Web is explained in chapter three.  Privacy and the net
are examined in chapter four.  All of this acts as background by the
time we get to chapter five, which explains the Platform for Privacy
Preferences, or P3P.  Chapter six describes how to enhance your Web
site's privacy.  The creation of a privacy policy is reviewed in
chapter seven.  Chapter eight lists such a policy in English, and then
nine provides a detailed structure of how the policy is established
using P3P.  Special consideration for cookies is outlined in chapter
ten.  Chapter eleven examines P3P tools.  P3P and mobile networking,
as well as XML source code for policies, is given in chapter twelve.

A serviceable guide, with no major problems, but no stellar qualities,
either.

copyright Robert M. Slade, 2003   BKWSPP3P.RVW   20031019


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Every exit is an entry somewhere else.                - Tom Stoppard
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#493 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Feb 11, 2004 4:49 pm
Subject: REVIEW: "Hack Attacks Denied", John Chirillo
 
BKHKATDN.RVW   20031019

"Hack Attacks Denied", John Chirillo, 2003, 0-471-23283-1,
U$50.00/C$77.50/UK#37.50
%A   John Chirillo
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-23283-1
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$77.50/UK#37.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471232831/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471232831/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471232831/robsladesin03-20
%P   689 p. + CD-ROM
%T   "Hack Attacks Denied"

The introduction states that this book is a companion to "Hack Attacks
Revealed" and that the audience is everyone.

Part one is about securing ports and services.  Chapter one,
describing common ports and services, recommends replacing TFTP with
Tiger FTP, which just happens to be written by the author.  Eighteen
pages are helpfully devoted to reprinting the source code, just in
case you'd like to type it in for yourself.  The level of security
information varies substantially: there is, for example, no mention of
the fact that TFTP has no real use in Windows, and that disabling it
is a very good idea.  More detail is provided for UNIX than Windows,
and some items are helpful, but most are not.  Concealed ports and
services, otherwise known as backdoors or trojans, are discussed in
chapter two.  There is a fourteen page source code listing of a
crippled trojan, a catalogue of backdoor trojans, and mention of some
protective software.  Chapter three is mostly about how to get other
information, although less space is devoted to the discovery of
countermeasures, and an awful lot of the content is of the "you might
be able to" variety.

Part two, which consists only of chapter four, is about intrusion
defence and safeguarding against penetration attacks, but, again, more
space is devoted to attacks than defence.

Part three is entitled "Tiger Team Secrets."  Chapter five is a random
list of attacks, including various viruses.  Some items, such as the
"reboot attack," make no sense as described.  Seventy-five attacks,
most of which have been recounted before, are in chapter six.  The
countermeasures usually boil down to "protect against this," but are
short on how.  Chapter seven finishes off with a guide for consultants
who want to write security policies (including an outline that bears a
striking resemblance to the CISSP CBK).  Two sample "audits" are
given, along with a reprint of a twenty-one-page router log (with no
analysis).

This book is not very revealing, and won't do much to deny access to
attackers.

copyright Robert M. Slade, 2003   BKHKATDN.RVW   20031019


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Strange game. The only winning move is not to play. - WOPR, Wargames
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#494 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Feb 13, 2004 4:31 pm
Subject: REVIEW: "Security+ Study Guide", Michael Pastore
secgloss
BKSECPSG.RVW   20031019

"Security+ Study Guide", Michael Pastore, 2003, 0-7821-4098-X,
U$49.99/C$79.95/UK#37.99
%A   Michael Pastore
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2003
%G   0-7821-4098-X
%I   Sybex Computer Books
%O   U$49.99/C$79.95/UK#37.99 800-227-2346 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/078214098X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/078214098X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/078214098X/robsladesin03-20
%P   555 p. + CD-ROM
%T   "Security+ Study Guide"

The introduction has a kind of pre-test, a set of opening questions.
This is, in the right hands, a great idea.  Unfortunately, in this
case, the questions are very simplistic, and the answers are either
incomplete or concentrate exclusively on one possibility.

Chapter one reviews general security concepts, as well as access
control, and network security.  The structure is quite random.  Again,
the end-of-chapter questions are rather odd: one asks which access
method relies on pre-established access, and, of MAC, DAC, RBAC, and
Kerberos (all of which have to have access established in advance) the
correct answer is said to be MAC.  Chapter two outlines attack
strategies, TCP/IP basics, TCP/IP attacks, and has some very bad
information about viruses.  (A boot sector infector is *not*
inherently a stealth virus.)  Infrastructure and connectivity, in
chapter three, lists network components and a few protocols.
Monitoring network activity turns into a grab bag of topics (including
intrusion detection and incident response) in chapter four.  More
random information, mostly about hardening systems, but not detailed
or helpful, is in chapter five.  Chapter six looks at physical
security, business continuity, and bits of security management.  A
list of cryptographic terms with some added stories is in chapter
seven, while eight reviews some related protocols and a bit of public
key infrastructure management.  Chapter nine discusses backups and
miscellaneous security policies.  Chapter ten, under the heading of
security management, gets into the chain of custody, policies, change
management, and regulations.

Overall, the organization of this material is very poor.  As the book
progresses, there are increasing amounts of repeated material.  Even
for the Security+ exam, this is probably not a useful guide.

copyright Robert M. Slade, 2003   BKSECPSG.RVW   20031019


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
When did ignorance become a point of view?       - Dilbert, 20001231
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#495 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Feb 19, 2004 4:26 pm
Subject: REVIEW: "Malware: Fighting Malicious Code", Ed Skoudis
secgloss
BKMLWFMC.RVW   20031202

"Malware: Fighting Malicious Code", Ed Skoudis, 2004, 0-13-101405-6,
U$44.99/C$67.99
%A   Ed Skoudis
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2004
%G   0-13-101405-6
%I   Prentice Hall
%O   U$44.99/C$67.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0131014056/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131014056/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131014056/robsladesin03-20
%P   647 p.
%T   "Malware: Fighting Malicious Code"

Chapter one introduces, but also mixes up, all kinds of malware,
attack tools, and attacks.  It does eventually provide a table of
types of malware, but the definitions are not very clear or explicit.
Chapter two has wide ranging, but careless, information about viruses.
The strictly Cohenesque definition eliminates boot sector infectors
from consideration, which is rather ironic given the prominence that
they are given in the chapter.  There is a confused outline of
infection mechanisms.  Many of the assertions made are based on
questionable analysis: Strange Brew is stated to be potentially
dangerous because of platform independence, but there is no mention of
the fact that it fails as an applet, which is the most mobile form of
Java code.  Random thoughts on worms are in chapter three, with
defence measures seemingly a vague afterthought.  Malicious mobile
code is limited to active content for Web pages in chapter four.
Chapter five confuses maintenance hooks and rootkits, but mostly
describes remote access trojans.  Trojans, or trojan horse programs,
are the broadest class of malicious software, so it is not surprising
that chapter six is an unfocused grab bag: what is odd is that there
is so much content that is a repeat of earlier material.  Chapter
seven deals with "user-mode" rootkits, providing lengthy examples
which are nonetheless vague on concepts.  "Kernel-mode" rootkits, in
chapter eight, goes into excruciating operating system internals
detail about how such software can be inserted into the system.  Both
chapters concentrate heavily on UNIX, with only limited mention of
Windows, and both are primarily concerned about how to attack, with
little attention paid to defence.  ("Harden systems and apply
patches.")  Chapter nine theorizes about BIOS (Basic Input/Output
System) and microcode malware, managing to confuse not only the two
concepts with each other, but also with standard rootkits.  A number
of fictional attacks are outlined in chapter ten, although the
"mistakes" pointed out do suggest some protective measures that might
be of use.  Chapter eleven lists hardware and software for building a
setup to analyze malware.  The book concludes with some opining in
chapter twelve.

The text is much more verbose than it really needs to be, and
sensational rather than precise.  There is a lot of specific detail in
some areas, particularly for those interested in UNIX system
internals, but the material on malware itself tends to be careless,
and the author is obviously much keener on attacking than defending.
This work does not offer much help to those who want to fight
malicious code.

copyright Robert M. Slade, 2003   BKMLWFMC.RVW   20031202


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Keep away from people who try to belittle your ambitions. Small
people always do that, but the really great make you feel that
you, too, can become great.                             - Mark Twain
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#496 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Feb 23, 2004 4:34 pm
Subject: REVIEW: "Privacy Payoff", Ann Cavoukian/Tyler J. Hamilton
secgloss
BKPRVPOF.RVW   20031019

"Privacy Payoff", Ann Cavoukian/Tyler J. Hamilton, 2002,
0-07-090560-6, U$24.95/C$39.99
%A   Ann Cavoukian
%A   Tyler J. Hamilton
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-090560-6
%I   McGraw-Hill Ryerson/Osborne
%O   U$24.95/C$39.99 905-430-5000 800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0070905606/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0070905606/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0070905606/robsladesin03-20
%P   332 p.
%T   "Privacy Payoff"

In the Foreword, Don Tapscott touches on the issues of privacy and
security, but in a vague and unclear manner.  Most of the material
simply points out some advantages of advertising the fact that you
have a privacy policy.  It is also rather ironic that Earthlink is
used as an example of a good privacy policy, in chapter one, since
that Internet provider has, at times, created some of the greatest
problems for other Internet users with regard to spam.  Yet another
example of a case where addressing one security problem creates
another?  Chapter two tells us that people are concerned about
privacy, and may sue over perceived breaches of confidence.
DoubleClick is used as an example, but, interestingly in view of the
titular intent of the book, the authors fail to note the direct
financial hit involved with the fall in stock price when the plans to
merge online tracking with personal data became public.  There is a
good overview of the definition, history, and philosophy of privacy,
in chapter three, including a number of points that other works miss.
The usual list of American privacy laws, with some nods to the
European Union directives and the Canadian C-6/PIPEDA, is given in
chapter four.  Chapter five asserts, without doing much to prove, that
privacy is a business imperative: most of the content is limited to
the idea that privacy protection won't cost *that* much, although
there is a study showing that privacy policies can help efficiency.
There is good, practical information about the role and requirements
for a Chief Privacy Officer in chapter six.  Chapter seven contains a
generic admonition to have adequate security.  The virus section
stresses Code Red, which the authors admit had nothing to do with
privacy, and neglect Melissa, Sircam, and Klez, which did.  There are
scary stories about miscellaneous privacy related topics, in chapter
eight, but the point is unclear.  Targeted marketing can be good or
bad, but chapter nine doesn't tell you how to do the good type.
Chapter ten looks at various issues and examples of workplace privacy
and surveillance, but sometimes not very deeply.  For example, there
is mention of the use of monitoring to prevent lawsuits over sexual
harassment, but not the fact that such monitoring has been held to
increase employer liability if harassment happens.  The material in
chapter eleven supposedly deals with privacy enhancing technologies,
but it is confused and poorly explained.  (The authors apparently
don't understand some of the basic information technology: firewalls
generally deal only with header information, and so do not face the
same privacy considerations as content scanning.)

There are some useful, and even important, points in the book, but the
valuable content tends to be buried in a great deal of excess
verbiage.  This book could have been a lot shorter, and would have
been more serviceable if it had been.

copyright Robert M. Slade, 2003   BKPRVPOF.RVW   20031019


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
The prayer of the scientist if he prayed, which is not likely:
Lord, grant that my discovery may increase knowledge and help
other men.  Failing that, Lord, grant that it will not lead to
man's destruction.  Failing that, Lord, grant that my article in
'Brain' be published before the destruction takes place.
                                                       - Walker Percy
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#497 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Feb 26, 2004 4:32 pm
Subject: REVIEW: "Developing Secure Distributed Systems with CORBA", Ulrich Lang/Rudolf Schreiner
secgloss
BKDSDSCO.RVW   20031201

"Developing Secure Distributed Systems with CORBA", Ulrich Lang/Rudolf
Schreiner, 2002, 1-58053-295-0, U$69.00/C$106.95
%A   Ulrich Lang
%A   Rudolf Schreiner
%C   685 Canton St., Norwood, MA   02062
%D   2002
%G   1-58053-295-0
%I   Artech House/Horizon
%O   U$69.00/C$106.95 617-769-9750 800-225-9977 fax: +1-617-769-6334
%O  http://www.amazon.com/exec/obidos/ASIN/1580532950/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580532950/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580532950/robsladesin03-20
%P   308 p.
%T   "Developing Secure Distributed Systems with CORBA"

Chapter one is an introduction, but it very quickly gets into CORBA
(Common Object Request Broker Architecture) jargon, and C++ API calls.
The explanations could be written with more clarity for outsiders.
Security is first defined, in chapter two, in terms of restricting
access, but the authors are not clear about whether they are primarily
concerned with integrity or confidentiality.  The material then goes
on to a good overview of security management basics and a very brief
outline of some security concerns in the CORBA environment.  The
lead-in to the CORBA security architecture, in chapter three, is a lengthy
discussion of the benefits of flexibility, abstraction, and
simplicity: the authors then note that the CORBA architecture is not
simple.  MICO, an open source CORBA compliant object request broker,
has a security component (MICOsec), and chapter four is dedicated
mostly to installation instructions.  Chapter five looks at
programming CORBA level one security, using MICOsec and C++, while
chapter six takes a longer look at the more complex level two
requirements.  CORBA security does have support for applications that
do not contain any security provisions (a rather interesting concept),
and these are reviewed in chapter seven.

CORBA security is not widely understood, and this work can assist both
those needing a conceptual idea of the system and those needing to
program with it.

copyright Robert M. Slade, 2003   BKDSDSCO.RVW   20031201


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Americans are a broad-minded people. They'll accept the fact that
a person can be an alcoholic, a dope fiend, a wife beater, and
even a newspaperman, but if a man doesn't drive there's something
wrong with him.                                       - Art Buchwald
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#498 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Mar 4, 2004 4:25 pm
Subject: REVIEW: "Hiding in Plain Sight", Eric Cole
secgloss
BKHDPLST.RVW   20031205

"Hiding in Plain Sight", Eric Cole, 2003, 0-471-44449-9,
U$35.00/C$53.95/UK#24.50
%A   Eric Cole
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-44449-9
%I   John Wiley & Sons, Inc.
%O   U$35.00/C$53.95/UK#24.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471444499/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471444499/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471444499/robsladesin03-20
%P   335 p. + CD-ROM
%T   "Hiding in Plain Sight"

Part one explores the world of covert communication.  Chapter one
suggests that covert communication is all around us, but weakens its
case by providing only fictional examples.  The author also states
that he has detected huge numbers of files which contain embedded
steganographic materials.  He doesn't seem to understand that this
hurts his argument: what good is steganography if you can detect its
effects?  There is a confused and incomplete introduction to
cryptography in chapter two.  To be fair, it does make some good
practical points, such as the difference between an algorithm and an
implementation.  The basics of steganography are provided in chapter
three but the explanations and examples may not make clear the
distinction between steganography and covert channels or codes.  The
definition and illustration of digital watermarking, in chapter four,
does not present a rationale as to why the invisible marking data
cannot be removed.  The example is confused and unconvincing.

Part two is supposed to take us into the hidden realm of
steganography.  Chapter five outlines miscellaneous computer crimes
and intrusions with only the most tenuous ties to steganography,
fabricated by the author.  A list of steganographic programs (almost
all of the insertion type) is provided without details in chapter
six.  There are more examples of the same illustrations, a couple of
related programs, and some mislabelled figures (a graphical layout of
an IP header rather than the promised sniffer example) in chapter
seven.  Cole uses an instance of hiding a virus with steganography,
but the dangers of inventing your own cases become evident: the
virus, as described, wouldn't work anymore.

Part three purports to show you how to make your own communications
secure.  Chapter eight lists cryptanalytic and steganalytic
techniques, but does not delineate them well.  A rehash of previous
ideas and weak examples substitutes for the strategy promised in
chapter nine: the main illustration has a complete failure of forward
secrecy.  Chapter ten pledges that steganography will get better.

Although Cole is more entertaining than Katzenbeisser and Petitcolas
manage to be in their "Information Hiding Techniques for Steganography
and Digital Watermarking" (cf. BKIHTSDW.RVW), his information is
sketchy and suspect.  In comparison, his work is little more than a
pamphlet.

copyright Robert M. Slade, 2003   BKHDPLST.RVW   20031205


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Vah! Denuone Latine loquebar? Me ineptum. Interdum modo elabitur.
Oh! Was I speaking Latin again? Silly me. Sometimes it just sort
of slips out.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
