techbooks · Internet Review Project
#507 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon May 3, 2004 4:32 pm
Subject: REVIEW: "Makin' Numbers", I. Bernard Cohen/Gregory W. Welch
 
BKMKNNMB.RVW   20031214

"Makin' Numbers", I. Bernard Cohen/Gregory W. Welch, 1999,
0-262-03263-5, U$40.00/C$67.50
%E   I. Bernard Cohen
%E   Gregory W. Welch
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   1999
%G   0-262-03263-5
%I   MIT Press
%O   U$40.00/C$67.50 +1-800-356-0343 fax: +1-617-625-6660
%O  http://www.amazon.com/exec/obidos/ASIN/0262032635/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0262032635/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0262032635/robsladesin03-20
%P   279 p.
%T   "Makin' Numbers: Howard Aiken and the Computer"

In teaching about emerging technologies, I frequently point out to the
classes that those who fail to learn about computer history are going
to buy the same old failed ideas again, repackaged with new buzzwords.
Nowhere have I found this more amply demonstrated, within the compass
of a limited total of pages, than in "Makin' Numbers."  Time and again
I found intriguing tidbits addressing concepts which we currently
consider highly advanced.

There is, for example, the concept of pipelining, and the speeding up
of execution time within the central processor.  The devotees of this
practice would be astounded to find the lengths to which Mark I
programmers took the idea.  Not content with simply preparing in
advance of an operation, they would actually start extra operations
with unused parts of the machine, such as getting in some extra
additions while the multiplication or division unit was crunching
through a multi-cycle function.

In one piece, Grace Hopper speculates on what Howard Aiken meant by
his continual reference to computing "engines," concluding that he saw
a computer as a kind of number factory, in which were employed a
number of specialized machines with differing functions.  This
corresponds with the prevailing thinking about embedded or pervasive
computing.

As a virus researcher, I am very sensible of Aiken's antipathy towards
von Neumann architecture, with no distinction between instructions and
data, and his pursuit of the forgotten Harvard architecture.  Making a
division between code and information that is processed would
eliminate viruses as a possibility.  It is, however, intriguing that
Aiken championed the idea, given his insistence on the pursuit of
usability in computers, and his prediction that programmers would be
more important than the fabricators of computing machinery: von
Neumann architecture is certainly much easier to use in developing
systems.

Even more than in the companion "Howard Aiken: Portrait of a Computer
Pioneer" by Cohen (cf. BKHAPOCP.RVW), "Makin' Numbers" provides a
wealth of ideas from the history of the field.

copyright Robert M. Slade, 2003   BKMKNNMB.RVW   20031214


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Where you go I will go, and where you stay I will stay.  Your
people will be my people and your God my God.  Where you die I
will die, and there I will be buried.                 - Ruth 1:16,17
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#508 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon May 17, 2004 4:11 pm
Subject: REVIEW: "Mac OS X Bible", Lon Poole/Dennis R. Cohen/Steve Burnett
 
BKMOSXJE.RVW   20031220

"Mac OS X Bible", Lon Poole/Dennis R. Cohen/Steve Burnett, 2003,
0-7645-3731-8, U$39.99/C$59.99/UK#27.95
%A   Lon Poole
%A   Dennis R. Cohen
%A   Steve Burnett
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-7645-3731-8
%I   John Wiley & Sons, Inc.
%O   U$39.99/C$59.99/UK#27.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764537318/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764537318/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764537318/robsladesin03-20
%P   895 p.
%T   "Mac OS X Bible: Jaguar Edition"

This is a huge, fat, book, and one would think that somewhere in it
there must be useful information.  One would be wrong.

Part one is about getting to know Mac OS X.  Chapter one outlines the
visible changes to the interface.  Basic functions (starting up,
shutting down, and invoking programs) are in chapter two.  The Finder
and basic objects (programs, files, directories and so forth) are
reviewed in chapter three.  Chapter four outlines interface settings
and preferences.  Chapter five discusses some basic operations with
respect to files and applications.  Too little information on Internet
connections, the Web, and email, is given in chapter six.  Chapter
seven does not really make clear that Find is for local files, and
Sherlock is an Internet application.  Chapter eight describes the
interface for the help system.

Part two deals with basic operations.  Chapter nine lists printer and
queue management screens.  There is a confused amalgam of local and
Internet networking and file transfer in chapter ten.  Chapter eleven
lists some programs that come with the system.  A little information
about fonts is in chapter twelve.  Dialogue boxes for video
applications are printed in chapter thirteen and the same for audio is
in fourteen.  Chapter fifteen notes a number of preferences that can
be set.

Part three is supposed to cover more advanced topics.  Chapter sixteen
outlines user account information, but does not deal with the
underlying structures or command line utilities.  Chapter seventeen
talks about speech applications.  (Sorry, couldn't help myself.)  Both
ethernet and wireless networking are assumed to work properly without
any trouble in chapter eighteen.  (How likely this is to happen is
left as an exercise to the reader.)  Chapter nineteen tells you how to
turn on file sharing.  Chapter twenty tells you how to enable even more
dangerous network services.  An introduction to AppleScript is given
in chapter twenty one.

Part four is *also* supposed to cover more advanced topics.  Chapter
twenty two lists more programs included with the system.  Chapter
twenty three lists some shareware.  Miscellaneous tips are in chapter
twenty four.  Chapter twenty five gives you enough information about
the underlying system to be dangerous, and recommends that you keep
your system clean and backed up.  Too little information about UNIX,
in too much bloated verbiage, is provided in chapter twenty six.

The advice is banal, the text runs in circles and repeats itself, and,
overall, this book does not provide much help or assistance to any
level of user.

copyright Robert M. Slade, 2003   BKMOSXJE.RVW   20031220


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
I have heard many things like these, miserable comforters are you
all!  Will your long-winded speeches never end?  What ails you
that you keep on arguing?  I also could speak like you if you
were in my place; I could make fine speeches against you and
shake my head at you.                                   - Job 16:2-4
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#509 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue May 25, 2004 10:23 pm
Subject: REVIEW: "Beyond Fear", Bruce Schneier
 
BKBYNDFR.RVW   20031219

"Beyond Fear", Bruce Schneier, 2003, 0-387-02620-7, U$25.00/C$38.95
%A   Bruce Schneier schneier@...
%C   115 Fifth Ave., New York, NY   10003
%D   2003
%G   0-387-02620-7
%I   Copernicus/Springer-Verlag
%O   U$25.00/C$38.95 800-842-3636 212-254-3232 fax: 212-254-9499
%O  http://www.amazon.com/exec/obidos/ASIN/0387026207/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0387026207/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0387026207/robsladesin03-20
%P   295 p.
%T   "Beyond Fear"

It is instructive to view this book in light of another recent
publication.  Marcus Ranum, in "The Myth of Homeland Security" (cf.
BKMYHLSC.RVW) complains that the DHS (Department of Homeland Security)
is making mistakes, but provides only tentative and unlikely
solutions.  Schneier shows how security should work, and does work,
presenting basic concepts in lay terms with crystal clarity.  Schneier
does not tell you how to prepare a security system as such, but does
illustrate what goes on in the decision-making process.

Part one looks at sensible security.  Chapter one points out that all
security involves a balancing act between what you want and how badly
you want it.  An important distinction is also made between safety and
security, and the material signals the danger of ignoring the
commonplace in order to protect against the sensational but rare.
Fundamental security concepts are outlined as well as risk analysis.
Chapter two examines the effect (usually negative) that bias and
subjective perceptions have on our inherent judgment of risks.
Security policy is based on the agenda of the major players, and
chapter three notes that we should evaluate security systems in that
light.

Part two reviews how security works.  Chapter four introduces systems
and how they fail.  "Know the enemy," in chapter five, is not just a
platitude: Schneier shows how an understanding of motivations allows
you to assess the likelihood of different types of attack.  Chapter
six is less focused than those prior: it notes that attackers reuse
old attacks with new technologies, but it is difficult to find a
central thread as the text meanders into different topics.  Finding a
theme in chapter seven is also difficult: yes, technology creates
imbalances in existing power structures, and, yes, complexity and
common mechanisms do tend to weaken security positions, but the
relationships between those facts are not as lucidly presented as in
earlier material.  The point of chapter eight, that you always have to
be aware of the weakest link in the security chain, even when it
changes, is more straightforward, but the relevance of the
illustrations surrounding it is not always obvious.  Resilience in
security systems is important, but it is not clear why this needs to
be addressed in a separate chapter nine when it could have been
discussed in eight with defence in depth (or "class breaks" and
single-points-of-failure in seven).  The hurried ending is also very
likely to confuse naive readers in regard to "fail-safe" and "fail-
secure": Schneier does not sufficiently stress the fact that the two
concepts are not only different, but frequently in conflict.  Chapter
ten notes that people are both the strongest and weakest part of
security: adaptable and resilient but terrible at detail; frequently
surprisingly intuitive but often randomly foolish.

At this point the book is not only repetitive, but loses some of its
earlier focus and structure.  Detection and prevention are examined,
in chapter eleven, not as part of the classic matrix of controls, but
as yet another example or aspect of resilience.  Most of the rest of
the types of controls in the preventive/detective axis are listed in
chapter twelve, lumped together as response.  Chapter thirteen looks
at identification, authentication, and authorization (but not
accountability, which was seen, in the form of audit, in chapter
eleven).  Various types of countermeasures are described in chapter
fourteen.  Countermeasures with respect to terrorism are examined, in
chapter fifteen, both in general terms and in light of the events of
9/11.  What works is discussed, as well as what does not, and there is
an interesting look at the different roles of the media in the US as
contrasted with the UK.

Part three, entitled "The Game of Security," is not clear as to
purpose.  Chapter sixteen starts off by pointing out that the five
step assessment process is constant and never-ending--which begs the
question of how to determine when diminishing returns start to set in
on assessment itself.  However, there is good material in regard to
the actions you can take to influence decisions about security.  A
concluding editorial, in chapter seventeen, encourages the reader to
move beyond fear and think realistically about security and the
tradeoffs you are willing to make.

Some of the terms Schneier uses or invents may be controversial.  His
use of "active" and "passive" failures for the concepts more commonly
known respectively as false rejection (false positive) or false
acceptance (false negative) is probably much clearer, initially, to
the naive reader.  The concept is an important one, and so the
presentation of it in this way could be a good thing.  On the other
hand, does "active failure" completely map to what is meant by "false
acceptance," and, if not, how much of a problem is created by the use
of the new term?  Similarly, "class break" does indicate the
importance of new forms of attack, but the concept seems to partake
aspects of defence in depth, single point of failure, and least common
mechanism, all important constructs in their own right.  Schneier's
invention of "default to insecure" is not really any more
understandable than the more conventional terms of fail-safe or fail-
open.

I recommend this book.  Unlike Ranum's, "Beyond Fear" has a more
significant chance of informing and educating the public on vital
issues of security.  Security educators will find a treasure trove of
ideas and examples that they can use to explain security concepts, to
a variety of audiences.  Security professionals are unlikely to find
anything new in this material, but Schneier's writing is always worth
reading, and this work is refreshingly free of the grating of
erroneous ideas.

copyright Robert M. Slade, 2004   BKBYNDFR.RVW   20031219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
    .^.        .^.        .^.        .^.        .^.        .^.
_|\   /|_  _|\   /|_  _|\   /|_  _|\   /|_  _|\   /|_  _|\   /|_
>   C   <  >   a   <  >   n   <  >   a   <  >   d   <  >   a   <
  >_/|\_<    >_/|\_<    >_/|\_<    >_/|\_<    >_/|\_<    >_/|\_<
Modified from JD Small <ai369@...>
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#510 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri May 28, 2004 4:41 pm
Subject: REVIEW: "The Teeth of the Tiger", Tom Clancy
 
BKTTHTGR.RVW   20040306

"The Teeth of the Tiger", Tom Clancy, 2003, 0-399-15079-X,
U$27.95/C$40.00
%A   Tom Clancy
%C   10 Alcorn Ave, Suite 300, Toronto, Ontario, M4V 3B2
%D   2003
%G   0-399-15079-X
%I   Penguin Putnam
%O   U$27.95/C$40.00 416-925-2249 Fax: 416-925-0068 service@...
%O  http://www.amazon.com/exec/obidos/ASIN/039915079X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/039915079X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/039915079X/robsladesin03-20
%P   431 p.
%T   "The Teeth of the Tiger"

It is interesting to note, reading the reviews on Amazon, that even
die-hard Clancy fans are starting to lose faith.  Clancy has moved
from curmudgeon to outright maverick in this work.  The plot doesn't
just depend on bending the rules, but by going completely outside them
and playing God.  (In which regard, I'm fairly sure that quite a few
Catholics would take issue with the assertion that as long as you
*think* you are doing the right thing, God can't say anything about
it.)  The "good guys" luck out a lot, but are extremely sloppy, and
any group that did operate in this manner would tend to kill a lot of
innocent people.  Despite crises of conscience (very brief ones), none
of the characters in this tale are attractive or sympathetic: they all
seem to be pretty thin.  But that isn't what we are here to talk
about.

Clancy demonstrated in "The Bear and the Dragon" (cf. BKBRDRGN.RVW)
that he didn't understand cryptography, and he proves his lack of
comprehension again here.  Sun makes good workstations, but they
aren't supercomputers.  Single pass DES (Data Encryption Standard) has
fallen to brute force attacks, but serious users have plenty of
algorithms to choose from that haven't.  Clancy has moved the myth of
the NSA providing encryption standards with backdoors built into it
slightly out of the house, but it's still a myth.  (Yes, the NSA does
have smart people, but the one time they did really try it, with the
Clipper/SKIPJACK key escrow system, it failed.  Ironically, the
failure didn't lie in their ability not to get caught, since they were
completely open about it, but in a weakness that meant the escrowing
system could be broken.)  As far as getting everyone to buy into a
proprietary, unreviewed encryption system and use it pretty much
universally for several years without anybody twigging as to what was
going on, forget it.  There are a number of players in the crypto
market, everybody serious enough to study the field knows not to buy
snake oil, and anyone following the security field at all knows that
backdoors get found every day.

Just because you use the same accounting system as someone else
doesn't mean that you can read all their files.  (In fact, if you are
breaking in to someone's system, it is often easier to grab the data
files themselves and process them with your own tools.)  There is no
discussion about getting access to files on remote systems at all:
Clancy just seems to assume that it can be done.  Admittedly, he is
assuming a backdoor into Echelon, and assuming that Echelon can, in
fact, collect all the transmission of voice and data anywhere in the
world.  (We'll leave that tall order for the moment, since it isn't
inherently impossible, however unlikely.)  The data under
investigation, however, isn't in transit: it resides on a bank
computer.

This book has annoying errors in technology, flat characters, a shaky
premise, and very little of the old Clancy flair.

copyright Robert M. Slade, 2004   BKTTHTGR.RVW   20040306


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
If people do not believe that mathematics is simple, it is only
because they do not realize how complicated life is.
                                             - John Louis von Neumann
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#511 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jun 14, 2004 4:07 pm
Subject: REVIEW: "Wired", Robert L. Wise
 
BKWIRED.RVW   20040331

"Wired", Robert L. Wise, 2004, 0-446-69163-1, U$13.95/C$19.95
%A   Robert L. Wise revwise@...
%C   1271 Avenue of the Americas, New York, NY   10020
%D   2004
%G   0-446-69163-1
%I   Time Warner
%O   U$13.95/C$19.95 www.twbookmark.com
%O  http://www.amazon.com/exec/obidos/ASIN/0446691631/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0446691631/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0446691631/robsladesin03-20
%P   305 p.
%T   "Wired"

Some books are good, and some books are bad.  Some books are so
unsatisfactory that you think that you could do better.  Some books
are so poorly written that you think *anyone* could have produced an
improved tome.  Generally, though, these idle thoughts are dismissed
by recognition of the fact that writing a book is hard work.  Why put
in all that time and effort just to prove you could surpass what you
are reading?

Every once in a while, though, you come across a book that is *so*
rotten you feel that the exertion might be justified if it meant that
volumes like it didn't get published.  You'd be doing the world a
favour.

It is difficult to even begin to note the failings of the writing.
Characterization, of both individuals and whole societies, is
inconsistent and unrealistic.  Dialogue is stilted.  Action is uneven
and disjointed.  Description, of both characters and settings, is
contradictory and confusing.  It's difficult to develop any empathy
for the personae in the story, since, with constantly changing
motivations and reactions, it is almost impossible to tell who they
actually are.

Wise is a Christian and this is a Christian story.  (One assumes Wise
is a Christian: even for a professional paranoid like myself it is
difficult to seriously entertain the notion that maybe Wise *isn't* a
Christian, and is, with this effort, trying to further debase the body
of contemporary Christian fiction.)  It attempts to posit a near-
future occurrence of the Tribulation, one possible interpretation of
sections of the Revelation of John (the final book in the Christian
Bible).  For anyone who has read Revelation (and some passages in the
Gospels) the references are glaringly obvious: wars and rumours of
wars, the moon as blood, earthquakes in unusual places, the opponent
of Christian believers, the mark on the forehead, and so forth.  (Wise
rather misses a trick when he doesn't get into the inability to
conduct business without the mark, and we haven't yet got to the
miraculous head wound, but the book simply cries out "FIRST OF A
SERIES!!!" so that'll probably be coming.)

Speaking of paranoia, the book reeks of it.  The feel is of the newly
created Christian group as an embattled small band.  They have
identifiable and specific enemies, but, in addition, are constantly
under a kind of passive attack by basically everyone else in the
world.  One has the impression of reading "The Dawn of the Morally
Dead," with drooling lechers and drunkards shambling across the
apocalyptic landscape.

OK, enough editorial, let's talk tech.  It's terrible, and has no
particular relation to reality or logic.  An object that looks like it
might have an eye must be frightening.  Machines resembling miniature
hooks, missiles, or robots evidently have a potential for disaster.
Computers that are very tiny have a brain but no conscience!  (No room
for a conscience?)  Devices with internal structures the width of
several atoms are monstrous!  (Wise can be inadvertently hilarious at
times.)  Objects measured on the atomic scale can be seen with an
ordinary optical microscope.  But objects the size of a human hair are
invisibly tiny.  (Heck, *I* can see hairs even with *my* tired old
eyes!)

Wise throws around miscellaneous technologies that have no relation to
each other.  Quantum computers can control photons.  (So can the on-
off switch on a flashlight, and, no, Wise isn't talking about optical
fibre.)  Sending photons, even when there is no line of sight, can
cause nanoparticles to disappear!  (I don't think Wise even knows what
a photon *is*.)  However, sending the *other* photons can cause the
nanoparticles to attack!  (I can never recall: am I the good photon,
or the evil photon?)

The major tech in the book is nanotechnology.  Wise doesn't appear to
know anything about it except that it involves little bitty things.
The possibilities of object creation, medical uses, or information
storage are unexplored.  (Wise should read something on the topic: if
he prefers fiction, perhaps "The Diamond Age" [cf. BKDAYLIP.RVW].)
The questions of pollution, energy consumption, and heat dissipation
are likewise ignored.  Clusters of nanoparticles, the width of a hair
in total extent, can somehow allow complete surveillance of the
individual on whom they are placed.  There is no attempt to discuss
how this might take place.

In the end, though, the technology that does have some bearing on the
plot is rather pedestrian.  The US Department of Homeland Security's
Total Information Access plan, coupled with Echelon (which Wise
doesn't name), and aided by a plain old-fashioned entrapment operation
are the major plot devices.

If this book is aimed only at entertaining Christians, it doesn't
provide them with anything in the way of literary values or good
story-telling.  If this work is intended to be an apologia to the rest
of the world it is an ignorant and insulting attempt.

copyright Robert M. Slade, 2004   BKWIRED.RVW   20040331


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
                   ______________________
                  |    |     /\     |    | swiped
                  |    | __ |  | __ |    | from
                  |    | \ \    / / |    | Mike
                  |    | /________\ |    | Church
                  |____|_____][_____|____| @sfu.ca
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#512 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jun 18, 2004 4:10 pm
Subject: REVIEW: "Mac OS X in a Nutshell", Jason McIntosh/Chuck Toporek/Chris Stone
 
BKMOSXNS.RVW   20040415

"Mac OS X in a Nutshell", Jason McIntosh/Chuck Toporek/Chris Stone,
2003, 0-596-00370-6, U$34.95/C$54.95/UK#24.95
%A   Jason McIntosh
%A   Chuck Toporek
%A   Chris Stone
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00370-6
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$54.95/UK#24.95 800-998-9938 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596003706/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596003706/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596003706/robsladesin03-20
%P   801 p.
%T   "Mac OS X in a Nutshell"

The preface, on behalf of the reader, asks why there should be a need
for this Nutshell series book, when a "Missing Manual" (another
O'Reilly series) Mac OS X title exists.  It concludes that the
Nutshell books are for the power users who are "curious about what
happens under the hood."  The preface goes on to promise that this
work is terse and without excessive verbiage.  Overall, this
commitment to concision is met, but the "under the hood" material
seems to be missing.  This volume is a good index in terms of where to
look for a given operation, but gives little explanation of the
underlying technology or functions that the power user could utilise.
"Terse" should not just mean a command to "do this," without any
exegesis.

Part one is a general introduction.  Chapter one presents the usual
list of desktop GUI (Graphical User Interface) basics.  File and
application management with the Finder is covered in chapter two.  The
differences between Mac OS X, OS 9, and Classic are presented in
chapter three.  Chapter four is an index to functions and settings.

Part two deals with system configuration.  System preferences are
outlined in chapter five.  Chapter six has a listing and brief
description of many applications and utilities shipped with the
operating system.  Dialogue boxes related to net connections are
discussed in chapter seven, but there is little additional
information.  Printer control, in chapter eight, is reviewed with
slightly more data.  Chapter nine lists some file systems, and
presents a few UNIX file system concepts, but is very disappointing in
its lack of detail.  Superficial coverage of Java related settings in
Internet Explorer and MRJAppBuilder makes up chapter ten.

Part three reviews system and network administration.  Chapter eleven
lists miscellaneous administrative tasks such as running commands with
root privileges, mounting disks, and (oddly) the firewall.  The
explanation of network directory services and NetInfo, in chapter
twelve, clarifies some items that were confusing in chapter eleven: a
forward reference would have been helpful.  Chapter thirteen talks
about starting Web, email, and other servers, and fourteen discusses
installing parts of Darwin, Apache, MySQL, PHP, Perl, and Python (all
under the acronym DAMP).

Scripting and development, in part four, has a catalogue of
development tools (in chapter fifteen), a brief description of
AppleScript (sixteen), text editors and command lists for vi and emacs
(seventeen), and a CVS (Concurrent Versions System) command reference
(eighteen).

Part five is, ostensibly, the long promised look under the Mac OS X
hood.  Chapter nineteen reviews terminal preferences, twenty takes a
brief look at patterns and regular expressions (regex), twenty one
lists some tcsh shell commands and operators, twenty two discusses
settings in property list (plist) files, twenty three deals with some
aspects of starting X, twenty four has an extremely terse mention of
installing UNIX software, and twenty five is a UNIX command reference.
Yes, this section does give a bit of background in UNIX, the operating
system underlying OS X, but the look is fleeting, and the hood is
slammed shut without much useful information being imparted.

While this book is a serviceable guide for the general Mac OS X user,
coming from the usually superior Nutshell series it is a
disappointment.

copyright Robert M. Slade, 2004   BKMOSXNS.RVW   20040415


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
If 50 million people say a foolish thing, it is still a foolish
thing.                                               - Anatole France
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#513 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jun 21, 2004 7:14 pm
Subject: REVIEW: "Information Security Risk Analysis", Thomas R. Peltier
 
BKINSCRA.RVW   20040509

"Information Security Risk Analysis", Thomas R. Peltier, 2001,
0-8493-0880-1
%A   Thomas R. Peltier
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2001
%G   0-8493-0880-1
%I   Auerbach Publications
%O   +1-800-950-1216 orders@...
%O  http://www.amazon.com/exec/obidos/ASIN/0849308801/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0849308801/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849308801/robsladesin03-20
%P   281 p.
%T   "Information Security Risk Analysis"

Chapter one, supposedly discussing effective risk management, outlines
a number of points important to the process, but in a rather scattered
manner.  Material seems to have been gathered from a variety of
sources, but the gaps between those references and articles have not
been filled.  The information given is inconsistent in terms of
significance: a list of natural threats lists "air pollution" (there
is no corresponding "water pollution") and "earthquakes" as generic
issues, but breaks weather conditions down into items as specific as
"Alberta Clipper" and "lake effect snow" (as well as a very odd
mention of "yellow snow," defined as snow coloured by pollen).  Risk
analysis methods are generally divided into quantitative and
qualitative, so one would assume that chapter two, "Qualitative Risk
Analysis," would present the concepts of this idea, leaving
quantitative analysis for another section.  Neither of those
assumptions is true: chapter two lists three different methods that
would probably be seen as qualitative, but does not analyse or compare
them, and quantitative analysis is not reviewed in any specific part
of the book.  Chapter three, entitled "Value Analysis," is an
extremely terse mention of the importance of calculating the value of
assets.  Five more qualitative procedures are listed in chapter four.
Another such, the Facilitated Risk Analysis Process (FRAP), suitable
for a quick risk review in a small department, is described in chapter
five, along with some related, but incompletely described, forms and
charts.  "Other Uses of Qualitative Risk Analysis," in chapter six,
enumerates a few other risk analysis factors, mostly to do with
business impact analysis.  Chapter seven is supposed to be a case
study using FRAP, but consists of fifty pages of unexplained forms.
The appendices contain various forms, again without commentary or
exegesis, including a questionnaire that bears a strong resemblance to
the US NIST (National Institute of Standards and Technology) security
self-assessment form.

The basics of risk analysis are here, but, aside from a padding of
verbiage, there is not much else.  A decent article on the subject,
such as Ozier's in the "Information Security Management Handbook" (cf.
BKINSCMH.RVW), covers every bit as much territory, and in a more
concise manner.

copyright Robert M. Slade, 2004   BKINSCRA.RVW   20040509


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
I think that it is worth keeping in mind that the businessmen who
run banks are so worried about holding on to things that they put
little chains on all their pens.                        - Miss Piggy
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#514 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Jun 24, 2004 8:48 pm
Subject: REVIEW: "Security Warrior", Cyrus Peikari/Anton Chuvakin
BKSECWRR.RVW   20040509

"Security Warrior", Cyrus Peikari/Anton Chuvakin, 2004, 0-596-00545-8,
U$44.95/C$65.95
%A   Cyrus Peikari
%A   Anton Chuvakin
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2004
%G   0-596-00545-8
%I   O'Reilly & Associates, Inc.
%O   U$44.95/C$65.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596005458/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596005458/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596005458/robsladesin03-20
%P   531 p.
%T   "Security Warrior"

The preface isn't a really clear piece of writing, but does,
eventually, get around to stating that the book focuses on security
from an attack, rather than defence, perspective.  I have, in numerous
other reviews, pointed out the errors and limitations in this
position.

Part one deals with cracking software, primarily involved with
breaking copy protection.  Chapter one explains a few concepts about
assembly language quite well, and then ends abruptly.  Some Windows
tools for reverse engineering are listed in chapter two, plus a couple
of poorly explained examples.  The material on reverse engineering in
Linux is longer and more detailed, but still has very limited tutorial
value, and is padded with extensive code listings of dubious worth.
Chapter four is supposed to deal with reverse engineering for
Windows CE, but contains an odd mix of CE operating system
architecture, a partial list of ARM CPU opcodes, and a description of
how to crack the registration code check in a program written solely
to allow you to crack the registration code check embedded within it.
Overflow attacks, in chapter five, explains buffer and other overflow
conditions, and gives an example of a buffer overflow as a crack in
another fake program.

Part two presents information about networks.  Chapter six is a rather
unstructured overview of TCP/IP and a listing of some sniffing tools.
(TCP is explained before IP itself, and the relationship of the
various protocols in the suite is not discussed.  A section on "covert
channels" emphasizes a strange misuse of header fields, and then
drifts into something like session hijacking.)  Social engineering can
be used in a variety of ways, so it is strange that chapter seven
should be here rather than in the "Advanced Defence" of part four.
The random content provided has little organization and a fair number
of errors: the authors insist that social engineering attacks can be
divided into active and passive types, but, by its nature, social
engineering is almost entirely active.  (The book does seem to tacitly
admit this: there is a list of example "active" attacks, but no
corresponding "passive" list.)  Chapter eight mentions a few methods
of reconnaissance with differing levels of detail.  Some more advanced
techniques for identifying operating systems are given in chapter
nine, but the particulars are similarly inconsistent.

Part three lists attacks against specific platforms.  The authors
betray their lack of study once again in chapter eleven: UNIX is *not*
"reborn from" MULTICS (although it was heavily influenced), and TCSEC
(the Trusted Computer System Evaluation Criteria) is definitely *not*
the Common Criteria.  The various security related aspects, tools, and
hardening of UNIX are not bad, but lack definition.  The UNIX attacks
listed in chapter twelve are good: ironically, because of the generic
nature of the descriptions the examples are probably useful as a guide
to defensive measures, rather than being outdated tricks.  The Windows
client attacks listed in chapter thirteen, because they are specific,
have limited the material both in scope and utility.  Chapter
fourteen, listing Windows server attacks, notes some interesting
security bugs in Server 2003 and other programs (and one bit on
smartcards.)  "SOAP XML Web Services Security," in chapter fifteen, is
a long title for a short piece on XML digital signatures.  "SQL
Injection," in chapter sixteen, has some examples of malformed data
attacks, and also points out the dangers of adding programming
functionality to applications.  As with social engineering, the tie to
networks is thin, seemingly limited to the PHPNuke program.  Some
aspects of wireless antennae, sniffing, and a brief review of the
weaknesses in WEP (Wired Equivalent Privacy) are in chapter seventeen.

Part four looks at more advanced defence.  Miscellaneous thoughts on
logging are in chapter eighteen.  Chapter nineteen has a confused
explanation of intrusion detection systems (IDS).  There is no mention
of rule (or activity monitoring) based engines, signature based
engines are said to be restricted to net-based IDS, different terms
are used for anomaly detection engines on hosts versus networks, and
there is a muddled attempt to tie Bayesian analysis to odd
mathematical ratios of false positive (false rejection) and false
negative (false acceptance) errors.  The installation of a simple
honeypot is described in chapter twenty (which probably *should* be in
part two).  There is a good initial outline of incident response in
chapter twenty one, but it breaks down when getting into specifics.
Forensics and antiforensics, in chapter twenty two, gives some
background and tools for data recovery and obfuscation.

It is ironic that the book starts out with a quotation from "The Code
of the Samurai," stating that "[a]ll samurai ought certainly to apply
themselves to the study of military science.  But a bad use can be
made of this study to puff oneself up and disparage one's colleagues
by a lot of high-flown but incorrect arguments that only mislead the
young ..."  This assessment fits Peikari and Chuvakin's work almost
perfectly.  There is a lot of interesting information in this volume:
if you have limited technical background in the fields examined, you
will find that a quick perusal will provide you with some superficial
familiarity with the topics.  However, the uneven coverage ensures
that the information is spectacular, rather than tutorial.  The
disjointed jumps from one subject to the next prove the technical
erudition of the authors, but do not help the reader very much.

copyright Robert M. Slade, 2004   BKSECWRR.RVW   20040509


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
My interest is in the future because I am going to spend the rest
of my life there.               - Charles F. Kettering (1876 - 1958)
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
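
The false positive/false negative point raised in the IDS paragraph of the
review above can be made concrete with Bayes' rule: the usefulness of an
alert depends on the base rate of intrusions as much as on the detector's
own error rates.  The following is an added illustration, not code from the
book or from the reviewer; the detector rates, the one-in-ten-thousand base
rate and the synthetic event log are constructed for the example.

```python
"""Base-rate arithmetic for intrusion detection alerts.

Added illustration.  All rates and the event log below are constructed;
nothing here is measured from a real IDS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectorRates:
    tpr: float  # P(alert | intrusion) = 1 - false-negative rate
    fpr: float  # P(alert | benign event) = false-positive rate


def alert_precision(base_rate: float, rates: DetectorRates) -> float:
    """P(intrusion | alert) by Bayes' rule.

    base_rate is P(intrusion) per audited event.  Returns 0.0 when the
    detector never alerts, to avoid dividing by zero.
    """
    p_alert = base_rate * rates.tpr + (1.0 - base_rate) * rates.fpr
    if p_alert == 0.0:
        return 0.0
    return base_rate * rates.tpr / p_alert


def max_fpr_for_precision(base_rate: float, tpr: float, target: float) -> float:
    """Largest false-positive rate for which P(intrusion | alert) >= target.

    Solves base_rate*tpr / (base_rate*tpr + (1-base_rate)*fpr) >= target
    for fpr; the result shows how small fpr must be at low base rates.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target precision must be strictly between 0 and 1")
    return base_rate * tpr * (1.0 - target) / ((1.0 - base_rate) * target)


# Constructed audit log: (event_id, is_intrusion), one intrusion in 10,000.
SAMPLE_EVENTS = [(i, i == 4242) for i in range(10_000)]


def synthetic_rule(event_id: int, is_intrusion: bool) -> bool:
    """Stand-in detector with known rates: fires on every intrusion
    (tpr = 1.0) and on one benign event in a hundred (fpr = 0.01)."""
    return is_intrusion or event_id % 100 == 0


def run_detector(events, alert_rule) -> dict:
    """Apply alert_rule(event_id, is_intrusion) to labelled events and
    tabulate the confusion matrix plus the observed alert precision."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for event_id, is_intrusion in events:
        fired = alert_rule(event_id, is_intrusion)
        if is_intrusion:
            counts["tp" if fired else "fn"] += 1
        else:
            counts["fp" if fired else "tn"] += 1
    alerts = counts["tp"] + counts["fp"]
    counts["observed_precision"] = counts["tp"] / alerts if alerts else 0.0
    return counts


if __name__ == "__main__":
    rates = DetectorRates(tpr=1.0, fpr=0.01)
    base = 1 / len(SAMPLE_EVENTS)
    print("Bayes P(intrusion|alert):", alert_precision(base, rates))
    print("Observed on synthetic log:", run_detector(SAMPLE_EVENTS, synthetic_rule))
    print("fpr needed for 50% precision:", max_fpr_for_precision(base, 1.0, 0.5))
```

With a perfect true-positive rate and a 1% false-positive rate, roughly one
alert in a hundred is a real intrusion at this base rate; reaching even-odds
precision requires a false-positive rate near one in ten thousand.  That is
the trade-off an analyst needs to see, independent of which engine type or
sensor location produced the alert.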

#515 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jun 28, 2004 4:41 pm
Subject: REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw
BKEXPLSW.RVW   20040531

"Exploiting Software", Greg Hoglund/Gary McGraw, 2004, 0-201-78695-8,
U$49.99/C$71.99
%A   Greg Hoglund
%A   Gary McGraw
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2004
%G   0-201-78695-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0201786958/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0201786958/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201786958/robsladesin03-20
%P   471 p.
%T   "Exploiting Software: How to Break Code"

I have learned to beware of books with titles like this, which
generally indicate a hastily compiled set of old vulnerabilities,
benefitting nobody save the author.  This work, however, turns out to
have a lot of value for those interested in security of software.

Although it does not deal with the factors inherent in software that
almost ensure problems, chapter one outlines the fact of bugs in
software, the relative rate and increasing prevalence, and future
developments that may exacerbate the issue.  Chapter two provides
taxonomies of general types of software problems (distinguishing, for
example, between a bug and a flaw), patterns of attack activities
(pointing out that most exploits are used in combination), and types
of system scanning activities (used to determine specific attacks that
might be effective).  This material is very useful in structuring the
debate about software exploits and attacks in general, but,
ironically, the chapter (and book) itself could benefit from better
organization.  Reverse engineering, both via black box testing and
through code analysis, is described in chapter three.  The discussion
is general, and presents the different activities that can be
undertaken, usually at a fairly abstract level.  (This is not true in
all cases: there is a chunk of twelve pages of code for a plug-in
module and eight pages of script for the IDA disassembler, which is of
questionable utility, depending on the familiarity the reader may have
with that particular program.)

At this point in the book, the issue of the validity of the "learn to
exploit in order to learn to protect" philosophy should be addressed.
In general, the "hack to protect" books do not provide much that is of
value for the defenders.  That statement is not necessarily true of
this work.  Since most of the presentation is at a conceptual level,
it is the ideas, and not particular exploits, that are being reviewed.
The authors are explaining tools and techniques that, yes, can be used
by attackers, but can equally be used by those who wish to probe a
given system for weaknesses in order to determine vulnerabilities to
be patched.  (There appears to be only one exception in chapter three:
the authors note that vendor patches tend to act as a roadmap for
vulnerabilities, and it is difficult to say how this technique is
useful for defence, other than to note that the probability of an
exploit increases after a patch has been issued.)

Chapter four lists types of attacks on server software, while five
looks at clients, primarily web browsers.  Indications pointing to
patterns of malformed input that are likely to generate successful
exploits are described in chapter six.  The classic and ubiquitous
buffer overflow gets a detailed explanation (supported with a number
of examples) in chapter seven, which has a strangely extensive section
on RISC (Reduced Instruction Set Computer) architectures.  Chapter
eight is rather disappointing in light of the tone of the rest of the
book: it is primarily concerned with how to create and program
rootkits, and the worth for defence is doubtful.

While ultimately of greatest use to a rather select audience (those
specifically concerned with finding and patching loopholes in
software), this book does have a lot to say to most security
professionals.  The security aspects of software development tend to
be glossed over too quickly in most general works on security.
Specific examples of malformed input are used, in too many security
texts, as evidence of the author's superior security erudition, rather
than to explain the underlying concepts.  Hoglund and McGraw have
prepared solid tutorials and definitions of these important ideas
(although one could wish that they had prepared the arrangement of the
book with the same degree of care).

copyright Robert M. Slade, 2004   BKEXPLSW.RVW   20040531


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Daughters of feminists love to wear pink and white short frilly
              dresses and talk of successes with boys/
                                            It annoys/
                                        Their Mums ...  - Nancy White
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#516 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Jun 30, 2004 4:33 pm
Subject: REVIEW: "Principles of Information Security", Michael E. Whitman/Herbert J. Mattord
BKPRINSC.RVW   20040531

"Principles of Information Security", Michael E. Whitman/Herbert J.
Mattord, 2003, 0-619-06318-1
%A   Michael E. Whitman
%A   Herbert J. Mattord
%C   25 Thomson Place, Boston, MA   02210
%D   2003
%G   0-619-06318-1
%I   Thomson Learning Inc.
%O   U$67.95/C$93.17 www.course.com
%O  http://www.amazon.com/exec/obidos/ASIN/0619063181/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0619063181/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0619063181/robsladesin03-20
%P   532 p.
%T   "Principles of Information Security"

The introduction, in chapter one, seems to be a compilation of
security views from a variety of sources.  While this could be
interesting for the experienced professional, the lack of structure
and guidance is likely to confuse the beginning student, the audience
at which the book is aimed.  Each chapter starts with a fictional
scenario: the stories do very little to add to the understanding of
the topic.  Review questions and exercises at the end of the chapters
are generally either simplistic or open-ended.  Chapter two lists
various types of threats and attacks: classifications and groupings
are unclear and are likely to lead students into erroneous assumptions
about the different exploits.  Most of the textual material on legal
and ethical issues, in chapter three, deals with (primarily old) US
laws.  Actually, a substantial portion of the chapter is given over to
screenshots of numerous computer related agencies and organizations.
Risk management is broken into two chapters, four, which gives a
pedestrian but not bad overview of analysis and assessment, and five,
which is another unstructured amalgam of topics, some of which should
have been covered in four.  Chapter six is a wandering discussion of
policy, spending a lot of space listing the NIST (US National
Institutes of Standards and Technology) guides.  Business continuity
planning, in chapter seven, concentrates on incident response, and has
an odd mention of the involvement of law enforcement.  Chapter eight
lists network security tools and also has simplistic coverage of
cryptography, extended with an appendix that gets the mathematics of
asymmetric encryption mostly right, but the implementation seriously
wrong.  Physical security is dealt with reasonably well in chapter
nine, although the fire suppression content may be confusing.  Generic
project planning advice is in chapter ten.  Chapter eleven's review of
personnel security lists job titles, security related certifications,
and some general principles.  Security maintenance, in chapter twelve,
is limited to patch and change management as well as risk re-
assessment advice that probably should have been included with chapter
four.

An introductory security text need not contain the depth, or even
breadth, of a reference for professionals.  However, this one could
use a lot more structure in the presentation of the content, and more
than a little care with facts and implications.

copyright Robert M. Slade, 2004   BKPRINSC.RVW   20040531


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
               Some people think I am naive and apathetic.
      I simply don't know what they mean, and I really don't care.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#517 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Jul 6, 2004 5:25 pm
Subject: REVIEW: "Network Security Jumpstart", Matthew Strebe
BKNTSCJS.RVW   20030604

"Network Security Jumpstart", Matthew Strebe, 2002, 0-7821-4120-X,
U$24.99/C$39.95/UK#18.99
%A   Matthew Strebe mbs+jumpstart@...
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2002
%G   0-7821-4120-X
%I   Sybex Computer Books
%O   U$24.99/C$39.95/UK#18.99 800-227-2346 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/078214120X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/078214120X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/078214120X/robsladesin03-20
%P   365 p.
%T   "Network Security Jumpstart"

The introduction states that this book is suitable for anyone from the
home user to the network administrator to the CEO.  Which is a pretty
tall order.

Chapter one has a decent overview of why computers aren't secure, a
scant computer security history, a few security concepts, and a fairly
trivial set of "review" questions.  There is a media level exposition
on "hackers," in chapter two, a rough outline of intrusion procedures,
and a list of specific attacks that I'm not sure the author fully
understands.  (Immediately following "Denial of Service" comes a
separate entry for "Floods": flooding being a type of denial of
service.)  There is a terse introduction to cryptography, and not much
more than chapter one gave us about authentication, in chapter three.
The suggestions for policy creation, in chapter four, aren't bad for
simple cases, but seriously understate the difficulty of establishing
a full policy, even for home users.  Chapter five describes firewalls
(and seven tells a little bit more about using them at home).  Chapter
six makes the common mistake of assuming that all VPNs (Virtual
Private Networks) are about confidentiality: some are merely about
managing communications configurations.

There is some correct and useful information about viruses in chapter
eight, but it is unfortunately mixed in with a lot of garbage.
Windows NT and its subsequent versions are *not* immune to viruses,
although a rigorous set of file permissions can reduce your risk of
file infectors (which are no longer a major category anyway).
Signature scanners are *not* the only type of antiviral software.
Viruses were *not* invented by accident, BRAIN *never* had an onscreen
display and didn't infect program files, and neither Stoned nor
Jerusalem (Friday the 13th is one variant) were based on BRAIN.
Neither Stoned nor BRAIN relied on program sharing to propagate: data
disks were quite sufficient.  Viruses that only replicate are *not*
benign (anybody ever have problems with Stoned?  Melissa?
Loveletter?), *will* be discovered, and scanning signatures *are*
created.

Fault tolerance, in chapter nine, is not quite business continuity
planning (BCP), but does go beyond the usual UPS (Uninterruptible
Power Supply) and backup recommendations.  Although chapter ten lists
a number of security mechanisms in Windows, a practical understanding
of their use is not presented.  The UNIX tools in eleven are described
more usefully--but they only relate to file permissions.  The network
security tools for UNIX are in twelve--but are only enumerated.
Chapter thirteen has good suggestions for Web server security--but
doesn't say how to implement them.  A random collection of email
security tools and threats makes up chapter fourteen.  IDS (Intrusion
Detection System) concepts are not explained very well in chapter
fifteen: Strebe apparently doesn't understand that all forms use audit
data of one type or another, and doesn't list the major distinctions
between either the engine type or sensor location.

Even given all the faults, one has to admit that Strebe has not done a
bad job with his ambitious intent.  Certainly home users and CEOs can
find better explanations here than in many of the other works aimed at
them, however much I might wish that the book as a whole was more
accurate.  And, yes, even the network administrators might find some
helpful points in the more conceptual material at the beginning of the
book: most of them could do with a better understanding of the need
for policy.  This work isn't great, by any means, but it can fulfill a
need for a quick guide to network threats, for a variety of audiences.

copyright Robert M. Slade, 2004   BKNTSCJS.RVW   20030604


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
       This message is in beta test, but should ship any day now.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#518 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jul 12, 2004 8:42 pm
Subject: REVIEW: "Bluetooth Security", Christian Gehrmann/Joakim Persson/Ben Smeets
BKBLTSEC.RVW   20040622

"Bluetooth Security", Christian Gehrmann/Joakim Persson/Ben Smeets,
2004, 1-58053-504-6, U$79.00/C$114.95
%A   Christian Gehrmann
%A   Joakim Persson
%A   Ben Smeets
%C   685 Canton St., Norwood, MA   02062
%D   2004
%G   1-58053-504-6
%I   Artech House/Horizon
%O   U$79.00/C$114.95 617-769-9750 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1580535046/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580535046/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580535046/robsladesin03-20
%P   204 p.
%T  "Bluetooth Security"

Part one presents the basics of Bluetooth security.  Chapter one is an
introduction to the Bluetooth protocol suite (mostly at the packet
level), and also mentions a few security concepts (in a somewhat
haphazard manner).  The overview of Bluetooth security, in chapter
two, could be clearer: some minutia (such as the bit lengths of
various components of key generation) obscure the basic concepts,
while other specifics (such as the algorithms used) are missing where
they could support the text.  Pairings and key management rely on a
considerable amount of alphabet soup, making frequent references to
the list of acronyms a necessity.  The detailed descriptions make the
explanations difficult, but would make cryptographic analysis possible
for the determined reader.  The algorithms are laid out in chapter
four: although most are based on SAFER+, the greatest emphasis is given
to the E(0) stream cipher.  Chapter five looks at the encryption used
in a broadcast to all members of a piconet.  The discussion of
security policy and access control, in chapter six, deals mostly with
the services required, rather than provided.  A lot of time is spent
analysing cryptographic strength of the algorithms, in chapter seven,
only to come to the conclusion that the greatest problem lies in
pairing and tracking.

Part two deals with Bluetooth security enhancements, still in
development.  Chapter eight discusses anonymity, in terms of varying
the device address to avoid tracking, and the requirements for such a
scenario.  Improved key management, using asymmetric encryption or
challenge-response type systems, is considered in chapter nine.
Chapter ten deliberates on refinement of some standard Bluetooth
applications.

Bluetooth security is not well known, despite the proliferation of
Bluetooth enabled devices.  While this book has a number of
shortcomings in terms of writing, the material provides an
introduction to a number of important considerations.

copyright Robert M. Slade, 2004   BKBLTSEC.RVW   20040622


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
    Power corrupts.  PowerPoint corrupts absolutely.    - Vinton Cerf
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#519 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Jul 15, 2004 8:29 pm
Subject: REVIEW: "Achieving Software Quality Through Teamwork", Isabel Evans
BKASWQTT.RVW   20040622

"Achieving Software Quality Through Teamwork", Isabel Evans, 2004,
1-58053-662-X, U$79.00/C$114.95
%A   Isabel Evans
%C   685 Canton St., Norwood, MA   02062
%D   2004
%G   1-58053-662-X
%I   Artech House/Horizon
%O   U$79.00 617-769-9750 fax: 617-769-6334 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/158053662X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/158053662X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/158053662X/robsladesin03-20
%P   294 p.
%T   "Achieving Software Quality Through Teamwork"

The preface notes that software is produced by people, and usually
teams of people.  The author proposes that understanding people, and
teams, should help make better software.

Chapter one attempts to point out that quality depends upon
perception, but doesn't do a really clear job of it.  Four definitions
of quality are presented: product (specifications), manufacturing
(development process), user (fitness for use: the most subjective),
and value (related to return on investment).  The European Foundation
for Quality Management (EFQM) model is introduced as the basis for the
book (which appears to concentrate on the user and value definitions).
Different groups of people, and the different ways of viewing quality,
are outlined in chapter two, but the interactions and implications are
not apparent.  One set of divisions (between customers, managers,
builders, measurers, and supporters) is used to structure the next
five chapters.

Chapter three looks at various types, factors, and needs of customers,
but gives little that would be of help in the development process.
Managers fare slightly better in chapter four: one specific
communications tool or exercise is listed.  Builders are defined, in
chapter five, by a litany of complaints that programmers have about
others.  Oddly, responsibility for communications is laid at the feet
of the coders, but no means of improvement is provided for them.  The
role of measurers, in chapter six, is again described primarily in
terms of problems, with few solutions discussed.  Chapter seven uses
lots of words in dealing with supporters, but says little of
substance.

Chapter eight describes the life cycle of systems, collapsing
requirements, design, and implementation into a small development
block, and emphasizing delivery and post-delivery.  Start-up has some
brief ideas on concepts and initiation, and then gets into contracts.
The software development life cycle (which, since it is only referred
to as SDLC, is hard to keep separate from the "system" cycle) provides
a terse outline of some project management methods.  A few aspects of
delivery and acceptance are reviewed in chapter eleven.  The post-
delivery material, in chapter twelve, is confused and confusing, but
eventually talks about maintenance.

Overall, the book has numerous points worth considering in the
development process.  Some may help when dealing with requirements and
design, which may assist with the user and value definitions of
quality.  Very little of the content is applicable to the product or
manufacturing aspects noted at the beginning.  In addition, the
particulars are buried in a great deal of superfluous verbiage, and
little is of direct and practical use.  For example, communications is
frequently noted as a problem, and appendix A lists a variety of
communications techniques, but there is very little discussion as to
how to use these methods.

It is very difficult to identify an audience that would benefit from
this work.

copyright Robert M. Slade, 2004   BKASWQTT.RVW   20040622


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
             Absurdiveness Training: Don't get even, get odd.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#520 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Jul 22, 2004 4:52 pm
Subject: REVIEW: "Defend I.T.", Ajay Gupta/Scott Laliberte
BKDFNDIT.RVW   20040623

"Defend I.T.", Ajay Gupta/Scott Laliberte, 2004, 0-321-19767-4,
U$34.99/C$49.99
%A   Ajay Gupta
%A   Scott Laliberte
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2004
%G   0-321-19767-4
%I   Addison-Wesley Publishing Co.
%O   U$34.99/C$49.99 800-822-6339 Fax: 617-944-7273 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321197674/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321197674/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321197674/robsladesin03-20
%P   349 p.
%T   "Defend I.T.: Security by Example"

The preface states that this collection of (sixteen) "case studies" is
intended to explain the security profession.  This seems to be a bit
of a challenge since not all security work involves "cases."

Part one is entitled "Basic Hacking."  Chapter one describes the
process of enumerating a network with nmap and other tools.  There is
lots of information about blackhat activity in this regard, but
nothing on defending IT and nothing on what security professionals do.
Chapter two, however, actually does deal with security work in
describing forensics and the importance of logs and auditing when
dealing with intrusions and attacks over trusted links.  Unlike the
conceptual discussion in chapter two, chapter three's packet dump
listings are not explained in terms of the evidence that would
indicate a DDoS (Distributed Denial of Service) attack.

Part two's emphasis seems to be on how "current methods" of security
are insufficient for most companies.  Chapter four follows the
security assessment of a new wireless network, although not quite the
system design process promised at the beginning.  A virus infection
(except that Sadmind is a worm) is used to demonstrate the need for
patching and scanning, in chapter five.  A worm infection is used, in
chapter six, to prove the need for incident response.  (There is
significant misleading information: the user actions described would
not start a worm, and virus scanning of email would not prevent it.)
Chapter seven looks at a web defacement indicating the need for clear
contracts and understandings in penetration tests.

Part three reviews additional items.  Chapter eight deals with the
selection of an IDS (Intrusion Detection System), but could be a
general model for any security acquisition.  While a company's ad hoc
recovery from disaster is exciting, chapter nine does not clearly make
the case for business continuity planning.  Policy is vital to
security, but chapter ten does not effectively demonstrate either the
centrality or the process.  Chapter eleven could have had the
requirements of HIPAA (Health Insurance Portability and Accountability
Act) point out the need for re-assessment under changing legislation,
but didn't.

Part four nominally reviews old stuff.  Unfortunately, it returns to
the pattern of chapter one, concentrating on the attack aspects and
limiting the discussion of defence.  Chapter twelve looks at war
dialling and says very little about the countermeasures: thirteen is
even worse in dealing with social engineering.

Part four covers aspects of computer forensics.  Supposedly about
industrial espionage, fraud, and a really clumsy attempt at extortion,
chapters fourteen to sixteen actually just recycle the usual material
on data recovery and chain of custody.

A "conclusion" attempts to fill in the holes that this book leaves in
dealing with other areas of security.

The division of the book into parts seems quite arbitrary and
artificial.  The groups of chapters do seem to have vague themes, but
they are tenuous at best.

Overall, the book must be said to have gone some ways towards
fulfilling its goal of explaining what the security profession is
about.  Not the whole way: there are serious gaps in the coverage, and
someone getting a picture of a security career from this book alone
would receive a fairly skewed image.  But the book does present some
interesting aspects of the field in a (mostly) readable form.  There
are any number of books that present a more misleading image.

copyright Robert M. Slade, 2004   BKDFNDIT.RVW   20040623


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
A man is called a good fellow for doing things which, if done by
a woman, would land her in a lunatic asylum.          - H.L. Mencken
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#521 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Sun Jul 25, 2004 8:56 pm
Subject: Book review menus updated
As well as being (in the words of my brother-in-law) the ugliest in the
world, my menus of the book reviews are often sadly out of date.

I've been trying to do some catching up, and, while the menus aren't yet
completely up to date, I've added quite a bit of material.

======================
rslade@...      slade@...      rslade@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses"              0-387-94663-2
"Viruses Revealed"                                      0-07-213090-3
"Software Forensics"                                    0-07-142804-6
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
alternate site http://sun.soci.niu.edu/~rslade/
CISSP refs:     [Base URL]mnbksccd.htm
PC Security:    [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews:   [Base URL]mnbk.htm
                 [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com

#522 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Jul 26, 2004 10:55 pm
Subject: REVIEW: "Windows XP Solutions", Neil Randall
BKWNXPSL.RVW   20040623

"Windows XP Solutions", Neil Randall, 2004, 0-7645-6773-X,
U$24.99/C$35.99/UK#16.99
%A   Neil Randall
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-7645-6773-X
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$35.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/076456773X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/076456773X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076456773X/robsladesin03-20
%P   458 p.
%T   "Windows XP Solutions"

Part one deals with user interface options and configuration.  Chapter
one reviews the login, desktop, and appearance options.  The Start
Menu and the Taskbar are covered in chapter two, while three is
primarily concerned with folder alternatives.  Special selections,
such as accessibility factors, are in chapter four, along with the
functions of TweakUI.

Part two talks about installing and removing hardware and software.
Chapter five (installing software) is nothing special, while seven
(hardware) is nothing much.  Removing software, in chapter six, details
various methods and has a valuable section on getting rid of spyware.
Troubleshooting hardware (mostly to do with driver updates) and some
brief hard disk maintenance tips are in chapter eight.

Users, permissions, and policies are the subject of part three.
Chapter nine discusses creating user accounts, but does not mention
the dangers of the defaults.  Changing permissions, in chapter ten,
explains the dialogue boxes.  Chapter eleven's material on handling
data files is not very useful.  Chapter twelve lists some policy
options, but doesn't deal with the implications.

Part four reviews some aspects of security and recovery.  Chapter
thirteen retails run-of-the-mill backup advice.  The dialogue boxes
for the XP firewall and EFS (Encrypting File System) are in fourteen.
There are errors in chapter fifteen's explanation of Windows Update,
such as the fact that MS Office Update sometimes *does* involve the
same files as Windows Update, and has a less sophisticated engine,
which is why Windows Update should always be run after an Office
Update.  System Restore is covered poorly (there is no mention of the
difficulties it can create when the user tries to customize the
machine) in chapter sixteen, along with other recovery related
activities.

Part five deals with creative bits.  Chapter seventeen lists included
tools for modifying digital images, while eighteen and nineteen
discuss video, and twenty talks about audio.

Part six has an overview of Internet options.  Chapter twenty one
takes a vague look at Internet connections, twenty two examines
choices in Outlook, twenty three deals with Internet Explorer, and
twenty four discusses Remote Desktop and Remote Assistance.

Part seven discusses home or small networks.  Chapter twenty five
tabulates network device basics, twenty six takes a terse look at
small workgroup nets, and twenty seven provides just enough
information about starting Internet services to be dangerous.

This book does have some pointers, but (in a larger footprint) it has
nowhere near the value of David Karp's "Windows XP Annoyances" (cf.
BKWNXPAN.RVW) or even Gralla's "Windows XP Hacks" (cf.
BKWNXPHK.RVW).

copyright Robert M. Slade, 2004   BKWNXPSL.RVW   20040623



#523 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Jul 28, 2004 4:34 pm
Subject: REVIEW: "The Sundering", Walter Jon Williams
BKSNDRNG.RVW   20040629

"The Sundering", Walter Jon Williams, 2004, 0-380-82021-8
%A   Walter Jon Williams
%C   10 East 53rd Street, New York, NY  10022-5299
%D   2004
%G   0-380-82021-8
%I   HarperCollins/Basic Books/Torch
%O   800-242-7737 fax: 212-207-7433 information@...
%O  http://www.amazon.com/exec/obidos/ASIN/0380820218/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0380820218/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0380820218/robsladesin03-20
%P   436 p.
%T   "The Sundering"

Once upon a time, a long, long time from now (and far away) there was
a great space war.

Given that it's a long time from now, it's rather bemusing that
technology hasn't advanced very far, aside from discovering
traversable wormholes and producing antimatter in commercial
quantities.  This isn't entirely the fault of human beings, since a
mysterious and powerful race has come along and generally interfered
with social and technological development, although they now seem to
have stepped out for an extinction.

But you can forgive a lot to a book which understands that space
battles, even those confined to a mere solar system, take place over
days, and that the ability to withstand crushing accelerations for
long periods of time is what makes the difference.

Faster than light communications would certainly help, but that may be
too much to ask from the universe.  Smarter computers would
*definitely* help, and should have been possible.

The use and operation of computers in this brave new world is not
clearly spelled out, but they seem to run on scripts, rather than
machine code.  The mysterious and powerful race have ensured that all
computers are registered and known, thus fulfilling Microsoft's dreams
for Palladium.  (Apparently no Linux hackers, or other amateur
computer enthusiasts, have survived.)  Serious cryptography seems to
have been forgotten: there is one reference to the fact that nobody
can use cryptography since everyone has powerful computers and can
therefore break any ciphers.  This indicates that everyone has
forgotten that, when computer power increases, you can just increase
the key length.

The fact that computers are known and registered is used to prove the
need for low-tech communications solutions when the bad guys move in
and take over the seats of power.  However, a few pages later, our
merry band of counter-revolutionaries is happily using communications
devices that seem to have a lot of computer-related functions (even
real-time broadcasts seem to be "store and forward").

Our underground heroine manages to become a fully-fledged intruder in
the space of twenty-four hours.  Along the way she does learn
something that I wish every security professional knew: when you have
functional security, you'd better have an assurance activity as well.

(Of course, if anyone had put "defence in depth" in place, she'd have
been sunk.)

copyright Robert M. Slade, 2004   BKSNDRNG.RVW   20040629


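
The key-length remark in the review above, carried through as an added
worked example (illustration added here, not text or code from the review
or from the novel): it computes the expected cost of exhaustive key search
for a key of n bits, the number of bits that cancel a given attacker
speed-up (log2 of the speed-up, rounded up), and the key length that
outlasts an attacker whose key-testing rate is assumed to double on a
fixed schedule over the key's lifetime.  The attacker rates, lifetimes and
doubling period are constructed inputs, not figures from the page.

```python
import math
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_brute_force_ops(key_bits: int) -> int:
    """Expected number of trial decryptions to find a uniformly random
    key by exhaustive search: half the keyspace, 2**(key_bits - 1)."""
    return 1 << (key_bits - 1)


def extra_bits_for_speedup(speedup: float) -> int:
    """Bits to add to the key so that an attacker with `speedup` times
    the compute is back to the original expected search time: each
    extra bit doubles the work, so log2(speedup), rounded up."""
    return math.ceil(math.log2(speedup))


def expected_years_to_break(key_bits: int, ops_per_second: float) -> float:
    """Expected wall-clock years for an attacker testing `ops_per_second`
    keys per second at a constant rate."""
    return expected_brute_force_ops(key_bits) / ops_per_second / SECONDS_PER_YEAR


def total_work_over_lifetime(ops_per_second_now: float, years: float,
                             doubling_years: Optional[float] = None) -> float:
    """Total trials an attacker can perform over `years` if their rate
    starts at `ops_per_second_now` and doubles every `doubling_years`
    (continuous growth; None means a constant rate).  The integral of
    r0 * 2**(t/d) from 0 to T is r0 * (d / ln 2) * (2**(T/d) - 1)."""
    if doubling_years is None:
        return ops_per_second_now * years * SECONDS_PER_YEAR
    growth = (doubling_years / math.log(2)) * (2 ** (years / doubling_years) - 1)
    return ops_per_second_now * growth * SECONDS_PER_YEAR


def min_key_bits_for_lifetime(ops_per_second_now: float, years: float,
                              doubling_years: Optional[float] = None,
                              margin_bits: int = 0) -> int:
    """Smallest key length whose expected exhaustive-search cost exceeds
    everything the attacker can do over the lifetime, plus a margin.
    We need 2**(bits - 1) > work, i.e. bits > log2(work) + 1."""
    work = total_work_over_lifetime(ops_per_second_now, years, doubling_years)
    return math.floor(math.log2(work)) + 2 + margin_bits


if __name__ == "__main__":
    # Constructed figure: an attacker testing 2**40 keys per second.
    rate = 2 ** 40
    print("56-bit key at 2**40 keys/s:",
          round(expected_years_to_break(56, rate), 4), "years")
    print("1000x faster attacker is cancelled by",
          extra_bits_for_speedup(1000), "more bits")
    print("bits to outlast 20 years at a constant rate:",
          min_key_bits_for_lifetime(rate, 20))
    print("bits to outlast 20 years with rate doubling every 1.5 years:",
          min_key_bits_for_lifetime(rate, 20, doubling_years=1.5))
```

Each extra bit doubles the search, so a thousandfold faster attacker is
answered by ten bits; the lifetime calculation integrates the growing
rate, which is why the doubling case asks for about ten bits more than
the constant-rate case over the same twenty years.  Only brute force is
modelled here: a structural break of the cipher itself is not fixed by a
longer key.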

#524 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Jul 30, 2004 4:11 pm
Subject: REVIEW: "Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John Berti/Chris Hare
BKOIGTCE.RVW   20040618

"Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John
Berti/Chris Hare, 2004, 0-8493-1707-X, U$69.95/C$101.50
%A   Susan Hansche susan.hansche@...
%A   John Berti jberti@...
%A   Chris Hare chare@..., chare@...
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2004
%G   0-8493-1707-X
%I   Auerbach Publications
%O   U$69.95/C$101.50 800-950-1216 orders@...
%O  http://www.amazon.com/exec/obidos/ASIN/084931707X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/084931707X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/084931707X/robsladesin03-20
%P   910 p. + CD-ROM
%T   "Official (ISC)^2 Guide to the CISSP Exam"

Once again I have to state a bias in regard to this book.  I've known
about this book since its inception, I've known and advised the
authors, I provided bits of the material, and even contributed one
appendix.  (The annotated bibliography and references--surprise,
surprise.)

I was asked to review the chapters while the book was in production.
The reason was, of course, that I had reviewed all the other CISSP
(Certified Information Systems Security Professional) guides.
Specifically, the intent was to ensure that this manual, prepared and
supported by (ISC)^2 (International Information Systems Security
Certification Consortium) was "head and shoulders" above all the other
published works.  This volume is not perfect, by any means, but it is
the best of the current bunch.

Taking material from one source is copying, taking material from two
sources is plagiarism, and taking material from many sources is
research.  This volume has not only research but direct input from a
great many sources.  Some are mentioned in the acknowledgements, a
number of others are to be found on the title page, since sections of
major articles from the venerable "Information Security Management
Handbook" (cf. BKINSCMH.RVW) were included or used as the basis for
parts of the guide.  Even this doesn't exhaust the contributions,
since much of the work is informed by the material in the (ISC)^2 CBK
(Common Body of Knowledge) Review Seminar, and over a hundred
individuals have had the chance to augment that content.  The result
is a breadth and currency of information that exceeds any other guide
on the market.

Sample questions and exams are eagerly sought by candidates for the
CISSP exam.  This guide has a significant advantage in this regard:
not only do a number of the contributors produce questions for the
exam itself (therefore being more than passingly familiar with the
style and level of difficulty required), but the CISSP exam committee
was also approached for advice and input.  No source is able to
provide "actual" CISSP exam questions, but the examples provided in
this volume are very close in form, mix, degree of difficulty, and
concept.

The book is not without its faults.  The sheer volume of the
contributors ensured that topics were covered multiple times, and not
all duplicated areas have been amalgamated.  In addition, the variety
of writing styles can make the text disjointed in places, as it moves
from section to section and subject to subject.  These factors can
make the work difficult and demanding to read and follow.

The CISSP exam, as the security field itself, is a changing target,
and no book can expect to provide the "best" coverage of the topic
indefinitely.  As well, security is an immense discipline, and touches
on an inordinate number of other areas.  This work, however, has come
closest to spanning the range of subject matter necessary to challenge
the CISSP exam, and is currently the best of the guides.

copyright Robert M. Slade, 2004   BKOIGTCE.RVW   20040618



#525 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Sat Jul 31, 2004 11:27 pm
Subject: Menus up to date
OK, the book review menus on niu.edu are up to date, as of Friday.  The
menus on victoria.tc.ca are *almost* up to date, but wouldn't accept a
connection to get the last few files up today.  Hmmm ...

So what are the rest of you doing with the middle-of-the-summer weekend?  :-)


#526 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Aug 3, 2004 3:59 pm
Subject: REVIEW: "Know Your Enemy", Honeynet Project
BKKNYREN.RVW   20040618

"Know Your Enemy", Honeynet Project, 2004, 0-321-16646-9,
U$49.99/C$71.99
%A   Honeynet Project project@... www.honeynet.orb/book/
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2002
%G   0-321-16646-9
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0321166469/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321166469/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321166469/robsladesin03-20
%P   768 p. + CD-ROM
%T   "Know Your Enemy, Second Edition: Learning About Security
       Threats"

The first edition of "Know Your Enemy" was a lot of fun, and it also
contained some valuable advice if you were brand new to the idea of a
honeypot, and wanted to get started quickly.  This second edition has
taken advantage of another couple of years in the development of
honeypots and honeynets, and provides guidance on a new generation of
the technology.  More than that, it promises, and mostly provides,
more detailed information on the analytical aspects of honeynet
operation, including the all-too-often neglected topic of network
forensics.  The page count has more than doubled.

I have frequently said that any book with "hack," or any variant
thereof, in the title is automatically suspect.  This work helps prove
my point, first, because the Honeynet Project members have not used
the term (they refer to attackers as blackhats), and the text also
notes the problems with "exploit" type books: they list old and known
attacks, most of which are protected against, and say nothing about
the attackers and how they work.

Part one describes the honeynet.  Chapter one points out the value of
"knowing the enemy" and the history of the Honeynet Project.  Chapter
two explains what a honeypot is, leading to details on how a honeynet
works, in terms of architecture, policies, and the risks and
responsibilities of operating one, in chapter three.  Building a first
generation honeynet, in chapter four, presents specific details,
although a number of concepts have already been given.  The lessons
from the early years of the project have led to a second generation of
design, which is outlined in chapter five.  Using a single machine to
create a virtual network of simulated machines is described in chapter
six.  Chapter seven extends all of this into distributed networks of
machines.  A number of legal issues are discussed in chapter eight:
specific citations are primarily from US laws, but general concepts
are also examined.

Part two concerns the analysis of data collected from the Honeynet.
Chapter nine looks at the various sources of evidence.  Network
forensic ideas and tools are reviewed in chapter ten, although the
material does tend to jump abruptly from Networking 101 to an
assumption that the reader can parse Snort captures.  Fundamentals of
the data recovery aspects of computer forensics are given in chapter
eleven, leading to the specifics of UNIX recovery in chapter twelve,
and Windows in thirteen.  (These chapters contain details of up to
date tools not available in most of the standard computer forensic
texts.)  I was delighted to see that chapter fourteen addresses
reverse engineering, although only in a limited subset of the full
range of software forensics.  Chapter fifteen reiterates the sources
from chapter nine, and suggests centralized collection and management
of data.

Part three explains what the project has determined about "the enemy"
by the types of attacks that have been launched and detected.  Chapter
sixteen takes a random crack at several topics related to the blackhat
community: a number of points are interesting, but few are very
helpful.  A general overview of attacks is given in chapter seventeen.
Specific attacks, and analyses, on Windows, Linux, and Solaris are
detailed in chapters eighteen to twenty.  Future trends are projected
in chapter twenty one.

The repetition of material that plagued the first edition has been
cleaned up to a great extent, although the text would still benefit
from a tightening up of the material in some chapters.  In addition,
the early examples are not thoroughly explained, making the reader
initially feel that only a firewall audit log specialist would be able
to understand what is being said.  However, as with the first edition,
most of the book is written clearly and well, and it is certainly
worth reading.  In addition, the new material definitely makes this
not merely an interesting read, but something that has the potential
to be a serious reference in the forensic field.

copyright Robert M. Slade, 2004   BKKNYREN.RVW   20040618



#527 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Aug 6, 2004 4:21 pm
Subject: REVIEW: "Software Forensics", Robert M. Slade
BKSFWRFR.RVW   20040706

"Software Forensics", Robert M. Slade, 2004, 0-07-142804-6,
U$39.95/C$3.95/UK#29.99
%A   Robert M. Slade rslade@... rslade@...
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2004
%G   0-07-142804-6
%I   McGraw-Hill Ryerson/Osborne
%O   U$39.95/C$3.95/UK#29.99 800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0071428046/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0071428046/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0071428046/robsladesin03-20
%P   215 p.
%T   "Software Forensics"

As long as I'm reviewing books about which I can't be objective, I
might as well review my own.

This book is about software forensics.  Nobody seems to know what that
is.

"Oh, you look for child porno and drug dealer addresses on seized
computers, right?"  Umm, no.  That's computer forensics which,
although it should be broader, has become limited to the basic data
recovery aspect of the wider field of digital forensics.

Software forensics delves into what evidence you can glean from
software itself.  This is useful in malware and virus research (where
it has long been known as forensic programming), as well as in cases
involving intellectual property and plagiarism.  The study and tools
utilized in software forensics can assist with determining the intent
and authorship of a piece of software.  At times it can even help with
tasks such as recovering source code with legacy programs, or porting
to new systems.

In the book there is an overview of software forensics itself.  One
chapter looks at blackhat sociology and culture, since those
characteristics can be evident in the programming style.  There is
material on the various tools, and properties of malicious software.
Presentation of this type of evidence in court is difficult, so
chapter five reviews expert witness restrictions and other legal
issues.  Content is included on programming cultures, stylistic
analysis, and authorship analysis.

I can say, without any bias whatever, that this is the finest work on
this topic available today.  I can say that, because it's the *only*
book that is dedicated to the subject.

copyright Robert M. Slade, 2004   BKSFWRFR.RVW   20040706


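
Stylistic and authorship analysis, as named in the review above, shown as
an added illustration that is not from the book or from its author: it
profiles a few constructed C snippets on layout and naming habits (indent
character and width, brace placement, camelCase versus snake_case,
comment density), then attributes an unknown snippet to the nearest known
profile.  The snippets, the "alice" and "bob" authors and the feature set
are all invented for this example; real authorship work uses far richer
feature sets and a proper classifier.

```python
import re
from functools import reduce
from math import gcd, sqrt
from typing import Dict

# Constructed samples standing in for code of known authorship.  Each
# "author" is a made-up style, not a real person or project.
KNOWN_SAMPLES: Dict[str, str] = {
    "alice": """\
// Parse a key=value line into the config table.
int parseLine(char *line, ConfigTable *table) {
    char *sep = strchr(line, '=');
    if (sep == NULL) {
        return -1;  // malformed line
    }
    *sep = 0;
    // Keys are case-insensitive, so normalise before insert.
    lowerCase(line);
    return tableInsert(table, line, sep + 1);
}
""",
    "bob": """\
int parse_line(char *line, config_table *table)
{
\tchar *sep = strchr(line, '=');
\tif (sep == NULL)
\t{
\t\treturn -1;
\t}
\t*sep = 0;
\tlower_case(line);
\treturn table_insert(table, line, sep + 1);
}
""",
}

# Constructed sample of unknown authorship.
UNKNOWN_SAMPLE = """\
// Count entries whose key begins with the given prefix.
int countPrefix(ConfigTable *table, const char *prefix) {
    int matches = 0;
    for (int i = 0; i < table->count; i++) {
        if (startsWith(table->keys[i], prefix)) {
            matches++;
        }
    }
    return matches;
}
"""

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def style_profile(src: str) -> Dict[str, float]:
    """Five layout and naming habits, each scaled to [0, 1].  These are
    illustrative features chosen for this example, not a standard set."""
    lines = [l for l in src.splitlines() if l.strip()]
    indented = [l for l in lines if l[:1] in (" ", "\t")]
    tabbed = sum(1 for l in indented if l.startswith("\t"))
    space_indents = [len(l) - len(l.lstrip(" ")) for l in indented if l.startswith(" ")]
    indent_unit = reduce(gcd, space_indents) if space_indents else 0  # 2, 4, 8 ...
    open_braces = sum(l.count("{") for l in lines)
    own_line_braces = sum(1 for l in lines if l.strip() == "{")  # Allman style
    comments = sum(1 for l in lines if l.lstrip().startswith("//"))
    idents = IDENT.findall(src)
    camel = sum(1 for i in idents if re.search(r"[a-z][A-Z]", i))
    snake = sum(1 for i in idents if "_" in i.strip("_"))
    return {
        "tab_indent": tabbed / max(len(indented), 1),
        "indent_unit": min(indent_unit, 8) / 8,
        "brace_own_line": own_line_braces / max(open_braces, 1),
        "camel_case": camel / max(camel + snake, 1),
        "comment_density": comments / max(len(lines), 1),
    }


def distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Euclidean distance between two profiles over the shared features."""
    return sqrt(sum((a[k] - b[k]) ** 2 for k in a))


def attribute(unknown: str, known: Dict[str, str]) -> str:
    """Nearest-neighbour attribution: the known author whose profile is
    closest to the unknown sample's profile."""
    target = style_profile(unknown)
    return min(known, key=lambda name: distance(target, style_profile(known[name])))


if __name__ == "__main__":
    for name, src in KNOWN_SAMPLES.items():
        print(name, style_profile(src))
    print("unknown", style_profile(UNKNOWN_SAMPLE))
    print("closest match:", attribute(UNKNOWN_SAMPLE, KNOWN_SAMPLES))
```

The point of the exercise is that layout and naming survive compilation
poorly but survive copying and light editing very well, which is why
habits like these carry weight in plagiarism and intellectual-property
cases; a determined author can of course change them deliberately.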

#528 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Aug 9, 2004 4:06 pm
Subject: REVIEW: "Stealing the Network: How to Own a Continent", Ryan Russell
BKSTNHOC.RVW   20040721

"Stealing the Network: How to Own a Continent", Ryan Russell, 2004,
1-931836-05-1, U$49.95/C$69.95
%E   Ryan Russell BlueBoar@...
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-931836-05-1
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1931836051/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1931836051/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931836051/robsladesin03-20
%P   402 p.
%T   "Stealing the Network: How to Own a Continent"

This book is fiction (more a series of short stories or scenarios than
a novel), but, like Winn Schwartau's "Pearl Harbor Dot Com" (cf.
BKPRHRDC.RVW, and "Terminal Compromise" before it, BKTRMCMP.RVW), the
authors intend the book to be taken as a serious addition to security
literature.

Chapter one is basically about hiding and paranoia.  The central
character seems to be using a considerable amount of money to hide
while setting up some kind of crime, and then abandons everything.
The points in regard to ensuring computers and data are unrecoverable
are interesting, and probably workable.  The more important aspects of
the plot which involve creating a team, employing cutouts, and
disappearing are left almost completely undetailed.  If, therefore, we
are supposed to learn anything either about crime, or how to detect or
prevent it, the content and information simply aren't there.  The
claim that the "technology" is real, and would work, is unverifiable
because we haven't had any technology yet.  (The writing is edgy,
interesting, and mostly readable.  However, it's also difficult and
confused in places.)

The story continues, via another character (two, actually) in chapter
two.  This time the technical aspects are more detailed (and fairly
realistic) although the community factors are questionable (and the
story has some important gaps).  (I can personally vouch for the fact
that the description of the physical attributes of that specific hotel
is bang on, although the ... umm ... social amenities are not.)  An
"Aftermath" section is at the end of every chapter.  In some instances
the segment provides a little advice on detecting the attacks
described in the story, but this is by no means true in all cases.
Nothing much is added in chapter three: a wireless network is
penetrated for a second time.  Man-in-the-middle attacks, some IP, and
UNIX cracking are added in chapter four, phone phreaking in five, and
sniffing and rootkits in six.  Chapters seven and eight describe
software analysis and exploits.  Malware is used in chapter nine,
although there are the usual unresolved problems with directing
attacks and limiting spread.  The lack of particulars on the intent of
the attack makes the chapter quite perplexing.

As with any volume where multiple authors work on separate chapters,
the quality of the writing varies.  (That the authors did strive
together on the overall plot is evident from a few subtle ties between
different stories.  An appendix lists some of the discussion in this
regard: for those interested in the process of writing and
collaboration it is an interesting piece in its own right.)  One
specific point is that a few sections have very stilted dialogue.
Overall, most of the book is readable as fiction, although it is
hardly thriller level plotting.

Since it is fiction, the story has to be a story, and interesting, and
therefore contain elements that are not related to the technology
under examination.  It is difficult to draw the line between not
enough and too much, but the authors do seem to have included an awful
lot of material that is unimportant either to the security functions
or to the plot.  A number of these digressions are simply confusing.

The characters used in the stories are frequently stereotypes,
although not always of the same type.  (I was very amused by the note
that the book attempted to remain true to geek culture, including
"swearing, boorishness, and allusions to sex without there being any
actual sex.")  If you watch a lot of movies with somewhat technical
themes you can recognize where quite a number of personae come from.

Basic editing is the province of the publisher rather than the
author(s), but it must be noted that spelling, grammatical, and
typographical errors are surprisingly common.  Not enough to be a real
annoyance, but a proper copy edit would have improved the book quite a
bit.

This book is certainly interesting enough (albeit rather disjointed)
as fiction, and technical enough for everyone tired of the usual
Hollywood view of computers.  The security risks noted are real, and
therefore a read through the book could be used to alert non-
specialists to a number of security issues and vulnerabilities
(although you'd hardly want to use it for training).  I enjoyed it and
I think it's got a place, although I'm having difficulty in defining
where that place is.

copyright Robert M. Slade, 2004   BKSTNHOC.RVW   20040721



#529 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Aug 12, 2004 4:22 pm
Subject: REVIEW: "Security Assessment", Greg Miles et al
BKSACSNI.RVW   20040721

"Security Assessment", Greg Miles et al, 2004, 1-932266-96-8,
U$69.95/C$89.95
%A   Greg Miles gmiles@...
%A   Russ Rogers rrogers@...
%A   Ed Fuller
%A   Matthew Paul Hoagberg
%A   Ted Dykstra
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-932266-96-8
%I   Syngress Media, Inc.
%O   U$69.95/C$89.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1932266968/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1932266968/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1932266968/robsladesin03-20
%P   429 p.
%T   "Security Assessment: Case Studies for Implementing the NSA IAM"

The introduction tries to explain the NSA (National Security Agency)
IAM (Information Assurance Methodology), but is so heavily larded with
(management) buzzwords that no clear concept emerges.  The indications
are that the book is primarily aimed at those who have taken one of
the IAM courses, although there is an explicit statement that the
material can be used by untrained professionals and also by the
"customers" who are undergoing an assessment.

Chapter one describes IAM in words that make it seem very similar to
such tools as CoBIT (ISACA's Control Objectives for Information
Technology tool), ISO 17799, and the NIST (the US National Institute
of Standards and Technology) self-assessment guide.  However, almost
all of the chapter is devoted to a promotion of sharp negotiation of
the scope of an IAM contract, from the vendor perspective.  Chapter
two reiterates the need to control customer expectations and define
contract objectives.  (There is more jargon, and also the use of
idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site
Visit].)  The Organizational Information Criticality Matrix (OICM)
described in chapter three is a kind of simplistic business impact
analysis.  In chapter four, system information criticality and the
System Criticality Matrix (SCM) are said to be more detailed than the
OICM.  Defining system boundaries is acknowledged to be difficult, but
neither the explanation nor the examples used are of any help in
clarifying the issue.  Both the text and the tables used in the "case
study" are extremely confusing in regard to the relation between
entries in the OICM and the SCM.

The system security environment, described in chapter five, is what
most people would know as corporate culture: the general attitudes and
behaviours common to an institution.  The book suggests finding and
using the CONOPS (concept of operations) documentation while admitting
that it may not be found in most commercial enterprises.  (The authors
don't explain that this is basically identical to the common policy
and procedures manuals, although they do eventually get around to
mentioning these texts.)  The TAP (Technical Assessment Plan) is
actually just a specific format for a detailed contract, so we have to
go through all of that type of editorial comment again, without really
getting much information about the recommended TAP structure.  Chapter
seven involves the assessment itself, and generally deals with
administrative details--and making sure that the customer does not
modify the scope of the contract.  The eighteen basic information
security models get listed, although this seems to be almost an
afterthought, rather than the core of the IAM itself.  Findings, the
report of the assessment results, are described in chapter eight.  A
sixteen page example does little more than provide a format.  The
close out report, in chapter nine, is a final sales meeting with the
customer.  The final report is given in a different, and more general,
format in chapter ten.  Cleanup work and followup sales of consulting
are discussed in chapter eleven.

The constant repetition of very basic ideas and the turgid and
buzzword-laden text make this work far longer than is justified by the
information provided.  In addition, the extreme emphasis on the
viewpoint of a vendor trying to sell a contract (and protect himself
from doing any unbillable work) is a severe limitation on the audience
for this tome.  Essential components of the IAM model and process do
not seem to hold any central place in the book, and the reader
discovers them almost by accident, and in spite of the writing rather
than because of it.

copyright Robert M. Slade, 2004   BKSACSNI.RVW   20040721


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
...a State, which dwarfs its men, in order that they may be more
docile instruments in its hands even for beneficial purposes,
will find that with small men no great thing can really be
accomplished...
        - John Stuart Mill (1806-1873), On Liberty and Utilitarianism
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#530 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Aug 17, 2004 4:46 pm
Subject: REVIEW: "Computer Security for the Home and Small Office", Thomas C. Greene
secgloss
BKCMSCHO.RVW   20040727

"Computer Security for the Home and Small Office", Thomas C. Greene,
2004, 1-59059-316-2, U$39.99/C$57.95
%A   Thomas C. Greene http://basicsec.org tcgreene@...
%C   2560 Ninth Street, Suite 219, Berkeley, CA   94710
%D   2004
%G   1-59059-316-2
%I   Apress
%O   U$39.99/C$57.95 510-549-5930 fax 510-549-5939 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1590593162/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1590593162/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1590593162/robsladesin03-20
%P   405 p.
%T   "Computer Security for the Home and Small Office"

Thomas Greene asked me to do the technical review for this book, which
speaks to his bravery, regardless of what it says about his wisdom.
So there's no point in pretending that I'm unbiased here.  However, I
must say that I was bracing myself for yet another security book by a
writer rather than a techie--and was delightfully surprised, right
from the beginning, at how useful Greene's material was.

The "Introduction" is a bit unusual: it doesn't lay out the theme or
structure of the book, but jumps right into dispelling myths and
making suggestions.  You will be introduced to the fact that Greene is
an Open Source/Linux ... well, fanatic might be too mild a term,
extremist might be closer to reality.  There is also a section on how
to get, and configure, the Mozilla Web browser for safer surfing.

Chapter one deals with the dark side of computing, and a variety of
attendant risks.  The descriptions sometimes gloss over technical
niceties, but the assessment of threat levels is more reasonable than
in most similar works.  Vulnerabilities and means of attack are
presented in chapter two.  An excellent and helpful list of Windows
services that most users can turn off at no cost to function (and
considerable addition in safety) is provided, as is a similar list for
Linux.  A sensible review of social engineering is presented in
chapter three.  More advanced tools are introduced in chapter four,
but, in contrast to many similar works, the text goes on to provide
explanations and suggestions on use.

Chapter five explains many places where information may be stored on
your computer (and network) in the course of normal operations, and
how to clean up after yourself.  Greene really lets himself go in his
promotion of Linux and Open Source software in chapter six, presenting
sanguine arguments.  In chapter seven, a number of anecdotes are used
to support the idea that you can learn about the computer and take
control of your own safety, without having to live in fear of the
unknown, or be dependent upon consultants of unknown competence.

This book presents material for the intelligent but non-specialist
computer user.  The text is readable, and the content useful.  It does
not cover the entire range of computer security, but it does provide
valuable information for those who rely on computers for their work,
and would like to achieve a level of security that is significantly
higher than that available by default, without having to spend a great
deal of time and money on it.  Particularly for the Windows XP user,
this is my primary endorsement for a computer security book.  I would
also recommend the work to security professionals, at least as a
reference, since it contains Windows configuration that system
administrators should know, and the vast majority don't.

copyright Robert M. Slade, 2004   BKCMSCHO.RVW   20040727


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Any medium powerful enough to extend man's reach is powerful
enough to topple his world.
     - Alan Kay, `Computer Software', Scientific American, Sept. 1984
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#531 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Aug 20, 2004 4:42 pm
Subject: REVIEW: "Cyberethics: Morality and Law in Cyberspace", Richard Spinello
secgloss
BKCYBETH.RVW   20040719

"Cyberethics: Morality and Law in Cyberspace", Richard Spinello, 2004,
0-7637-1269-8
%A   Richard Spinello
%C   40 Tall Pine Drive, Sudbury, MA   01776
%D   2000
%G   0-7637-1269-8
%I   Jones and Bartlett Publishers
%O   U$32.95/C$54.57 978-443-5000 fax: 978-443-8000 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0763712698/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0763712698/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0763712698/robsladesin03-20
%P   165 p.
%T   "Cyberethics: Morality and Law in Cyberspace"

Chapter one outlines basic moral theories and categories of theories.
The early material is turgid and unclear, but it does improve.  A
simplistic history and outline of Internet technology and use, in
chapter two, points out that all forms of net governance have problems
and therefore ethics are important.  There is, though, no ethical
debate on regulation.  Free speech and censorship are discussed in
chapter three, mostly dealing with pornography.  The difficulties of
various positions are enumerated but there is little ethical analysis.
Two ethical scenarios are included for deliberation, at the end of the
chapter.  Chapter four examines the legal view with regard to
intellectual property, but does go on to assess the ethical arguments,
particularly from Locke and Hegel.  The material is limited: there is,
for example, no analysis of the various eastern philosophies that
place a higher value on the rights of society over that of the
individual, and therefore hold patent restrictions to be somewhat
immoral.  The text goes on to raise related issues such as digital
rights architectures, but fails to explore, for example, the
historical technical failures of such systems (as in the case of CD
and DVD protection) or the fragmenting and isolating effects of the
technologies.  Chapter five does deal with moral arguments for
privacy, initially, but only briefly, and primarily points out the
problems that philosophical debate has had in dealing with the issue.
The theoretical debate is limited and fails to deal with positions
such as those of David Brin, who holds that the "good" provided by
privacy can, in most cases, be supported by reciprocal transparency
(cf. BKTRASOC.RVW).  The rather spotty overview of security, in
chapter six, is flawed because it relies heavily on fundamentals, such
as property and privacy rights, which were only partially supported in
earlier parts of the book.

This work does discuss a number of problematic areas where ethics
could make a contribution.  However, aside from the lucid presentation
of divisions of moral theories given in the last half of chapter one,
overall the book does not add much to the literature already covering
the topic.  I would still suggest that Johnson's volume (cf.
BKCMPETH.RVW) has the clearest presentation of the topic, and Tavani's
more recent "Ethics and Technology" (cf. BKETHTCH.RVW) provides better
academic background.

copyright Robert M. Slade, 2004   BKCYBETH.RVW   20040719


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Book (n): a utensil used to pass time while waiting for TV repair.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#532 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Mon Aug 23, 2004 4:36 pm
Subject: REVIEW: "Fighting Spam for Dummies", John R. Levine/Margaret Levine Young/Ray Everett-Church
secgloss
BKFTSPDM.RVW   20040719

"Fighting Spam for Dummies", John R. Levine/Margaret Levine Young/Ray
Everett-Church, 2004, 0-7645-5965-6, U$14.99/C$21.99/UK#9.99
%A   John R. Levine www.iecc.com/johnl
%A   Margaret Levine Young www.gurus.com/margy
%A   Ray Everett-Church www.everett.org
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-7645-5965-6
%I   John Wiley & Sons, Inc.
%O   U$14.99/C$21.99/UK#9.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764559656/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764559656/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764559656/robsladesin03-20
%P   222 p.
%T   "Fighting Spam for Dummies"

Part one introduces the world of spam.  Chapter one tells us that spam
is bad and that spammers like to do it, but there is little substance
to the material and a lot of oddly spam-like verbiage.  Even though
the authors outline the "dictionary" process (that generates addresses
on a semi-random basis) in chapter two, they insist on trotting out
the usual recommendations to limit exposure and prevent address
harvesting.  A confusing look at US law, in chapter three, says that
the situation is confused.  Chapter four does provide information
about obtaining and deciphering email headers, but the attempts to be
funny make it hard to understand.

Part two deals with filtering spam.  Chapter five has a generic
description of filtering, but there is little useful content.
Chapters six to ten describe menu items related to filtering in the
Outlook, Netscape, Eudora, AOL, Hotmail, and Yahoo programs.

Part three looks at filtering programs and services.  Chapter eleven
has a terse review list of major filtering programs (with some odd
exceptions: SpamAssassin is not mentioned), a few spam filter review
sites, and fairly detailed descriptions of POPfile and Spam Bully.  A
reasonable, if brief, outline of filtering services is given in
chapter twelve.  Chapter thirteen touches on a few items not
previously detailed, but it is far from being a useful guide to the
network and email administrators that it supposedly addresses.

Part four is the usual "Part of Tens."  Chapter fourteen lists the
most common spam scams.  The list of annoyances in chapter fifteen is
mostly unrelated to spam.  (For the one that is, dealing with popups,
some fairly complex solutions are listed, and a simple one is missed--
turning off JavaScript and ActiveX works great.  The cost to the user
will vary with patterns of activity.)

This book does provide some pointers to software based assistance with
spam filtering and removal.  However, even in relation to the
minuscule size of the book the content is very thin.  Repetition,
editorializing, and attempted humour take the place of substantive
information.

"Stopping Spam" (cf. BKSTPSPM.RVW) and "Removing the Spam" (cf.
BKRMSPAM.RVW) are from an older era, and address the issue from a
perspective of users who were more used to manual email controls, as
well as a time when spam was not the overwhelming majority of email.
Even so, they dealt with the issue realistically and informatively,
which this book does not.  The current work is better than nothing,
but only just.

copyright Robert M. Slade, 2004   BKFTSPDM.RVW   20040719


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
       I haven't lost my mind -- it's backed up on tape somewhere.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#533 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Thu Aug 26, 2004 5:58 pm
Subject: REVIEW: "Internet Security", Tim Speed/Juanita Ellis
secgloss
BKISJSAM.RVW   20040719

"Internet Security", Tim Speed/Juanita Ellis, 2003, 1-55558-298-2,
U$44.99
%A   Tim Speed
%A   Juanita Ellis
%C   225 Wildwood Street, Woburn, MA  01801
%D   2003
%G   1-55558-298-2
%I   Digital Press
%O   U$44.99 800-366-BOOK Fax: 617-933-6333 fax: +1-800-446-6520
%O  http://www.amazon.com/exec/obidos/ASIN/1555582982/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1555582982/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1555582982/robsladesin03-20
%P   398 p.
%T   "Internet Security: A Jumpstart for Systems Administrators and
       IT Managers"

The introduction starts out by talking about wild west bank robbers
and then admits that those stories have nothing to do with the topic
at hand.  Inexplicably, the theme continues to be used throughout the
book.

Chapter one gives a timeline of Internet related historical events,
and an overview of the base protocols of the TCP/IP suite at various
levels of detail.  (There are also some screenshots from Microsoft
Windows.)  The security review process provided in chapter two is not
bad, although it gets weaker as it moves into details.  Cryptography
is explained on an "it works by magic" level in chapter three.
Chapter four talks about some of the technologies discussed earlier,
but the purpose of the repetition is unclear.  Firewalls are described
in chapter five, and a checklist for evaluating them is provided, but
many points on the review form will be difficult for any but the
expert to assess.  Aspects of authentication are discussed in chapter
six, but there is very limited explanation on most points.  Factors
involved in public key infrastructures are handled in much the same
way in chapter seven.  Chapter eight, supposedly about messaging
security, starts out with viruses and other malware, drifts through
spam, and ends up with a number of issues regarding proper
configuration of email systems.  A reasonably good overview of risk
management and mitigation is given in chapter nine, although the
material could use a bit more structure.  The content on incident
response, disaster recovery, and business continuity, in chapter ten,
is not as good, but still fair.

Those who know security will recognize the patterns underlying the
material that the authors present.  Those who have tried to explain
security concepts, however, will understand that what is given in the
text is superficial and sometimes misleading.  IT managers who do not
require details may be able to take a very limited familiarity with
terms and concepts from this work.  System administrators will need
considerably more detail, and need material with a greater
comprehension of areas of strength and weakness in the various aspects
and technologies of security.

copyright Robert M. Slade, 2004   BKISJSAM.RVW   20040719


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
Solve 90% of the problem as simply as you can, and then remove
the other 10% from the problem requirements.         - Marshall Rose
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#534 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Wed Sep 1, 2004 4:45 pm
Subject: REVIEW: "The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes
secgloss
BKSEPYIA.RVW   20040719

"The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes, 2002,
0-13-061906-X, U$34.99/C$54.99
%A   Paul E. Proctor
%A   F. Christian Byrnes
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2002
%G   0-13-061906-X
%I   Prentice Hall
%O   U$34.99/C$54.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/013061906X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/013061906X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/013061906X/robsladesin03-20
%P   304 p.
%T   "The Secured Enterprise: Protecting Your Information Assets"

The introduction states that the book is aimed at business
professionals, but that security professionals may also find it useful
as a reference.

Part one is an introduction to security.  So is chapter one, which
extends the traditional CIA (Confidentiality, Integrity, Availability)
security triad to include non-repudiation.  (Most security analysts
would see that function as a special case of integrity.)  This muddled
thinking is echoed by the muddled structure of the chapter, which
touches tersely on roles and policies, and contains an extremely
incomplete list of security technologies.  Miscellaneous threats are
mentioned in chapter two.  Policies are revisited in chapter three,
although the discussion is not clear in regard to high level policy
formation, and more applicable to access privilege or procedures.
Chapter four deals specifically with access control, but in a
disorganized and incomplete fashion.

Part two deals with security technologies.  Chapter five is an
incomplete definition and description of firewalls (stateful and
circuit proxy types are never mentioned).  An incomplete description
of vulnerability scanners is given in chapter six.  An incomplete and
very dated discussion of viruses and protection makes up chapter
seven.  (Various implementations of scanning are noted, but there is
no reference to activity monitors or change detection).  The limited
review of intrusion detection, in chapter eight, has a rather
misleading explanation of sensor topology, and no clear explanation at
all of engine types.  Chapter nine has a simplistic outline of
asymmetric cryptography and public key infrastructure (and a very odd
example of the key management problem).  Chapter ten has lots of
verbiage about virtual private networks.  A strange conflation of
mobile communication and wireless LAN topics is in chapter eleven.
Chapter twelve seems to both recommend and disparage single sign-on.
A promotional piece for digital signature technology is in chapter
thirteen.

Part three discusses implementation.  Chapter fourteen outlines the
setting up of a security program, but only if you know what should go
into the various pieces already.  Security assessment, in chapter
fifteen, is limited to different types of penetration or vulnerability
testing, with a ludicrously short description of risk assessment.
There is a simplistic overview of incident response and business
continuity planning in chapter seventeen.  Random bits of Web and
Internet security are listed in chapter eighteen.

Given the scattered nature of the entire work, it is curious that part
four is entitled "Odds and Ends."  Miscellaneous legal issues are
raised in chapter nineteen.  Chapter twenty is supposed to help you
with "Putting It All Together," but just contains editorial advice.

OK, is it good for non-security businesspeople?  Maybe, if they really
know extremely little about security, and don't need to manage the
security function.  They will at least obtain some familiarity with
the terms that might be used, although it could be a case of a little
knowledge being a dangerous thing.  As for security professionals: get
some decent references.

copyright Robert M. Slade, 2004   BKSEPYIA.RVW   20040719


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
I appreciate the fact that this draft was done in haste, but
some of the sentences that you are sending out in the world to
do your work for you are loitering in taverns or asleep beside
the highway.
            -- Dr. Dwight Van de Vate, Professor of Philosophy,
                    University of Tennessee at Knoxville
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#535 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Tue Sep 7, 2004 7:43 pm
Subject: REVIEW: "Ethics and Computing", Kevin W. Bowyer
secgloss
BKETHCMP.RVW   20040623

"Ethics and Computing", Kevin W. Bowyer, 2001, 0-7803-6019-2,
U$65.96/C$93.99
%A   Kevin W. Bowyer kwb@...
%C   10662 Vaqueros Circle, Los Alamitos, CA   90720-1314
%D   2001
%G   0-7803-6019-2
%I   IEEE Computer Society Press
%O   U$65.96/C$93.99 800-2726657 fax 714-8214401 cs.books@...
%O  http://www.amazon.com/exec/obidos/ASIN/0780360192/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0780360192/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0780360192/robsladesin03-20
%P   429
%T   "Ethics and Computing: Living Responsibly in a Computerized World"

Chapter one is a mundane outline of concepts in ethics and
professional ethics, without getting into the standard theories.  The
chapter ends with an actual scenario involving whistle-blowing.  There
are reprints of articles on related issues (at the end of each
chapter), and "worksheets" asking some fairly general ethical
questions.  Critical thinking, in chapter two, concentrates on
failures of logic.  A number of professional codes of conduct are
printed in chapter three, with a bit of discussion.  Chapter four
describes some blackhat types and activities, without looking much at
the ethical issues.  (The reprinted articles are more than twice as
long as the chapter itself.)  Chapter five is a rather confusing
amalgam of basic encryption types and US legal cases involving
wiretaps.  A vague mention of the Therac 25 incident, and the
importance of safety critical systems, exhausts the three pages of
chapter six, but leads to fifty-five pages of reprints.  Whistle-
blowing gets more detailed review in chapter seven.  Chapter eight
outlines US law with regard to intellectual property.  Hazardous
materials and bad ergonomic design are mentioned briefly in chapter
nine.  Chapter ten moves back to an arena closer to ethics with the
concept of fairness.  Some vague advice about managing your career is
in chapter eleven.

While the assortment of articles might be handy in terms of collecting
"real world" scenarios for discussion, the written text of the book,
and the discussion of ethical issues, does not provide much in the way
of direction or philosophical background.  Deborah Johnson's "Computer
Ethics" (cf. BKCMPETH.RVW) is far superior and even Schwartau's
"Internet and Computer Ethics for Kids" (cf. BKINCMEK.RVW) provides
better discussions and explanation, while Tavani's "Ethics and
Technology" (cf. BKETHTCH.RVW) contributes significantly more to the
formal framework for ethical study.

copyright Robert M. Slade, 2004   BKETHCMP.RVW   20040623


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
In six years G. W. Bush and Texas executed 131 prisoners, of whom
43 had defence attorneys sanctioned for misconduct at some point
40 involved the defence presenting no evidence or one witness
29 included psychiatric testimony deemed unethical/untrustworthy
23 included jailhouse informants, and
3 in which the defence lawyers slept during the trial.
                                   - Maclean's, March 19, 2001, p. 56
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#536 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <slade@...>
Date: Fri Sep 17, 2004 8:08 pm
Subject: REVIEW: "Systems Reliability and Failure Prevention", Herbert Hecht
secgloss
BKSYRLFP.RVW   20040531

"Systems Reliability and Failure Prevention", Herbert Hecht, 2004,
1-58053-372-8, U$79.00
%A   Herbert Hecht
%C   685 Canton St., Norwood, MA   02062
%D   2004
%G   1-58053-372-8
%I   Artech House/Horizon
%O   U$79.00 800-225-9977 fax: +1-617-769-6334 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1580533728/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580533728/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533728/robsladesin03-20
%P   230 p.
%T   "Systems Reliability and Failure Prevention"

Chapter one is a very brief introduction: almost a preface.  Basic
statistical measures of failure and service are described in chapter
two.  "Organizational Causes of Failures," in chapter three, tells
stories of some major disasters, but provides no structural
recommendations.  Chapter four looks at analytical approaches to
failure prevention, covering the failure modes and effects analysis
(FMEA) and fault tree analysis (FTA) methods that should be more
widely used in general risk assessment.  The discussion of testing
types, purposes, and analysis, in chapter five, raises some very
interesting questions: if a thousand versions of a part are tested for
a thousand hours and only one fails, does this *really* support the
vendor's assertion that the mean time between failures (MTBF) is a
million hours--or is it equally possible that all of them start
failing shortly after a thousand hours, and one failed early?  Factors
such as partitioning, involved in implementing redundancy in a system,
are reviewed in chapter six.  The material on software reliability, in
chapter seven, is rather disappointing: there is still an evident
hardware bias, little deliberation regarding the nature of software,
and the techniques for stability are limited to UML (Universal
Modeling Language) analysis, which is, itself, only suitable to
object-oriented tasks.  Chapter eight looks at the project life cycle,
the preferred development models, reliability activities in various
phases, testing, and reviews.  In chapter nine Hecht addresses
economic considerations in preventing versus accepting failures with a
good deal of math: a more practical illustration is provided in
chapter ten.  Chapter eleven uses the techniques explained in the book
in three example cases.

For those involved in risk analysis and operation continuity work,
this text is a tutorial for a number of engineering principles that
are not widely discussed in the available literature.  However, there
are a multitude of topics that sound interesting and useful, but are
not presented in sufficient detail to be useful to the non-engineering
professional.  For those in the field, the book will definitely be
worth reading, but it probably could have provided much more
assistance to those in the safety and security field.

copyright Robert M. Slade, 2004   BKSYRLFP.RVW   20040531


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...      slade@...      rslade@...
I do not know what I may appear to the world; but to myself I
seem to have been only like a boy playing on the seashore, and
diverting myself now and then finding a smoother pebble or a
prettier shell than ordinary, whilst the great ocean of truth lay
all undiscovered before me.                           - Isaac Newton
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
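The MTBF question raised in the review of Hecht's chapter five (a thousand parts tested for a thousand hours, one failure) can be worked through numerically. The following is an added example, not code from the review or from Hecht's book; it assumes the constant-hazard (exponential) model behind the vendor's "million hours" figure and a Weibull wear-out model (shape parameter chosen by me) that is tuned to produce exactly the same test outcome. It computes the point estimate, the one-sided 95% lower confidence bound on MTBF under the exponential model, and then shows that a population in which essentially every unit is dead by 3000 hours also yields one expected failure in the same test.

```python
"""Added example: why "1 failure in 1000 units x 1000 hours" does not by
itself support an MTBF of a million hours.  Assumptions (mine, not the
book's): exponential model for the vendor's estimate, Weibull wear-out
model with shape 8 as the competing explanation.
"""
import math

UNITS = 1000          # constructed test: number of parts on test
TEST_HOURS = 1000.0   # constructed test: hours each part ran
FAILURES = 1          # constructed test: failures observed


def mtbf_point_estimate(units, hours, failures):
    """Exponential (constant hazard) point estimate: total unit-hours / failures."""
    return units * hours / failures


def _chi2_cdf_even_df(x, df):
    """Chi-square CDF for even df via the Poisson identity
    P(chi2_{2k} <= x) = 1 - sum_{i<k} e^{-x/2} (x/2)^i / i!  (no scipy needed)."""
    k = df // 2
    lam = x / 2.0
    tail = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return 1.0 - tail


def chi2_quantile_even_df(p, df):
    """Invert the even-df chi-square CDF by bisection."""
    lo, hi = 0.0, 10.0 * df + 100.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if _chi2_cdf_even_df(mid, df) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def mtbf_lower_bound(units, hours, failures, confidence=0.95):
    """One-sided lower confidence bound on MTBF for a time-truncated test
    under the exponential model: 2T / chi2_{confidence}(2r + 2)."""
    total_hours = units * hours
    df = 2 * failures + 2
    return 2.0 * total_hours / chi2_quantile_even_df(confidence, df)


def weibull_cdf(t, shape, scale):
    """Fraction of units failed by time t under a Weibull(shape, scale) life."""
    return 1.0 - math.exp(-((t / scale) ** shape))


def weibull_scale_for_test(units, hours, failures, shape):
    """Choose the Weibull scale so that the expected failure count in the
    test equals the observed count, i.e. F(hours) = failures / units."""
    p = failures / units
    return hours / (-math.log(1.0 - p)) ** (1.0 / shape)


def expected_failures(units, hours, cdf):
    """Expected number of failures among `units` parts run for `hours`."""
    return units * cdf(hours)


def compare_models(units=UNITS, hours=TEST_HOURS, failures=FAILURES, shape=8.0):
    """Put the exponential and wear-out explanations side by side."""
    mtbf = mtbf_point_estimate(units, hours, failures)
    scale = weibull_scale_for_test(units, hours, failures, shape)
    exp_cdf = lambda t: 1.0 - math.exp(-t / mtbf)
    wb_cdf = lambda t: weibull_cdf(t, shape, scale)
    return {
        "mtbf_point_estimate": mtbf,
        "mtbf_lower_95": mtbf_lower_bound(units, hours, failures),
        "weibull_scale_hours": scale,
        "expected_failures_exponential": expected_failures(units, hours, exp_cdf),
        "expected_failures_weibull": expected_failures(units, hours, wb_cdf),
        "exponential_fraction_failed_by_3000h": exp_cdf(3000.0),
        "weibull_fraction_failed_by_3000h": wb_cdf(3000.0),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key:40s} {value:,.4f}")
```

The point estimate comes out at 1,000,000 hours, but the 95% lower bound is only about 210,000 hours, and the Weibull population (scale about 2370 hours) produces the same single expected failure while losing more than 99% of its units by 3000 hours. The test as described cannot tell the two stories apart; only running some units well past 1000 hours, or analysing failure times rather than counts, would.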
