techbooks · Internet Review Project
#738 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 8, 2007 7:51 pm
Subject: REVIEW: "Cyber-Safe Kids, Cyber-Savvy Teens", Nancy Willard
secgloss
(Rather disturbingly, when I went to post this on Usenet News, I found as many
lists dedicated to child pornography as I did to child protection ...)

BKCSKCST.RVW   20070615

"Cyber-Safe Kids, Cyber-Savvy Teens", Nancy Willard, 2007,
978-0-7879-9417-4, US$14.95/C$17.99/UK#9.99
%A   Nancy Willard cskcst.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   978-0-7879-9417-4
%I   John Wiley & Sons, Inc.
%O   US$14.95/C$17.99/UK#9.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0787994170/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0787994170/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0787994170/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   324 p.
%T   "Cyber-Safe Kids, Cyber-Savvy Teens"

There are thirty-five short chapters in the book, grouped into five
parts.  The work seems to proceed from an assumed position that
children need parental guidance, but addresses only in limited fashion
the frequently held perception that children know more about the
Internet and computers, although they lack judgment.  (This perception
may cause children to disregard advice from those who aren't current
with the technology, and may make parents hesitant about taking charge
in unfamiliar territory.)

Part one is an overview of approaches to the online world and its
dangers, a mix of general background information and strategies that
parents can use in regard to the use of the Internet by their
children.  The material starts with an analogy to the development of
safe activities at play, and touches on risks and concerns, guidelines
at different ages, parenting styles (a trifle dismissively),
filtering, supervision, the benefits of collaborating with other
parents, warning indications, non-home venues, and the importance of a
formal parent-teen agreement.  The content includes a list of online
dangers, ranging from pornography to plagiarism.  While the risk of
the former is fairly obvious, there is little discussion of the perils
of the latter activity, and this glossing over of the less common
topics is unfortunately characteristic of the book as a whole,
although it is understandable given the vast range of content that
could be covered.  Part two notes broad categories of hazards, looking
into aspects of social networking, e-commerce, privacy, addictive
behaviour, the credibility of online information, and the
trustworthiness (or not) of strangers.

Part three again examines liberal classifications, this time on
limitations of young judgment.  Whereas the earlier material on
technology was limited in detail, this section moves into deep
conceptual areas such as developmental requirements and sequences.
Unfortunately, for those who do not have Willard's extraordinary grasp
of those issues, little background is provided.  Thus, parents are
advised to use arguments that they may not be able to support (or even
understand).  (Interestingly, one chapter has a list of indicators to
determine whether your child is "at risk," but does not overtly deal
with the possibility that the child may be "at risk" due to parents
that are uninvolved, over-controlling, or over-permissive.)

Part four is probably the section that will feel closer in tone to
other works on the topic of children and the Internet, as well as
being of the greatest direct use to parents.  Specific concerns of
sex, online aggression, self-destructive activity communities, hate
groups, threats of suicide or killing, addictive or violent gaming,
gambling, and computer scams are addressed.  The quality is uneven:
sex is handled fully and well, but malware, while decent guidelines
are provided, has little in the way of rationale or background
material.

Part five is a one-chapter, three-page list of seven brief suggestions
for safer and useful online activities for kids.

The information provided in the book is useful and extensive, but is
not always structured as a reference guide.  However, Willard has gone
beyond the volumes that are simple lists of dos and don'ts, by
examining the inherent reasons that kids, specifically, are at greater
risk on the net.  The material in the work is not a simple panacea,
but will reward diligent application.

copyright Robert M. Slade, 2007   BKCSKCST.RVW   20070615


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
This is a very good sign, [that someone] is a humanist,
a universal spirit,  too interested in too many things to become
a monomaniac.  Only a monomaniac gets what we commonly refer to
as `results'.         - Albert Einstein
http://victoria.tc.ca/techrev/rms.htm

#739 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 15, 2007 8:38 pm
Subject: REVIEW: "The Complete April Fools' Day RFCs", Thomas A. Limoncelli/Peter H. Salus
secgloss
BKAFDRFC.RVW   20070814

"The Complete April Fools' Day RFCs", Thomas A. Limoncelli/Peter H.
Salus, 2007, 978-1-57398-042-5
%A   Thomas A. Limoncelli funnybook@...
%A   Peter H. Salus http://www.rfc-humor.com peter@...
%C   P.O. Box 640218, San Jose, CA 95164-0218
%D   2007
%G   978-1-57398-042-5
%I   Peer-to-Peer Communications, Inc.
%O   U$19.95 800-420-2677 fax: 408-435-0895 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1573980420/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1573980420/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1573980420/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   390 p.
%T   "The Complete April Fools' Day RFCs"

For those in the know, the designation "RFC" is a bit of a joke in
itself.  As a "Request For Comment," there is an implication of a
proposal, as opposed to a standard.  In fact, the RFCs are the
"official" documents of the Internet protocols, and are part of a
formal process.  Given the nature of the Internet, and the people
involved, it should come as no surprise that embedded in this library
are jokes, making fun of the process as much as anything else.

(Just to make things clear, this is far from a compendium of all of
the jokes flying around the net, or even all of the jokes about
network standards.  The April Fools' RFCs are a specific class of net
jokes, and are the material of this volume.)

The RFCs themselves present a kind of technical history of the
Internet.  In a similar way, the April Fools' RFCs are a history of
aspects of the Internet.  Some of them document technical concerns and
emphasis, such as the 1990s attempts to implement the Internet on any
base physical transport (RFC 1149, dealing with avian carriers) or
2002's efforts to run all utilities over the Internet (RFC 3251, for
providing electricity over Internet Protocol).  Others reflect more
general social concerns.

The RFCs are all freely available.  This book collects all the April
Fools' documents, and the authors have even made the collection
available on the Internet.  However, the print version contains
additional commentary, structure, and supplementary background
information about the RFC authors.

And it's handy to have the dead trees edition for those times when the
avian carriers aren't flying to your particular hotspot.

copyright Robert M. Slade, 2007   BKAFDRFC.RVW   20070814


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I have heard many things like these, miserable comforters are you
all!  Will your long-winded speeches never end?  What ails you
that you keep on arguing?  I also could speak like you if you
were in my place; I could make fine speeches against you and
shake my head at you.                                   - Job 16:2-4
http://victoria.tc.ca/techrev/rms.htm

#740 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 22, 2007 6:16 pm
Subject: REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw
secgloss
BKEXONGA.RVW   20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008,
0-13-227191-5, U$44.99/C$55.99
%A   Greg Hoglund www.rootkit.com
%A   Gary McGraw www.exploitingonlinegames.com gem@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-13-227191-2 0-13-227191-5
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game?
or
Being a Review of "Exploiting Online Games" With Much Editorializing
and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games?  Isn't this topic a bit trivial?  After all, Hoglund and
McGraw are among the very select few who have been able to use the
"hack to protect" style work.  By examining vulnerabilities they have
created books like "Software Security" (cf. BKSWSBSI.RVW) that have
contributed useful guidance to those attempting to build more robust
and reliable programs.  Therefore, the foreword, preface, and first
chapter all attempt to provide reasons why such a book is needed.

First off, there is a very large virtual economy that interpenetrates
with the [real|cash] one.  Since gamers have started selling
abilities, "game gold," and even characters, game objects now have
cash values in the real world.  As with anything that has an
exchangeable value, the criminal world has taken an interest.  Trade
in game objects now comprises a large fraction of online frauds,
identity theft, and money laundering.  (The trojan posted at the
Dolphin Stadium Website, and others, around SuperBowl time had a
subordinate payload looking specifically for "World of Warcraft"
accounts.)

Everything that relates to software insecurity (and security) in the
online gaming environment applies (though possibly not equally) to
security in other systems.  Therefore, a book noting the security
vulnerabilities of game systems provides an introduction to system
security in general, and application security in particular.  It helps
that the gaming topic is of intrinsic interest to a number of people,
and therefore may spark interest in information security.

(Interestingly, no argument is made in the book that the existence
of vulnerabilities in the game system itself, and particularly on the
client side, may open the gamer to various forms of attack [and not
just by axe-swinging berserkers].  Loopholes in the client software
could lead to openings for intrusions, means of gaining information
about the user or system, or entry points for malware.  We have seen
numerous instances of problems associated with widely used client
software packages, such as those for instant messaging and peer-to-
peer file sharing.)

Chapter two contains a discussion of various ways of manipulating
games.  Most of these are at a conceptual level, although some are
extremely detailed, including macro and C code.  The material also
addresses some countermeasures to the cheats, and a few ways to defeat
the safeguards, as well.  Instances and examinations of the virtual
economies that have sprung up around online games are presented in
chapter three.  Given the earlier stress on the importance of the
point (as a rationale for the book itself), the content is
disappointingly thin in this separate chapter.  American copyright and
related laws (particularly the Digital Millennium Copyright Act) and
End User Licence Agreements are the substance of chapter four.

Chapter five notes a number of bugs, primarily those involving
interactions of complex functions and states of games.  Tools and
techniques for examining and manipulating client software are
described in chapter six.  There is a lot of C code, and, although the
programming is extensive it can't be exhaustive, since the chapter
basically covers a topic to which whole books are devoted.  (Most of
the suggestions are directed at attacking the server, and, again,
there are few mentions of the risks of vulnerabilities in the client.)
Chapter seven provides C code for programming robots to cheat at the
game for you.  The chapter seems oddly placed, since eight returns to
the topic of reverse engineering of software, and lists more tools.
(There is also a rather comprehensive guide to basic functions in
assembly code.)  Advanced game hacking, in chapter nine, deals mostly
with the modification of clients or the creation of alternate game
servers.

Chapter ten starts off with the statement that the primary goal (of
the book) is to "understand the security implication of massively
distributed software systems that have millions of users."  That's a
worthy goal, and one that is indicated by the subtitle.  Therefore, it
is strange to note that not only is this intent omitted from the
rationale given at the beginning, but also that the topic really isn't
addressed in the text.  There are so many notions that could be
explored under that subject, such as the social engineering aspects of
working with large groups, the emergent properties that might arise
from simple functions operating in large numbers of nodes, the massive
power of distributed systems, or even the relation to the botnets that
are currently such a concern.  None of these ideas are explored in the
book or in chapter ten itself, which is simply a fairly brief review
of some decent but basic software security guidelines.

The book is, therefore, a partial success.  The introduction to the
fundamentals of software security via the gaming medium is a
potentially useful and valuable device.  The work does tend to
concentrate more on the game aspects, and less on the generic
principles, but that emphasis is not necessarily a flaw.  The precepts
are sound, and those who do become interested in security will be able
to apply them, and move on to more advanced areas.

copyright Robert M. Slade, 2007   BKEXONGA.RVW   20070913


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
As long as the world is turning and spinning, we're gonna be
dizzy and we're gonna make mistakes.                    - Mel Brooks
http://victoria.tc.ca/techrev/rms.htm

#741 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 5, 2007 4:15 pm
Subject: REVIEW: "Securing VoIP Networks", Peter Thermos/Ari Takanen
secgloss
BKSVOIPN.RVW   20070913

"Securing VoIP Networks", Peter Thermos/Ari Takanen, 2008,
0-321-43734-9, U$44.99/C$51.99
%A   Peter Thermos
%A   Ari Takanen
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-43734-1 0-321-43734-9
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$51.99 fax: 416-443-0948 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321437349/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321437349/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321437349/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   359 p.
%T   "Securing VoIP Networks"

The foreword and preface both stress that the principles used to
secure VoIP (Voice over Internet Protocol) systems are suitable for
any multimedia application over the Internet.  While this may be true
in terms of the technology, the perspective indicates that the authors
fail to recognize how many naive users are experimenting with the
technology, and managing their own systems.  The large number of
novices in this technology space is a major threat in itself.  It is a
truism that there are social controls for technical problems, but no
technical controls for social problems.  That Thermos and Takanen
disregard this situation is disturbing.

Chapter one is a generic overview of telephony and VoIP related
topics.  The discussion of security is also vague.  There is, for
example, mention of the difficulty of node identification, but no
follow up deliberation on resultant problems such as fraud.  VoIP
architectures and protocols are listed in chapter two.  A structure,
and the relationship of the protocols to each other, would have been
an improvement.  Threats are examined in chapter three: some
nebulously and others in excruciating detail.  Chapter four outlines
two lists of vulnerabilities, and then presents a taxonomy of VoIP
hazards based upon those previously presented.  There doesn't seem to
be much practical application to the material, although it may be of
interest to researchers.  Signalling protection mechanisms, listed in
chapter five, are primarily based on existing Internet encryption and
authentication protocols, except for the specialized subset of the
H.323 suite.  The Secure Real Time Protocol (SRTP) is outlined in
chapter six.  Chapter seven deals with key management, which is an
important issue in regard to almost all the security conventions
associated with VoIP.  General network security concerns are discussed
with some emphasis on VoIP in chapters eight and nine.  Chapter ten
examines overall Internet Service Provider (ISP) architectures in
terms of VoIP issues.  Chapter eleven revisits some topics from the
previous three chapters.

The text is turgid and verbose, and the use of idioms is often quite
clumsy and annoying.  While "Practical VoIP Security" (cf.
BKPVOIPS.RVW) is older, and the current work lists some of the more
recent protocols, it is difficult to say that Thermos and Takanen have
provided a more useful text.

copyright Robert M. Slade, 2007   BKSVOIPN.RVW   20070913


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Puritanism: The haunting fear that someone, somewhere may be
happy.                                               - H. L. Mencken
http://victoria.tc.ca/techrev/rms.htm

#742 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Nov 8, 2007 11:15 pm
Subject: REVIEW: "Network Security Hacks", Andrew Lockhart
secgloss
BKNTSCHK.RVW   20070921

"Network Security Hacks", Andrew Lockhart, 2007, 0-596-52763-2,
U$29.99/C$38.99
%A   Andrew Lockhart
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2007
%G   0-596-52763-2 978-0-596-52763-1
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$38.99 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596527632/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596527632/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596527632/robsladesin03-20
%O   Audience i Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   298 p.
%T   "Network Security Hacks, 2nd Edition"

Chapter one lists twenty-two tips for using a number of utilities and
programs to enhance the security of UNIX systems.  The explanations
are clear and specific, although you would probably have to be really
familiar with UNIX administration to get the full benefit of these
suggestions.  Windows gets fourteen hacks in chapter two.  While
useful, these could have had more explanation in some cases, in regard
to the limitations and pitfalls of the recommendations.  A variety of
tools that address aspects of confidentiality are listed in chapter
three.  Almost all of the firewall tools discussed in chapter four are
for UNIX, although some do have Windows versions.  (The Windows
firewall is discussed, but so poorly that one almost suspects that the
whole purpose is to force the reader to use the suggested
alternative.)  Advice on securing various services and applications
(mostly from Guess What Operating System) is given in chapter five.
Again, the bulk of the network security tools discussed in chapter six
are for UNIX, with some Windows editions.  The wireless tips, in
chapter seven, work best with UNIX.  The same is true with the logging
tips in chapter eight, although there is mention of arranging to have
Windows report to a syslogd.  Network monitoring, and some analysis
thereof, is in chapter nine.  Tunnels and VPN (Virtual Private
Network) products are detailed in chapter ten.  Most of the network
intrusion detection material in chapter eleven concerns Snort.  (You
are not my NIDS, you are a Snort!)  Chapter twelve lists a few
recovery and response tools.

If you run a UNIX system and network, this book enumerates many useful
tasks, settings, and tools that will help to make your systems and
network more secure.

copyright Robert M. Slade, 2004, 2007   BKNTSCHK.RVW   20070921

--
Attn CISSPs: (ISC)^2 Board Election voting starts Nov. 16
https://www.isc2.org/cgi-bin/content.cgi?page=1322
https://www.isc2.org/cgi-bin/content.cgi?page=1325
www.noticebored.com/blog/2007/11/attention-fellow-cissps-sscps-and-
caps.html


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Just watch me.               - Pierre Elliott Trudeau, Oct. 13, 1970
http://victoria.tc.ca/techrev/rms.htm

#743 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Nov 29, 2007 11:10 pm
Subject: REVIEW: "Digital Contagions", Jussi Parikka
secgloss
BKDIGCON.RVW   20070923

"Digital Contagions", Jussi Parikka, 2007, 978-0-8204-8837-0, U$35.95
%A   Jussi Parikka users.utu.fi/juspar juspar@...
%C   Moosstrasse 1, Postfach 350, CH-2542 Pieterlen, Switzerland
%D   2007
%G   978-0-8204-8837-0 0-8204-8837-2
%I   Peter Lang AG
%O   U$35.95 +41-32-376-17-17 fax: +41-32-376-17-27 www.peterlang.net
%O  http://www.amazon.com/exec/obidos/ASIN/0820488372/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0820488372/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0820488372/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   327 p.
%T   "Digital Contagions: A Media Archaeology of Computer Viruses"

Buried in the mass of verbiage that makes up the introduction there is
an indication (far from clear) that the intent of the book is to
examine the topic of computer viruses from a cultural, rather than a
technical perspective.  Further, the material Parikka proposes to use
is not related to actual events or activities, but to reports, essays,
and even fiction.  (Hence the reference to "media archaeology" in the
subtitle.  The "contagion" of the title is intended, by the author, to
refer not only to the reproductive spread of viral programs, but also
the new ideas prompted by the existence of these reproductive
applications.)  The idea of examining what people think computer
viruses do (instead of what they actually do) and how the programs are
perceived (rather than how they actually operate) could possibly lead
to some interesting observations.  (I recall, in early seminars on
computer viruses and discussions with the general public, how
frequently I had to explain that viruses were programs and had
authors, and correct the misperception that the applications had just
evolved out of the general computer environment.)  Unfortunately the
introduction also indicates that while Parikka has done extensive
research, he probably hasn't understood it all.  There are a number of
mistakes even in this early listing of events, including an extremely
simplistic definition of viruses and worms themselves, and therefore
the results of his analysis are suspect right from the start.

(In response to the draft of this review, the author stated that "the
point exactly was to question [as the intro says quite clearly] who is
able and allowed to produce knowledge concerning viruses, what is
acknowledged as a "truth" in this context, what kind of alternative
approaches one might be able to come up with. So beyond any ideas of
relativism, it proposes an approach of relationalism: how viruses are
part of broader structures of producing knowledge concerning digital
culture [always in relations, that is.]"  Again, I would have to say
that this is a potentially fascinating study, but that it isn't
articulated clearly, and that the resulting opinions are severely
limited in value due to a lack of distinction between perception and
technical reality.)

In chapter one, the author states that viruses have created fear in
computer users.  Unfortunately, he gives computer users too much
credit in terms of their understanding of the processes involved, as
well as overstating the concern felt by the majority of information
security professionals.  It is only in the past two years that surveys
have started to show the overarching magnitude of the situation, and
only in the past year that "endpoint security" has become a product
selling point.  His background analysis is also slipshod: insects
didn't get into the Mark II because of lights at night, but due to
(humanly inaccessible) windows that had to be left open for
ventilation.  (The use of this particular example in Parikka's work is
rather fascinating, since the Mark II used Harvard Architecture, and
would have been immune to viruses without a major shift in the
underlying operational model.)  The use of the term "bugs" for errors
in Morse code was more likely due to the use of the term "bug" for the
telegraph key: it was the user interface.  (A similar term exists in
the computer world to describe errors: pebkac, or "problem exists
between keyboard and chair.")  Parikka has not sufficiently understood
the culture of the technical communities he is studying.  In
subsequent discussions, the author fails to appreciate the importance
of the distinction between independent malware, and the more directly
utilized blackhat programs such as network mappers and rootkits, as
well as the distinction between malware activity and computer
intruders.  The historical overview seems to end rather abruptly circa
1995.

Although there are occasional mentions of, and references to, computer
viral programs in chapter two, in general Parikka seems to turn away
from the topic in order to explore cultural ideas of the body,
biological viruses, AIDS, the face, and immunity.  He does finish off
with a section exploring the idea of virus writers as psychologically
abnormal, but even here much of the content falls prey to the all-too-
common confusion between virus writers and other blackhat groups.

Chapter three discusses ideas of artificial organisms and ecologies.
Again, while viruses are remarked on, they are not central to the
deliberation.  It is, however, interesting to note Fred Cohen's
comment that the Morris worm was possibly "the most powerful high-
speed computation event" up to that date, particularly in light of
estimates that the Storm botnet was, at one point, potentially the
second most powerful supercomputer in existence.

A "Conclusion" is entitled "Media Archaeology as Ecology."  The point
seems to be that writings not only record what people have thought
about certain events and conditions, but what they will think in the
future.

Parikka seems to go out of his way to use abstruse words that are
seldom used, and therefore probably poorly understood.  The text is
heavily larded with esoteric cultural references and unusual (and
frequently poorly defined) terms or constructions.  One gets the
feeling that the author is possibly unsure of his own propositions,
and is attempting to convince the reader by a kind of verbal hand-waving.
The bibliography, and extensive footnotes, are impressive and
even intimidating.  A couple of my own works are cited frequently.
Because of that, I know that statements and passages supposedly from,
or supported by, those references sometimes are not buttressed by the
credential in question.  In any case, there are definitely errors of
fact even in the "Timeline of Computer Viruses."  No version of the
Dellinger Apple virus of 1981 spread via the "Congo" game, although
one variant interfered with it.

Another point that the author made in response to the draft of this
review is that he is writing from a perspective in social science, and
that what I dismiss as verbiage would make sense to his colleagues.
Unfortunately, I have to believe that this attitude betrays the
obligation a writer has to his readers, not all of whom may be from a
specialized field.  A creator of technical literature (aside from
documentation or textbooks crafted specifically for a limited
audience) has to be prepared to explain, in basic language, the intent
and major concepts being presented.  This requirement is as applicable
to social science as it is to computer science, and Parikka has not
addressed it sufficiently.  If he is, indeed, to make a contribution
in this field, presumably he has to be able to make his points clearly
to us dummies in the malware research community, too.

Parikka's aim, in examining the influence of computer viruses on
popular culture, as well as the prejudices that popular culture might
impose upon attitudes toward viruses, is a good one, and could have
resulted in some interesting insights.  While other authors (despite
the exaggerated claim by at least one reviewer) have addressed the
history and development of viral programs, I cannot think of another
work so dedicated to the "people" side of the problem.  Unfortunately,
the lack of rigour in Parikka's research and analysis (possibly
exacerbated by his limited understanding of the underlying
technologies) restricts the confidence one can have in his
conclusions.

copyright Robert M. Slade, 2007   BKDIGCON.RVW   20070923


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Sometimes I worry about being a success in a mediocre world.
                                                        - Lily Tomlin
http://victoria.tc.ca/techrev/rms.htm

#744 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Dec 3, 2007 8:02 pm
Subject: REVIEW: "Mastering FreeBSD and OpenBSD Security", Yanek Korff/Paco Hope/Bruce Potter
secgloss
BKMFBAOB.RVW   20070923

"Mastering FreeBSD and OpenBSD Security", Yanek Korff/Paco Hope/Bruce
Potter, 2005, 0-596-00626-8, U$49.95/C$69.95
%A   Yanek Korff
%A   Paco Hope
%A   Bruce Potter
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00626-8
%I   O'Reilly & Associates, Inc.
%O   U$49.95/C$69.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596006268/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596006268/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596006268/robsladesin03-20
%O   Audience a Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   445 p.
%T   "Mastering FreeBSD and OpenBSD Security"

Part one provides a security foundation.  Chapter one is a general
introduction to security concepts.  Most of the material is decent
(though pedestrian), but there is an odd acceptance of security by
obscurity, and the definition of "fail safe" is flatly wrong.  Broadly
applicable but intermediate security functions are discussed in
chapter two.  The utilities examined are not the basic functions
normally noted in UNIX security texts (such as chmod), and the
explanations do not start at a fundamental level.  Therefore, those
who intend to use this content to secure their systems should have
solid experience not only with Linux administration, but also with the
foundational security functions.  Likewise, the secure installation
deliberation, in chapter three, requires that the reader be thoroughly
familiar with the cardinal operations for installing FreeBSD or
OpenBSD (BSD being the Berkeley Systems Distribution of UNIX-like
operating systems).  Chapter four is an extensive grab bag of
administrative tools and considerations.

Part two is about deployment of specific applications or types of
servers.  Chapters five through nine address basic security issues,
applications, and related utilities for Domain Name Service (DNS),
email, web, firewall, and intrusion detection.

Similarly, part three covers auditing and incident response in
chapters ten (mostly logging) and eleven (mostly disk recovery, and
not much of that) respectively.

For advanced BSD administrators who want to add enhanced security
tools to their arsenal, this is a good next step, although how useful
it will be is left up to the reader.

copyright Robert M. Slade, 2007   BKMFBAOB.RVW   20070923


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There are two ways to slide easily through life: to believe
everything or to doubt everything; both ways save us from
thinking.                                         - Alfred Korzybski
http://victoria.tc.ca/techrev/rms.htm

#745 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Dec 6, 2007 7:47 pm
Subject: REVIEW: "Black Hat", John Biggs
BKBLCKHT.RVW   20070923

"Black Hat", John Biggs, 2004, 1-59059-379-0, US$19.99
%A   John Biggs john@... www.blackhatbook.com
%C   2560 Ninth Street, Suite 219, Berkeley, CA   94710
%D   2004
%G   1-59059-379-0
%I   Apress
%O   U$19.99 510-549-5930 fax 510-549-5939 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1590593790/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1590593790/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1590593790/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   158 p.
%T   "Black Hat: Misfits, Criminals and Scammers in the Internet Age"

Chapter one contains the all-too-common exhortation that "Bad Stuff"
is out there on the Internet.  The chapter content tends to the
sensational and is short on details and accuracy.  The discussion of
spam, in chapter two, is rather specific to the time the book was
written (and will therefore date quickly).  It doesn't provide much
detail on the general types of anti-spam systems, although it does
have a short (but reasonable) section on dissecting headers to track
down spam sources.  The information on spyware and adware that chapter
three provides is unreliable: the text confuses spyware with
keylogging trojans, the FBI's proposed Magic Lantern system, and even
hardware keyloggers.  Chapter four's examination of viruses and worms
is even worse, containing a compilation of tidbits (some true, others
not too reliable) and stories of various programs but providing little
or no useful background on the basic concepts.

By the nature of the topic, the examples of scams that are listed in
chapter five are more helpful: if you recognize them, you can avoid
them.  Chapter six, about software piracy, is less so.  The tales
touch on a number of concepts, but there is no subsequent analysis of
the implications.  Biggs seems to have swallowed, wholesale, the
narratives given to him about intrusions, retailed in chapter seven.
These yarns are, however, the usual pieces of blackhat boasting, and
deal with many disparate activities and technologies.  Chapter eight
supposedly approaches all the themes of the volume from the whitehat
(protection) side, but contains only some banal and generic advice.

Yet another attempt to jump on the Internet security "Fear,
Uncertainty, and Doubt" bandwagon.

copyright Robert M. Slade, 2007   BKBLCKHT.RVW   20070923


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
   Inside some of us is a thin person struggling to get out,
   but he can usually be sedated with a few pieces of chocolate cake.
http://victoria.tc.ca/techrev/rms.htm

#746 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Dec 10, 2007 6:50 pm
Subject: REVIEW: "Practical Packet Analysis", Chris Sanders
BKPRPAAN.RVW   20070926

"Practical Packet Analysis", Chris Sanders, 2007, 1-59327-149-2,
U$39.95/C$49.95
%A   Chris Sanders
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   978-1-59327-149-7 1-59327-149-2
%I   No Starch Press
%O   U$39.95/C$49.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593271492/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271492/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271492/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   164 p.
%T   "Practical Packet Analysis"

Chapter one is a brief, and rather simplistic, outline of some basic
networking fundamentals.  In terms of an introduction to packet
analysis it is so terse as to be misleading.  For example, there is a
mention of the need to use promiscuous mode, but not the fact that
many network cards don't support it.  There is also a description of
switches, but not the multiple locations that must be monitored on a
switch to get a full picture of network operations.  There is, in
chapter two, an indication that switches present options in terms of
monitoring, but no details, and promiscuous mode is only reported to
be limited by permissions set in Windows.  Screenshots for the
installation of Wireshark make up chapter three.  Chapters four
and five list, and briefly describe, various functions of the program.
Screenshots of displays for a few different types of packets are shown
and hastily characterized in chapter six.  Chapter seven lists a few
examples of packet captures that indicate specific problems.  The data
is all there, but the explanation is rather curt and lacks sufficient
detail to assist the reader in using it.  Slightly more particular
situations, dealing with network performance, are given in chapter
eight, and a smattering of security related situations in chapter
nine.  Different pieces of technology and factors involved in sniffing
traffic on wireless networks are discussed in chapter ten.  Chapter
eleven briefly lists a few more tools and related resources.

A random, somewhat incomplete, but occasionally interesting collection
of tidbits related to sniffing traffic.

copyright Robert M. Slade, 2007   BKPRPAAN.RVW   20070926


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Failure is not an option. It is a privilege reserved only for
                         those who try.
http://victoria.tc.ca/techrev/rms.htm

#747 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Dec 14, 2007 7:26 pm
Subject: REVIEW: "Managing Knowledge Security", Kevin C. Desouza
BKMAKNSE.RVW   20070927

"Managing Knowledge Security", Kevin C. Desouza, 2007, 0-7494-4961-6,
U$65.00/UK#32.50
%A   Kevin C. Desouza secureknow.blogspot.com kev.desouza@...
%C   120 Pentonville Rd, London, UK, N1 9JN
%D   2007
%G   0-7494-4961-6 978-0-7494-4961-2
%I   Kogan Page Ltd.
%O   U$65.00/UK#32.50 +44-020-7278-0433 kpinfo@...
%O  http://www.amazon.com/exec/obidos/ASIN/0749449616/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0749449616/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0749449616/robsladesin03-20
%O   Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   200 p.
%T   "Managing Knowledge Security"

Desouza is of the "competitive intelligence" community, so the
"knowledge" of the title refers to special skills, processes, or other
information that gives your business a particular advantage, and which
is either unknown or in limited circulation elsewhere.

Chapter one provides some examples of thefts of intellectual property.
The author also exhorts companies to classify and assign a value to
their informational assets (with which advice I can only heartily
concur).  He goes on to describe the activities involved in spying on
corporations, and notes the limitations of traditional security guards
in this regard.  Chapter two explains how employees can be the
greatest threat to the loss of institutional knowledge--and can also
be the biggest asset in protecting it.  Considerations with regard to
personal computing devices (such as laptops and advanced cell phones)
for travelling executives are discussed in chapter three.  As well,
there are suggestions on how to avoid being kidnapped, and some
recommendations with respect to recycling paper and obsolete computer
equipment.  Chapter four looks at a range of the possible alliances
between companies, and the ways that various problems related to
intellectual property might occur as a result of those associations.
Chapter five contains recommendations of diverse measures to limit
physical access to corporate offices.  Business continuity is
addressed, in chapter six, from the perspective of loss of knowledge
resources.  (Oddly, there is little discussion of the higher levels of
risk from social engineering inherent in such situations.)  Basic
information security practices, threats, and technologies are outlined
in chapter seven.

The book presents an interesting viewpoint in regard to security, but
does not seem to break any new ground.  In terms of information
security or classification, this work does not go beyond any standard
security text such as the original edition of "Computer Security
Basics" (cf. BKCMPSEC.RVW) or (ISC)2's "Official Guide" (cf.
BKOITCE.RVW).  With regard to social engineering, which one might
consider a specialty of those in the "business intelligence" field,
any of Ira Winkler's volumes, such as "Corporate Espionage" (cf.
BKCRPESP.RVW) or "Spies Among Us" (cf. BKSPAMUS.RVW), has more detail
and extensive suggestions.  Desouza's work, clear and engaging as it
is, is possibly an interesting additional outlook, but hardly a
necessary addition or replacement.

copyright Robert M. Slade, 2007   BKMAKNSE.RVW   20070927


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Your email has been returned due to insufficient voltage.
http://victoria.tc.ca/techrev/rms.htm

#748 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Dec 17, 2007 9:54 pm
Subject: REVIEW: "Short Introduction to Quantum Information and Quantum Computing", Michel Le Bellac
BKSIQIQC.RVW   20071018

"Short Introduction to Quantum Information and Quantum Computing",
Michel Le Bellac, 2006, 0-521-86056-3, U$70.95
%A   Michel Le Bellac
%C   The Edinburgh Building, Cambridge CB2 2RU, UK
%D   2006
%G   0-521-86056-3 978-0-521-86056-7
%I   Cambridge University Press
%O   U$70.95 800-872-7423 www.cambridge.org
%O  http://www.amazon.com/exec/obidos/ASIN/0521860563/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0521860563/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0521860563/robsladesin03-20
%O   Audience a Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   167 p.
%T   "Short Introduction to Quantum Information and Quantum Computing"

Chapter one is a short discussion of some ideas about quantum
computing.  Qubits, the basic informational unit in a quantum system,
have a mathematical introduction in chapter two.  (There is also the
obligatory mention of the BB84 [Bennett/Brassard 1984] protocol for
quantum key distribution.)  Chapter three looks at the variation, over
time, of qubits in order to perform manipulations, and therefore
computation.  Quantum computing, unlike traditional digital circuits,
relies upon the relations and entanglement between qubits, which is
examined in chapter four.  Chapter five moves into the basic
structures and operations of quantum computing with qubits, some gate
level arrangements, a comparison of classical and quantum algorithms,
and intractable problems in classical systems.  Potential physical
constructions of these designs are presented in chapter six.  Storage
and transmission of information, in chapter seven, is at first given a
purely abstract and mathematical treatment, but this does lead to a
discussion of quantum error correction.

This is a text, and one that relies almost purely on the mathematical
foundations behind quantum mechanics and physics.  Students of that
field will find interesting extensions from theory into the practical
realizations, but those truly wanting an introduction to quantum
computing will need to look elsewhere.

copyright Robert M. Slade, 2007   BKSIQIQC.RVW   20071018


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There's no reason to be the richest man in the cemetery. You
can't do any business from there.         - `Colonel' Harlan Sanders
http://victoria.tc.ca/techrev/rms.htm

#749 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jan 3, 2008 10:07 pm
Subject: REVIEW: "Hacking Wireless Networks for Dummies", Kevin Beaver/Peter T. Davis
BKHKWNFD.RVW   20070930

"Hacking Wireless Networks for Dummies", Kevin Beaver/Peter T. Davis,
2005, 0-7645-9730-2, U$24.99/C$31.99/UK#15.99
%A   Kevin Beaver kbeaver@...
%A   Peter T. Davis
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-9730-2
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$31.99/UK#15.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764597302/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764597302/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764597302/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   362 p.
%T   "Hacking Wireless Networks for Dummies"

In the introduction, the authors state that the purpose of the book is
to teach the reader, presumably a network administrator, how to test
for vulnerabilities in wireless local area networks (WLANs, otherwise
known as Wi-Fi), in order that the loopholes may be patched.  In other
words, another "hack to protect" text.

Part one is a foundation for the testing of WLANs, with chapter one
being an introduction to the penetration of wireless networks.  (This
seems to boil down to the fact that you are at risk if you allow
unmanaged additions to your network.)  Although it is entitled "The
Wireless Hacking Process," chapter two actually just lists ten
commandments for ethical hacking, and a few general security
frameworks documents.  Some tools for network discovery are noted in
chapter three.  Some hardware and software items are described
(sometimes in terms of installation) in chapter four.  The authors
aren't clear about why VMware and Linux are included.

Part two turns to some common Wi-Fi assessment programs.  Chapter five
discusses the human factors leading to insecurity, and recommends
users be made aware of certain principles.  "Containing the Airwaves,"
in chapter six, examines signal strength and antenna design, but also
enumerates a range of access card settings (under Linux).  Utilities
for determining the availability for various network services are
catalogued in chapter seven.  Instruments for determining settings and
passwords are mentioned in chapter eight.  Chapter nine describes
NetStumbler.

Advanced intrusion activities are in part three.  Kismet and
MiniStumbler are outlined in chapter ten.  Chapter eleven notes ways
to find out about unauthorized nodes associated with your network.
Some basic types of network attacks, and advice on the resources
necessary to perform them, are in chapter twelve.  Somewhat more
specialized, chapter thirteen lists various denial of service (DoS)
attacks.  Chapter fourteen reviews a number of programs for cracking
keys for the original WEP (Wired Equivalent Privacy) implementation.
As something of a standout in the book, there are also useful
suggestions for increasing confidentiality by using alternative
encryption protocols.  Chapter fifteen has a fairly brief overview of
diverse means of authentication.

Part four is the mandatory ("... for Dummies") part of tens, with a
listing of ten necessary tools, ten mistakes in testing wireless
security, and ten tips for following up on assessments.

While numerous vulnerabilities and poor practices are noted, advice on
countermeasures and controls gets less space.  In many cases the
suggested safeguard is limited to "do some more research on your own."
The material is possibly interesting, but not directly helpful to the
network security administrator without further work and study.

copyright Robert M. Slade, 2007   BKHKWNFD.RVW   20070930


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Woe to those who enact evil statutes, and to those who
continually record unjust decisions, so as to deprive the needy
of justice, and rob the poor of My people of their rights... Now
what will you do in the day of punishment, and in the devastation
which will come from afar?                          - Isaiah 10: 1-3
http://victoria.tc.ca/techrev/rms.htm

#750 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 7, 2008 6:54 pm
Subject: REVIEW: "Virtual Honeypots", Niels Provos/Thorsten Holz
BKVRTHNP.RVW   20070930

"Virtual Honeypots", Niels Provos/Thorsten Holz, 2008, 0-321-33632-1,
U$49.99/C$61.99
%A   Niels Provos
%A   Thorsten Holz
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   0-321-33632-1 978-0-321-33632-3
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 800-822-6339 617-944-3700 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321336321/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321336321/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321336321/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   440 p.
%T   "Virtual Honeypots: From Botnet Tracking to Intrusion Detection"

Right off the top you have to question the reliability of research
that credits, in the preface, Robert Morris with "inventing" (in the
course of creating the Internet Worm of 1988) the buffer overflow.

Chapter one provides some background information for honeypot
operation, with a very terse review of some basic TCP/IP protocols,
descriptions of some common honeypot types, and a few tools that can
be used for data capture and analysis.  High-interaction honeypots are
defined (by the authors in chapter two) as virtual machines that can
provide (to the attacker or intruder) as much, or as little,
functionality as you wish.  A number of such machines are described,
mostly in terms of installation.  Overviews (and installation
instructions) for a variety of specialized and limited emulators are
given in chapter three.  Chapter four introduces the honeyd program
that is widely used for creating multiple virtual machines on a single
computer.  Advanced functions of honeyd are discussed in chapter five.

Chapter six examines the possibilities for collecting malware with
honeypots, specifically the nepenthes and honeytrap programs.  Some
systems for presenting apparently extensive functionality without
risking the danger of a compromise are explained in chapter seven.
Emulation of the activity of an active computer or Internet user
(rather than a passive server) is the idea behind client honeypots as
outlined in chapter eight.

Indications that betray the presence or operation of a honeypot are
discussed in chapter nine.  Some experiences using honeypots are noted
in chapter ten. Chapter eleven specifically examines the use of
honeypots to discover the functions and activity of botnets.
CWSandbox, a tool for the analysis of malware, is explored in chapter
twelve.

The classic text in the field of honeypots is, of course, "Know Your
Enemy" (cf. BKKNYREN.RVW).  That volume does not go into specific
details of construction in the way that Spitzner's "Honeypots" (cf.
BKHNYPOT.RVW) or even Grimes' "Honeypots for Windows" (cf.
BKHNPTWN.RVW) does.  However, between them the existing works provide
a solid background, and this tome adds little to the mix.  The
addition of client honeypots is valuable, but the writing and
explanations provide little that will be of help to those trying to
use the technology.

copyright Robert M. Slade, 2007   BKVRTHNP.RVW   20070930


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
      DYNAMIC LINKING ERROR: Your mistake is now everywhere.
http://victoria.tc.ca/techrev/rms.htm

#751 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jan 10, 2008 11:38 pm
Subject: REVIEW: "Designing BSD Rootkits", Joseph Kong
BKDSBSDR.RVW   20071005

"Designing BSD Rootkits", Joseph Kong, 2007, 1-59327-142-5,
U$29.95/C$36.95
%A   Joseph Kong
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   1-59327-142-5 978-1-59327-142-8
%I   No Starch Press
%O   U$29.95/C$36.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593271425/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271425/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271425/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   136 p.
%T   "Designing BSD Rootkits: An Introduction to Kernel Hacking"

The purpose of the book is to teach how to use techniques of
kernel-mode programming that will provide control over certain aspects
of the FreeBSD (Berkeley Systems Distribution) operating system
without making such control apparent to the user.  As a secondary aim,
the reader should also be able to consider recoding functions of the
operating system, as well as techniques for detecting and removing
rootkits.

Chapter one introduces the programming of Loadable Kernel Modules
(LKMs, which are also known as Dynamic Kernel Linkers or KLDs).  C
code for short routines and system calls are listed, although the
explanations are extremely terse, and the reader would have to be well
familiar with system programming in order to understand the use and
access to these functions.  Call hooking (or just "hooking"), the
redirection of calls to standard operations in order to modify system
behaviour, is the subject of chapter two.  Kernel objects maintain
information about the operations underway in the computer, and
therefore direct manipulation of these structures, explained in
chapter three, is necessary to hide from attempts to detect unusual
processes.  Since kernel objects also control program flow, chapter
four briefly demonstrates how to hook the structures.  Chapter five
examines the type of programming necessary to directly patch code in
the kernel memory area.

Chapter six uses the various ideas discussed earlier to create a
rootkit for avoiding detection by change-detection style host-based
intrusion detection systems (HIDS), specifically Tripwire.  Chapter
seven outlines (without code examples) techniques for detecting the
type of programming and activity described earlier in the book.

In my opening sentence, I said that the volume's purpose was to teach
kernel-mode programming.  That statement, and the preface, begs the
question of the intended audience.  Actually, the book only addresses
specific functions: it certainly doesn't teach kernel-mode programming
as such.  The reader will already have to know a fair amount of it in
order to apply the content of the tome.  The text does seem to imply
that it is hoped whitehats will use it, but is the substance really
directed at protective measures?

The material in the book does provide a number of examples of kernel-
mode programming, and may act as a guide for those interested in
exploring the areas for which code is provided.  Certain aspects of
the internals of the BSD operating systems are explained.  However,
those interested in having in-depth examinations of the operating
system, or those wishing to know about detection of these types of
applications, may wish to look elsewhere.

copyright Robert M. Slade, 2007   BKDSBSDR.RVW   20071005


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
At any given time, one third of the world's population is asleep.
That means two thirds are awake and causing problems.
http://victoria.tc.ca/techrev/rms.htm

#752 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 14, 2008 11:42 pm
Subject: REVIEW: "Fuzzing", Michael Sutton/Adam Greene/Pedram Amini
BKFUZZNG.RVW   20071005

"Fuzzing", Michael Sutton/Adam Greene/Pedram Amini, 2007,
0-321-44611-9, U$54.99/C$68.99
%A   Michael Sutton
%A   Adam Greene
%A   Pedram Amini
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   0-321-44611-9 978-0-321-44611-4
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321446119/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321446119/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321446119/robsladesin03-20
%O   Audience a+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   543 p.
%T   "Fuzzing: Brute Force Vulnerability Discovery"

In the foreword, H. D. Moore states that fuzzing is the submission, to
a system, of miscellaneous inputs in order to find vulnerabilities,
and that it is more art than science.

In the preface, the authors assert that, since it is important to have
as many people as possible finding vulnerabilities in our
applications, the book is written not only for researchers, but for
the general public and those with no background in the idea and
activity of fuzzing.

Part one provides background information and concepts.  Chapter one
outlines the three basic types of vulnerability discovery: white box,
utilizing source code and other developer materials; black box,
submitting inputs and observing the results; and gray box, using tools
such as disassemblers and debuggers.  A definition of fuzzing is
attempted in chapter two, discussing boundary values analysis
(submission of inputs that straddle the line between acceptable and
improper), but notes that fuzzing goes beyond this level of activity.
There is brief mention of mutation-basing (modification of input
described as acceptable) and generation-basing (creation of test data
from the specification of the format).  Fuzzing methods are supposed
to be the topic of chapter three, but it generally lists different
types of programs (based on the types of applications they test).
Different types of data representation are mentioned in chapter four.
The requirements for successful fuzzing, discussed in chapter five,
are basically the best possible understanding of the system under
test, the ability to determine when an effect has been created, and
care in recording attempts and results.

Part two examines a variety of application target types, and the
automation of fuzzing activities.  Chapter six lists some tools, and
notes some factors in programming test generation programs.
Subsequently, chapters follow a pattern of an initial discussion of a
specific category of intended quarry (environment variables and
arguments in chapter seven) and then automation of fuzzing for that
purpose (environment parameters in chapter eight).  The targets are
Web applications (nine and ten), file formats (eleven, with automation
for UNIX in twelve, and Windows in thirteen), network protocols
(fourteen, fifteen, and sixteen), Web browsers (seventeen and
eighteen), and in-memory fuzzing (nineteen and twenty).

Part three introduces advanced fuzzing technologies.  Fuzzing
frameworks, described in chapter twenty-one, are applications for
specifying formats and generating ranges of test and probe input data
to be used for submission to programs.  It is difficult to find a
consistent thread for chapter twenty-two, but the topic seems to have
something to do with general programmatic approaches that may have
promise for the automation of fuzzing.  While fuzzing can create
failures, and therefore note the existence of faults, in a program, it
cannot help us to identify vulnerabilities to be addressed unless we
can distinguish the part of the application that is responsible for
the malfunction.  Chapter twenty-three explores this idea under the
title of fuzzer tracking, or code coverage, and notes some of the
utilities that can be of assistance, but doesn't do a good job of
explaining the necessary functions and concepts.  Intelligent fault
detection, in chapter twenty-four, is related to the material in
twenty-two, although on a more generic level.

Part four is a kind of summary, with "Lessons Learned" (and the
potential for the use of fuzzing in software development) in chapter
twenty-five.  The title "Looking Forward," in twenty-six, would
normally lead the reader to expect some examination of future
directions, but instead there is a list of some advanced fuzzing
programs to close off the book.

This work does delineate the concepts involved in probing and testing
of software through random or semi-random input submission.  For those
managing the software development process, these ideas are helpful,
although the book may seem a trifle long to that audience.  For those
more directly involved in testing, the text may seem frustrating at
times: either simplistic, for experienced testers, or not detailed
enough, for quality assurance people just getting started in technical
explorations.  Still, this is the most complete volume in the field so
far, easily exceeding Beaver's "Hacking for Dummies" (cf.
BKHACKDM.RVW), Chirillo's "Hack Attacks Testing" (cf. BKHKATTS.RVW),
or "The Software Vulnerability Guide" (cf. BKSWVLGD.RVW).  Andrews'
and Whittaker's "How to Break Web Software" (cf. BKHTBWSW.RVW) has a
higher level of writing, but is more specialized, so Sutton, Greene,
and Amini have provided a useful and more general guide.

copyright Robert M. Slade, 2007   BKFUZZNG.RVW   20071005


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Do not fold, spindle or mutilate - originated by Charles A. Phillips
http://victoria.tc.ca/techrev/rms.htm
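As an added example (not code from Slade's review or from the book under review), here is a toy harness showing the concepts the review summarises from chapters two and five: generation-based inputs built from a format specification's boundary values, mutation-based inputs derived from valid seeds, and a log that records every attempt and separates a specified rejection from an unexpected fault. The record format, the parser and its planted fault are all constructed for this illustration.

```python
"""Toy fuzzing harness: boundary value analysis, generation-based and
mutation-based input creation, and careful recording of outcomes.  The
format, the parser and its fault are constructed for this example."""
import random
from dataclasses import dataclass

# Constructed wire format: 1-byte payload length, payload, 1-byte XOR checksum.
MAX_LEN = 255


def encode_record(payload: bytes) -> bytes:
    """Build a well-formed record; used to make seeds for mutation."""
    if len(payload) > MAX_LEN:
        raise ValueError("payload too long")
    xor = 0
    for b in payload:
        xor ^= b
    return bytes([len(payload)]) + payload + bytes([xor])


def parse_record(data: bytes) -> bytes:
    """Constructed target.  Malformed input is specified to raise ValueError.
    A fault is planted deliberately: the declared length is trusted, so the
    checksum byte is read at index 1 + n even when the record is truncated."""
    if not data:
        raise ValueError("empty record")
    n = data[0]
    payload = data[1:1 + n]
    check = data[1 + n]      # IndexError on a truncated record (the fault)
    xor = 0
    for b in payload:
        xor ^= b
    if xor != check:
        raise ValueError("bad checksum")
    return payload


def boundary_cases() -> list:
    """Generation-based: derived from the spec, straddling each limit."""
    return [
        encode_record(b""),                 # smallest legal payload
        encode_record(b"A" * MAX_LEN),      # largest legal payload
        b"\x01",                            # length says 1 byte, none present
        b"\x02" + b"A",                     # declared length exceeds data by one
        bytes([MAX_LEN]) + b"AAA",          # declared length far exceeds data
        b"",                                # empty input
    ]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based: one random edit of an input known to be acceptable."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "truncate", "insert", "bump_length"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "bump_length" and buf:
        buf[0] = (buf[0] + rng.randrange(1, 16)) % 256
    return bytes(buf)


@dataclass
class Attempt:
    source: str      # "generation" or "mutation"
    data: bytes
    outcome: str     # "accepted", "rejected" or "FAULT:<ExceptionName>"


def run_one(source: str, data: bytes) -> Attempt:
    """Submit one input and classify the effect.  A ValueError is the
    documented rejection path; any other exception is a finding."""
    try:
        parse_record(data)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    except Exception as exc:
        outcome = f"FAULT:{type(exc).__name__}"
    return Attempt(source, data, outcome)


def fuzz(iterations: int = 200, seed: int = 1) -> list:
    """Run the boundary cases first, then random mutations of valid seeds.
    Every attempt is kept so a finding can be reproduced later."""
    rng = random.Random(seed)
    log = [run_one("generation", case) for case in boundary_cases()]
    seeds = [encode_record(b"hello"), encode_record(b"")]
    for _ in range(iterations):
        log.append(run_one("mutation", mutate(rng.choice(seeds), rng)))
    return log


def faults(log: list) -> dict:
    """Report each distinct fault once, with the shortest input that hit it."""
    best = {}
    for a in log:
        if a.outcome.startswith("FAULT") and (
                a.outcome not in best or len(a.data) < len(best[a.outcome].data)):
            best[a.outcome] = a
    return best
```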

#753 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jan 17, 2008 3:27 pm
Subject: REVIEW: "The Myths of Innovation", Scott Berkun
BKMYTHIN.RVW   20071103

"The Myths of Innovation", Scott Berkun, 2007, 0-596-52705-5,
U$24.99/C$32.99
%A   Scott Berkun www.scottberkun.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2007
%G   0-596-52705-5 978-0-596-52705-1
%I   O'Reilly & Associates, Inc.
%O   U$24.99/C$32.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596527055/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596527055/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596527055/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   176 p.
%T   "The Myths of Innovation"

Berkun states, in the preface, that the intent of the book is to note
popularly held myths about innovation, and then to examine, with
historical examples, the realities.  There is, however, no implication
that there are to be suggestions about what to do in terms of aiding
innovation: this work is about avoiding mistakes, and doesn't address
the "how to."

Chapter one scrutinizes the concept of the epiphany: sudden revelation
or insight.  The author starts with an example of Google (not
Microsoft?) as a company believed to foster such idea creation, but
then basically denigrates the perception.  Examples of mythical
epiphanies that are known not to have happened are retailed, and there
is an emphasis on the primacy of hard work and preparation, as well as
some stress on the fineness of the line separating "creative" from
"crazy."  There is an incomplete and poorly structured look at
historical novelties in chapter two.  Chapter three says that there is
no procedure for driving or producing innovation.  The innate, and
evolutionarily driven, conservatism of the human species is used, in
chapter four, to prove that people don't like new ideas.  Berkun
appears almost to attempt to establish that nothing was ever invented
by the legendary "lone inventor" as he examines that notion in chapter
five.  Chapter six notes that people think that the birth of new
thoughts is a rare occurrence, but mostly talks about how to ensure
that they are stillborn.  Chapter seven essentially repeats chapter
three: if there is no method for producing ideas, then of course there
is no way to manage the process.  Examples of cases where the
invisible hand of the market did not choose the best alternative are
given in chapter eight.  Chapter nine doesn't really deal with any
myths in regard to innovation, the stories told just point out the
importance of limited ambition.  New ideas don't bring unalloyed
benefits, says chapter ten.

Berkun writes entertainingly, but his points are as one-sided as the
myths he tries to destroy.  The ideas presented are important, but
hardly new.  And, since he is determined to observe but not to
recommend, it is hard to say how helpful this is going to be to
anyone.  But it is fun.

copyright Robert M. Slade, 2007   BKMYTHIN.RVW   20071103

#754 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jan 24, 2008 5:46 pm
Subject: REVIEW: "Software Testing Practice: Test Management", Andreas Spillner et al
 
BKSTPTMN.RVW   20071110

"Software Testing Practice: Test Management", Andreas Spillner et al,
2007, 978-1-933952-13-0, U$44.95
%A   Andreas Spillner spillner@...
%A   Thomas Rossner thomas.rossner@...
%A   Mario Winter winter@...
%A   Tilo Linz tilo.linz@...
%C   26 West Mission St, Suite 3, Santa Barbara, CA   93101-2432
%D   2007
%G   978-1-933952-13-0 1-933952-13-X
%I   Rocky Nook Inc.
%O   U$44.95 805-687-8727 fax 805-687-2204 joan@...
%O  http://www.amazon.com/exec/obidos/ASIN/193395213X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/193395213X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/193395213X/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   321 p.
%T   "Software Testing Practice: Test Management"

This book is intended to assist candidates who are writing the exam
for the International Software Testing Qualifications Board (ISTQB)
Certified Tester.

Chapter one stresses the importance of software and software quality,
and explains that the text is based on the ISTQB Certified Tester
second ("Advanced") level, specifically the Test Manager module
(excluding the topic of reviews).  This chapter also presents an
overview of the first ("Foundation") level as background.  The tools
and processes used to structure testing are outlined in chapter two.
Testing is examined, in chapter three, in relation to the software
life cycle.  Problems with different development models are analyzed,
but it is interesting that the complexity of the models is not covered
as a risk factor.  Criteria for a testing policy are discussed in
chapter four.  Chapter five mandates a formal test plan.  The
blueprint will be helpful for those who do not have a structure in
place, but appears overly committed to items that are not inherently
necessary for all trials.  Controls to ensure and follow the progress
of testing are detailed in chapter six.  Chapter seven explains some
of the common quality and process improvement models, and their
implications for testing.  Testing is used to detect faults or
deviations in software, and chapter eight looks at the classification
and handling of such issues.  Chapter nine examines risk analysis with
respect to software testing.  The material follows most standard
principles for risk management, and so is not wrong in any specifics,
but the text fails to present helpful means for using this technique
to best advantage.  Various important skills that should be contained
within the test team are listed in chapter ten.  Test metrics are
discussed, in chapter eleven, in an academic manner that is very
similar to the style of chapter nine.  In the same way, by attempting
to apply a single process of evaluation to all test management
software tools, the authors restrict the utility of chapter twelve.
Chapter thirteen lists standards bodies, as well as some of the
guidelines that relate to software development and evaluation.

The book reflects the certification, and one cannot fault it for that.
However, if the authors had been willing to move beyond the overall
coverage of principles, they might have produced a more useful work.

copyright Robert M. Slade, 2007   BKSTPTMN.RVW   20071110

#755 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 28, 2008 6:58 pm
Subject: REVIEW: "Troubleshooting Linux Firewalls", Michael Shinn/Scott Shinn
 
BKTSLNFW.RVW   20071110

"Troubleshooting Linux Firewalls", Michael Shinn/Scott Shinn, 2005,
0-321-22723-9, U$44.99/C$64.99
%A   Michael Shinn www.gotroot.com
%A   Scott Shinn
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2005
%G   0-321-22723-9
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$64.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321227239/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321227239/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321227239/robsladesin03-20
%O   Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   369 p.
%T   "Troubleshooting Linux Firewalls"

Even though it is contained within part one of the book itself,
chapter one is basically a preface.  It outlines the tripartite nature
of the work, which contains basic security principles and background
on firewalls (presented from a context of risk management), diagnostic
tools to use in order to identify the specifics of problems, and
cookbook type solutions to common problems.

Part one, therefore, starts out with the general principles, and
chapter one, as well as the outline of the book, presents some of
these conceptual details.  The risk management that is outlined in
chapter two is mostly structured on project management and process.
Utilities to manage and maintain bastion security for firewall
machines are noted in chapter three.  A troubleshooting methodology is
suggested in chapter four.

Part two examines tools and internals in regard to investigation of
issues.  Chapter five looks at the OSI (Open Systems Interconnection)
model.  This is mostly in terms of details of the various protocols,
but there is a quick run-through of items to check in the different
layers of the OSI stack.  Flowcharts of netfilter and iptables
utilities, provided in chapter six, can assist in demonstrating how
the processes work, and so how to find out when they don't.  The rules
for iptables are discussed in chapter seven (and I am delighted to see
some attention paid to egress filtering).  Basic utilities are
mentioned in chapter eight, and specific diagnostic tools in nine.

Part three, although entitled diagnostics, is the "how to" cookbook
section.  A variety of situations and functions, as addressed by
different types of filters, are described as the chapters proceed
through testing firewall rules (in chapter ten: although the material
is basically limited to penetration testing), layer 2 filtering
(chapter eleven), NAT (Network Address Translation) and forwarding
(twelve), general IP (Internet Protocol) at layers 3 and 4 (thirteen),
SMTP (Simple Mail Transfer Protocol) and email (fourteen), Web
services (fifteen), file services (NFS and ftp, in sixteen), instant
messaging (seventeen), DNS (Domain Name Service) and DHCP (Dynamic
Host Configuration Protocol) (eighteen), and virtual private networks
(nineteen).

Within the well-defined limits set on the book by the authors, it
fulfills all three purposes quite well.  Those who need to manage and
maintain firewalls in a Linux environment, but have limited resources
or background, will find it quite useful.

copyright Robert M. Slade, 2007   BKTSLNFW.RVW   20071110


======================
rslade@...     slade@...     rslade@...
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses"              0-387-94663-2
"Viruses Revealed"                                      0-07-213090-3
"Software Forensics"                                    0-07-142804-6
"Dictionary of Information Security" Syngress           1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs:     [Base URL]mnbksccd.htm
PC Security:    [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews:   [Base URL]mnbk.htm
                 [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com

#756 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 4, 2008 8:54 pm
Subject: REVIEW: "Slamming Spam: A Guide for System Administrators", Robert Haskins/Dale Nielsen
 
BKSLMSPM.RVW   20071110

"Slamming Spam: A Guide for System Administrators", Robert
Haskins/Dale Nielsen, 2005, 0-13-146716-6, U$44.99/C$64.99
%A   Robert Haskins www.slammingspam.com
%A   Dale Nielsen
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2005
%G   0-13-146716-6
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$64.99 fax: 416-443-0948 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0131467166/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131467166/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131467166/robsladesin03-20
%O   Audience i Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   396 p.
%T   "Slamming Spam: A Guide for System Administrators"

For once the title means no more or less than it says.  The authors
state, in the preface, that the book is intended as a reference for
administrators to use as a "how to" guide to stop spam.  Well,
possibly not stop it entirely, but to use widely known and available
tools for mail transfer agents that can seriously reduce the level of
the problem.  The authors assume little about the reader's familiarity
with Linux or UNIX, even though most of the tools discussed are for
that platform.

Chapter one is a brief introduction to email entities and components,
with a list and description of anti-spam technologies.  There is also
a discussion of policies and the likely level of user acceptance of
both policies and functions.  Procmail, a utility that can be used by
a variety of anti-spam applications, is explained in chapter two.  The
multi-function SpamAssassin program is examined in chapter three.
Chapter four outlines anti-spam functions that are built into common
mail transfer agents.  Various systems for authentication of users,
and authorization to use SMTP (Simple Mail Transfer Protocol) are
discussed in chapter five.  Chapter six notes the advantages of
Distributed Checksum Filtering (DCF).  (This may not be as widely
known among administrators of single systems, since it relies on the
collection of calculated signatures of spam messages, gathered from a
number of mail servers.  It is more widely used by systems that
provide mail services to a large number of clients.)  Bayesian
filtering is introduced in chapter seven, and chapter eight follows up
with details of the installation and use of a few such programs.
Various client filtering applications are described in chapter nine.
Spam related functions of the Microsoft Exchange mail server are noted
in chapter ten, with Lotus Domino and Lotus Notes covered in chapter
eleven.  Chapter twelve examines sender verification.  This is not
quite the same material as is covered in chapter five, since we are
not looking for specific authorization, but an intelligent response
indicating that the entity sending the mail is a user and not a bot.

The book, while not exciting, is a clear and useful guide to tools
that will be of value to system administrators who wish to reduce
overall spam levels.

copyright Robert M. Slade, 2007   BKSLMSPM.RVW   20071110

#757 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Feb 12, 2008 2:36 am
Subject: REVIEW: "Agile Retrospectives: Making Good Teams Great", Esther Derby/Diana Larsen
 
BKAGLRTR.RVW   20071111

"Agile Retrospectives: Making Good Teams Great", Esther Derby/Diana
Larsen, 2006, 0-9776166-4-9, U$29.95/C$38.95
%A   Esther Derby
%A   Diana Larsen
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-9776166-4-9
%I   O'Reilly & Associates, Inc./Pragmatic Bookshelf
%O   U$29.95/C$38.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0977616649/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0977616649/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0977616649/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   170 p.
%T   "Agile Retrospectives: Making Good Teams Great"

Even after a foreword, a preface, and an introduction it still isn't
clear what a "retrospective" is, other than a review.

Chapter one contains some pointers on getting input from participants
in a meeting.  Practical tips for meeting arrangements, in chapter
two, range from issues of timing to the physical layout of chairs and
tables.  Chapter three's tips for leaders are full of jargon, but the
concepts are fine.  Chapters four to eight provide various prepared
activities that can be used for getting started (four), gathering
input (five), analysis (six), driving decision making (seven), and
closure (eight).  Reviews at the completion of releases and projects
are outlined in chapter nine.  Nominally about the implementation of
lessons that have been learned during the review, more of chapter ten
is based on exhortation than on useful advice.

If you have to hold or run meetings and are new to the process, this
book has some neat tips.  But nothing particularly significant.

copyright Robert M. Slade, 2007   BKAGLRTR.RVW   20071111

#758 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Feb 15, 2008 7:26 pm
Subject: REVIEW: "Database in Depth: Relational Theory for Practitioners", C. J. Date
 
BKDDRTFP.RVW   20071112

"Database in Depth: Relational Theory for Practitioners", C. J. Date,
2005, 0-596-10012-4, U$29.95/C$41.95
%A   C. J. Date
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-10012-4
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$41.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596100124/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596100124/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596100124/robsladesin03-20
%O   Audience i- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   208 p.
%T   "Database in Depth: Relational Theory for Practitioners"

The preface states that this book is intended for those (great many)
who understand relational databases primarily from their work with SQL
(Structured Query Language) without a formal background understanding
of the underlying model.  It is, therefore, not proposed as an
introduction for those unfamiliar with relational concepts, but
provides the basic and fundamental concepts and principles accurately
for the benefit of that particular audience.

Chapter one outlines the foundational precepts and terms.  Although
the text is clear and well-written, those without some working
experience in relational databases would have difficulty with the
material.  Examples (mostly SQL commands) are used, in chapter two, to
illustrate the differences between relations and data types.  Again, readers
should have a solid grasp of relational concepts in order to get the
greatest benefit from this material.  Questions are given at the end
of the chapter, and are much more than the usual reading checks. (Some
exercises expect readers to be familiar with the author's "Tutorial D"
language, which comes from a different book.)  A comparison of
relations and tuples is in chapter three.  Relation variables, or
relvars, are outlined in chapter four, which also contains a
comparison with predicates.  Chapter five describes relational
algebra, and notes the original relational operators.  Integrity
constraints, both for data types and database information, are covered
in chapter six.  Chapter seven does not teach database design as such,
but examines and promotes certain principles of design by
concentrating on the meaning of the data.  Date recaps and reinforces
the important aspects of the relational model in chapter eight.

As Date notes, those who want a "ground up" introduction to relational
databases will have to go elsewhere.  This is demanding material, and
requires at least a working background with relational databases.
Relational theory is a formal specification precisely because that
particularity of specification helps to ensure that database systems
provide the best and most consistent results.  Therefore, those who
are familiar with database administration but do not have formal
training in the abstract principles of relational databases would be
well advised to make the effort to work through this book, which is
uniquely crafted for that particular audience.  Doing so will improve
both understanding and performance.

copyright Robert M. Slade, 2007   BKDDRTFP.RVW   20071112

#759 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 18, 2008 11:50 pm
Subject: REVIEW: "Software Testing Foundations", Andreas Spillner/Tilo Linz/Hans Schaefer
 
BKSWTSFD.RVW   20071115

"Software Testing Foundations", Andreas Spillner/Tilo Linz/Hans
Schaefer, 2007, 1-933952-08-3, U$44.95
%A   Andreas Spillner spillner@...
%A   Tilo Linz tilo.linz@...
%A   Hans Schaefer hans.schaefer@...
%C   26 West Mission St, Suite 3, Santa Barbara, CA   93101-2432
%D   2007
%G   1-933952-08-3 978-1-933952-08-6
%I   Rocky Nook Inc.
%O   U$44.95 805-687-8727 fax 805-687-2204 joan@...
%O  http://www.amazon.com/exec/obidos/ASIN/1933952083/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1933952083/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1933952083/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   272 p.
%T   "Software Testing Foundations, Second Edition"

This book is intended to assist candidates who are writing the exam
for the International Software Testing Qualifications Board (ISTQB)
Certified Tester.

Chapter one stresses the importance of software and software quality,
and briefly outlines the structure of the ISTQB.  Chapter two contains
a very generic overview of the terms and process of software testing.
The activities appear to be restricted to submission of test data or
cases, even though issues such as usability and maintainability are
discussed in relation to software quality.  (In addition, some of the
material is questionable: the non-iterative waterfall software
development model is illustrated with a graphic showing iteration.)
Testing related to the various stages of the software development life
cycle is noted in chapter three.  The content is fairly limited,
without the scope and analysis of a work such as Gary McGraw's
"Software Security: Building Security In" (cf. BKSWSBSI.RVW).  "Static
Analysis," in chapter four, appears to be related to code analysis, or
code review.  However, while there is much discussion of roles,
meetings, and processes, there is little specificity of what is
actually being "inspected manually."  (The brief mentions of code
analysis tools support the idea that source code review is the
subject of the text.)  Chapter five, entitled "Dynamic Analysis,"
provides more detail than did chapter one on actual test design and
techniques.  The text is quite formal and larded with jargon, though,
and clearer introductions of terms would definitely assist readers who
have not had formal training in the field.  Test management is the
topic of chapter six: a significant portion of the material repeats
from earlier sections of the book.  Some types of testing tools are
briefly described in chapter seven.

Presumably the book reflects the ISTQB certification.  If so, the
certification itself may be of limited utility.

copyright Robert M. Slade, 2007   BKSWTSFD.RVW   20071115

#760 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Feb 22, 2008 10:14 pm
Subject: REVIEW: "Managing the Test People", Judy McKay
 
BKMNTSPL.RVW   20071115

"Managing the Test People", Judy McKay, 2007, 978-1-933952-12-3,
U$39.95
%A   Judy McKay
%C   26 West Mission St, Suite 3, Santa Barbara, CA   93101-2432
%D   2007
%G   1-933952-12-1 978-1-933952-12-3
%I   Rocky Nook Inc.
%O   U$39.95 805-687-8727 fax 805-687-2204 joan@...
%O  http://www.amazon.com/exec/obidos/ASIN/1933952121/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1933952121/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1933952121/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   180 p.
%T   "Managing the Test People"

In the preface, McKay states that the book is intended for those who
may soon be commencing leadership positions in technology.  The
introduction is a bit more specific in this regard, asserting that the
text is meant to assist newly commissioned managers in determining how
to succeed as a manager in a technical environment, and particularly
in a lead role within the testing team.

Chapter one is an animal-oriented (and somewhat strained) metaphor
about a variety of qualities necessary in the test team.  The initial
activities of someone new to quality assurance testing are outlined in
chapter two.  The content on interview questions for hiring, in
chapter three, is good, but the advice about resume selection is more
appropriate to administrative jobs.  Chapter four starts out with more
material on job descriptions, but then devolves into a long, generic
discussion of having the proper "mix" of people on the team.
Integrating and interoperating with the rest of the enterprise is the
topic of chapter five.  Chapter six looks at communications and some
team organizational structures.  Quality assurance is seen, like all
aspects of security in relation to corporate operations, as requisite
to the task of development but a problem and a hindrance rather than a
benefit, and chapter seven tries to examine ways to deal with the
issues of morale that this perception may create for the workers.
(Most of the suggestions have more to do with preventing people from
falling into despair than with building enthusiasm and team spirit.)
Chapter eight is supposedly about leadership, but then so is the book:
the material appears to be a catch-all that the author can use for any
items that don't seem to fit anywhere else.  Performance evaluations
are mentioned in chapter nine.  The discussion of remuneration and
recognition, in chapter ten, comprises lots of stories, but little
material that is useful or helpful.  Staff training and development
gets an astonishingly short treatment in chapter eleven.  Stories of
firing and termination make up chapter twelve, but the examination of
the topics, while containing useful points, is quite ordinary.
Chapter thirteen seems to be intended as a recap of the work, but the
points don't follow the organization of the book.

The structure of the text is clear, and the writing is easy enough to
read.  However, a great deal of material is missing that could have been
included, and that would have provided much more utility and assistance
to new managers.  There is, for example, no advice on the different
types of (organizational) files or other administrative tools.  I
particularly missed the inclusion of that content in regard to
discussions of planning, performance, and termination: it is vital to
make quick memoranda all the time, and have repositories for those
notes that will bring them back to your attention at the appropriate
times.  I found the formatting of the text annoying: the highest level
of header is printed in the smallest font.

McKay has written an interesting book about leadership, and it does
contain points that can be useful for new managers, but it is not at the
level of works such as "The Art of Project Management" (cf.
BKARPRMA.RVW) by Scott Berkun (which is also aimed at the neophyte).
Brown's "Technimanagement" (cf. BKTCHNMN.RVW), Stellman and Greene's
"Applied Software Project Management" (cf. BKAPSWPM.RVW), or Kyle's
painless "Making It Happen" (cf. BKMAKHAP.RVW) are all solid advice
aimed at the technical manager.  In terms of a complete and practical
(though specialized) guide, one might turn to a model such as
Sennewald's excellent "Effective Security Management" (cf.
BKEFSCMN.RVW).  For specific tasks there are works like Limoncelli's
"Time Management for System Administrators" (cf. BKTMFRSA.RVW).
McKay's book is only able to approach the quality of vague and generic
attempts such as Rothman and Derby's "Behind Closed Doors" (cf.
BKBHCLDR.RVW).

copyright Robert M. Slade, 2007   BKMNTSPL.RVW   20071115

#761 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 25, 2008 8:04 pm
Subject: REVIEW: "Better Ethics Now", Christopher Bauer
 
BKBEETNO.RVW   20071118

"Better Ethics Now", Christopher Bauer, 2005, 978-0-9765863-3-3,
U$21.99/C$29.99
%A   Christopher Bauer chris@...
%C   1604 Burton Ave., Nashville, TN   37215
%D   2005
%G   0-9765863-3-9 978-0-9765863-3-3
%I   Aab-Hill Business Books
%O   U$21.99/C$29.99 615-385-3523
%O  http://www.amazon.com/exec/obidos/ASIN/0976586339/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0976586339/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0976586339/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   171 p.
%T   "Better Ethics Now: How to Avoid the Ethics Disaster You Never
       Saw Coming"

A note on the title page of the book states that the text is intended
to educate and entertain in regard to ethics, and that the material is
neither comprehensive nor tested.  (It is ethical to let the reader
know that, although my initial reaction was that the "entertain"
aspect might have been a bit of an abdication of the author's
responsibilities to the readers.)  The introduction asserts that the
focus of the work is on how a lack of personal responsibility creates
the foundation for corporate ethical disasters, and that having
individuals improve their own ethical standards will enhance the
integrity of the company.  There is, of course, something to this,
although it does fly in the face of a great many studies identifying
the "tone at the top" as the major determinant of corporate ethical
standards.

Chapter one notes that ethical breaches in companies have serious
financial ramifications, and reiterates the position that assessing
your own morals will improve those of the company, primarily by
forcing you to determine if the normal business behaviour you are
asked to follow is ethical.  (This does tie back to the issue of "tone
at the top": if your ethics stand up to scrutiny and you feel
comfortable in your working environment, the tone is probably OK.)
Ethics are guiding principles, chapter two tells us.  It isn't just
following (or even breaking) rules, says chapter three.  Chapter four
seems to repeat this last, in slightly different wording, properly
taking issue with the subject of "compliance," which has become
something of a buzzword and panacea in recent years.  Using cute
expansions of "ethics" as an acronym, chapter five tentatively
introduces the idea of personal responsibility and decision.  A simple
tool for personal assessment is described in chapter six.  Chapter
seven examines the issues of reporting or otherwise dealing with
ethical violations that you discover.

Chapter eight moves the discussion to the corporate level, noting the
importance of policy statements, processes, and procedures.  Ethical
behaviour involves achieving positive actions, we are told in chapter
nine, rather than merely avoiding negative ones.  Chapter ten does
promote the importance of the "tone at the top," noting that sometimes
you, as an employee, may need to walk away from an intolerable
situation.  Chapter eleven suggests that those in management and
leadership need to communicate ethics directly and openly.  The idea
that the moral standards of each employee are important is again
stressed in chapter twelve.  Proper ethics are not always easy, says
chapter thirteen.  Chapter fourteen repeats encouragement to be
proactive about promoting ethics, and suggests various procedures for
the corporation.

There are other books on ethics, and business ethics as well.
Johnson's "Computer Ethics" (cf. BKCMPETH.RVW) is a classic and
Tavani's "Ethics and Technology" (cf. BKETHTCH.RVW) adds depth and
intellectual rigour.  Bauer's work is very different: there is little
academic or conceptual background, but the brevity and practicality of
the work may make it more suitable for the general work environment.
While it doesn't add much to the debate, it could certainly be used
for training and the promotion of ethical standards, and is probably
more accessible for the general population of employees and managers.

copyright Robert M. Slade, 2007   BKBEETNO.RVW   20071118


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Where there is much desire to learn, there of necessity will be
much writing, much arguing, many opinions; for opinion in good
persons is but knowledge in the making.                - John Milton
http://victoria.tc.ca/techrev/rms.htm

#762 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Feb 28, 2008 10:35 pm
Subject: REVIEW: "CISSP Practice Questions Exam Cram 2", Michael C. Gregg
secgloss
BKCISPPQ.RVW   20071119

"CISSP Practice Questions Exam Cram 2", Michael C. Gregg, 2005,
0-7897-3305-6, U$29.99/C$42.99
%A   Michael C. Gregg
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2005
%E   Ed Tittel
%G   0-7897-3305-6
%I   Que
%O   U$29.99/C$42.99 800-858-7674 317-581-3743 http://www.mcp.com
%O  http://www.amazon.com/exec/obidos/ASIN/0789733056/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0789733056/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0789733056/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   202 p. + CD-ROM
%T   "CISSP Practice Questions Exam Cram 2"

There are a number of book versions of practice questions for those
challenging the CISSP (Certified Information Systems Security
Professional) exam.  This is yet another.

Most of the questions are far too simplistic to represent those on the
CISSP exam.  The vast majority of the queries in the book have simple
fact-based answers, only occasionally moving into the realm of
synthesis.  The analytical and critical thinking challenges, dealing
with conceptual issues, that make up the bulk of the CISSP exam are
almost completely absent from this text.  A great many questions in
the book have a significant amount of extraneous and irrelevant detail
added, apparently in an attempt to appear to be complex, but the
solution almost inevitably turns out to be based on a rudimentary
definition.

In most cases the answers given would probably match those accepted if
these questions were on the exam.  Many of the resolutions turn on
minor issues of wording, and the CISSP exam, while it does pay
attention to terminology, frequently requires that you accept
synonyms, in order to prove understanding rather than rote memory.

Again, even if the answer is correct, sometimes the explanation makes
no sense.  A question on the multilevel Biba model, for example,
properly identifies integrity as the major factor, but the explanation
states that Biba is a model "in which security may only flow down."
(It makes no sense to talk about the flow of "security" since the Biba
model deals with information flow restrictions, and "down" needs to be
defined in terms of accuracy.)

Don't rely on this to pass the CISSP exam.

copyright Robert M. Slade, 2007   BKCISPPQ.RVW   20071119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Have no fear of perfection: you'll never reach it.   - Salvador Dali
http://victoria.tc.ca/techrev/rms.htm
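
The review above faults the book's explanation of Biba as a model "in which security may only flow down." The following is an added example, not part of the review or of the book under review, written in Python to show what "down" can sensibly mean: in Biba a subject may not read less trustworthy data ("no read down") nor write to more trustworthy objects ("no write up"), so the thing that flows, information, flows only from higher to lower integrity. The integrity levels, the subjects and the objects are constructed for the illustration.

```python
"""Added example (not from the review or the book): a minimal model of the
Biba integrity rules, used to show what "flows down" can sensibly mean.

Levels, subjects and objects are constructed for the illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity (trustworthiness) levels, lowest first."""
    UNTRUSTED = 0   # e.g. content fetched from the public Internet
    USER = 1        # ordinary user data
    SYSTEM = 2      # system configuration and binaries


@dataclass(frozen=True)
class Entity:
    """A subject (process) or object (file) labelled with an integrity level."""
    name: str
    level: Integrity


def can_read(subject: Entity, obj: Entity) -> bool:
    """Simple integrity property, "no read down": a subject may only read
    objects at its own level or higher, so it cannot be contaminated by
    less trustworthy data."""
    return obj.level >= subject.level


def can_write(subject: Entity, obj: Entity) -> bool:
    """*-integrity property, "no write up": a subject may only write to
    objects at its own level or lower, so it cannot corrupt data that is
    more trustworthy than itself."""
    return obj.level <= subject.level


def permitted_flow(subject: Entity, obj: Entity, op: str):
    """For a permitted access, return (source level, destination level) of
    the information that moves; for a denied access return None."""
    if op == "read" and can_read(subject, obj):
        return (obj.level, subject.level)      # data moves object -> subject
    if op == "write" and can_write(subject, obj):
        return (subject.level, obj.level)      # data moves subject -> object
    return None


def flows_only_downward(entities) -> bool:
    """Check the invariant the rules are meant to give: every permitted
    access carries information from an integrity level at least as high
    as the level receiving it.  "Down" here is down the integrity
    ordering, i.e. from more trustworthy to less trustworthy."""
    for subject in entities:
        for obj in entities:
            for op in ("read", "write"):
                flow = permitted_flow(subject, obj, op)
                if flow is not None and flow[0] < flow[1]:
                    return False
    return True


# Constructed sample: an installer running at system integrity, a user's
# editor, a file downloaded from the Internet, and a system config file.
INSTALLER = Entity("installer", Integrity.SYSTEM)
EDITOR = Entity("editor", Integrity.USER)
DOWNLOAD = Entity("download.bin", Integrity.UNTRUSTED)
SYSTEM_CONFIG = Entity("/etc/config", Integrity.SYSTEM)
ENTITIES = [INSTALLER, EDITOR, DOWNLOAD, SYSTEM_CONFIG]

if __name__ == "__main__":
    print("installer reads download:", can_read(INSTALLER, DOWNLOAD))    # False
    print("editor reads config:", can_read(EDITOR, SYSTEM_CONFIG))        # True
    print("editor writes config:", can_write(EDITOR, SYSTEM_CONFIG))      # False
    print("installer writes download:", can_write(INSTALLER, DOWNLOAD))  # True
    print("all permitted flows go down:", flows_only_downward(ENTITIES))  # True
```

Run as a script it prints the four individual decisions and then the invariant check; the point for exam purposes is that the direction is defined on the integrity ordering (accuracy or trustworthiness), which is why "security flows down" is not a meaningful description.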

#763 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 3, 2008 5:55 pm
Subject: REVIEW: "PC Pest Control", Preston Gralla
secgloss
BKPCPECO.RVW   20071119

"PC Pest Control", Preston Gralla, 2005, 0-596-00926-7,
U$24.95/C$34.95
%A   Preston Gralla
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00926-7
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$34.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596009267/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596009267/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596009267/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   275 p.
%T   "PC Pest Control: Protect Your Computers from Malicious Internet
       Invaders"

Chapter one, as is all too common in books about securing home
computers, is long on sensational stories and a bit short on useful
advice.  There are suggestions of things to do, and those
recommendations may even be proper security measures.  Instructions on
actually performing the security actions, however, are mostly absent.
Much the same material is repeated in chapter two, though in slightly
different wording and structure.  Various computer activities are
listed, and then some of the risks of those functions are described
briefly.  Once again, there are suggestions about actions to take to
protect yourself (this time in the form of "checklists"), but no
directions on how to perform them.  A number of pieces of security
software, mostly commercial, are mentioned in chapter three, but
requirements for management, or the implications of reports that you
might obtain from these applications are not covered.  Details related
to the operation of Microsoft Windows' System Restore and Registry are
given in chapter four, but while the instructions are clear the
significance of these activities may not be.  Immediately after
telling you to run Windows Update, in chapter five, Gralla provides
guidelines for disabling it--by disabling ActiveX and not running
Internet Explorer.  (The fact that this would be the outcome of
following the tutorial is not mentioned.)  Chapter six is concerned
with spyware, and by this time a lot of the recommendations are
starting to sound very familiar.  The definition of "virus" provided
in chapter seven is worse than is usual even for general home computer
security books.  It asserts that viruses are delineated by requiring
no user intervention, whereas the most useful distinction between
viruses and worms is that viruses generally do require some operator
action, even if uninformed.  (That Gralla keeps reiterating that
"virus" is just a generic term for any type of malware is also
annoying and misleading.)  Along with the (not terribly helpful) text
on trojans and bots comes a list of names and descriptions of the "top
five" or so programs in those categories.  This is a feature of other
sections of the book as well, and provides little help (or solid
information), and, of course, dates very quickly.  It is rather
strange that worms are not included with the related topic of malware
in chapter seven, but with the subject of email and instant messaging
in chapter eight, and that spam, which is related to email, is handled
separately in chapter nine.  (Chapter nine also contains an "ANSI"
table, which, instead, turns out to be a table of ASCII [American
Standard Code for Information Interchange] codes for text characters,
the table being used to illustrate a discussion of the alternate data
representations that can be employed in Web pages.)  Phishing,
anonymizing, and the customary vague rules for protecting kids online
make up chapter ten.  Chapter eleven's material on safeguarding
wireless networks will make your home network less subject to attack,
though not as impregnable as Gralla seems to suggest.  The content on
safety at wireless "hotspots" is less useful.  The book is padded out
with an appendix that repeats material from the text.

There is a lot of white space, and the inclusion of pointless
graphics.  There is a lot of verbiage.  There is little helpful
information, and certainly nothing like the assistance that can be
obtained from Thomas Greene's "Computer Security for the Home and
Small Office" (cf. BKCMSCHO.RVW) or "Just Say No to Microsoft" by Tony
Bove (cf. BKJSN2MS.RVW).

copyright Robert M. Slade, 2007   BKPCPECO.RVW   20071119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
[I]f a man has good corn, or wood, or boards, or pigs to sell...
you will find a broad, hard-beaten road to his house.
                                             - Ralph Waldo Emerson
  (some seven years after his death, Emerson's comment on quality
   was altered to the now famous dictum on innovation, that if you
   built a better mousetrap the world would beat a path to your door)
http://victoria.tc.ca/techrev/rms.htm

#764 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 31, 2008 11:15 pm
Subject: REVIEW: "Essential PHP Security", Chris Shiflett
secgloss
BKEPHPSC.RVW   20071123

"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
U$29.95/C$41.95
%A   Chris Shiflett shiflett.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00656-X
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/059600656X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   109 p.
%T   "Essential PHP Security"

PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
Hypertext Preprocessor) but neither the foreword, preface, book, nor
index expands it.  Similarly, the intent of the book is not clarified
in either the foreword or the preface.

Chapter one does state that the purpose of the text is to teach how to
write secure code (with security left undefined) using features unique
to PHP.  However, only two such distinctive functions are listed in
this section, and they are not explained very well.  (Three appendices
at the end of the work do list some PHP commands related to the
security conventions noted.)  More space is devoted to general
application development principles and practices for safe programming.
Even there the solutions provided are outlined in terms of source code
rather than text, and the content requires an intimate knowledge of
PHP in order to derive value from the lessons presented.  In
discussing forms and URLs (Uniform Resource Locators), chapter two
distinguishes between filtered and tainted data, as well as GET and
POST form submissions, but does not initially examine the possibility
of user observation and deliberate malforming of submitted data.
Where details are provided on security, they are introduced with
coding examples, and, again, the effectiveness of the proposed
solutions is unclear unless the reader is well familiar with PHP
internals.  The database and SQL (Structured Query Language)
programming styles suggested in chapter three are good, but it is far
from clear that the filtering recommended will, in fact, prevent all
possibility of SQL injection attacks.  Chapter four examines sessions
and cookies: the explanations here also rely on understanding the
source code.

Chapter five, in talking about includes, is mostly concerned with
placing the files outside the root directory.  Much the same emphasis
is present in regard to files and commands (particularly with respect
to file traversal) in chapter six, although there is some discussion
of command injection.  Once again, the specifics in regard to
authentication and authorization are material only in the source code
examples in chapter seven.  The text of chapter eight explicitly
admits that the ability to address security issues in shared hosting
environments is weak.

For those who are thoroughly experienced in PHP programming, this book
does recommend styles that can result in more secure Web applications.
However, novice programmers, or even programmers experienced in other
languages, will have difficulty using the material effectively.

copyright Robert M. Slade, 2007   BKEPHPSC.RVW   20071123


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
In answer to the question of why it happened, I offer the modest
proposal that our Universe is simply one of those things which
happen from time to time.                          - Edward P. Tryon
http://victoria.tc.ca/techrev/rms.htm
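
The review above raises two related points: chapter two's distinction between filtered and tainted data, and the doubt that the filtering recommended in chapter three will prevent all possibility of SQL injection. The following is an added example, not part of the review or of Shiflett's book, and it is written in Python with the standard sqlite3 module rather than in PHP; the principle is the same. It puts a quote-escaping filter beside a parameterized query and shows the context in which the filter has nothing to act on. The users table and the sample inputs are constructed for the demonstration.

```python
"""Added example (not from the review or the book): why quote-escaping
filters are not a general defence against SQL injection, beside the
parameterized-query form.  Python's sqlite3 module stands in for PHP's
database extensions; the users table is constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def by_name_unsafe(conn, name: str):
    """Tainted (unfiltered) input spliced straight into the SQL text."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def escape_quotes(value: str) -> str:
    """The kind of 'filter' often recommended: double every single quote."""
    return value.replace("'", "''")


def by_name_filtered(conn, name: str):
    """Filtering does work for this one context: the value sits inside quotes."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{escape_quotes(name)}'"
    return conn.execute(sql).fetchall()


def by_id_filtered(conn, user_id: str):
    """Same filter, numeric context: the value is not inside quotes, so
    there is nothing for the filter to escape and the input is still
    interpreted as part of the SQL statement."""
    sql = f"SELECT id, name, role FROM users WHERE id = {escape_quotes(user_id)}"
    return conn.execute(sql).fetchall()


def by_name_safe(conn, name: str):
    """Parameterized query: the value travels separately from the SQL text
    and can never alter the statement's structure, whatever it contains."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def by_id_safe(conn, user_id: str):
    """Parameterized numeric lookup; SQLite compares the bound value with
    the INTEGER column, so a non-numeric string simply matches nothing."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile_name = "alice' OR '1'='1"   # constructed malformed form value
    hostile_id = "1 OR 1=1"             # constructed malformed form value
    print(len(by_name_unsafe(conn, hostile_name)), "rows from unsafe name lookup")
    print(len(by_name_filtered(conn, hostile_name)), "rows from filtered name lookup")
    print(len(by_id_filtered(conn, hostile_id)), "rows from filtered id lookup")
    print(len(by_id_safe(conn, hostile_id)), "rows from parameterized id lookup")
```

The filter looks adequate when tested only against the quoted-string case, which is exactly what makes it hard to judge from a book's examples whether a recommended filter covers every context a query can put a value into; parameterization removes that judgement call, because the database never parses the value as SQL at all.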

#765 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Apr 3, 2008 10:59 pm
Subject: REVIEW: "RFID Essentials", Bill Glover/Himanshu Bhatt
secgloss
BKRFIDES.RVW   20071124

"RFID Essentials", Bill Glover/Himanshu Bhatt, 2006, 0-596-00944-5,
U$39.99/C$55.99
%A   Bill Glover
%A   Himanshu Bhatt
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00944-5
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$55.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596009445/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596009445/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596009445/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   260 p.
%T   "RFID Essentials"

According to the preface this book is intended for developers who are
beginning involvement with RFID (Radio Frequency IDentification),
system architects who need to know the elements, and project managers,
as well as professionals and students who want to understand the
technology.  While it is more than a cursory introduction to the
field, it is not an in-depth discussion of the various applications.
The author does note that general information makes up the first two
and last three chapters, while the details for actual development are
in the middle six.

Chapter one provides a rationale for RFID, a bit of history, and an
outline of different types of applications.  Elements of RFID
technology (and terminology), as well as useful architectural
principles, make up chapter two.  Characteristics and categories of
the physical tags themselves are given in chapter three.  Chapter four
describes various protocols used between RFID readers and tags.
Input and output is essential for any computer system, and chapter
five examines RFID readers and devices that print, produce, and apply
the tags.  Chapter six discusses the protocols that apply within the
infrastructure of the RFID system.  Middleware in RFID systems, as
chapter seven notes, is primarily concerned with error management and
event volume reduction.  Protocols in regard to storing and sharing of
data between companies and within the supply chain are reviewed in
chapter eight.  Chapter nine looks at principles in regard to the
management of the system.  Security and privacy are the particular
concerns of chapter ten.  Chapter eleven is the somewhat obligatory
look to the future, noting both short term plans and the applications
that may become available as the capability improves.

Basically, the book does fulfill its promise, providing an
introduction that is more than perfunctory, with added detail about
the major functions and characteristics of RFID systems and
operations.

copyright Robert M. Slade, 2007   BKRFIDES.RVW   20071124


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Remember, Ginger Rogers did everything Fred Astaire did, but she
did it backwards and in high heels.               - Faith Whittlesey
http://victoria.tc.ca/techrev/rms.htm

#766 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 8, 2008 6:21 pm
Subject: REVIEW: "Security Data Visualization", Greg Conti
secgloss
BKSCDTVS.RVW   20071124

"Security Data Visualization", Greg Conti, 2007, 978-1-59327-143-5,
U$49.95/C$59.95
%A   Greg Conti www.gregconti.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   978-1-59327-143-5 1-59327-143-3
%I   No Starch Press
%O   U$49.95/C$59.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593271433/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271433/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271433/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   "Security Data Visualization: Graphical Techniques for Network
       Analysis"

Data visualization is very valuable.  It is, however, difficult to
perform properly in many situations: interpretation of data into
graphics can be extremely useful, but it is often difficult to
determine how best to present the information, and in the same way
that proper visualization can be tremendously helpful, the wrong
choice can be terrifically misleading.  Conti somewhat avoids this
issue in the introduction, since all he claims for the book is
inspiration.

Chapter one provides a number of data visualization and user interface
examples.  Some simple data visualization experiments in chapter two
show a few interesting ideas that can be explored with text and simple
graphics files, as well as comparative images as simple processing is
pursued.  The port scan data displays suggested in chapter three don't
seem to work quite as well.  Similarly, chapter four looks at
vulnerability scanning, but the recommendations presented don't appear
to add much of value in displaying the data.  Slightly better results
seem to be obtained using real Internet data in chapter five, since
some notion of the implications of the information can be taken from
the illustrations.  Chapter six contains a number of examples of
impressive visualization of security data, but there is limited
discussion as to how to determine the best means of displaying data of
different types.  The aspects of creation of visualizations, for
firewall logs, are dealt with in chapter seven, and with IDS (Intrusion
Detection System) data in eight.  Chapter nine discusses ways of
attacking visualizations, usually by injecting spurious data.  General
principles for building visualization systems are in chapter ten.
Chapter eleven turns to areas for additional research on the topic in
the future.  Chapter twelve lists references and resources.

The book is pretty, and it may provide inspiration.  However, it
probably won't provide an awful lot of assistance in getting your data
effectively visualized.

copyright Robert M. Slade, 2007   BKSCDTVS.RVW   20071124


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
We must scrupulously guard the civil liberties of all citizens,
whatever their background.  We must remember that any oppression,
any injustice, any hatred is a wedge designed to attack our
civilization.                            - Franklin Delano Roosevelt
http://victoria.tc.ca/techrev/rms.htm

#767 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Apr 14, 2008 8:34 pm
Subject: REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown
secgloss
BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools.  The basic ideas of
cryptography are presented, but one must go to other chapters and
appendices for details and usage of the technology.  This structure is
unusual in cryptographic literature, but the new perspective may
demonstrate somewhat stale abstractions in a fresh way.  It is rather
odd that the coverage of authentication, in chapter three, does not
note the IAAA model of Identification, Authentication, Authorization,
and Accountability.  Access control, in chapter four, is limited to
data access.  (The authors also follow the original paper describing
Role-Based Access Control as a form of mandatory access control, even
though RBAC is now frequently used in discretionary access control
environments.)  Chapter five's discussion of database security
emphasizes the theoretical aspects of that specialty.  Intrusion
detection is introduced in chapter six.  Malicious software is given a
scholarly, rather than practical, treatment in chapter seven, but the
content is more accurate than is usual even in the security
literature.  Denial of service attacks are addressed in chapter eight.
Chapter nine's review of firewalls concentrates, almost exclusively,
on stateful inspection, and the material on intrusion prevention
systems repeats, to a large extent, chapter six.  Trusted computing
and multilevel security, in chapter ten, are discussed in terms of
formal security models and security architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as
good as one might expect from the author of "Cryptography and Network
Security" (cf. BKCRNTSC.RVW).  Symmetric encryption and message
confidentiality, illustrated by the Data Encryption Standard and the
Advanced Encryption Standard, is the topic of chapter nineteen.
Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security.  Some Internet security
protocols and standards are listed in chapter twenty-one.  A detailed
look at Kerberos leads off chapter twenty-two's examination of
authentication applications.

Operating systems security is the subject of part six, with a look at
the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number
theory, pseudorandom number generation, projects for teaching
security, standards and standards organizations, and the TCP/IP
protocol suite.

Of the various domains of information systems security, there is
limited material in regard to the security implications of various
aspects of computer hardware and architecture, the formation of an
architectural model for security design, and business continuity
planning.  Otherwise, however, the coverage is quite comprehensive,
much more so than in other course texts such as Gollman's excellent
but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
Stamp's interesting, but sometimes spotty, "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  Anderson's "Security
Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
but also a useful professional reference, and Stallings and Brown might
wish to examine the practical issues dealt with in that work.  A range
of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly
in a single volume.  There is also the "Official (ISC)^2 Guide to the
CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
the CISSP CBK," but Stallings and Brown's work, while less broad and
detailed, is more academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I'm all in favor of keeping dangerous weapons out of the hands of
fools.  Let's start with typewriters.           - Frank Lloyd Wright
http://victoria.tc.ca/techrev/rms.htm
