techbooks · Internet Review Project
#761 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 25, 2008 8:04 pm
Subject: REVIEW: "Better Ethics Now", Christopher Bauer
secgloss
BKBEETNO.RVW   20071118

"Better Ethics Now", Christopher Bauer, 2005, 978-0-9765863-3-3,
U$21.99/C$29.99
%A   Christopher Bauer chris@...
%C   1604 Burton Ave., Nashville, TN   37215
%D   2005
%G   0-9765863-3-9 978-0-9765863-3-3
%I   Aab-Hill Business Books
%O   U$21.99/C$29.99 615-385-3523
%O  http://www.amazon.com/exec/obidos/ASIN/0976586339/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0976586339/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0976586339/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   171 p.
%T   "Better Ethics Now: How to Avoid the Ethics Disaster You Never
       Saw Coming"

A note on the title page of the book states that the text is intended
to educate and entertain in regard to ethics, and that the material is
neither comprehensive nor tested.  (It is ethical to let the reader
know that, although my initial reaction was that the "entertain"
aspect might have been a bit of an abdication of the author's
responsibilities to the readers.)  The introduction asserts that the
focus of the work is on how a lack of personal responsibility creates
the foundation for corporate ethical disasters, and that having
individuals improve their own ethical standards will enhance the
integrity of the company.  There is, of course, something to this,
although it does fly in the face of a great many studies identifying
the "tone at the top" as the major determinant of corporate ethical
standards.

Chapter one notes that ethical breaches in companies have serious
financial ramifications, and reiterates the position that assessing
your own morals will improve those of the company, primarily by
forcing you to determine if the normal business behaviour you are
asked to follow is ethical.  (This does tie back to the issue of "tone
at the top": if your ethics stand up to scrutiny and you feel
comfortable in your working environment, the tone is probably OK.)
Ethics are guiding principles, chapter two tells us.  It isn't just
following (or even breaking) rules, says chapter three.  Chapter four
seems to repeat this last, in slightly different wording, properly
taking issue with the subject of "compliance," which has become
something of a buzzword and panacea in recent years.  Using cute
expansions of "ethics" as an acronym, chapter five tentatively
introduces the idea of personal responsibility and decision.  A simple
tool for personal assessment is described in chapter six.  Chapter
seven examines the issues of reporting or otherwise dealing with
ethical violations that you discover.

Chapter eight moves the discussion to the corporate level, noting the
importance of policy statements, processes, and procedures.  Ethical
behaviour involves achieving positive actions, we are told in chapter
nine, rather than merely avoiding negative ones.  Chapter ten does
promote the importance of the "tone at the top," noting that sometimes
you, as an employee, may need to walk away from an intolerable
situation.  Chapter eleven suggests that those in management and
leadership need to communicate ethics directly and openly.  The idea
that the moral standards of each employee are important is again
stressed in chapter twelve.  Proper ethics are not always easy, says
chapter thirteen.  Chapter fourteen repeats encouragement to be
proactive about promoting ethics, and suggests various procedures for
the corporation.

There are other books on ethics, and business ethics as well.
Johnson's "Computer Ethics" (cf. BKCMPETH.RVW) is a classic and
Tavani's "Ethics and Technology" (cf. BKETHTCH.RVW) adds depth and
intellectual rigour.  Bauer's work is very different: there is little
academic or conceptual background, but the brevity and practicality of
the work may make it more suitable for the general work environment.
While it doesn't add much to the debate, it could certainly be used
for training and the promotion of ethical standards, and is probably
more accessible for the general population of employees and managers.

copyright Robert M. Slade, 2007   BKBEETNO.RVW   20071118


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Where there is much desire to learn, there of necessity will be
much writing, much arguing, many opinions; for opinion in good
persons is but knowledge in the making.                - John Milton
http://victoria.tc.ca/techrev/rms.htm

#762 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Feb 28, 2008 10:35 pm
Subject: REVIEW: "CISSP Practice Questions Exam Cram 2", Michael C. Gregg
secgloss
BKCISPPQ.RVW   20071119

"CISSP Practice Questions Exam Cram 2", Michael C. Gregg, 2005,
0-7897-3305-6, U$29.99/C$42.99
%A   Michael C. Gregg
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2005
%E   Ed Tittel
%G   0-7897-3305-6
%I   Que
%O   U$29.99/C$42.99 800-858-7674 317-581-3743 http://www.mcp.com
%O  http://www.amazon.com/exec/obidos/ASIN/0789733056/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0789733056/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0789733056/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   202 p. + CD-ROM
%T   "CISSP Practice Questions Exam Cram 2"

There are a number of book versions of practice questions for those
challenging the CISSP (Certified Information Systems Security
Professional) exam.  This is yet another.

Most of the questions are far too simplistic to represent those on the
CISSP exam.  The vast majority of the queries in the book have simple
fact-based answers, only occasionally moving into the realm of
synthesis.  The analytical and critical thinking challenges, dealing
with conceptual issues, that make up the bulk of the CISSP exam are
almost completely absent from this text.  A great many questions in
the book have a significant amount of extraneous and irrelevant detail
added, apparently in an attempt to appear to be complex, but the
solution almost inevitably turns out to be based on a rudimentary
definition.

In most cases the answers given would probably match those accepted if
these questions were on the exam.  Many of the resolutions turn on
minor issues of wording, and the CISSP exam, while it does pay
attention to terminology, frequently requires that you accept
synonyms, in order to prove understanding rather than rote memory.

Again, even if the answer is correct, sometimes the explanation makes
no sense.  A question on the multilevel Biba model, for example,
properly identifies integrity as the major factor, but the explanation
states that Biba is a model "in which security may only flow down."
(It makes no sense to talk about the flow of "security" since the Biba
model deals with information flow restrictions, and "down" needs to be
defined in terms of accuracy.)

Don't rely on this to pass the CISSP exam.

copyright Robert M. Slade, 2007   BKCISPPQ.RVW   20071119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Have no fear of perfection: you'll never reach it.   - Salvador Dali
http://victoria.tc.ca/techrev/rms.htm

#763 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 3, 2008 5:55 pm
Subject: REVIEW: "PC Pest Control", Preston Gralla
secgloss
BKPCPECO.RVW   20071119

"PC Pest Control", Preston Gralla, 2005, 0-596-00926-7,
U$24.95/C$34.95
%A   Preston Gralla
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00926-7
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$34.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596009267/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596009267/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596009267/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   275 p.
%T   "PC Pest Control: Protect Your Computers from Malicious Internet
       Invaders"

Chapter one, as is all too common in books about securing home
computers, is long on sensational stories and a bit short on useful
advice.  There are suggestions of things to do, and those
recommendations may even be proper security measures.  Instructions on
actually performing the security actions, however, are mostly absent.
Much the same material is repeated in chapter two, though in slightly
different wording and structure.  Various computer activities are
listed, and then some of the risks of those functions are described
briefly.  Once again, there are suggestions about actions to take to
protect yourself (this time in the form of "checklists"), but no
directions on how to perform them.  A number of pieces of security
software, mostly commercial, are mentioned in chapter three, but
requirements for management, or the implications of reports that you
might obtain from these applications are not covered.  Details related
to the operation of Microsoft Windows' System Restore and Registry are
given in chapter four, but while the instructions are clear the
significance of these activities may not be.  Immediately after
telling you to run Windows Update, in chapter five, Gralla provides
guidelines for disabling it--by disabling ActiveX and not running
Internet Explorer.  (The fact that this would be the outcome of
following the tutorial is not mentioned.)  Chapter six is concerned
with spyware, and by this time a lot of the recommendations are
starting to sound very familiar.  The definition of "virus" provided
in chapter seven is worse than is usual even for general home computer
security books.  It asserts that viruses are delineated by requiring
no user intervention, whereas the most useful distinction between
viruses and worms is that viruses generally do require some operator
action, even if uninformed.  (That Gralla keeps reiterating that
"virus" is just a generic term for any type of malware is also
annoying and misleading.)  Along with the (not terribly helpful) text
on trojans and bots comes a list of names and descriptions of the "top
five" or so programs in those categories.  This is a feature of other
sections of the book as well, and provides little help (or solid
information), and, of course, dates very quickly.  It is rather
strange that worms are not included with the related topic of malware
in chapter seven, but with the subject of email and instant messaging
in chapter eight, and that spam, which is related to email, is handled
separately in chapter nine.  (Chapter nine also contains an "ANSI"
table, which, instead, turns out to be a table of ASCII [American
Standard Code for Information Interchange] codes for text characters,
the table being used to illustrate a discussion of the alternate data
representations that can be employed in Web pages.)  Phishing,
anonymizing, and the customary vague rules for protecting kids online
online make up chapter ten.  Chapter eleven's material on safeguarding
wireless networks will make your home network less subject to attack,
though not as impregnable as Gralla seems to suggest.  The content on
safety at wireless "hotspots" is less useful.  The book is padded out
with an appendix that repeats material from the text.

There is a lot of white space, and the inclusion of pointless
graphics.  There is a lot of verbiage.  There is little helpful
information, and certainly nothing like the assistance that can be
obtained from Thomas Greene's "Computer Security for the Home and
Small Office" (cf. BKCMSCHO.RVW) or "Just Say No to Microsoft" by Tony
Bove (cf. BKJSN2MS.RVW).

copyright Robert M. Slade, 2007   BKPCPECO.RVW   20071119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
[I]f a man has good corn, or wood, or boards, or pigs to sell...
you will find a broad, hard-beaten road to his house.
                                             - Ralph Waldo Emerson
  (some seven years after his death, Emerson's comment on quality
   was altered to the now famous dictum on innovation, that if you
   built a better mousetrap the world would beat a path to your door)
http://victoria.tc.ca/techrev/rms.htm

#764 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 31, 2008 11:15 pm
Subject: REVIEW: "Essential PHP Security", Chris Shiflett
secgloss
BKEPHPSC.RVW   20071123

"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
U$29.95/C$41.95
%A   Chris Shiflett shiflett.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00656-X
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/059600656X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   109 p.
%T   "Essential PHP Security"

PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
Hypertext Preprocessor) but neither the foreword, preface, book, nor
index expands it.  Similarly, the intent of the book is not clarified
in either the foreword or the preface.

Chapter one does state that the purpose of the text is to teach how to
write secure code (with security left undefined) using features unique
to PHP.  However, only two such distinctive functions are listed in
this section, and they are not explained very well.  (Three appendices
at the end of the work do list some PHP commands related to the
security conventions noted.)  More space is devoted to general
application development principles and practices for safe programming.
Even there the solutions provided are outlined in terms of source code
rather than text, and the content requires an intimate knowledge of
PHP in order to derive value from the lessons presented.  In
discussing forms and URLs (Uniform Resource Locators), chapter two
distinguishes between filtered and tainted data, as well as GET and
POST form submissions, but does not initially examine the possibility
of user observation and deliberate malforming of submitted data.
Where details are provided on security, they are introduced with
coding examples, and, again, the effectiveness of the proposed
solutions is unclear unless the reader is well familiar with PHP
internals.  The database and SQL (Structured Query Language)
programming styles suggested in chapter three are good, but it is far
from clear that the filtering recommended will, in fact, prevent all
possibility of SQL injection attacks.  Chapter four examines sessions
and cookies: the explanations here also rely on understanding the
source code.

Chapter five, in talking about includes, is mostly concerned with
placing the files outside the root directory.  Much the same emphasis
is present in regard to files and commands (particularly with respect
to file traversal) in chapter six, although there is some discussion
of command injection.  Once again, the specifics in regard to
authentication and authorization are material only in the source code
examples in chapter seven.  The text of chapter eight explicitly
admits that the ability to address security issues in shared hosting
environments is weak.

For those who are thoroughly experienced in PHP programming, this book
does recommend styles that can result in more secure Web applications.
However, novice programmers, or even programmers experienced in other
languages, will have difficulty using the material effectively.

copyright Robert M. Slade, 2007   BKEPHPSC.RVW   20071123


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
In answer to the question of why it happened, I offer the modest
proposal that our Universe is simply one of those things which
happen from time to time.                          - Edward P. Tryon
http://victoria.tc.ca/techrev/rms.htm

#765 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Apr 3, 2008 10:59 pm
Subject: REVIEW: "RFID Essentials", Bill Glover/Himanshu Bhatt
secgloss
BKRFIDES.RVW   20071124

"RFID Essentials", Bill Glover/Himanshu Bhatt, 2006, 0-596-00944-5,
U$39.99/C$55.99
%A   Bill Glover
%A   Himanshu Bhatt
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00944-5
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$55.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596009445/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596009445/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596009445/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   260 p.
%T   "RFID Essentials"

According to the preface this book is intended for developers who are
beginning involvement with RFID (Radio Frequency IDentification),
system architects who need to know the elements, and project managers,
as well as professionals and students who want to understand the
technology.  While it is more than a cursory introduction to the
field it is not an in-depth discussion of the various applications.
The author does note that general information makes up the first two
and last three chapters, while the details for actual development are
in the middle six.

Chapter one provides a rationale for RFID, a bit of history, and an
outline of different types of applications.  Elements of RFID
technology (and terminology), as well as useful architectural
principles, make up chapter two.  Characteristics and categories of
the physical tags themselves are given in chapter three.  Chapter four
describes various protocols used between RFID readers and tags.
Input and output is essential for any computer system, and chapter
five examines RFID readers and devices that print, produce, and apply
the tags.  Chapter six discusses the protocols that apply within the
infrastructure of the RFID system.  Middleware in RFID systems, as
chapter seven notes, is primarily concerned with error management and
event volume reduction.  Protocols in regard to storing and sharing of
data between companies and within the supply chain are reviewed in
chapter eight.  Chapter nine looks at principles in regard to the
management of the system.  Security and privacy are the particular
concerns of chapter ten.  Chapter eleven is the somewhat obligatory
look to the future, noting both short term plans and the applications
that may become available as the capability improves.

Basically, the book does fulfill its promise, providing an
introduction that is more than perfunctory, with added detail about
the major functions and characteristics of RFID systems and
operations.

copyright Robert M. Slade, 2007   BKRFIDES.RVW   20071124


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Remember, Ginger Rogers did everything Fred Astaire did, but she
did it backwards and in high heels.               - Faith Whittlesey
http://victoria.tc.ca/techrev/rms.htm

#766 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 8, 2008 6:21 pm
Subject: REVIEW: "Security Data Visualization", Greg Conti
secgloss
BKSCDTVS.RVW   20071124

"Security Data Visualization", Greg Conti, 2007, 978-1-59327-143-5,
U$49.95/C$59.95
%A   Greg Conti www.gregconti.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   978-1-59327-143-5 1-59327-143-3
%I   No Starch Press
%O   U$49.95/C$59.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593271433/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271433/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271433/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   "Security Data Visualization: Graphical Techniques for Network
       Analysis"

Data visualization is very valuable.  It is, however, difficult to
perform properly in many situations: interpretation of data into
graphics can be extremely useful, but it is often difficult to
determine how best to present the information, and in the same way
that proper visualization can be tremendously helpful, the wrong
choice can be terrifically misleading.  Conti somewhat avoids this
issue in the introduction, since all he claims for the book is
inspiration.

Chapter one provides a number of data visualization and user interface
examples.  Some simple data visualization experiments in chapter two
show a few interesting ideas that can be explored with text and simple
graphics files, as well as comparative images as simple processing is
pursued.  The port scan data displays suggested in chapter three don't
seem to work quite as well.  Similarly, chapter four looks at
vulnerability scanning, but the recommendations presented don't appear
to add much of value in displaying the data.  Slightly better results
seem to be obtained using real Internet data in chapter five, since
some notion of the implications of the information can be taken from
the illustrations.  Chapter six contains a number of examples of
impressive visualization of security data, but there is limited
discussion as to how to determine the best means of displaying data of
different types.  The aspects of creation of visualizations, for
firewall logs, is dealt with in chapter seven, and with IDS (Intrusion
Detection System) data in eight.  Chapter nine discusses ways of
attacking visualizations, usually by injecting spurious data.  General
principles for building visualization systems are in chapter ten.
Chapter eleven turns to areas for additional research on the topic in
the future.  Chapter twelve lists references and resources.

The book is pretty, and it may provide inspiration.  However, it
probably won't provide an awful lot of assistance in getting your data
effectively visualized.

copyright Robert M. Slade, 2007   BKSCDTVS.RVW   20071124


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
We must scrupulously guard the civil liberties of all citizens,
whatever their background.  We must remember that any oppression,
any injustice, any hatred is a wedge designed to attack our
civilization.                            - Franklin Delano Roosevelt
http://victoria.tc.ca/techrev/rms.htm

#767 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Apr 14, 2008 8:34 pm
Subject: REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown
secgloss
BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools.  The basic ideas of
cryptography are presented, but one must go to other chapters and
appendices for details and usage of the technology.  This structure is
unusual in cryptographic literature, but the new perspective may
demonstrate somewhat stale abstractions in a fresh way.  It is rather
odd that the coverage of authentication, in chapter three, does not
note the IAAA model of Identification, Authentication, Authorization,
and Accountability.  Access control, in chapter four, is limited to
data access.  (The authors also follow the original paper describing
Role-Based Access Control as a form of mandatory access control, even
though RBAC is now frequently used in discretionary access control
environments.)  Chapter five's discussion of database security
emphasizes the theoretical aspects of that specialty.  Intrusion
detection is introduced in chapter six.  Malicious software is given a
scholarly, rather than practical, treatment in chapter seven, but the
content is more accurate than is usual even in the security
literature.  Denial of service attacks are addressed in chapter eight.
Chapter nine's review of firewalls concentrates, almost exclusively,
on stateful inspection, and the material on intrusion prevention
systems repeats, to a large extent, chapter six.  Trusted computing
and multilevel security, in chapter ten, are discussed in terms of
formal security models and security architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as
good as one might expect from the author of "Cryptography and Network
Security" (cf. BKCRNTSC.RVW).  Symmetric encryption and message
confidentiality, illustrated by the Data Encryption Standard and the
Advanced Encryption Standard, is the topic of chapter nineteen.
Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security.  Some Internet security
protocols and standards are listed in chapter twenty-one.  A detailed
look at Kerberos leads off chapter twenty-two's examination of
authentication applications.

Operating systems security is the subject of part six, with a look at
the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number
theory, pseudorandom number generation, projects for teaching
security, standards and standards organizations, and the TCP/IP
protocol suite.

Of the various domains of information systems security, there is
limited material in regard to the security implications of various
aspects of computer hardware and architecture, the formation of an
architectural model for security design, and business continuity
planning.  Otherwise, however, the coverage is quite comprehensive,
much more so than in other course texts such as Gollman's excellent
but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
Stamp's interesting, but sometimes spotty, "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  Anderson's "Security
Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
but also a useful professional reference, and Stallings and Brown might
wish to examine the practical issues dealt with in that work.  A range
of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly
in a single volume.  There is also the "Official (ISC)^2 Guide to the
CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
the CISSP CBK," but Stallings and Brown's work, while less broad and
detailed, is more academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I'm all in favor of keeping dangerous weapons out of the hands of
fools.  Let's start with typewriters.           - Frank Lloyd Wright
http://victoria.tc.ca/techrev/rms.htm

#768 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Apr 28, 2008 7:57 pm
Subject: REVIEW: "Security Monitoring with Cisco Security MARS", Gary Halleen/Greg Kellogg
secgloss
BKSMMARS.RVW   20080204

"Security Monitoring with Cisco Security MARS", Gary Halleen/Greg
Kellogg, 2007, 1-58705-270-9, U$60.00/C$75.00
%A   Gary Halleen
%A   Greg Kellogg
%C   800 East 96th Street, Indianapolis, IN   46240
%D   2007
%G   978-1-58705-270-5 1-58705-270-9
%I   Cisco Press
%O   U$60.00/C$75.00 feedback@... 800-382-3419
%O  http://www.amazon.com/exec/obidos/ASIN/1587052709/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1587052709/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1587052709/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   316 p.
%T   "Security Monitoring with Cisco Security MARS"

Fair warning: these guys are into jargon.  To even begin to approach
this book you must know that CS-MARS is the Cisco Security Monitoring,
Analysis, and Response System, which "performs" as an STM (Security
Threat Mitigation) "solution."  The introduction states that the work
is intended for information security analysts charged with the
monitoring and administration for firewalls and similar devices.
(Usually that is the task of the administrator, not the analyst, but
we'll let that pass.)

Part one is an introduction to CS-MARS and security threat mitigation.
Chapter one is a vague promotion for the MARS product.  Even though it
limits security incident management (SIM) to network events, it still
claims the capability of countering frauds.  Definitions of a number
of terms such as event, incident, false positive, and mitigation are
non-standard and therefore problematic, since the common understanding
of the expressions may suggest that the authors are making claims
which the technology cannot actually support.  Regulatory challenges
are covered in some depth in chapter two, including coverage of HIPAA
(Health Insurance Portability and Accountability Act), the GLB (Gramm,
Leach, Bliley) Act, the Sarbanes-Oxley Act, and the Payment Card
Industry (PCI) standard.  (Note the emphasis on American legislation
and the financial industry.)  Rather than the deployment scenarios
promised by the title of chapter three (we do get a couple of brief
stories at the end), the text is a kind of catalogue of CS-MARS
products and size specifications.

Part two is supposed to be about CS-MARS operations and forensics.
Some generic advice about hardening the platform upon which the MARS
product is running (mostly ports required by MARS and firewall
rulesets) is in chapter four.  Rules, reports, and queries are
illustrated, in chapter five, mostly in terms of screenshots of the
user interface, with little discussion of the implications of certain
decisions.  Some of the suggested "drop" rules, used incautiously,
could eliminate most traffic through the system.  The examination of
incident investigation and forensics, in chapter six, lists
preparation, identification, containment, repair, recovery, and
debriefing as the major stages of the process, but really only deals
with identification and containment.  Chapter seven tells you to make
a backup.

Slightly more advanced topics are in part three.  Chapter eight has
screenshots showing the integration of MARS with the Cisco security
manager product.  There is a list of errors you might encounter while
using the program, in chapter nine, but not much about how to solve
any of the problems.  Chapter ten is a promotional pamphlet for Cisco
NAC (Network Admission Control) products.  Screenshots demonstrating
the use of the CS-MARS custom parser to look at data from other
sources are printed in chapter eleven.  Screenshots of using the
CS-MARS global controller for a large implementation are in twelve.

Overall, there is a great deal of promotion, and very little
demonstration of product capability in this book.  Basically what is
being described is an intrusion detection system (IDS) with some added
features.  But it's being described in very awed tones.

copyright Robert M. Slade, 2008   BKSMMARS.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                        Materialists are Object-Oriented
http://victoria.tc.ca/techrev/rms.htm

#769 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu May 1, 2008 5:29 pm
Subject: REVIEW: "Computer Security Fundamentals", Chuck Easttom
secgloss
 
BKCMSCFN.RVW   20080205

"Computer Security Fundamentals", Chuck Easttom, 2006, 0-13-171129-6,
U$52.00/C$51.95
%A   Chuck Easttom
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2006
%G   0-13-171129-6
%I   Prentice Hall
%O   U$52.00/C$51.95 800-576-3800 416-293-3621 201-236-7139
%O  http://www.amazon.com/exec/obidos/ASIN/0131711296/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0131711296/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0131711296/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   344 p.
%T   "Computer Security Fundamentals"

This is a textbook, and the preface states that it is intended for
students.  The author and reviewers are all from colleges, and one
presumes that they know something about textbooks.  They do not,
however, demonstrate much knowledge of security.

Chapter one is supposed to be an introduction to cyber crime and
security, but important terms are poorly defined, and many are
missing.  The material seems to be sensational rather than
educational.  Fundamental concepts are presented oddly as well.
Security is divided not into the fairly standard confidentiality,
integrity, and availability, but into malware, intrusions, and denial
of service (DoS), which leaves out all kinds of important issues.  A
terse overview of risk analysis is rather simplistic, but much better
than the rest of the content.  The questions included at the end of
the chapter are trivial: the exercises are more time-consuming but no
more difficult.

Chapter two contains random topics about networks and the Internet.
The structure is as disorganized as most of the book: the subject of
domain name service comes between a discussion of media access control
addresses and an illustration of RJ45 jacks, a type of physical plug.
Screenshots of network scanning utilities make up chapter three.
Chapter four, about denial of service attacks, confuses DoS and Man-
in-the-Middle offensives.  Malware, in chapter five, is treated even
worse than is normally the case, stating outright that there is no
difference between viruses and worms, confusing viruses with buffer
overflow conditions, and providing almost no information at all on the
types of virus protection.  Chapter six has more screenshots and
typically useless recommendations on hardening Windows systems: the
reader is advised to disable unnecessary services, but is not given
any information about how to find, enable, or disable services, or
determine which services are necessary or otherwise.

Chapter seven's outline of encryption is highly unreliable.  We are
told that there are two types of encryption, transposition and
substitution, and that within substitution there are two divisions:
symmetric and asymmetric.  (Most modern symmetric algorithms use
combinations of transposition and substitution, and asymmetric
algorithms use mathematical transformations.)  PGP, a cryptosystem, is
compared with the RSA algorithm.  (PGP, in fact, can use the RSA
algorithm: this is a bit like comparing apples with refrigerators.)
Two of the three virtual private network protocols that are discussed
in regard to encryption protocols have no encryption capability.

A list of some Internet frauds is given in chapter eight.  Chapter
nine, supposedly about corporate espionage, tells us that information
has value and we should have some information security.  (Rather
ironically, the advice that is given is irrelevant to the issue of
insider abuses, which is the most common form of business espionage
and fraud.)  Cyber terrorism and information warfare gets the usual
lurid (and inaccurate) treatment in chapter ten.  Entitled "Cyber
Detective," chapter eleven says that you can find information about
people by using Web search engines.  A few security utilities are
briefly described in chapter twelve.

This is a book that is very long on page format, and rather short on
content.  The material is unreliable and incomplete.  I would not want
to take a course that used this as a text, and I certainly wouldn't
hire anyone simply on the basis that they passed such a course.

copyright Robert M. Slade, 2008   BKCMSCFN.RVW   20080205


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Acknowledge and take to heart this day that the Lord is God in
heaven above and on the earth below.  There is no other.  Deut. 4:39
http://victoria.tc.ca/techrev/rms.htm
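The reviewer's objection to chapter seven, that modern symmetric ciphers combine substitution and transposition rather than being one or the other, is easier to see in working code. The toy substitution-permutation network below is an added example and is neither the reviewer's nor the book's; its S-box, bit permutation, key schedule and 16-bit block size are all constructed for illustration, and the construction is not a usable cipher. Dropping the transposition step turns it into a plain per-nibble substitution cipher, and the diffusion measurements at the end make the difference visible.

```python
# Added example, not from the review or the book it discusses: a toy
# substitution-permutation network (SPN) showing that a symmetric cipher
# round combines substitution (S-boxes) with transposition (a bit
# permutation).  Every table and key below is constructed for
# illustration; the block and key sizes are far too small for real use.

# 4-bit S-box: a constructed bijection on 0..15 (the substitution step).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# 16-bit bit permutation (the transposition step): output bit i is taken
# from input bit PERM[i].  Constructed so that the four bits of any one
# nibble are spread over four different nibbles.
PERM = [4 * (i % 4) + i // 4 for i in range(16)]
INV_PERM = [PERM.index(v) for v in range(16)]

BLOCK_MASK = 0xFFFF


def substitute(block, sbox):
    """Apply a 4-bit S-box independently to each nibble of a 16-bit block."""
    out = 0
    for i in range(4):
        nibble = (block >> (4 * i)) & 0xF
        out |= sbox[nibble] << (4 * i)
    return out


def permute(block, perm):
    """Move bit perm[i] of the input to bit i of the output."""
    out = 0
    for i in range(16):
        out |= ((block >> perm[i]) & 1) << i
    return out


def encrypt(block, round_keys):
    """Toy SPN: each round is key mix, substitute, permute, followed by a
    final key mix.  round_keys holds one more key than there are rounds."""
    state = block & BLOCK_MASK
    for key in round_keys[:-1]:
        state = permute(substitute(state ^ key, SBOX), PERM)
    return state ^ round_keys[-1]


def decrypt(block, round_keys):
    """Inverse of encrypt: undo the steps in reverse order."""
    state = (block & BLOCK_MASK) ^ round_keys[-1]
    for key in reversed(round_keys[:-1]):
        state = substitute(permute(state, INV_PERM), INV_SBOX) ^ key
    return state


def substitution_only(block, round_keys):
    """Same rounds with the transposition step removed.  Each nibble is then
    processed in isolation, like a classical substitution cipher over a
    16-symbol alphabet: a change can never leave its own nibble."""
    state = block & BLOCK_MASK
    for key in round_keys[:-1]:
        state = substitute(state ^ key, SBOX)
    return state ^ round_keys[-1]


def diff_pattern(cipher, round_keys, block, bit):
    """XOR of the ciphertexts of block and of block with one bit flipped."""
    return cipher(block, round_keys) ^ cipher(block ^ (1 << bit), round_keys)


def bits_changed(cipher, round_keys, block, bit):
    """Number of ciphertext bits that change when one plaintext bit flips."""
    return bin(diff_pattern(cipher, round_keys, block, bit)).count("1")


def nibbles_touched(cipher, round_keys, block, bit):
    """Number of ciphertext nibbles that contain at least one changed bit."""
    d = diff_pattern(cipher, round_keys, block, bit)
    return sum(1 for i in range(4) if (d >> (4 * i)) & 0xF)


if __name__ == "__main__":
    keys = [0x3A94, 0xD2B3, 0xF0E1, 0x1C57, 0x8D6A]  # constructed schedule
    assert decrypt(encrypt(0xBEEF, keys), keys) == 0xBEEF
    # All-zero round keys isolate the effect of the S-box and permutation.
    for rounds in (1, 2, 3, 4):
        zero = [0] * (rounds + 1)
        print(f"rounds={rounds}: SPN touches "
              f"{nibbles_touched(encrypt, zero, 0, 0)} nibbles, "
              f"substitution only touches "
              f"{nibbles_touched(substitution_only, zero, 0, 0)}")
```

Running the script prints, for one to four rounds, how many output nibbles are affected when a single plaintext bit is flipped: with the permutation in place the change reaches several nibbles and therefore several S-boxes in the next round, while the substitution-only variant can never touch more than the one nibble the flipped bit started in, no matter how many rounds or keys are used. Asymmetric algorithms, as the reviewer notes, do not fit this substitution/transposition picture at all.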

#770 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon May 5, 2008 7:37 pm
Subject: REVIEW: "Geekonomics: The Real Cost of Insecure Software", David Rice
secgloss
 
BKGKNMCS.RVW   20080207

"Geekonomics: The Real Cost of Insecure Software", David Rice, 2008,
0-321-47789-8, U$29.99/C$32.99
%A   David Rice david@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   0-321-47789-8 978-0-321-47789-7
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321477898/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321477898/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321477898/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   362 p.
%T   "Geekonomics: The Real Cost of Insecure Software"

In the preface, the author states that the only pre-requisite for
reading the book is a "hint of curiosity."  This is because the work
explores the issue of insecure and unreliable software from a
sociological and economic perspective, rather than giving the topic a
purely technical examination.

Rice's book is readable, informative, and makes important points.  I
enjoyed it.  Normally such an assessment comes at the end of the
review, but I want to state this up front, because the remainder
of the commentary contains a number of critical comments.  For the
most part, though, these apply to components that Rice has not
included, and which would tend to support his contention, rather than
detract from it.

Chapter one repeats a lot of the material in the preface, sometimes in
greater detail.  Rice compares software with cement, in terms of the
infrastructure of modern society, and also introduces the economic
concepts of incentives and utility.  The emphasis, in the analysis of
software flaws, is on intrusions and networking, but the examples
cited concentrate on concerns of reliability, rather than intrusions,
somewhat weakening the overall argument.  The lack of software
standards, and the fact that unregulated markets militate against
quality and safety, are addressed in chapter two.  The text also
specifically explores the problems involved in the ubiquitous practice
of patching software faults.  Rice's reasoning on the matters, while
generally sound and extremely convincing, does have some odd quirks.
For example, he repeats the widely held belief that building secure
software in the first place must necessarily be more expensive, or
companies would be doing it.  (A relevant counter-example in the world
of non-computer technology would be that of refrigerator doors.  For
years fridge door latches were a danger to children when old fridges
were abandoned.  Children playing around the fridges could enter them,
and then become locked inside.  It was only after appliance companies
were forced to change the door locking mechanisms that they turned to
magnetic closures--and found that not only were those mechanisms
safer, but also cheaper and more energy efficient.  Thus, companies
may sometimes need to be forced into practices that may actually be to
their advantage.  Overall, consideration of such additional elements
only serves to strengthen Rice's basic premise that insecure software
is unnecessarily costly.)

In chapter three, Rice notes the extremely low rate of prosecution for
computer crimes, and moves from there to the statement that
professional cybercrime is not just a criminal matter, but that the
issue of software unreliability is of concern for national, and even
international, economic security.  He concentrates, again, on software
vulnerabilities, failing to fully assess investigative weaknesses (and
the economic pressures preventing law enforcement agencies from hiring
and retaining trained forensic staff), the inherent risks of
information warfare (to the attacker as well as the target), and the
difficulty of establishing and validating trust relationships.  He
correctly identifies the problem with paying bounties for
vulnerabilities (which many have forgotten).  Noting the deleterious
effect of allowing visible dilapidation to go unrepaired, he asserts
that the invisible imperfections of software are even more important,
but his argument appears incomplete.

After reiterating the point that speed of innovation and time-to-
market is important to software developers, chapter four appears to
lose focus, finally seeming to make the point that we need some kind
of licensing for software development.  Chapter five's review of tort
law tends to overshadow the more significant message that software
developers enjoy an unparalleled immunity from lawsuits, and thus have
no motivation to produce software of high quality.  Various
characteristics of open source software, and related development
processes, are used to point out, in chapter six, differing economic
forces both for and against software reliability.

Near the beginning of chapter seven Rice admits that he proposes no
ultimate answers to the question of code quality.  He does, however,
list arguments that can be used to start further discussion on the
possible approaches to revise the incentive environment in order to
promote quality software.  The list of potential approaches includes
allowing the "free market" to deal with the problem (in other words,
do nothing), promote litigation, license software engineers, create
standards, or impose some form of vulnerability tax on developers.

Towards the end of chapter seven, the author states that "[t]his book
has argued, no matter how imperfectly, that incentives are key to
changing the story of software."  Despite my minor quibbles, Rice's
case is solid, and his thesis is important.  This work should be
required reading for all involved in matters of technology policy,
from managers and security professionals responsible for application
development, to politicians.  If this publication is successful
enough, the publisher might have an incentive to ask the author to
update his text for a second edition, at which time Rice might tighten
up his arguments and include some of the missing bits.  Then this book
should be required reading for all developers and programming
students.

copyright Robert M. Slade, 2008   BKGKNMCS.RVW   20080207


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                 In terms of paradigms, shift happens.
http://victoria.tc.ca/techrev/rms.htm

#771 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri May 9, 2008 7:31 pm
Subject: REVIEW: "Information Security and Ethics", Marian Quigley
secgloss
 
BKINSCET.RVW   20080207

"Information Security and Ethics", Marian Quigley, 2005,
1-59140-233-6, U$64.95
%E   Marian Quigley
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2005
%G   1-59140-233-6
%I   IRM Press/Idea Group/IGI Global
%O   U$64.95 800-345-432 717-533-8845 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1591402336/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1591402336/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591402336/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   317 p.
%T   "Information Security and Ethics: Social and Organizational
       Issues"

Given the title, one might have hoped for more integration of the
topics of security and ethics.  In fact, the book is strictly divided
into two different sections: one for ethics, and one for security.

Part one purports to be about ethics.  Chapter one describes the Web
in social terms, but has limited relevance for ethics.  The initial
material in chapter two, on the digital divide between those who have
and use Internet access and those who don't, is interesting, but the
paper turns out to be simply a proposal for a study to determine
whether there is a digital divide, and what form it takes.  Chapter
three reports on a study that says the digital divide exists.  The
economic and labour market advantages of making Web pages accessible
to those with disabilities are promoted in chapter four.  Some aspects
of a theoretical background to the ethics of such accessibility are
examined in chapter five (which is the first time we've really had
much to do with ethics at all).  Dropping ethics again, chapter six
briefly notes some problems with Internet voting.  A general
discussion of children and online pornography, detailing Australian
media classifications, makes up chapter seven.  Chapter eight tells us
that young people use mobile (or cellular) phones a lot with their
friends and communities.

Part two turns to security.  Chapter nine suggests that we have
learned something about information security from the Y2K problem and
the 9/11 attacks, but it doesn't really say why or what (aside from
the fact that we need security).  Some vague ideas about cryptography
are in chapter ten.  You can assess your security controls, chapter
eleven tells us, by determining whether they perform the security you
intended them to achieve.  (This, apparently, is known as a
"strategy.")  Chapter twelve tells us that the security literature
says we should have security policies.  We should have security
metrics, says chapter thirteen, and to prove it, cites security
frameworks which don't.  Chapter fourteen promotes digital rights
management.

The book, as a whole, has no theme or thread to it.  In addition, the
individual papers have very little to contribute to the security
literature.  I cannot think of an audience that would benefit from
this work.

copyright Robert M. Slade, 2008   BKINSCET.RVW   20080207


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Just because your voice reaches halfway around the world doesn't
mean you are wiser than when it reached only to the end of the
bar.                                              - Edward R. Murrow
http://victoria.tc.ca/techrev/rms.htm

#772 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri May 23, 2008 10:05 pm
Subject: REVIEW: "Enterprise Information Systems Assurance and System Security", Merrill Warkentin/Rayford Vaughn
secgloss
 
BKEISASS.RVW   20080207

"Enterprise Information Systems Assurance and System Security",
Merrill Warkentin/Rayford Vaughn, 2006, 1-59140-912-8, U$74.95
%E   Merrill Warkentin mwarkentin@...
%E   Rayford Vaughn
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2006
%G   1-59140-912-8
%I   IRM Press/Idea Group/IGI Global
%O   U$74.95 800-345-432 717-533-8845 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1591409128/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1591409128/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591409128/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   406 p.
%T   "Enterprise Information Systems Assurance and System Security"

This book is a collection of papers on various topics in information
security, divided into five subject areas.  There are a number of
similar works, such as the highly regarded Information Security
Management Handbook (cf. BKINSCMH.RVW), and the somewhat lower quality
"Computer Security Handbook" (cf. BKCMSCHB.RVW).

The first section of the work is supposedly devoted to security policy
and management.  Three of the papers are unstructured (and
surprisingly terse) collections of thoughts on various themes related
to security management (and some stories of work experiences retailed
as "case studies"): one examines malware protection and basically
suggests that you have virus scanning on the desktop, server, and
network gateway.  "Security Implications for Business" doesn't sound
like it would be easy to define, other than saying risks are bad, so
the fact that much of the material in the second section is similarly
vague and disorganized is no surprise.  What is startling is that we
get some actual details on documents related to the Sarbanes-Oxley
legislation, a review of Web commerce threats, and the recommendation
to use decentralization as a measure to build business continuity.
Security engineering should be more definitive, so the generic nature
of four of the five papers in section three is more disappointing.
The paper on securing wireless networks isn't great, but it is, at
least, useful.  Part four takes brief looks at intrusion detection
technologies, honeynets, an even worse than usual view of
steganography, some aspects of database security, and digital
forensics.  Of the three papers in the final section, only one
contains a decent overview of the topic of authentication.

Most of the material in this book is vague, generic, undetailed, and
of very questionable value.  In addition to those mentioned above,
Anderson's "Security Engineering" (cf. BKSECENG.RVW), Stallings'
"Computer Security: Principles and Practice" (cf. BKCMSCPP.RVW), and
Stamp's "Information Security: Principles and Practice" (cf.
BKINSCPP.RVW) all provide more complete, detailed, accurate, and
useful coverage of security management and assurance.

copyright Robert M. Slade, 2008   BKEISASS.RVW   20080207


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
[T]here was nothing illegal about [the Psychic Network], provided
that the ads hawking it clearly acknowledge, in the finest of
print, that the entire enterprise is `for entertainment only.'
Such logic is interesting, as it apparently means that I could
label the proprietors of such services as charlatans, bunko
artists and general rat finks without fear of legal action, as
long as I included the disclaimer that my comments were for
entertainment only ...                                - Steve Mirsky
http://victoria.tc.ca/techrev/rms.htm

#773 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon May 26, 2008 11:30 pm
Subject: REVIEW: "Integrating Security and Software Engineering", Haralambos Mouratidis/Paolo Giorgini
secgloss
 
BKISESWE.RVW   20080209

"Integrating Security and Software Engineering", Haralambos
Mouratidis/Paolo Giorgini, 2007, 1-59904-147-2, U$94.95
%E   Haralambos Mouratidis
%E   Paolo Giorgini
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2007
%G   1-59904-147-2
%I   IRM Press/Idea Group/IGI Global
%O   U$94.95 800-345-432 717-533-8845 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1599041472/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1599041472/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1599041472/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   288 p.
%T   "Integrating Security and Software Engineering"

In the preface, the editors state that, with this collection of
papers, they are attempting to provide a work that will narrow the gap
between software developers, who do not know or care much about
security, and security experts, who only deal in theoretical matters.
I'm sure a number of security experts would be surprised to hear that
last point.  Chapter one is a review of a few papers on secure
software engineering.

Section one deals with security engineering requirements.  Chapter two
suggests defining and checking security through formal and abstract
(and therefore theoretical) methods.  A standard breakdown of the
process of determining requirements is called a "method" in chapter
three.  A system for graphically representing social relationships is
used, in chapter four, to diagram a potential security problem.

Section two considers the use of software pattern models for secure
development.  Chapter five presents a generic view of the first few
phases of a standard system development cycle.  More graphical
representation is given in chapter six, but the explanation is even
more limited than in the previous paper, and the relation to security
engineering even more tenuous.

Section three moves on to modelling languages and methodologies for
secure software development.  Chapter seven discusses the extension of
security controls to agile development methods, but seems to recommend
limiting security considerations to a subset of development, which is
almost a blueprint for ensuring that security vulnerabilities will be
created in the resulting applications.  The graphical representation
scheme described in chapter eight is based on (and, in fact, explains
more effectively) the system from chapter four, but seems to be
limited to access control issues in complex database environments.  A
structure for documenting security issues that have been separately
identified is outlined in chapter nine.  (The method may have some
uses in quantitative risk analysis.)  A method for chronicling access
control in object-oriented systems is given in chapter ten.  In the
paper that makes up chapter eleven, the authors properly point out
that new approaches are needed for the extreme complexities of the
modern computing environment (including emergent properties of
interacting systems, which they refer to as "ambient intelligence"),
but they are only proposing that a new mechanism be created, rather
than proposing any solution.  (The text is also ragged and difficult
to read in places, from both problems in grammar and missing words.)
Chapter twelve is a terse and generic review of a few issues in
security.

The papers do present some interesting points for consideration, but
in very limited topics and areas.  The security of software
engineering is not addressed comprehensively.  The two groups of
software developers and security professionals will find little in
this book to assist them in their separate endeavors, let alone
bringing them closer together.

copyright Robert M. Slade, 2008   BKISESWE.RVW   20080209


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
My parents went to Middle Earth and all I got was a lousy ring.
                                                     - Marty Helgesen
http://victoria.tc.ca/techrev/rms.htm

#774 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu May 29, 2008 6:13 pm
Subject: REVIEW: "The Traveler", John Twelve Hawks
secgloss
 
BKTRAVLR.RVW   20080217

"The Traveler", John Twelve Hawks, 2005, 0-385-66135-5, C$32.95
%A   John Twelve Hawks en.wikipedia.org/wiki/John_Twelve_Hawks
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2005
%G   0-385-66135-5
%I   Random House of Canada Limited/Doubleday
%O   C$32.95 416-364-4449 Fax 416-364-6863 randomhouse.ca
%O  http://www.amazon.com/exec/obidos/ASIN/0385661355/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0385661355/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385661355/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   456 p.
%T   "The Traveler"

Since John Twelve Hawks refuses to say who he is, there is a lot of
speculation about that.  To give you some clues to his (or her)
identity, "The Traveler" (as well as "The Dark River," the second book
of what is supposed to be an unfinished trilogy) is what you might get
if Deepak Chopra and Philip Pullman were asked to write a "book based
on the films" conflating both "Enemy of the State" and "Live Free or
Die Hard."  If you can get your head around that, you might enjoy this
story.

The Buddhists (well, *some* Buddhists) tell us that there are six
realms of existence.  The author says that some people (Travelers) can
travel (incorporeally) between the realms if other people, who can't
travel between the realms (Pathfinders), teach them how.  Those who do
travel to the other realms become wise and compassionate people who
also get to be great lie detectors (if they concentrate).  How they
get to be wise and compassionate is not revealed, so the fact that
some of them turn out not to be wise and compassionate, but greedy,
mean, and power-hungry, is only as surprising as the fact that they
sometimes turn out to be wise and compassionate.

A group of people known as the Tabula or the Brethren (depending upon
the group to whom you are talking) have been hunting down and killing
Travelers for millennia, although they didn't really know why until
the philosopher Jeremy Bentham invented the Panopticon, his
theoretical prison where the jailers could see all the prisoners, but
the prisoners wouldn't see the jailers.  At that point, the Tab/Breth
realized that they needed to implement the Panopticon by spying on
everyone, and realized that the Panopticon wouldn't work if some
people were able to leave their bodies and come back with wisdom and
compassion.  (Why wouldn't the Panopticon work when there are
compassionate people in the world?  Sorry, that is left as an exercise
for the reader.)  Somehow the Tab/Breth have always been rich and
powerful, even though the idea of spying on the masses hasn't been a
major idea until recently.

Another set (it's hard to say group, since these guys are the ultimate
paranoiacs, and don't even trust each other) of people, called
Harlequins, have been protecting Travelers, or, at least, trying to
keep them from being killed.  Both Harlequins and Pathfinders seem to
be deeply contemptuous of Travelers, as well as being haughtily
disdainful of love and compassion, so it is hard to understand why
anyone bothers.

The rest of us live within the Vast Machine of unthinking consumerism,
credit cards, and RFID chips embedded in our foreheads and wrists ...
oh, sorry, back of the hand.  (It's hard to keep these newage
syncretistic mythologies straight, sometimes.)  Except for some
isolated groups who live "off the Grid," without credit cards and RFID
equipped passports.  Some of these groups live pastoral "back to the
land" type lives, and others scavenge in the sewers and subways under
major cities.  These groups can be contacted by looking for two secret
graphical symbols in public places, or by posting messages on public
bulletin boards on the Internet.  Somehow the Tab/Breth, despite
almost unlimited budget and manpower, diligent searching on the
Internet (including hacking into Carnivore and using it for their own
searches), and the release of viruses onto the Internet (which, unlike
real computer viruses, actually scamper around from computer to
computer like little mice running down the bitstreams) haven't been
able to figure this out.

The use of technology in the story gives us some more clues about John
Twelve Hawks.  He/she obviously likes the Internet, but doesn't know
anything about basic computer technologies, including viruses.  He
(and the off-the-grids) don't know anything about encryption,
anonymizing technologies, ad hoc authentication, or onion routing.
The Tab/Breth are trying to use quantum computing (although they
really have no idea why), and are using one of the real (though not
the most promising) technologies, but obviously nobody has ever seen
liquid helium.  (One of the interesting characteristics of Helium II
is that it actually has no turbulence at all, so the roiling pea soup
described in the book would not be an issue.)  The quantum computer is
currently just being used to invite someone from another realm to come
and visit.  (At least two of the realms house some very nasty people,
and the Tab/Breth are at least as paranoid as the Harlequins, so it is
difficult to understand this eagerness.  However, since the Tab/Breth
have been killing Travelers as fast as they can find them, maybe they
don't know this ...)

In another few years the third book may come out and explain all of
this.  It'll have a major job to do ...

copyright Robert M. Slade, 2008   BKTRAVLR.RVW   20080217


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
       Timing has a lot to do with the outcome of a rain dance.
http://victoria.tc.ca/techrev/rms.htm

#775 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 2, 2008 7:49 pm
Subject: REVIEW: "Secure Programming with Static Analysis", Brian Chess/Jacob West
secgloss
 
BKSCPWSA.RVW   20080219

"Secure Programming with Static Analysis", Brian Chess/Jacob West,
2007, 978-0-321-42477-8, U$49.99/C$61.99
%A   Brian Chess
%A   Jacob West
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   978-0-321-42477-8 0-321-42477-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321424778/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321424778/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321424778/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   587 p. + CD-ROM
%T   "Secure Programming with Static Analysis"

Part one is an introduction to software security and static analysis.
The authors define static analysis as any means of assessing the
programming or code without executing the program.  Chapter one states
that defensive programming (coding in such a way as to deal
unexpected submissions) will protect against errors, but possibly not
against a deliberate adversary, and that adding security features to
an application will not necessarily make for a secure program.  There
is a general outline of various types of software problems, and the
advantages of using static analysis early in the development process.
Chapter two describes the different types of static analysis and their
uses.  How to use static analysis as part of overall code review is
covered in chapter three.  Chapter four details the internal
structures and functions of static analysis.

Part two examines software problems that have been all too common in
our application environment.  Chapter five looks at the right and
wrong ways to handle input.  The ubiquitous buffer overflow gets two
chapters: six discusses string issues, while seven deals with integer
(particularly counter and pointer) situations.  Error and exception
handling is detailed in chapter eight.

Special application environments and requirements make up part three.
The Web is handled, in a generic manner, in chapter nine.  Chapter ten
specializes in XML (eXtensible Markup Language) and Web services.
Privacy, personally identifiable information, and pseudorandom number
generation all get put into chapter eleven.  The special issues of
privileged programs and processes are noted in chapter twelve.

Part four demonstrates static analysis in practice.  This is a set of
instructions for using the Fortify Code Analyzer and Audit Workbench
programs, which are provided on the CD.  Chapter thirteen is for Java,
and fourteen for the C language.  (Since the rest of the book has been
detailed, helpful, and quite free of taint of bias, this final sales
pitch seems acceptable.)

Code review and analysis gets mentioned in other works on secure
programming, but this guide goes into technicalities that can be of
considerable use to the developer.  Chess and West have also made a
very solid case that static analysis is a more effective way to find
highly significant faults, and correct them earlier in the process.  I
commend this both to developers, and to those in security who need to
better manage a secure development process.

copyright Robert M. Slade, 2008   BKSCPWSA.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
By analogy, stealing cars and joyriding does not provide one with
an education in mechanical Engineering, nor does pouring sugar in
the gas tank. - Gene Spafford, on using crackers as security experts
http://victoria.tc.ca/techrev/rms.htm
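
The review above summarizes the book's definition of static analysis as assessing code without executing it. As an added illustration of that idea (this is example code, not from the book, the reviewer, or the Fortify tools that ship on the book's CD), the following minimal analyzer walks the abstract syntax tree of a constructed Python sample and reports calls to a small, assumed rule set of dangerous sinks. The sample source, the rule names and the severity logic are all constructed for this example. It goes slightly beyond the summary by showing two things a practitioner meets immediately with any such tool: a call whose arguments are all string literals is treated as low risk to keep the false-positive rate down, and the list form of subprocess.run is deliberately not flagged because no shell interprets it.

```python
"""Minimal static analyzer: flags risky calls in Python source without running it.

Added example; the rule set below is an assumption chosen for illustration
and is not the rule set of any real tool.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    line: int      # source line of the flagged call
    rule: str      # dotted name of the sink that matched
    detail: str    # human-readable explanation


# Constructed rule set: dotted call names treated as sinks when fed non-literal data.
SINKS = {
    "eval": "code injection: dynamic evaluation of a string",
    "exec": "code injection: dynamic execution of a string",
    "os.system": "command injection: shell command assembled from a string",
    "pickle.loads": "deserialization: pickle data from an untrusted source",
}

# subprocess entry points that become shell sinks only when shell=True is passed.
SUBPROCESS_CALLS = ("subprocess.run", "subprocess.Popen", "subprocess.call")


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'a.b.c' for a call on a dotted name, or None for anything else."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call carries a literal shell=True keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def _is_literal_string(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class SinkVisitor(ast.NodeVisitor):
    """Collects a Finding for every sink call whose arguments are not all literals."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in SINKS:
            # Literal-only arguments cannot carry attacker data; skip them to
            # keep the report focused, the way tools assign confidence levels.
            literal_only = bool(node.args) and all(_is_literal_string(a) for a in node.args)
            if not literal_only:
                self.findings.append(Finding(node.lineno, name, SINKS[name]))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            self.findings.append(Finding(node.lineno, name,
                                         "command injection: shell=True hands the command to a shell"))
        self.generic_visit(node)


def analyze(source: str) -> List[Finding]:
    """Parse source text and return findings ordered by line number."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample program under review; the line numbers in the comments
# are the lines the analyzer reports.
SAMPLE = '''\
import os, subprocess, pickle

def run_report(user_input, blob):
    os.system("ls " + user_input)                    # line 4: flagged
    subprocess.run(["ls", user_input])               # line 5: list form, not flagged
    subprocess.run("ls " + user_input, shell=True)   # line 6: flagged
    eval("1 + 1")                                    # line 7: literal only, not flagged
    return pickle.loads(blob)                        # line 8: flagged
'''


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"line {finding.line}: {finding.rule}: {finding.detail}")
```

Running the block prints three findings, for lines 4, 6 and 8 of the sample. The point the book's first part makes, and this toy reproduces, is that the analysis never executes run_report; it reasons only about the shape of the code, which is why it can be applied long before there is a test harness or a deployable build.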

#776 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 5, 2008 7:03 pm
Subject: REVIEW: "Play Money", Julian Dibbell
secgloss
BKPLYMNY.RVW   20080219

"Play Money", Julian Dibbell, 2006, 0-465-01535-2, U$24.00/C$32.50
%A   Julian Dibbell Julian@...
%C   10 East 53rd Street, New York, NY  10022-5299
%D   2006
%G   978-0-465-01535-1 0-465-01535-2
%I   HarperCollins/Basic Books
%O   U$24.00/C$32.50 212-207-7000 800-242-7737 fax: 212-207-7433
%O  http://www.amazon.com/exec/obidos/ASIN/0465015352/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0465015352/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465015352/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   321 p.
%T   "Play Money"

I am sitting in an aircraft, writing this review.  In reviewing
Dibbell's book, I am working.  Maybe.  It is, for example, extremely
unlikely that I will be paid anything for reviewing this book, so I
can't say that this is professional reviewing by the definition that
it is something for which I'm going to be remunerated.  (On the other
hand, I'm on the aircraft because I am going to meetings.  I will not
be paid anything for attending the meetings, although they have a
relation to work for which I may be paid.  So, is this trip work?)

Another definition of work is that it is something that no one wants
to do.  I'm enjoying parts of Dibbell's book.  (I'm enjoying it more
than the movie the airline is currently showing, and certainly more
than the book I reviewed while waiting for the flight.)  I suspect
that a great many of the people who buy and read Dibbell's text will
be reading it for pleasure.  So, is my reviewing of the book "work,"
or not?

This is the type of question that Dibbell raises, fairly often, in his
publication.  He raises a large number of questions.  What is the
point, or the psychology, of games?  Why do people play, and what
makes some play have value, enough value that people will pay "real"
money for virtual gaming items?  (And what makes money more real than
virtual towers?)  Is the world's economy turning into a game, when
game-like speculation on the "value" of shares in a company may be
"worth" more than the goods or services produced?  Some of the
questions are never answered.  Others, such as the issue of companies
that hire workers to play games in order to sell the characters and
items "built" by playing, are answered oddly and belatedly.

As a matter of fact, there are very few answers to any of the
questions that are asked.  Sometimes there is a bit of an overview of
some opinions on the concerns.  Along the way, we get to see the
operations of gaming, and trading of game items, through Julian's
eyes, and from some other perspectives as well.  How interesting this
material is will probably vary according to the reader's own
preoccupation with gaming: personally I found these sections less than
compelling.  We are also given some descriptions of online fraud of
different types.  (Since certain gamers would say that real money
trading [RMT] of game goods is fraud in itself, and others would say
that theft of game items is part of the game, defining fraud might
start to become problematic ...)   The questions become less and less
a part of the book, and Julian Dibbell becomes more and more of the
subject, first through an early interest, then hope, then mixed
setbacks and successes (with increasing levels of anxiety) to final
tragedies which Dibbell, oddly, seems to see as almost incidental to
the gaming and trading activities.

The questions are interesting.  The book is generally readable, with
the earlier parts being better than the later.  The work says
something about economics and psychology.  It touches tenuously on the
types of crime that are using online gaming as sources of revenue and
money laundering.  The material doesn't do much to illuminate either
the technology or the lure of online gaming.

copyright Robert M. Slade, 2008   BKPLYMNY.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                                  BEWARE OF GOD
http://victoria.tc.ca/techrev/rms.htm

#777 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Jun 10, 2008 1:38 am
Subject: REVIEW: "Operational Risk", Anna S. Chernobai/Svetlozar T. Rachev/Frank J. Fabozzi
secgloss
BKOPLRSK.RVW   20080219

"Operational Risk", Anna S. Chernobai/Svetlozar T. Rachev/Frank J.
Fabozzi, 2007, 0-471-78051-0, U$95.00/C$113.99/UK#65.00
%A   Anna S. Chernobai
%A   Svetlozar T. Rachev
%A   Frank J. Fabozzi
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   978-0-471-78051-9 0-471-78051-0
%I   John Wiley & Sons, Inc.
%O   U$95.00/C$113.99/UK#65.00 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471780510/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471780510/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471780510/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   300 p.
%T   "Operational Risk"

The preface notes that operational risk has not been handled well by
the banking industry, but also seems to indicate that the book intends
to pursue the subject from the perspective of insurance and
statistics.

Chapter one lays out examples of how changes in modern business,
society, and banking have led to much higher losses than were seen
previously.  Various ways of defining and categorizing operational
risk are presented in chapter two.  The provisions of the Basel II
accord (mostly for determining the floor capitalization necessary to
face operational risks) are discussed in chapter three.  Chapter four
points out what we, in information security, already know: without a
solid base of historical data, and in an ever changing environment, it
is difficult to do good quantitative risk analysis.  However, that
does not stop the authors from presenting, in chapters five through
nine, a number of mathematical and statistical models that might help
if we did actually have good data.  How well these might work is
briefly considered in chapter ten's examination of "goodness of fit."
Chapter eleven provides more mathematics to assess what we might call
single loss expectancy.  Some additional considerations that may alter
pure statistical analysis are noted in chapter twelve.  Aggregating
factors which may increase required capital reserves are discussed in
chapter thirteen.

Most of this book is a treatise on statistical models.  There is
little in it to add to the management of risk itself.

copyright Robert M. Slade, 2008   BKOPLRSK.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Little did he know. That means there's something he doesn't know,
which means there's something you don't know, did you know that?
- `Stranger Than Fiction' http://www.imdb.com/title/tt0420223/quotes
http://victoria.tc.ca/techrev/rms.htm

#778 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 12, 2008 6:52 pm
Subject: REVIEW: "How to Cheat at Managing Information Security", Mark Osborne
secgloss
BKHTCMIS.RVW   20080219

"How to Cheat at Managing Information Security", Mark Osborne, 2006,
1-59749-110-1, U$39.95/C$51.95
%A   Mark Osborne www.interoute.com
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-110-1
%I   Syngress Media, Inc.
%O   U$39.95/C$51.95 781-681-5151 www.syngress.com amy@...
%O  http://www.amazon.com/exec/obidos/ASIN/1597491101/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491101/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491101/robsladesin03-20
%O   Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   315 p.
%T   "How to Cheat at Managing Information Security"

The introduction states that this book is intended to cover the basic
concepts of information security, and fundamental information about
the tools involved.

Chapter one discusses where the security function should be placed in
organizational structures.  What a policy is, and isn't, as well as
what it does and does not do, is reviewed in chapter two.  Some basic
terms and concepts are described in chapter three, although the level
of the material varies quite a bit.  Chapter four looks at some UK and
US laws related to information security.  Terse (but, within limits,
realistic) comments on some of the major and popular security
frameworks are provided in chapter five.

Chapter six is a set of anecdotes from some really bad job interviews.
Osborne uses a lot of anecdotes, at least one at the beginning of
every chapter.  The stories are amusing, but really don't serve to
support or cement any of the security points under discussion.

Chapter seven outlines some security aspects of network topology.  The
advice is decent, but there are too many diagrams that are poorly
explained.  Firewall concepts are presented in chapter eight, but
largely from a vendor perspective.  Chapter nine takes a much more
realistic look at intrusion detection systems than is usually the
case, noting that the devices are not a panacea for security overall
and require a number of factors that are seldom noted in the general
literature.  More details of implementing the technology are given in
chapter ten.  Chapter eleven, I am delighted to see, addresses the
difficulty in defining the term "intrusion prevention system," and
then goes on to list the variety of technologies that may exist under
that banner.  The practicalities and problems of penetration testing
are examined in chapter twelve.  Some application security issues are
briefly described in chapter thirteen.

While not a complete guide to information security, this book does
provide a solid starting point, and useful tips that are often missed
in a number of the works that have been thrown on the security
bandwagon.  I would not have a problem in recommending it to those who
are in the initial stages of securing their own networks, as long as
they have a basic knowledge of system administration.

copyright Robert M. Slade, 2008   BKHTCMIS.RVW   20080219


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
It can be shown that for any nutty theory, beyond-the-fringe
political view or strange religion there exists a proponent on
the Net. The proof is left as an exercise for your kill-file.
                                                      - Bertil Jonell
http://victoria.tc.ca/techrev/rms.htm

#779 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 16, 2008 7:08 pm
Subject: REVIEW: "Get Ready for CISSP Exam", Rafeeq Ur Rehman
secgloss
BKGRFCEB.RVW   20080303

"Get Ready for CISSP Exam", Rafeeq Ur Rehman, 2007
%A   Rafeeq Ur Rehman rafeeq.rehman@...
%D   2007
%I   Conformix Technologies Inc.
%O   free from http://www.conformix.com/books/cissp/
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   95 p. (pdf)
%T   "Get Ready for CISSP Exam"

Not really a book, this is more of a checklist of security topics.
The English used in the text is not the best, and there is very little
in the way of explanation.  The work is also incomplete, providing
almost no information on BCP, OpSec, and Law/Investigation.  However,
for those without any other resources, if you can understand the
points covered, and find the flaws in this material, you have a good
chance of passing the CISSP exam.  (NB: the author sells consulting
and training.  If the quality of the book is an indication, the
quality of the training may be questionable.)

copyright Robert M. Slade, 2008   BKGRFCEB.RVW   20080303


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Do the ones who make this madness have no babies to hold?
                                   - Connie Kaldor, `Mother's Prayer'
http://victoria.tc.ca/techrev/rms.htm

#780 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 19, 2008 4:23 pm
Subject: REVIEW: "Mac OS X Leopard Pocket Guide", Chuck Toporek
secgloss
BKMCOSXL.RVW   20080418

"Mac OS X Leopard Pocket Guide", Chuck Toporek, 2008, 0-596-52981-3,
U$14.99/C$17.99
%A   Chuck Toporek
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   0-596-52981-3 978-0-596-52981-9
%I   O'Reilly & Associates, Inc.
%O   U$14.99/C$17.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596529813/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596529813/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596529813/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   211 p.
%T   "Mac OS X Leopard Pocket Guide"

Chapter one looks at what is new in the Leopard version of the Mac's
OS X operating system.  The wording is rather odd in places, and,
unless you are well familiar with previous versions, it may be
difficult to know whether the feature under discussion is completely
new, or a modification to an existing application.  Fundamental
operating concepts and terms are presented in chapter two, and these
include some items that may be new to Mac users, some that may be
important for understanding the overall system, and still others that
are simply pieces of trivial fluff.  Similarly, chapter three's review
of basic operations has no overt indication of novel functions, and
mixes vital and insignificant details without clear notice.  Figures
are sometimes separated from explanations by a few pages.  Some
interpretations rely on advanced knowledge of the system, while others
have no tutorials at all.  (Why can't the Spotlight index files that
haven't been created with graphical tools?)  Under Microsoft Windows
"System" is one of the tools in the Control Panel: chapter four lists
the various Mac control panels (setup options) that are amalgamated
into the System Preferences.  Chapter five catalogues a number of
applications and utilities that have been covered in previous chapters
(without adding any new information).  Troubleshooting setup choices
is dealt with in a "Frequently Asked Questions" style, in chapter six.
Chapter seven is a list of special characters that can be generated
using keyboard combinations.  (Why they are vital to computer
operations is not mentioned.)

For those new to the Mac, or to Leopard, this guide can get you
started quickly, but the intermediate reader will outgrow it almost as
fast.

copyright Robert M. Slade, 2008   BKMCOSXL.RVW   20080418


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The only thing necessary for the triumph of evil is for good men
    to do nothing.             - Edmund Burke
http://victoria.tc.ca/techrev/rms.htm

#781 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 23, 2008 8:19 pm
Subject: REVIEW: "Challenges to Digital Forensic Evidence", Fred Cohen
secgloss
BKCHTDFE.RVW   20080318

"Challenges to Digital Forensic Evidence", Fred Cohen, 2008,
1-878109-41-3, U$39.00
%A   Fred Cohen
%C   572 Leona Dr, Livermore, CA   94550
%D   2008
%G   1-878109-41-3
%I   Fred Cohen and Associates
%O   U$39.00 925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109413/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878109413/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109413/robsladesin03-20
%O   Audience s+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   122 p.
%T   "Challenges to Digital Forensic Evidence"

Fred Cohen knows his stuff when it comes to digital forensics, despite
the fun he has with legalities in the frontmatter of this book.  Cohen
states, in chapter one, he wrote the book because of the mistakes he
had seen people make when bringing technical materials into a legal
setting.  The work is a solid background for a forensic examiner, and
covers a number of areas that are missed in most of the current
literature on this topic.  Forensics is more than simply getting bits
out of a given operating filesystem.

Chapter two concentrates on the errors or problems that arise in the
process of collecting evidence.  Many computer forensics books list
the sections that should be included in a written report, but this
author provides, in chapter three, practical advice on both wording
and approaches, including such aspects as the reporting of errors in
previously submitted reports.  Chapter four demonstrates difficult
situations, some covered in prior chapters and some new, based on
actual cases.

Chapter five reiterates and emphasizes a point that Cohen raises
frequently throughout the book: as an expert, you are working within,
and subject to, an adversarial system and all its attendant
limitations, but your primary responsibility is to the truth.  Being
honest in your work and statements is the basis for all of your
testimony.  As chapter six points out, it is also the best way to
avoid being challenged.

There are many books that talk about forensic tools: this isn't one of
them.  There are a number of works that address specifics of file
systems and storage devices: this isn't one of them.  A few texts even
address some aspects of the investigative process and management:
Cohen addresses some of those issues.  However, I have not seen any
other guides that will tell you, clearly and plainly, how to avoid the
most common failings of technical experts trying to provide evidence
in a decidedly non-technical legal system.

copyright Robert M. Slade, 2008   BKCHTDFE.RVW   20080318


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
`What was it you really put in the sugar?'
`Cascara,' said Malicia.
Keith sighed.  `How much did you give them?'
`Lots.  But they should be all right if they don't take too much
of the antidote.'
`What did you give them for the antidote?'
`Cascara.'
`Malicia, you are not a nice person.'
    - `The Amazing Maurice and His Educated Rodents,' Terry Pratchett
http://victoria.tc.ca/techrev/rms.htm

#782 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 26, 2008 7:11 pm
Subject: REVIEW: "Multimedia Security", Chun-Shien Lu
secgloss
BKMLTMSC.RVW   20080418

"Multimedia Security", Chun-Shien Lu, 2005, 1-59140-275-1
%E   Chun-Shien Lu lcs@... www.iis.sinica.edu.tw/~lcs
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2005
%G   1-59140-275-1
%I   IRM Press/Idea Group/IGI Global
%O   800-345-432 717-533-8845 fax: 717-533-8661 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1591402751/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1591402751/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591402751/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   255 p.
%T   "Multimedia Security"

The title could cover a lot of ground.  The introduction doesn't make
it clear what the authors intend.

Chapter one looks at digital watermarking algorithms and theories.  A
mathematical examination of data hiding below the threshold of human
vision is in chapter two.  The material is disorganized, disjointed,
and poorly written, with many errors such as failures to define
acronyms before use.  Auditory watermarking is explored in chapter
three, in terms of concepts and measurement.  This is a good overview,
with more restrained use of mathematics.  Chapter four extends this
material into digital representations of audio content.

Chapter five notes desirable factors in regard to digital watermarking
for video, particularly in relation to promotional copies of movies.
Image integrity, authentication, and partial recovery from
manipulation are examined in chapter six.  Chapter seven looks at a
similar application, but from the perspective of digital signatures.
Document images, and the embedding of data therein, is the topic of
chapter eight.

It is interesting to note the factors that are being considered in
this field.  However, in this book the explanations are generally
poor, and shift to math for any actual technologies.  There is some
academic interest in the text, but little direct or practical
application of the material to real systems.

copyright Robert M. Slade, 2008   BKMLTMSC.RVW   20080418


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
         Is reading in the bathroom considered multi-tasking?
http://victoria.tc.ca/techrev/rms.htm

#783 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jun 30, 2008 6:08 pm
Subject: REVIEW: "Facebook: The Missing Manual", E. A. Vander Veer
secgloss
BKFCBKMM.RVW   20080415

"Facebook: The Missing Manual", E. A. Vander Veer, 2008,
0-596-51769-6, U$19.99/C$19.99
%A   E. A. Vander Veer emilyamoore@... eamoore68@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   0-596-51769-6 978-0-596-51769-4
%I   O'Reilly & Associates, Inc.
%O   U$19.99/C$19.99 (finally!) 800-998-9938 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596517696/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596517696/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596517696/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   268 p.
%S   Missing Manual
%T   "Facebook: The Missing Manual"

Rather than an overview of Facebook, the introduction of the book
mentions that Facebook is very popular, and lists a few of the
activities that might go on if you have an account.  There is so
little information that the material is less appetite-whetting than
frustrating.

Part one covers aspects of initiating an account on Facebook and some
basic operations.  Chapter one's review of getting an account started
has an over-emphasis of the ease of the process, which is immediately
contradicted by details of the procedure itself.  This internal
discrepancy does not give the reader confidence in other assertions
the author makes about factors such as privacy, particularly in view
of the many exploits that have made the news recently.  There are tips
noting that you should protect the confidentiality of your
information, but most of these notices are forward references to
(much) later chapters in the book.  The major reason for using
Facebook, and the utility recommended for the system, is to join a
"network," which is kind of like a "group."  (There is a barely
mentioned distinction between "networks" and "groups," which is not
explained at this, or any other, point.)  According to the
instructions given in chapter two, joining is surprisingly difficult
unless you have managed to hold on to old email addresses dating back
to your college days, as well as those from all of your past
employers.  The instructions on finding "friends," given in chapter
three, contain screenshots, but very little else that would enhance
what you can see on the Facebook Website.  Chapter four lists various
forms of personal communications between Facebook members.  More
broadly-based communications, such as newsfeeds and blogs, are in
chapter five.

Part two looks at the functions of groups, still without making an
explicit distinction from networks.  Chapter six goes through the
basics of joining or creating a group: again, it doesn't give you much
more than the screenshots.  Arranging events and meetings (face to
face) is described in chapter seven.  Online shopping and classified
ad posting is in chapter eight.

Part three turns to more business oriented activities.  Aspects of job
search and recruiting are in chapter nine.  Chapter ten is supposed to
talk about using Facebook for collaborative work, but most of the
content is about how to put photographs into your Facebook account.
Different types of ads you can buy on Facebook are listed in chapter
eleven.

Part four is a grab-bag of leftover topics like security.  Chapter
twelve notes that there are applications that work within Facebook,
but doesn't provide an awful lot of information about them.  (A
paragraph at the end of the chapter does mention that applications can
access *all* the information you have provided to Facebook.)  In terms
of protecting your privacy, chapter thirteen does not equip the reader
with significant information about the implications of the various
settings available on Facebook.  Chapter fifteen remarks on using
Facebook via your cellular or mobile phone.

Part five is an appendix with limited resources and references.

At one point in the book, the author notes the difficulty of creating
a book to assist people with using a Website that is developing and
changing extremely rapidly.  She doesn't do herself any favours by
concentrating on the screenshot style of presentation.  By the time I
received the book, enormous numbers of the pages referenced had
changed.  In some cases it was possible to puzzle out an alternate
means of getting to the desired function.  In many cases it was not
possible to figure out whether the function had moved to a different
location, or had simply disappeared.  Many readers will be frustrated
and disappointed by the fact that the book fails to provide the
promised assistance.

copyright Robert M. Slade, 2008   BKFCBKMM.RVW   20080415


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
        Madness takes its toll.  Please have exact change ready.
http://victoria.tc.ca/techrev/rms.htm

#784 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 3, 2008 7:06 pm
Subject: REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker
secgloss
BKDCRMNF.RVW   20080317

"The dotCrime Manifesto", Phillip Hallam-Baker, 2008, 0-321-50358-9,
U$29.99/C$32.99
%A   Phillip Hallam-Baker dotcrimemanifesto.com hallam@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-50358-9 0-321-50358-9
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O  http://www.amazon.com/exec/obidos/ASIN/0321503589/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321503589/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321503589/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   415 p.
%T   "The dotCrime Manifesto: How to Stop Internet Crime"

In the preface, the author notes that network and computer crime is a
matter of people, not of technology.  However, he also notes that
changes to the network infrastructure, as well as improvements in
accountability, would assist in reducing user risk on the net.

Section one enlarges on the theme that people are more important than
machines or protocols.  Chapter one looks at the motive for Internet
crime (money, just like non-computer crime), and repeats the motifs of
the preface.  The text goes on to list various categories and examples
of network fraud.  The content of chapter two is very interesting, but
it is hard to find a central thread.  Overall it appears to be saying
that computer criminals are not the masterminds implied by media
portrayals, but that the problem of malfeasance is growing and needs
to be seriously addressed.  What Hallam-Baker seems to mean by
"Learning from Mistakes," in chapter three, is that security
professionals often rely too much on general principles, rather than
accepting a functional, if imperfect, solution that reduces the
severity of the problem.  Chapter four presents the standard (if
you'll pardon the expression) discussion of change and the acceptance
of new technologies.  A process for driving change designed to improve
the Internet infrastructure is proposed in chapter five.

Section two examines ways to address some of the major network crime
risks.  Chapter six notes the problems with many common means of
handling spam.  SenderID and SPF are promoted in chapter seven (without
expanding the acronym to Sender Policy Framework anywhere in the book
that I could find).  Phishing, and protection against it, is discussed
in chapter eight.  Chapter nine is supposed to deal with botnets, but
concentrates on trojans and firewalls (although I was glad to see a
mention of "reverse firewalls," or egress scanning, which is too often
neglected).

Section three details the security tools of cryptography and trust.
Chapter ten outlines some history and concepts of cryptography.
Trust, in chapter eleven, is confined to the need for aspects of
public key infrastructure (PKI).

Section four presents thoughts on accountability.  Secure transport,
in chapter twelve, starts with thoughts on SSL (Secure Sockets Layer),
and then moves to more characteristics of certificates and the
Extended Verification certificates.  (The promotion of Verisign,
infrequent and somewhat amusing in the earlier chapters, is, by this
point in the book, becoming increasingly annoying.  The author is also
starting to make more subjective assertions, such as boosting the
trusted computing platform initiative.)  Domain Keys Identified Mail
(DKIM) is the major technology promoted in support of secure
messaging, in chapter thirteen.  Chapter fourteen, about secure
identity, has an analysis of a variety of technologies.  (The
recommendations about technologies are supported even less than
before, and the work now starts to sound rather doctrinaire.)  It may
seem rather odd to talk about secure names as opposed to identities,
but Hallam-Baker is dealing with identifiers such as email addresses
and domain names in chapter fifteen.  Chapter sixteen looks at various
considerations in regard to securing networks, mostly in terms of
authentication.  Random thoughts on operating system, hardware, or
application security make up chapter seventeen.  The author stresses,
in chapter eighteen, that the law, used in conjunction with security
technologies, can help in reducing overall threat levels.  Chapter
nineteen finishes off the text with a proposed outline of action that
recaps the major points.

Hallam-Baker uses a dry wit well, and to good effect in the book.  The
humour supports and reinforces the points being made.  So does his
extensive and generally reliable knowledge of computer technology and
history.  In certain areas the author is either less knowledgeable or
careless in his wording, and, unfortunately, the effect is to lessen
the reader's confidence in his conclusions.  This is a pity, since
Hallam-Baker is championing a number of positions that would promote
much greater safety and security on the Internet.  Overall this work
is, for the non-specialist, a much-better-than-average introduction to
the issue of Internet crime and protection, and is also worth serious
consideration by security professionals for the thought-provoking
challenges to standard approaches to the problems examined.

copyright Robert M. Slade, 2008   BKDCRMNF.RVW   2008031


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Do not go where the path may lead, go instead where there is no
path and leave a trail.                        - Ralph Waldo Emerson
http://victoria.tc.ca/techrev/rms.htm

#785 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 7, 2008 4:36 pm
Subject: REVIEW: "PCI Compliance", Tony Bradley et al
secgloss
BKPCICPL.RVW   20080306

"PCI Compliance", Tony Bradley et al, 2007, 978-1-59749-165-5, U$59.95
%A   Tony Bradley
%A   James D. Burton
%A   Anton Chuvakin www.chuvakin.org
%A   Anatoly Elberg
%A   Brian Freedman
%A   David King
%A   Scott Paladino www.eds.com
%A   Paul Schooping
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   978-1-59749-165-5 1-59749-165-9
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491659/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491659/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491659/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   329 p.
%T   "PCI Compliance"

The Payment Card Industry Data Security Standards (PCI DSS, generally
referred to simply as PCI) document is currently the security
framework that is of greatest concern to those in the retail sector.

Chapter one very tersely introduces PCI and states that the book is
written at a strategic level appropriate for senior managers.  This
assertion of an executive audience is somewhat at odds with the
declaration, in chapter two, that the book is intended for small and
medium sized businesses.  (The chapter otherwise notes a few instances
of credit card fraud.)  The PCI elements of (and terms for) merchant
levels, assessors, and the six control objectives (and twelve
requirements) are given a quick overview in chapter three.

Chapter four presents general concepts related to firewalls and
intrusion detection systems, but does not completely fulfill the
titular promise of suggesting how to build and maintain a secure
network.  (Some additional topics are mentioned, such as a brief
reference of computer virus scanning.)  Most of chapter five, relating
to protection of cardholder data, concentrates on encryption.
However, there is a repeat of some of the network material from the
previous chapter, as well as a rather confused mention of information
classification.  Chapter six deals with log data, both from the
perspective of requirement 10 (which mandates monitoring) and in
relation to some of the other requirements as well.  The fourth
control objective, comprising requirements seven, eight, and nine,
addresses access control.  Chapter seven provides a good, general
overview of the topic, with the material being padded out by fourteen
pages of Windows screenshots.  Vulnerability management, in chapter
eight, mentions requirements five (antivirus), six (secure application
development), and eleven (testing), but in a confused and confusing
manner.  Since monitoring is covered in chapter six, and testing in
chapter eight, it is difficult to see what purpose chapter nine serves
in terms of recovery, monitoring and testing.  A mostly generic look
at project management makes up chapter ten.  Similarly vague and banal
is the material on roles and responsibilities, in chapter eleven, and
advice on how to react to the findings from a security audit, in
chapter twelve.  Chapter thirteen suggests that, once you are
compliant with the PCI standard, you have a periodic self-assessment.
(There is also a terse list of areas to check.)

The book could have been considerably shorter, and perhaps more
helpful, had it concentrated more on the PCI standard and specific
details.  However, given the current interest in PCI, it does provide
a useful introduction, with a large amount of extraneous padding.

copyright Robert M. Slade, 2008   BKPCICPL.RVW   20080306


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Mass transportation is doomed to failure in North America because
a person's car is the only place where he can be alone and think.
                                                   - Marshall McLuhan
victoria.tc.ca/techrev/rms.htm      en.wikipedia.org/wiki/Robert_Slade

#786 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 10, 2008 10:39 pm
Subject: REVIEW: "Wikipedia: The Missing Manual", John Broughton
secgloss
BKWKPDMM.RVW   20080306

"Wikipedia: The Missing Manual", John Broughton, 2008,
978-0-596-51516-4, U$29.99/C$29.99
%A   John Broughton
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   0-596-51516-2 978-0-596-51516-4
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$29.99 800-998-9938 707-829-0515 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596515162/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596515162/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596515162/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   477 p.
%S   The Missing Manual
%T   "Wikipedia: The Missing Manual"

Wikipedia is the online encyclopedia that is user-built and user-edited.
There has been much controversy over the concept that a reference
created by volunteers, and one where the material may be modified by a
random reader, could possibly have any significant value.  What would
drive anyone with anything worthwhile to say, to say it in this forum?
Participants could create articles with any kind of garbage in them.
Worthwhile articles could be altered or deleted.  However, with some
technical tools, and a semi-formal hierarchy of editors and
administrators, Wikipedia has become a major resource for millions.

The introduction states that the intended purpose of the book is to
provide a guide to the core functions and rules of Wikipedia, and a
structure for learning editing and related operations.  As well, some
of the material in the work may be of use to experienced editors,
simply because of the wealth of functionality in the system.  (The
text deals only with the English version of Wikipedia, but most of the
content should be relevant to other versions using the same software
and policies.)

Part one starts with the basics of editing, creating, and maintaining
articles.  Chapter one has extensive information on editing, although
a number of the figures have possibly been trimmed too much: they do
not always show relevant links and results of coding.  Wikipedia
articles must be documented, notes chapter two, and lists various
examples of citation.  While chapter three recommends creating an
account and personal page, the operations described in the text are
not always clear.  What not to do when creating a new page is in
chapter four.  Page histories, and the options for reversion, are
outlined in chapter five, and chapter six reviews options for
monitoring changes.  The issues of vandalism and spam (articles that
are contrary to the intent of Wikipedia) are addressed in chapter
seven.

Part two moves to collaboration with other editors.  Communicating
with editors, discussed in chapter eight, concentrates on the various
"talk" pages.  Wikiprojects and other group efforts are examined in
chapter nine.  The deliberation on content disputes, reviewed in
chapter ten, is part policy, and part psychology.  Chapter eleven's
material on personal attacks is similar.  Chapter twelve notes ways of
helping other editors learn and develop.

Part three turns to formatting of articles.  Sections, tables of
contents, and overall issues of structure are discussed in chapter
thirteen, lists and tables in fourteen, and images in fifteen.

Part four looks at factors involved in improving the encyclopedia.
Getting readers to the right article, using proper naming, redirect
pages, and disambiguation, is covered in chapter sixteen.  Chapter
seventeen notes categories of articles.  Much of the prior content is
repeated in chapter eighteen, which appears to be a review of basic
article creation and editing, but primarily in terms of policies.  The
process for deleting articles is described in chapter nineteen.

Personal customizing of Wikipedia makes up part five.  Chapter twenty
outlines the preferences for your account, while twenty-one notes how
to set up the possible JavaScript utilities available.

A good many people think they know about Wikipedia, but fail to fully
understand some of the necessary functions or policies that make it
work.  Indeed, many who would have much to contribute to the project
may have been discouraged by failed attempts because of simple
mistakes.  For anyone who is interested in becoming part of the noble
experiment, this book is an excellent introduction.

copyright Robert M. Slade, 2008   BKWKPDMM.RVW   20080306


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Imagination is the only weapon in the war against reality.
                                                   - Jules de Gautier
victoria.tc.ca/techrev/rms.htm      en.wikipedia.org/wiki/Robert_Slade

#787 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 14, 2008 7:24 pm
Subject: REVIEW: "XSS Attacks", Jeremiah Grossman et al
secgloss
BKXSSATK.RVW   20080308

"XSS Attacks", Jeremiah Grossman et al, 2007, 978-1-59749-154-9,
U$59.95
%A   Jeremiah Grossman
%A   Robert Hansen RSnake ha.ckers.org
%A   Petko D. Petkov gnucitizen.org
%A   Anton Rager
%A   Seth Fogie
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   978-1-59749-154-9 1-59749-154-3
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491543/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491543/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491543/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   448 p.
%T   "XSS Attacks: Cross Site Scripting Exploits and Defense"

Chapter one traces cross-site scripting (XSS) back to early iframe
security problems, David Rice's 1999 "Script Injection" paper, and
ensuing discussion; bemoans the confusion surrounding the range of
technologies and exploits linked to this term; and then seems to say
that the topic is a risk associated with JavaScript applets and
particularly the XMLHttpRequest object.  In all of this, XSS does not
get delineated in any definitive manner.  A number of utilities for
probing Websites and Web interactions are briefly described in chapter
two.  Despite the title, chapter three does not provide an explanation
of "XSS Theory," but simply lists examples of XSS attack code.  There
is little explanation or analysis of the processes involved, and any
content is specific to the particular commands used, rather than XSS
concepts.  The same emphasis on code is true in chapter four (even
more so: the code sections are much longer), and in five and six as
well.  Thus, four chapters are simply one long list of code samples
and snippets, with little tutorial value other than to provide
specimens for script-kiddies to copy.

Chapter seven discusses exploit frameworks that can be used to
automate attacks and tests against the browser.  XSS attacks that can
reproduce or multiply effects are examined in chapter eight.
Protection and defence is purported to be covered in chapter nine, but
the material is terse and weak.

In relation to the page count, the content of the book has slight
value in terms of teaching what cross-site scripting attacks (as
opposed to other forms of malware) are, and how to protect against
them.

copyright Robert M. Slade, 2008   BKXSSATK.RVW   20080308


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
More than any time in history mankind faces a crossroads.  One
path leads to despair and utter hopelessness, the other to total
extinction.  Let us pray that we have the wisdom to choose
correctly.                                             - Woody Allen
victoria.tc.ca/techrev/rms.htm      en.wikipedia.org/wiki/Robert_Slade
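
As an added example, not taken from the book, from its authors, or from
the review above, the following JavaScript shows the thing the review says
the book never delineates: what a reflected cross-site scripting bug
actually is, and what fixes it.  A server-side template reflects a
search parameter into both an HTML text node and a double-quoted attribute
value; the same template is shown with context-appropriate HTML encoding
applied at output time; and a toy tag scanner reports whether the rendered
page contains a script element or an event-handler attribute that the
template author did not write.  The template, the `q` parameter name, the
two payloads and the scanner are all constructed for this illustration
and stand in for a real browser parse.

```javascript
// Added example (not from the book or the review): a reflected XSS bug
// in a server-side template, the output-encoding fix, and a toy scanner
// that shows the difference. Template, parameter name and payloads are
// constructed for the illustration.

// Escape the five characters that can break out of an HTML text node or
// a double-quoted attribute value. Encoding at output time, per context,
// is the core defence; filtering input alone is not.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the query parameter is interpolated straight into markup,
// once in a text node and once inside a quoted attribute value.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>\n<input name="q" value="${q}">`;
}

// Hardened: the same page, with the untrusted value HTML-encoded at
// every point where it is emitted.
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return `<h1>Results for: ${e}</h1>\n<input name="q" value="${e}">`;
}

// Toy tag scanner (not a real HTML parser): walks opening tags and their
// attributes, and reports a <script> element or any on* attribute.
// Quoted attribute values are consumed whole, so encoded payloads that
// stay inside a value="" are correctly not reported.
const TAG_RE =
  /<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([\w-]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

function findInjectedScript(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    if (m[1].toLowerCase() === "script") hits.push("<script>");
    for (const a of m[2].matchAll(ATTR_RE)) {
      if (/^on\w+$/i.test(a[1])) hits.push(a[1].toLowerCase());
    }
  }
  return hits;
}

// Constructed payloads: the first targets the text-node context, the
// second closes the value="" attribute and adds an event handler.
const PAYLOADS = [
  "<script>alert(document.cookie)</script>",
  '" autofocus onfocus="alert(1)',
];

// Render each payload through both templates and scan the results.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    vulnerable: findInjectedScript(renderSearchVulnerable(p)),
    safe: findInjectedScript(renderSearchSafe(p)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) console.log(JSON.stringify(r));
}
```

Run with `node xss_demo.js` (file name assumed): it prints one JSON line
per payload, and only the vulnerable renderer produces a hit (`<script>`
for the first payload, `onfocus` for the second).  The point the scanner
makes is that the fix is not about recognising bad strings; the hardened
output still contains the literal text `onfocus=`, but it sits inside an
attribute value where the browser will never treat it as an attribute.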

#788 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 17, 2008 6:18 pm
Subject: REVIEW: "Visualizing Data", Ben Fry
secgloss
BKVSLZDT.RVW   20080418

"Visualizing Data", Ben Fry, 2008, 0-596-51455-7, U$39.99/C$39.99
%A   Ben Fry benfry.com/writing
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   0-596-51455-7 978-0-596-51455-6
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$39.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596514557/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596514557/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596514557/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   366 p.
%T   "Visualizing Data"

The preface states that the book is intended both for graphics
designers without a computer science background and for software
developers who do not have a graphics background.  The examples use
Processing, an open source Java API (Application Programming
Interface) developed by the author.

Chapter one is a basic introduction to data visualization, noting the
importance of asking the right questions.  There is also a mention of
a seven-stage iterative design model for creating visualizations.
Processing is introduced in chapter two, and will feel familiar to
those acquainted with Java programming.  There are also suggestions on
how to approach and use the language, based on the design model given
previously.  In chapter three an example is provided of building a
display using "random" data.  There are a few points on display
element choices, but most of the content deals with specific API
calls.  Much the same is done in chapter four, with more APIs, a few
options for display element choice but even less analysis of the
alternatives, and a rather poor illustration since a three dimensional
problem is forced into a two dimensional chart.  Chapter five starts
with twenty-two pages of acquisition and parsing, twenty-six pages of
the display including ten pages of source code, with figures that are
even less clear.  Code for the example used in chapter one is provided
in chapter six.  Chapter seven demonstrates the creation of a treemap
where the rectangles show relative sizes of values.  Network graphs,
showing relations and interactions between items, are shown in chapter
eight.

Some tools for acquiring data are listed in chapter nine.  This
includes MySQL, which is rather odd, since chapter ten reviews the
parsing of data.  The Processing language, and integration with Java,
is covered in chapter eleven.

Graphics designers comfortable with Java programming would find this
work very useful.  Software developers probably wouldn't get a lot out
of it.

copyright Robert M. Slade, 2008   BKVSLZDT.RVW   20080418


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
       Metabolically challenged - politically correct term for dead
http://victoria.tc.ca/techrev/rms.htm

#789 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 21, 2008 6:50 pm
Subject: REVIEW: "JUNOS Cookbook", Aviva Garrett
secgloss
BKJUNOSC.RVW   20080418

"JUNOS Cookbook", Aviva Garrett, 2006, 0-596-10014-0, U$54.99/C$71.99
%A   Aviva Garrett
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-10014-0 978-0-596-10014-8
%I   O'Reilly & Associates, Inc.
%O   U$54.99/C$71.99 800-998-9938 707-829-0515 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596100140/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596100140/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596100140/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   657 p.
%T   "JUNOS Cookbook"

The preface lists some sample configurations for installing Juniper
routers using the JUNiper Operating System (JUNOS).  There is some
discussion of optimization, but the focus is on the components of
network interfaces and routing protocols.  The structure has problem
statements followed by sample configurations and then some discussion.

Chapter one introduces the basic command line interface, different
modes, and saving configuration files.  Rudimentary router security
and access control principles are noted in chapter two, but the
details are rather odd.  For example, the reader is advised against
telnet, but the commands to disable the service are not provided
(although implied by other examples).  The "discussion" of some
commands merely restates the command in more extensive verbiage.  The
structure and order of the material is not always logical and
therefore it is sometimes difficult to extract useful meaning from
some explanations.

Chapter three lists the commands related to IPSec, although the
description of the protocol itself is simplistic enough to be
incorrect in places.  SNMP (Simple Network Management Protocol) is
mentioned in chapter four.  There is a lot of examination of alternate
storage and redirection for logging and audit files, in chapter five,
but little content related to the choice of the most important logging
to enable.  Network Time Protocol (NTP) is covered in chapter six.
Chapter seven concentrates primarily on network and physical
interfaces, and does not do a good job of reviewing the other types of
interfaces.

Routing is at the heart of networking, so chapter eight, while it does
provide information about basic management commands, is not really
enough for the full task.  The material is backed up by that in
subsequent chapters, but those concentrate on specific aspects, and we
never get a solid overview.  Chapter nine gives details on creating
packet filtering firewalls.  Chapters ten through fourteen deal with
RIP (Routing Information Protocol), IS-IS (Intermediate
System-to-Intermediate System protocol), OSPF (Open Shortest Path
First), BGP (Border Gateway Protocol), and MPLS (MultiProtocol Label
Switching).

Chapter fifteen notes some commands related to requirements for
virtual private networks (VPNs).  Configuring for multicast routing is
handled in chapter sixteen.

This is a reasonable compilation of the commands for a Juniper router.
But not much more.

copyright Robert M. Slade, 2008   BKJUNOSC.RVW   20080418


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Virtual reality is for those who can't handle the command line
http://victoria.tc.ca/techrev/rms.htm

#790 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 24, 2008 7:10 pm
Subject: REVIEW: "AVIEN Malware Defense Guide for the Enterprise", David Harley et al
secgloss
BKAVNMDG.RVW   20080420

"AVIEN Malware Defense Guide for the Enterprise", David Harley et al,
2007, 978-1-59749-164-8, U$59.95
%A   David Harley David.A.Harley@...
%A   Ken Bechtel
%A   Michael Blanchard
%A   Henk K. Diemer
%A   Andrew Lee
%A   Igor Muttik
%A   Bojan Zdrnja
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-164-0 978-1-59749-164-8
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491640/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491640/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491640/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   540 p.
%T   "AVIEN Malware Defense Guide for the Enterprise"

The preface and introduction stress that this work is a collaborative
effort, combining the views of a number of AVIEN (Anti-Virus
Information Exchange Network) and AVIEWS (Anti-Virus Information and
Early Warning System) members, trying to avoid the blind spots that
result from perspectives limited to one individual or company.

Chapter one outlines the history of AVIEN, noting the tensions between
the (rather small) community that has concentrated on research about
malware and protection against the various threats and the general
user population.  (The general user population includes, for various
reasons, many of the producers and vendors of antivirus products.)  It
is noted (although not stressed) that AVIEN concentrates on protection
of medium to large companies, and this point is important in regard to
protective approaches.  A brief, historically-oriented, look at
malware and related issues, in chapter two, tries to eliminate common
confusion and sets a groundwork for further discussion.  The Web is
now a major source of security vulnerabilities, but the malware
literature has seldom considered the problem as a specific category,
so chapter three's excellent overview of the related technologies and
exploits is particularly welcome.  Botnets are a major threat (or
threats: they are used in a variety of ways), and there is a good
examination of the major associated concepts in chapter four.
Unfortunately, the material is somewhat loosely structured and may be
confusing to some readers, and occasionally emphasizes specific (and
sometimes dated) technologies rather than the basic ideas.  Chapter
five examines the often-asked question of who writes malware, bringing
up a good deal of interesting material.  The text itself may be of
scant use to system administrators, although the points made in the
summary do indicate trends of concern.

Chapter six turns to protective measures, covering not just the usual
antiviral technologies, but advising on layered defence, with the
attendant required planning and management.  Outsourcing, of security
functions in general, and antiviral protection in particular, is
reviewed in chapter seven, with attention paid to both the dangers and
the conditions, agreements, and other factors that might provide
success.  Chapter eight's look at security awareness training and user
education seems to be intended to promote the idea, but is weaker in
providing solutions than other areas of the book, concentrating
primarily on the difficulties and failures.

A variety of tools that might be used in malware analysis, ranging
from system information utilities through debuggers to online virus
detectors, are listed in chapter nine.  Chapter ten considers aspects
of evaluating antiviral products, and makes a good, general guide.

Chapter eleven notes that the AVIEN organization is changing, and
feels like a promotional item to get the reader to become involved,
but the lack of detail of what the institution might become does not
seem calculated to appeal to busy administrators.

The book contains a tremendous wealth of information and references to
specific resources and studies.  This is not surprising, given the
background of the authors, and would, alone, make the text worthwhile.
Overall this work provides a solid overview and compendium of advice
on the current malware situation, and should be a required starting
point for anyone protecting corporate assets in the current, highly
threatening, environment.

copyright Robert M. Slade, 2008   BKAVNMDG.RVW   20080420


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Let others complain that the times are wicked. I complain that
they are paltry; for they are without passion. The thoughts of
men are thin and frail like lace, and they themselves are feeble
like girl lace-makers. The thoughts of their hearts are too puny
to be sinful.      - Soren Kierkegaard (1813-1855), Either/or (1843)
http://victoria.tc.ca/techrev/rms.htm

Copyright © 2010 Yahoo! Inc. All rights reserved.