techbooks · Internet Review Project
#839 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jun 25, 2009 9:46 pm
Subject: REVIEW: "Codebreaker", Stephen Pincock
secgloss
 
BKCDBRKR.RVW   20090420

"Codebreaker", Stephen Pincock, 2006, 978-0-8027-1547-0, U$19.95
%A   Stephen Pincock
%C   104 Fifth Ave, New York, NY   10011
%D   2006
%G   978-0-8027-1547-0 0-8027-1547-8
%I   Walker and Company
%O   U$19.95 www.walkerbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0802715478/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0802715478/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0802715478/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   176 p.
%T   "Codebreaker"

The introduction does not clearly identify the intent or audience of
the book.  The fact that readers are encouraged to delve into
cryptographic puzzles would seem to indicate that the codes used are
relatively simple.

The second paragraph of the first chapter contains errors in the early
use of cryptographic forms of Egyptian hieroglyphics, which doesn't
bode well for accuracy.  There is decent coverage of fundamental
cryptographic concepts (mostly in regard to substitution algorithms),
but this is hidden (you should pardon the expression) in lots of
miscellaneous history, and some misinformation as well.  Chapter two
covers some minor polyalphabetic ciphers, along with more history and
a fair bit of wild speculation.  Since a number of the chronicled
tales come from the period of 1400-1800 AD, it seems a bit odd that
chapter three starts out by telling us that, as of roughly 1850,
cryptography had been neglected for 450 years.  We are given an
algorithm for decrypting certain forms of polyalphabetic ciphers (and
some examples of digraphic encryption and other complex forms), but no
additional theory.

Chapter four provides acceptable reviews of the structures of Enigma,
Lorenz, and Purple, but with limited technical detail and no
abstraction.  The UK Government Communications Headquarters (GCHQ)
gets credit for asymmetric encryption, along with Diffie and Hellman,
but Ralph Merkle gets left out in the cold.  So do the details of, and
ideas behind, asymmetric encryption: instead we get lists of fictional
ciphers, mostly of the plain substitution variety.  In chapter six,
Pincock deals with quantum cryptography as well as the theorized
decryption of the RSA algorithm using quantum computers.  These are
radically different ideas, but that doesn't bother the author: he
flips back and forth between them with gay abandon, throwing in some
chaos theory for good measure.

I was asked to review this book to see if it would be useful in
helping candidates learn enough about cryptology to get through that
domain on the CISSP (Certified Information Systems Security
Professional) exam.  Well, it isn't.  The book is interesting, and
contains a lot of historical trivia.  It doesn't contain enough on the
basic concepts of cryptography.  It does go into practical
cryptanalysis in more depth than is to be found in the normal run of
texts on simple cryptography, but it doesn't get far enough into the
concepts for commercial or professional decision making.  Asymmetric
encryption is mentioned, but not the uses thereof, nor the extensive
infrastructure necessary for full utilization.

It's fun, but it isn't useful.

copyright Robert M. Slade, 2009    BKCDBRKR.RVW   20090420


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
          Rob Slade's fashion statement:
                          `Hey, I got dressed, didn't I?'       - GJS
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

#840 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Jun 30, 2009 7:16 pm
Subject: REVIEW: "Against Religion", Tamas Pataki
secgloss
 
BKAGNRLG.RVW   20090306

"Against Religion", Tamas Pataki, 2007, 1-921215-18-6, U$14.95/C$16.95
%A   Tamas Pataki
%C   PO Box 523, Carlton North, Victoria, Australia 3054
%D   2007
%G   1-921215-18-6
%I   Scribe Publications Pty Ltd
%O   U$14.95/C$16.95 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1921215186/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1921215186/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1921215186/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   136 p.
%T   "Against Religion"

The introduction says that religion, particularly theism, is evil.
There is little structure or thread to this argument, as presented,
and Pataki seems to think that admitting the work is a polemic, with
points chosen arbitrarily and incompletely, justifies saying pretty
much anything.  The writing is full of esoteric references but is
neither compelling nor structured.

In chapter one, Pataki says he will not argue, and does not care,
whether a god exists, but also says that most people who believe in
such a being are mostly stupid and irrational.  Religion is growing,
Pataki notes in chapter three, and then lists characteristics of
fundamentalism.  A psychological assessment is used, in chapter three,
to indicate that monotheism is wish fulfillment.  It is important to
note that chapter four is based on psychoanalytic thought.  The very
specialized terminology of this field is used, and it is assumed that
the reader understands it.  Therefore, the reader without a specific
academic or psychiatric background may fail to understand Pataki's
attempt to explain that religion can be seen as an automatic process
in the development of the growing mind, and not a conscious choice at
all.  (What the theory fails to explain is why some people are *not*
religious.)  Similar analysis is presented, in chapter five, to
support reports that religious people are violent and warlike, and
feel justified in attacking others because of a god's direction in the
matter.  Chapter six uses the same psychoanalytic basis to argue that
religious people are sexually confused (although it is hard to argue
that non-religious people are not so confused).  The thesis that
religious people are irrational is asserted in chapter seven.  It is
interesting that Pataki at one point rails that the "religiose do not
have beliefs--they *know*."  There really is no argument as such in
this chapter.  Pataki does not believe religious people cannot think
rationally--he just knows it.

It is extremely difficult to understand what Pataki intends the book
to convey.  As he states early on, he advances no reasoning to support
disbelief in God.  He proposes that religious people are foolish and
possibly do unpleasant things, but does not demonstrate that non-
religious people are wiser or kinder.  He does a fair job of
establishing that many, if not most, religious people believe for
reasons that are intellectually suspect, but huge numbers of the
populace conclude the truest things for the weirdest analyses, and the
author does, reluctantly, admit that some religiose may believe from
valid reasons.  Pataki singularly does not illustrate that belief in a
god creates irrationality or cruelty.  Nor can we determine whether
religious belief is any definitive indicator of untenable thought
processes.

Sorry, but I'm definitely against this book.

copyright Robert M. Slade, 2009    BKAGNRLG.RVW   20090306


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
We want to be creative and different, but we're squeamish about
`standing out', and we also want to fit in and belong--so let's
join a sub-culture and all be eccentric in the same way,
together.                         - Kate Fox, `Watching the English'
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

#841 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 2, 2009 9:53 pm
Subject: REVIEW: "Halting State", Charles Stross
secgloss
 
BKHLTSTT.RVW   20090419

"Halting State", Charles Stross, 2007, 978-0-441-01498-9,
U$25.95/C$30.00
%A   Charles Stross www.antipope.org/charlie/index.html
%C   10 Alcorn Ave, Suite 300, Toronto, Ontario, M4V 3B2
%D   2007
%G   978-0-441-01498-9 0-441-01498-4
%I   Penguin/Signet/Roc
%O   U$25.95/C$30.00 416-925-2249 Fax: 416-925-0068 service@...
%O  http://www.amazon.com/exec/obidos/ASIN/0441014984/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0441014984/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0441014984/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   351 p.
%T   "Halting State"

If you like William Gibson's writing, then you will probably like this
book.  Charles Stross isn't quite up to that level yet, but, with a
little more work, he could be.

Stross does seem to know his technology.  Which makes the few errors
all the more annoying, when they pop up.  He seems to understand (as
very few computer or security industry trade journalists do) the
difference between quantum cryptography and decryption of RSA keys by
quantum computer: he still manages to link them together in a
confusing fashion in the story.  (And, no, even with a quantum
computer you probably don't have a universal decryptor.)  Also, top
level domain country codes are two letters, not three.

However, Stross does understand societal dependence on computers, the
activities and misunderstandings of various communities, and that
disaster is more likely to arise due to ignorance than direct attack.
The work is very realistic, in those terms, and worth reading as a
warning of a substantial threat in that regard.

copyright Robert M. Slade, 2009    BKHLTSTT.RVW   20090419


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
              Si hoc legere scis nimium eruditionis habes
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

#842 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Jul 28, 2009 7:55 pm
Subject: REVIEW: "Actionable Strategies", Stephen S. Bonham
secgloss
 
BKACTSTR.RVW   20090520

"Actionable Strategies", Stephen S. Bonham, 2008, 978-1-59693-119-0,
U$59.00/C$70.95
%A   Stephen S. Bonham
%C   685 Canton St., Norwood, MA   02062
%D   2008
%G   978-1-59693-119-0 1-59693-119-1
%I   Artech House/Horizon
%O   U$59.00/C$70.95 617-769-9750 artech@...
%O  http://www.amazon.com/exec/obidos/ASIN/1596931191/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1596931191/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931191/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   261 p.
%T   "Actionable Strategies"

The preface asserts that management or control approaches are
generally pursued from the separate viewpoints of performance (metrics
of various types), process (a beloved but ill-defined piece of
business jargon, roughly meaning "how we do things"), project
portfolio (the range, scope, and particularly diversity of projects or
products, poorly explained by Bonham), or risk management (which
requires whole books to even define).  (These four items are
abbreviated, by the author, as PePPR.)  As the author points out,
there is a good deal of overlap of information required in these four
areas, and an integrated approach might produce benefits.  This is
said with a great deal of verbiage, and a wealth of buzzphrases.

Chapter one starts by quoting Raynor's "Strategy Paradox" that
companies can't adapt because the environment is simply changing too
rapidly for anyone even to keep up with it: businesses must prepare
for change, but can't prepare for everything that might happen.
Bonham then goes on to say that businesses need to be adaptive and
prepared, and gives other equally contradictory advice.  PePPR is
again surrounded by a storm of utterances, with little that is useful.
Although chapter two is entitled "Maturity," and the Capability
Maturity Model is briefly mentioned, the Deloitte Business Maturity
Model is presented in two completely disjoint ways, and is forced into
alignment with two separate lifecycle or project models, leading to a
complete shambles which does not explain anything about business
maturity at all.  Towards the end an "execution" maturity model of
astounding complexity is attempted.  A generic overview of some
planning models is given in chapter three.  A survey of various models
and ideas on performance management is provided in chapter four, with
process management dealt with in five.  Project portfolio management,
in chapter six, does note the need to balance return on investment,
strategic alignment, organizational support, architectural alignment,
asset leverage, and resource availability.  The way to do this,
apparently, is to have good project management.  Some finance-oriented
(capital risk) risk management frameworks and general concepts are
discussed in chapter seven.  Bonham throws a lot of words at the idea
of integrated execution in chapter eight, but without providing much
useful guidance.

There are a great many business references in this work, and a good
deal of erudition.  Unfortunately, the content and writing does not
provide useful guidance to those having to make difficult business
decisions in tumultuous times.  Those who have used and worked with
these approaches, and who have worked with the range of them, will
best know whether they can be integrated and the combined process used
to advantage.  Those people will not need this book.

copyright Robert M. Slade, 2009    BKACTSTR.RVW   20090520


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
That's the problem with science.  You've got a bunch of
empiricists trying to describe things of unimaginable wonder.
                                                      -Bill Watterson
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored

#843 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Aug 4, 2009 8:55 pm
Subject: REVIEW: "The Codebreakers", David Kahn
secgloss
 
BKCDBRKS.RVW   20090703

"The Codebreakers", David Kahn, 1996, 0-684-83130-9, U$75.00
%A   David Kahn
%C   5 Maxwell Dr., Clifton Park, NY   12065-2919
%D   1967, 1993, 1996
%G   0-684-83130-9
%I   Charles Scribner's Sons/MacMillan/Delmar Cengage Learning
%O   U$75.00 800-354-9706 www.cengage.com
%O  http://www.amazon.com/exec/obidos/ASIN/0684831309/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0684831309/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0684831309/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   1200 p.
%T   "The Codebreakers"

It seems that no work on cryptography is complete without some
reference to Kahn's great historical reference.  For a long time I'd
been meaning to find a copy and get it into the series.  Its pages are
filled with fascinating stories, and some great historical
scholarship.

But almost nothing that you'd be asked on the CISSP (Certified
Information Systems Security Professional) exam.

The thing is, Kahn's work was originally written before the invention
of DES (the Data Encryption Standard) or any of the other now commonly
used symmetric block ciphers.  (Although Feistel must have been
working on the predecessor to Lucifer at the time the first edition of
the book was published.)  Whether you credit Diffie and Hellman,
Merkle, or GCHQ, asymmetric encryption wasn't even a gleam on the
horizon.  So all of modern cryptography came after Kahn produced his
primary version.

Some of the historical material is relevant, to be sure.  The fact
that implementation details always trip you up is demonstrated time
and again.  The truisms of Kerckhoffs' Law, Marcel Givierge's advice
to "[e]ncode well or do not encode at all.  In transmitting cleartext,
you give only a piece of information to the enemy, and you know what
it is; in encoding badly, you permit him to read all your
correspondence and that of your friends," and even Charles Babbage's
assertion that "[o]ne of the most singular characteristics of the art
of deciphering is the strong conviction possessed by every person,
even moderately acquainted with it, that he is able to construct a
cipher which nobody else can decipher.  I have also observed that the
cleverer the person, the more intimate is his conviction" are all
supported time and time again.  The importance of key changes, the
concept of perfect forward secrecy, and many more important
cryptological factors are all illustrated here.

At great length.  This is definitely a bedtime book.  It's got a lot
of material, and it demands diligent attention from the reader.  Look
away for a second, and you'll find that we have jumped from the third
to the seventeenth century, and turned from transposition ciphers to
nomenclators.

Well, no, it isn't that bad.  Kahn is a good writer, and his text will
keep you engaged, but you do have to pay attention.  The historical
stories are complex and intertwined, and you will have to make
frequent reference to the index to re-read the specifics of particular
writers or ciphers.  Up until the twentieth century, however, the
content progresses in a fairly straightforward manner.  (By the time
of the world wars we start to suffer from an embarrassment of riches,
and the timeline rewinds many times through different countries and
agencies.)

When we get past the second world war, the material does start to show
its age.  Kahn admits, in the preface to the second edition, that he
only added one (very brief) chapter to bring things up to date (mostly
concerned with the Ultra project revelations that came to light in the
1970s), and didn't bother to check and update the previous material.
So it's a bit funny to find mentions, in his chapter on "current"
cryptography in the fifties and sixties, descriptions of the Soviet
Union as if it still existed.  You have to keep remembering that the
crypto "devices" aren't digital, and the "networks" are Telex.

There are some additional chapters covering commercial and criminal
codes, ciphers that people have imposed upon mysterious material (like
something out of "The Da Vinci Code"), decipherment of dead (and
interstellar) languages, and random aspects of cryptanalysis.  These
read like magazine articles that have been thrown into the work at the
last minute, and are outside the historical structure of the bulk of
the book.  There are still interesting tidbits, but Kahn also feels
freer to opine in this section.

Although Kahn states that he wanted to produce a complete history of
cryptology (combining both cryptography and cryptanalysis) it is
obvious that his heart is in cryptanalysis.  Thus it is rather strange
that the weakest areas of the text involve his explanations of
cryptanalytic techniques.  As Kahn is an amateur cryptanalyst himself,
this is possibly due to an overfamiliarity with the subject.  The
explanations frequently seem to assume a more extensive background on
the part of the reader.

This is a work of solid historical scholarship.  It will be
fascinating for anyone with the remotest interest in cryptology.  For
anyone seriously working in the field it makes great reading material
and is a salient reminder of some important points that often get lost
in the technology.

Just don't plan to use it to craft your public key infrastructure.

copyright Robert M. Slade, 2009    BKCDBRKS.RVW   20090703


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Did you ever notice that everyone in favour of abortion has
     already been born?                         - Benny Hill
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored

#844 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Oct 30, 2009 12:09 am
Subject: REVIEW: "Google Apps Hacks", Philipp Lenssen
secgloss
 
BKGOAPHA.RVW   20090723

"Google Apps Hacks", Philipp Lenssen, 2008, 978-0-596-51588-1,
U$29.99/C$29.99
%A   Philipp Lenssen Philipp.Lenssen@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   0-596-51588-X 978-0-596-51588-1
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$29.99 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/059651588X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/059651588X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059651588X/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   361 p.
%T   "Google Apps Hacks"

Currently, I'm supposed to be helping out an organization that wants
to use Google Apps in order to make documents and resources available
to its members.  I can't figure it out.  I could really use a book
that would explain how to use the system.

This doesn't appear to be it.  The work does say that collaboration
and sharing can happen, it just doesn't tell you how, specifically, to
do it.  The authors do detail how to do some clever little tricks, but
the tricks don't appear (to me, as a novice) to be very useful.  The
"hacks" also appear to involve installing an awful lot of outside
software, and since this is a security group, and I'm a professional
paranoid, I'm not sure how much time I'd want to spend testing all
this stuff and making sure that it is safe.

That's chapter one.  It's supposed to be an introduction, but it
demands a fairly high level of familiarity with Google Apps if you are
going to make much sense of it.  The same is true with chapter two,
which addresses Google Docs (word processor).  There are hacks on how
to get fancy, but no help on how to get started.  Chapters three and
four, on Google Spreadsheets and Presentations, are similar.

The content on Gmail, in chapter five, is an odd mix of generic email
advice, notes for customizing Gmail, and other systems to use instead
of Gmail.  Chapter six deals with iGoogle (a way to create a Web page
for yourself).  The calendar, discussed in chapter seven, is fairly
basic.  RSS (Really Simple Syndication or Resource description
framework Site Summary), and Google's Reader, is outlined in chapter
eight.  Chapter nine notes some random functions of Picasa (for
pictures) and YouTube (for videos), whereas ten mentions various
Blogger features, and eleven talks about Google Maps, Earth, and
SketchUp 3D.  Some ideas on how to promote your Website, and track
traffic with Google Analytics, are dealt with in chapter twelve.

This book is definitely not an introduction.  However, even for those
familiar with Google products, the content is not organized in a way
that makes operations and tasks easy to find and use.  In addition,
since the work seems to require at least an intermediate knowledge of
how the applications work, one would assume that the "hacks" would be
detailed, but that is not always so.  In many cases it is pointed out
that you can do something, and then the specifics of "how" are left to
the reader to find out.  Certainly there are ideas which may be of
interest or use to Google Apps users in this text, but the value of
the manual, as a whole, is questionable.  Novices need the details.
Google Apps wizards presumably know all of this.

copyright Robert M. Slade, 2009    BKGOAPHA.RVW   20090723


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
After attacking the sacred majesty of kings, I shall scarcely
excite surprise by adding my firm persuasion that every
profession, in which great subordination of rank constitutes its
power, is highly injurious to morality.
Mary Wollstonecraft (1759-1797), A Vindication of the Rights of Woman
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#845 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Nov 3, 2009 6:56 pm
Subject: REVIEW: "Mac OS X for Unix Geeks", Brian Jepson/Ernest E. Rothman/Rich Rosen
secgloss
 
BKMOSXUG.RVW   20090725

"Mac OS X for Unix Geeks", Brian Jepson/Ernest E. Rothman/Rich Rosen,
2008, 978-0-596-52062-5, U$34.99/C$34.99
%A   Brian Jepson bjepson@...
%A   Ernest E. Rothman ernie.rothman@...
%A   Rich Rosen http://www.neurozen.com/website/
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   978-0-596-52062-5 0-596-52062-X
%I   O'Reilly & Associates, Inc.
%O   U$34.99/C$34.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/059652062X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/059652062X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059652062X/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   406 p.
%T   "Mac OS X for Unix Geeks"

The preface states that this book is intended for people who are using
the Mac, and OS X, because of its foundation in the UNIX environment.

Part one is a basic introduction to the system.  Chapter one, entitled
"Inside the Terminal," tells how to access the command prompt (using
the "Terminal" terminal emulation application), with some alternative
settings you can use.  Search functions are covered in chapter two,
which is a bit odd, since files, filesystems, standard directory
features, and alternative filesystems aren't dealt with until chapter
three.  The boot process, options and preferences for customization,
and program invocation are explained in chapter four.  Chapter five
outlines account creation and services.  Installation of printers,
plus print management function, is in chapter six.  The X windowing
system and virtual network computing (VNC) is in seven.  Chapter eight
lists a few outside applications, and nine mentions some of the other
operating systems and emulators you can run.

Part two is for programmers (and open source devotees).  Chapter ten
provides a fairly simplistic overview of the concepts of compilation
and enumerates a lot of utilities, while chapter eleven discusses
libraries, headers, and frameworks.

Part three covers packages, which are basically applications with more
complicated installation.  Fink is one development system, reviewed in
chapter twelve, and MacPorts is another, outlined in thirteen.  The
creation of installation packages is discussed in chapter fourteen.

Part four deals primarily with other system functions.  A listing of
server software and tools is in chapter fifteen.  Chapter sixteen
notes a number of standard UNIX system management utilities, plus
tables of system variables.  Some oddities of Mac versions of the
Perl, Python, Ruby, and Java programming languages and libraries are
explained in chapter seventeen.

This book will get you a basic start into the UNIX side of the Mac if
you are new to the OS X operating system.  It will also provide
certain explanations of the UNIX world if you are used to working with
a Mac.  In either case, you will probably need to start lining up
additional resources fairly soon after your introduction to the other
system.  (The work will be slightly more useful if you are a
programmer as opposed to user.)

copyright Robert M. Slade, 2009    BKMOSXUG.RVW   20090725


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
It is a chilling thought, and until the authorities come up with
a plan of action, I am urging everybody to take the sensible
precaution of developing a nervous facial tic.          - Dave Barry
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#846 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 9, 2009 11:50 pm
Subject: REVIEW: "The End of Ignorance", John Mighton
secgloss
 
BKENDIGN.RVW   20090820

"The End of Ignorance", John Mighton, 2007, 978-0-676-97962-6, C$29.95
%A   John Mighton http://jumpmath.org/ John.Mighton@...
%C   201 E. 50th St., New York, NY   10022
%D   2007
%G   978-0-676-97962-6 0-676-97964-5
%I   Knopf
%O   C$29.95 212-572-2103 800-733-3000
%O  http://www.amazon.com/exec/obidos/ASIN/0676979645/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0676979645/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0676979645/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   312 p.
%T   "The End of Ignorance"

After I finished reviewing the book, someone asked what the title
meant.  I'm not quite sure, since, on pages two and three, Mighton
talks of "destructive" ignorance and "redeeming" ignorance.
Presumably he only wants to end the destructive ignorance, but that is
never made clear.  There is a lot in the book that isn't clear, and
there is a lot that is contradictory.

Essentially, the book is a long promotional piece selling the virtues
of the author's JUMP (Junior Undiscovered Math Prodigies) math
tutoring and lesson program.  There is a short appendix which lists
the tenets of the program.  These would appear to be fairly standard
beliefs in the educational world: education is built on the
aggregation of a number of skills, it's better to be positive,
teachers can't teach what they don't understand, you need lessons and
assignments, teaching relies on task analysis, education is a mix of
group and individual work, and you need to assess students.  Yet
Mighton seems to think that these are new things he has discovered
which the rest of the world has yet to learn.

Well, not quite: this is one of the aspects where some passages in the
book contradict others.  The author admits that these factors in
education are widely understood, but he seems to think that his
program is the only one which follows these concepts.  Or maybe not.
For example, there is "discovery learning."  Some parts of the book
say that discovery learning is overblown.  Others say that JUMP math
is discovery learning.

While there is a great deal of interesting esoterica in the book
(although the author seems to have misunderstood or is willfully
misrepresenting emergent properties), there isn't a lot of structure.
The chapters do not seem to have consistent themes, and the book, as a
whole, does not present coherent arguments.  There are some examples
of lessons in the addition of fractions, and binary arithmetic, which
could be quite useful in teaching those units.  However, there is an
awful lot of whiny complaint about the lack of acceptance, on the part
of school boards, of the author's math program.

Pretty much all of chapter eight says that everything that you read in
the way of educational theory and research is wrong.  There are two
major points to Mighton's argument on this issue.  One is that a lot
of trained educators don't use, and even oppose the use of, JUMP math.
The second part of his argument is that many papers written by
trained educators and researchers display grammatical errors.

As a description of a process for building effective units and
lessons, this book is incomplete and unhelpful.  As a sales pitch for
JUMP math, it is unconvincing.

copyright Robert M. Slade, 2009    BKENDIGN.RVW   20090820


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I think and think for months and years. Ninety-nine times, the
conclusion is false. The hundredth time I am right - Albert Einstein
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#847 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Nov 17, 2009 10:06 pm
Subject: REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel
secgloss
BKSECUSA.RVW   20090727

"Security and Usability", Lorrie Faith Cranor/Simson Garfinkel, 2005,
0-596-00827-9, U$44.95/C$62.95
%E   Lorrie Faith Cranor
%E   Simson Garfinkel
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00827-9
%I   O'Reilly & Associates, Inc.
%O   U$44.95/C$62.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596008279/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596008279/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596008279/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   714 p.
%T   "Security and Usability"

The editors state that they intended this collection of essays more to
address the academic, than the practical, side of the security field.
Thus, the papers are chosen to reflect theory and principle, rather
than specific practice.  A prudent choice, since theory dates less
quickly than specific procedure.

The thirty-four compositions in this work are divided into six
sections.  Part one states that security and usability are not
antithetical, part two addresses authentication mechanisms and
techniques, part three examines how system software can contribute to
security, part four deals with privacy controls, part five examines
the vendor perspective of provision of security, while part six
finishes off the book with a few papers considered to be of lasting
value.

The papers contain interesting points, but sometimes both theoretical
and practical utility are lacking.  For example the first paper,
entitled "Psychological Acceptability Revisited," challenges the idea
that security mechanisms must be complex and difficult to use in order
to be effective.  Unfortunately, while the author clearly demonstrates
that a system can be both insecure and useless, he does not prove the
opposite, which is the condition we want.  A good many papers simply
state that human factors should be considered, and that security
provisions should be usable: these points are true, but not helpful.
With one exception (a good paper on password choice) all the pieces on
authentication present research having nothing to do with usability.
Most of the papers in the book describe security research that is
interesting, and which frequently has relations with human factors,
but the relevance to the provision of systems that are both usable and
secure is not often clear.

Even as a compilation of security bedtime reading, the essays
collected in this volume are somewhat lacking.  In terms of both
principles and practice, any volume of the "Information Security
Management Handbook" (cf. BKINSCMH.RVW) has superior selection, and
better structure, as well.

copyright Robert M. Slade, 2009    BKSECUSA.RVW   20090727


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
My idea would be to hang a few of the offenders.  This would not
only get rid of some but would discourage the development of
others.  It would be a saving of lives to do it.
  - Major Frank Moorman on WWI soldiers developing crypto `shortcuts'
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#848 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 23, 2009 9:46 pm
Subject: REVIEW: "The Productive Programmer", Neal Ford
secgloss
BKPRDPRG.RVW   20091004

"The Productive Programmer", Neal Ford, 2008, 978-0-596-51978-0,
U$39.99/C$39.99
%A   Neal Ford nford@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   978-0-596-51978-0 0-596-51978-8
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$39.99 800-998-9938 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596519788/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596519788/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596519788/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   206 p.
%T   "The Productive Programmer"

The preface states that this book started out as a book of tips for
the use of the command-line, but developed into a more general work
identifying factors that make programmers productive.  (This audience
description is later modified to individual programmers, rather than
teams.)  Chapter one is an introduction to the book.

Part one contains the mechanics of productivity, in terms of specific
tips (divided by category).  Chapter two deals with acceleration, but
of the interaction with the computer, rather than the computer itself.
This material is very useful, and feels somewhat like that contained
in the O'Reilly "Annoyances" series of guides and particulars, save
that Ford does not always fully explain how to set up or implement the
functions he is recommending.  The ability to focus on work, and avoid
distraction and clutter, is addressed in chapter three (although much
of the text is concerned with searching for files).  Chapter four
exhorts you to automate small, repetitive tasks.  The actual tips,
however, are unlikely to be of much assistance unless you want to do
those specific functions, or already know the tools being displayed.
The advice on limiting the number of copies of an item, in order to
reduce spurious "versions," is good, but the author seems to go
overboard, in chapter five, regarding complex ways to achieve this
end.

Part two provides general concepts and practices to promote
productivity.  Chapter six recommends "test-driven design," whereby
the tests are created first, and the application written to meet those
tests.  While there is merit in this approach, security professionals
know that the presence of desired functions does not preclude the
existence of unwanted vulnerabilities.  A few code static analysis
tools are described in chapter seven.  Proper object behaviour is
encouraged in chapter eight.  In chapter nine Ford recommends that
programmers not build code or functions that they do not need.
(However, as one of the illustrations shows, knowing what you need is
not easy.)  Chapter ten notes a few "ancient philosophies," mostly to
do with maintaining simplicity.  Having told us to learn from the
past, though, the author turns around in chapter eleven and suggests
that we dispense with received wisdom.  Chapter twelve is about meta-
programming: writing code to write code.  In chapter thirteen, Ford
seems to implement modular programming in an object-oriented
environment, as he recommends programming everything at a single layer
of abstraction.  Somewhat in contradiction to the concept of
simplicity emphasized elsewhere, chapter fourteen stresses using a
variety of programming languages, each where it is most useful.
Chapter fifteen describes some of Ford's favourite editors and other
tools.  An odd one-page "this is what I told you" closing makes up
chapter sixteen.

Parts of this book are excellent and helpful, other parts are less so,
presenting contradictory positions without guiding the reader to find
a proper balance.  In addition, Ford writes pretty much exclusively
from his own experience and perspective: some of the advice is
general, but a great deal will be helpful only to those who are doing
the same type of programming in the same scale of operation with the
same application intent.

copyright Robert M. Slade, 2009    BKPRDPRG.RVW   20091004


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Hain't we got all the fools in town on our side? And ain't that a
big enough majority in any town?            - Mark Twain's Huck Finn
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#849 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Dec 23, 2009 7:15 pm
Subject: REVIEW: "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford
secgloss
BKNESEAS.RVW   20091004

"Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford,
2007, 978-1-59749-101-3, U$59.95/C$77.95
%A   Steve Manzuik
%A   Andre Gold
%A   Chris Gatford
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   978-1-59749-101-3 1-59749-101-2
%I   Syngress Media, Inc.
%O   U$59.95/C$77.95 781-681-5151 amy@...
%O  http://www.amazon.com/exec/obidos/ASIN/1597491012/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491012/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491012/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   372 p.
%T   "Network Security Assessment: From Vulnerability to Patch"

Chapter one is a general discussion of vulnerabilities and risk.  The
material makes the process (and threat environment) seem more
formalized and simpler than it really is.  Initially the review of
vulnerabilities seems limited to coding issues, but later parts of the
book concentrate almost exclusively on network issues.  A broad
overview of the usual "discovery/enumeration/analysis" style of
penetration testing is given in chapter two.  Assessment tools are
noted in chapter three, although the content is mostly a duplication
from two.  While most of the suggestions are reasonable (yes, you do
want a low rate of false positive alarms), some are unrealistic (a
zero rate of false negative results is almost inherently impossible to
achieve).

Chapter four addresses the discovery stage, though not in much depth.
Similarly, chapter five's examples of enumeration are limited to
various scans.  Chapter six repeats the penetration testing review
from chapter two, but with different examples.

Vulnerability management, as delineated in chapter seven, is simply a
project cycle with some audit functions included.  Chapter eight is a
terse listing of vulnerability management tools.  The content of
chapter seven is repeated in chapter nine, in a more confused form,
and now under the title "Vulnerability and Configuration Management."
"Regulatory Compliance," in chapter ten, is restricted to a brief
discussion of the Payment Card Industry Data Security Standard, and
the US Sarbanes-Oxley law.  Chapter eleven re-reviews the chapters in
the book.

An appendix covers legal factors for a variety of information security
concerns.

The material in this work provides a decent introduction to
vulnerability assessment and penetration testing, but with a great
deal of padding and duplication.  Condensed into a magazine article,
instead of running to almost four hundred pages, it could have been
very useful.  There is also a chance that the reader will be misled by
the doctrinaire stance in many cases, such as the presentation of
penetration testing as distinct from vulnerability assessment, when
the reality is a continuum, with most people taking a hybrid approach.
Overall the book is a good start, but those wishing to actually begin
working with assessments will need additional help.

copyright Robert M. Slade, 2009    BKNESEAS.RVW   20091004


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I have found that many organizations want change,
but nobody wants to do anything differently.       - Jeffrey Pfeffer
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#850 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 4, 2010 10:28 pm
Subject: REVIEW: "Beautiful Security", Andy Oram/John Viega
secgloss
BKBEASEC.RVW   20091008

"Beautiful Security", Andy Oram/John Viega, 2009, 978-0-596-52748-8,
U$39.99/C$49.99
%E   Andy Oram http://praxagora.com/andyo
%E   John Viega
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52748-8 0-596-52748-9
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$49.99 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596527489/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596527489/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596527489/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   281 p.
%T   "Beautiful Security"

The preface states that the intention of the book is to a) make sure
that security books sell well, b) show that security is an exciting
career, and c) demolish the idea that security is a separate component
that can be added to any system.  (The first is a tall order, the
second is already a common belief among many who haven't worked in the
field or the real world, and the third is so well established in the
minds of so many that this book had better sell extremely well if it
is to have any chance of success.)  The work is directed at those
interested in starting a career in technology, and interested in the
cutting edge.

With pretty much any collection of essays the quality varies.  It is
also true of this assortment, but the articles in this work are
uninspired and uninspiring.

The first paper notes the psychological factors that lead to
insecurities, and which can be used to direct attacks against systems.
(It promises to suggest how psychological factors can be used against
attackers, but never delivers on that.)  Another essay describes the
common practice of creating fake wireless access points to collect
financial and authentication credentials.  A third suggests that
security metrics can protect companies, but the two examples given are
actually of situations where companies were using metrics: just not
ones that would catch those specific situations.  The underground
economy involved in the organization of blackhat crime is covered in
one piece, and presents material that is fairly simplistic from the
perspective of those who have worked in recent malware research, but
possibly surprising to those who have not.  A review of credit card
security issues in online commerce proposes to outline a new paradigm
for such transactions, but ends abruptly without saying how such a
thing might work.  Another paper notes problems with online
advertising, such as malware and click-through fraud.

One excellent and detailed essay by Phil Zimmermann and John Callas
describes the "web of trust" key signing and validation model from the
PGP (Pretty Good Privacy) program.  The honeyclient method of
searching for malicious Websites is explained in another item.  On the
other hand, the following paper is simply a collection of diverse
opinions without a theme.  An article recommends project management in
software development while another suggests making security a software
requirement: both of these are admirable pieces of advice, but the
papers don't provide any more convincing impetus to do so.  A rambling
dissertation on legal issues related to information security meanders
through a variety of topics, without any central theme.  The article
on factors affecting the usefulness of audit logs is broadly
comprehensive and to the point.  The subsequent paper on incident
detection examines a specific incident, but is otherwise a generic
discussion.

A bright spot in the book is Peter Wayner's intriguing description of
a system of partial encryption of common databases, where visibility
of the data depends upon location, which would have significant
implications for e-commerce, customer privacy, cloud computing, and
possibly even social networking.  Unfortunately, the book ends on a
slightly sour note, with a paper insisting that everyone is doing
antivirus protection incorrectly, except the company for which the
authors work.

I'm not certain that this work will do anything for the sales of
security texts.  With a few exceptions, the pedestrian writing and
ideas scarcely show that security is an exciting career.  Only one
item is close to the cutting edge.  Security is not approached in a
holistic manner in the material, so the notion of security as a
fundamental constituent, rather than a separate component, of a system
is unlikely to be dislodged.

copyright Robert M. Slade, 2009    BKBEASEC.RVW   20091008


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
            Mum, why do you have to brush and brush and brush?
        To get all the knots out of my hair before I blowdry it
           (Pause...look...) Well, I didn't see any fall out...
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#851 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 11, 2010 7:45 pm
Subject: REVIEW: "Into the Breach", Michael J. Santarcangelo
secgloss
BKINTBRE.RVW   20091012

"Into the Breach", Michael J. Santarcangelo, 2008, 978-0-9816363-0-6
%A   Michael J. Santarcangelo michael@...
%C   New York, USA
%D   2008
%G   978-0-9816363-0-6 0-9816363-0-6
%I   Catalyst Media
%O   www.intothebreach.com
%O  http://www.amazon.com/exec/obidos/ASIN/0981636306/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0981636306/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0981636306/robsladesin03-20
%O   Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   110 p.
%T   "Into the Breach"

The introduction states that security (which seems to be limited to
disclosure or breaches) is a "people" problem, and therefore requires
social solutions.  This addresses a common problem: security
professionals, and even non-technical managers, concentrate on
breaches in systems and thus miss the real heart of the matter:
people.

Although not overtly stated, part one seems to be related to the first
stage in the Strategy to Protect Information, understanding
information.  Chapter one repeats the position that breaches are a
human problem.  Security awareness is promoted in chapter two.  In
chapter three an analogy is drawn between faddish security and crash
dieting, noting that neither works.  Chapter four addresses risk
management.

Part two suggests managing people.  Chapter five outlines the
aforementioned Strategy to Protect Information: understand your
information assets, manage and communicate with your people, and
optimize your processes and systems.  Implementing this strategy is
seen, in chapter six, as a five step process: learn the jobs, gather
information, prioritize, plan, and communicate.  Steps seem to be
missing, such as dividing your data or systems into elements for the
process.  Guidance for planning is limited.  Chapter seven suggests
making a trial run with a pilot project, which is a good idea.
Measurement of the success of the project is discussed in chapter
eight.

Part three deals with improvement.  Chapter nine notes that the
strategy benefits overall management, which is unsurprising, since it
is basically a general management process.  Costs of compliance with
regulations or standards are also partially covered, as is mentioned
in chapter ten, since a significant portion of the initial cost of
compliance relies on the type of research and analysis demanded by the
strategy.  (However, a great deal of the content simply emphasizes the
importance of compliance.)  The advice about outsourcing, in chapter
eleven, seems to be to audit the vendor.  Chapter twelve closes off
the book with an exhortation to act.

Although generic, the strategy proposed is sound and likely useful.
This slim volume would help a significant number of managers and
security practitioners who are caught up in the latest security fad or
device, to the detriment of actual business (and personnel) needs.

copyright Robert M. Slade, 2009    BKINTBRE.RVW   20091012


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                Your secrets are safe with me and all my friends.
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#852 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 18, 2010 7:04 pm
Subject: REVIEW: "Cloud Application Architectures", George Reese
secgloss
BKCLAPAR.RVW   20091009

"Cloud Application Architectures", George Reese, 2009,
978-0-596-15636-7, U$29.99/C$29.99
%A   George Reese
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-15636-7 0-596-15636-7
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$29.99 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596156367/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596156367/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596156367/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   189 p.
%T   "Cloud Application Architectures"

The preface states that this book is intended to prepare your Web
applications to succeed in the cloud, although it hasn't said what the
cloud is, nor is the example used particularly clear about what goes,
or went, on.

Chapter one attempts to define cloud computing, but does so in a
highly promotional, and not particularly useful, manner.  If you can
use any browser, any operating system, and any Internet access
provider to use a service, that's cloud computing.  (Does this mean my
local library's online catalogue is a cloud?)  Later the material also
mentions pay-as-you-go services, as well as distributed storage and
processing.  A large section provides an overview of the AWS (Amazon
Web Services) system.  More detail on AWS is given in chapter two,
although the explanations are not very clear.  (This may be in part
because Reese does not fully understand some of them: his outline of
the use of public/private key pairs makes no sense unless Amazon
intends to allow a serious attack on the operations controlled by its
accounts.)  (It's fairly clear that this book was rushed to market in
order to take advantage of the current interest in cloud computing: so
fast that they forgot a number of the illustrative figures.)  Chapter
three provides some guidance in regard to calculating costs and
reliability: the examples are from AWS, but the formulae and process
are the same as for any information system.  The advice on preparing
your application for a scalable and distributed environment, in
chapter four, is confusing.  A wide range of technologies are
addressed, and there is so much hedging and backtracking that it is
very difficult to determine which suggestion the author actually
wishes to stress, in the end.  In terms of security, chapter five
suggests you encrypt your data, harden your applications, and then
describes some aspects of Amazon's operations.  Disaster recovery
appears to some to be inherent in cloud computing, but chapter six
notes that you still have to do all the same disaster planning work,
with the proviso that some things you want to do AWS won't let you.
Chapter seven says you can buy more cloud as you need it.

This book provides relatively little in terms of architectural
guidance.  It does promote AWS at every turn, and describes some of
the functions and API (Application Programming Interface) calls for
that system.

copyright Robert M. Slade, 2009    BKCLAPAR.RVW   20091009


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
For the time will come when men will not put up with sound
doctrine.  Instead, to suit their own desires, they will gather
around them a great number of teachers to say what their itching
ears want to hear.                                  - II Timothy 4:3
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#853 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 25, 2010 6:31 pm
Subject: REVIEW: "Security Monitoring", Chris Fry/Martin Nystrom
secgloss
BKSECMON.RVW   20091009

"Security Monitoring", Chris Fry/Martin Nystrom, 2009,
978-0-596-51816-5, U$44.99/C$44.99
%A   Chris Fry
%A   Martin Nystrom http://xianshield.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-51816-5 0-596-51816-1
%I   O'Reilly & Associates, Inc.
%O   U$44.99/C$44.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596518161/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596518161/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596518161/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   227 p.
%T   "Security Monitoring"

The preface states that this is not an introduction to security or
network administration, but a more advanced guide, for those who have
the foundational background, to more targeted monitoring aimed at
detecting extrusions.

Chapter one says that there are lots of threats out there, and that
this type of monitoring will protect you better than other safeguards.
(It's hard to judge that assertion when no details of the proposal
have been provided.)  The authors introduce "policy based monitoring"
in chapter two, attempting to support this nomenclature with examples
relating to administrative policies, but it is difficult to see that
this is any different from whitelisting.  Chapter three mentions that
it is important to know the structure and operation of your network,
but most of the content is a description of the Cisco NetFlow utility.
Much of the rest of the material, contrary to the promises of the
preface, is basic network administration.  Choosing what to monitor is
emphasized in chapter four.  (It's a little bit hard to take some of
this seriously when one of the basic references is a CISSP study
guide.)  It is difficult to say why chapter five must discuss the
choice of event sources separately from the prior content, but much of
the book is similarly disjointed, confused, and lacking in structure.
Supposedly about tuning your monitoring, much of chapter six
duplicates the overview of network structure from chapter three.

Chapter seven stands out from the rest of the book.  It reiterates the
often neglected point that you need to ensure that the audit, log, and
monitoring data you think you are collecting is, in fact, being
collected.  The discussion is detailed and comprehensive.  This
chapter, alone, is probably worth the purchase price of the book.

Chapter eight is a review of the previous chapters, first with a
series of case study examples, and with a summary of the list of
topics.

With one notable exception, the work is basic and pedestrian
information, with a disorganized composition.  However, chapter seven
is definitely useful to both security and network professionals.

copyright Robert M. Slade, 2009    BKSECMON.RVW   20091009


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
        We are born naked, wet and hungry.  Then things get worse.
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#854 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 1, 2010 9:58 pm
Subject: REVIEW: "The Manga Guide to Molecular Biology", Masaharu Takemura/Sakura
secgloss
BKMGMLBI.RVW   20091018

"The Manga Guide to Molecular Biology", Masaharu Takemura/Sakura,
2009, 978-1-59327-202-9, U$19.95/C$24.95
%A   Masaharu Takemura
%A   Sakura
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2009
%G   978-1-59327-202-9 1-59327-202-2
%I   No Starch Press
%O   U$19.95/C$24.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593272022/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593272022/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593272022/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   225 p.
%T   "The Manga Guide to Molecular Biology"

Why would you want to write a comic book to explain "a profound
academic discipline"?  Although the author uses those words, he
doesn't provide an explanation of that question.  He also states that
the work only covers the basics of molecular biology, and implies that
it can be used as an introduction, with other texts used for further
study.

In fact, although fundamental points are made, and are correct, the
tutorial in the manga material is far from complete.  The central
facts are repeated, and expanded, in pages of text.  After twenty-two
pages of manga content, a more extensive explanation is provided in
two pages of text.  (Even this expanded material is terse and
simplistic, sometimes raising more questions than it answers.)  Like
the humour that is used in some other books, the manga content is
often not supportive of the concepts under discussion.  Often the
"story" line is not merely unrelated, but a distraction from the
thread of the molecular ideas.

There is information about molecular biology in the book.  There is
more than would comfortably fit into a magazine article, so that does
justify a book format.  However, in the manga sections, there are
points of interest that could have been explained and aren't, even in
the text sections.  This isn't good enough as a textbook, it isn't
interesting or complete enough for general interest, and I'm not sure
if the story is enough for even die hard manga fans.

copyright Robert M. Slade, 2009    BKMGMLBI.RVW   20091018


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
You can observe a lot by just watching.                 - Yogi Berra
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

#855 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Sun Jul 4, 2010 1:29 am
Subject: REVIEW: "Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed Latif
secgloss
BKCLSEPR.RVW   20091113

"Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed
Latif, 2009, 978-0-596-802769, U$34.99/C$43.99
%A   Tim Mather
%A   Subra Kumaraswamy
%A   Shahed Latif
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-802769 0-596-802765
%I   O'Reilly & Associates, Inc.
%O   U$34.99/C$43.99 800-998-9938 707-829-0515 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596802765/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596802765/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596802765/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   312 p.
%T   "Cloud Security and Privacy"

The preface tells how the authors met, and that they were interested
in writing a book on clouds and security.  It provides no definition
of cloud computing.  (It also emphasizes an interest in being "first
to market" with a work on this topic.)

Chapter one is supposed to be an introduction.  It is very brief, and,
yet again, doesn't say what a cloud is.  (The authors aren't very
careful about building background information: the acronym SPI is
widely used and important to the book, but is used before it is
defined.  It stands for Saas/Paas/Iaas, or software-as-a-service,
platform-as-a-service, and infrastructure-as-a-service.  More simply,
this refers to applications, management/development utilities, and
storage.)  A delineation of cloud computing is finally given in
chapter two, stating that it is characterized by multitenancy,
scalability, elasticity, pay-as-you-go options, and self-provisioning.
(As these aspects are expanded, it becomes clear that the scalability,
elasticity, and self-provisioning characteristics the authors describe
are essentially the same thing: the ability of the user or client to
manage the increase or decrease in services used.)  The fact that the
authors do not define the term "cloud" becomes important as the guide
starts to examine security considerations.  Interoperability is listed
as a benefit of the cloud, whereas one of the risks is identified as
vendor lock-in: these two factors are inherently mutually exclusive.

Chapter three talks about infrastructure security, but the advice
seems to reduce to a recommendation to review the security of the
individual components, including Saas, Paas, and network elements,
which seems to ignore the emergent risks arising from any complex
environment.  Encryption is said to be only a small part of data
security in storage, as addressed in chapter four, but most of the
material discusses encryption.  The deliberation on cryptography is
superficial: the authors have managed to include the very recent
research on homomorphic encryption, and note that the field will
advance rapidly, but do not mention that homomorphic encryption is
only useful for a very specific subset of data representations.  The
identity management problem is outlined in chapter five, and protocols
for managing new systems are reviewed, but the issue of integrating
these protocols with existing systems is not.  "Security management in
the Cloud," as examined in chapter six, is a melange of general
security management and operations management, with responsibility
flipping back and forth between the customer and the provider.
Chapter seven provides a very good overview of privacy, but with
almost no relation to the cloud as such.  Audit and compliance
standards are described in chapter eight: only one is directed at the
cloud.  Various cloud service providers (CSP) are listed in chapter
nine.  The terse description of security-as-a-service (confusingly
also listed as Saas), in chapter ten, is almost entirely restricted to
spam and Web filtering.  The impact of the use of cloud technology is
dealt with in chapter eleven.  It lists the pros and cons, but again,
some of the points are presented without noting that they are mutually
exclusive.  Chapter twelve finishes off the book with a precis of the
foregoing chapters.

The authors do raise a wide variety of the security problems and
concerns related to cloud computing.  However, since these are the
same issues that need to be examined in any information security
scenario it is hard to say that any cloud-specific topics are
addressed.  Stripped of excessive verbiage, the advice seems to reduce
to a) know what you want, b) don't make assumptions about what the
provider provides, and c) audit the provider.

copyright Robert M. Slade, 2009    BKCLSEPR.RVW   20091113


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Murder is a crime. Describing murder is not. Sex is not a crime.
Describing sex is.        - Gershon Legman (b. 1917) American writer
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#856 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 8, 2010 12:51 am
Subject: REVIEW: "SSL and TLS: Theory and Practice", Rolf Oppliger
 
BKSSLTTP.RVW   20091129

"SSL and TLS: Theory and Practice", Rolf Oppliger, 2009,
978-1-59693-447-4
%A   Rolf Oppliger rolf.oppliger@...
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-447-4 1-59693-447-6
%I   Artech House/Horizon
%O   617-769-9750 800-225-9977 artech@...
%O   http://books.esecurity.ch/ssltls.html
%O  http://www.amazon.com/exec/obidos/ASIN/1596934476/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1596934476/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596934476/robsladesin03-20
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   257 p.
%T   "SSL and TLS: Theory and Practice"

The preface states that the book is intended to update the existing
literature on SSL (Secure Sockets Layer) and TLS (Transport Layer
Security), and to provide a design level understanding of the
protocols.  (Oppliger does not address issues of implementation or
specific products.)  The work assumes a basic understanding of TCP/IP,
the Internet standards process, and cryptography, although some
fundamental cryptographic principles are given.

Chapter one is a basic introduction to security and some related
concepts.  The author uses the definition of security architecture
from RFC 2828 to provide a useful starting point and analogy.  The
five security services listed in ISO 7498-2 and X.800 (authentication,
access control, confidentiality, integrity, and nonrepudiation) are
clearly defined, and the resultant specific and pervasive security
mechanisms are mentioned.  In chapter two, Oppliger gives a brief
overview of a number of cryptologic terms and concepts, but some (such
as steganography) may not be relevant to examination of the SSL and
TLS protocols.  (There is also a slight conflict: in chapter one, a
secure system is defined as one that is proof against a specific and
defined threat, whereas, in chapter two, this is seen as conditional
security.)  The author's commentary is, as in all his works, clear and
insightful, but the cryptographic theory provided does go well beyond
what is required for this topic.

Chapter three, although entitled "Transport Layer Security," is
basically a history of both SSL and TLS.  SSL is examined in terms of
the protocols, structures, and messages, in chapter four.  There is
also a quick analysis of the structural strength of the specification.
Since TLS is derived from SSL, the material in chapter five
concentrates on the differences between SSL 3.0 and TLS 1.0, and then
looks at algorithmic options for TLS 1.1 and 1.2.  DTLS (Datagram
Transport Layer Security), for UDP (User Datagram Protocol), is
described briefly in chapter six, and seems to simply add sequence
numbers to UDP, with some additional provision for security cookie
exchanges.  Chapter seven notes the use of SSL for VPN (virtual
private network) tunneling.  Chapter eight reviews some aspects of
public key certificates, but provides little background for full
implementation of PKI (Public Key Infrastructure).  As a finishing
touch, chapter nine notes the sidejacking attacks, concerns about man-
in-the-middle (MITM) attacks (quite germane, at the moment), and notes
that we should move from certificate based PKI to a trust and
privilege management infrastructure (PMI).

In relatively few pages, Oppliger has provided background,
introduction, and technical details of the SSL and TLS variants you
are likely to encounter.  The material is clear, well structured, and
easily accessible.  He has definitely enhanced the literature, not
only of TLS, but also of security in general.

copyright Robert M. Slade, 2009    BKSSLTTP.RVW   20091129


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
In a real dark night of the soul it is always three o'clock in
the morning, day after day.                    - F. Scott Fitzgerald
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
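The review above characterizes DTLS as UDP plus sequence numbers and a cookie exchange. The following is an added example, written for this page and not taken from Oppliger's book or from the reviewer: a stateless HMAC cookie of the kind the DTLS HelloVerifyRequest carries, so that a server allocates no handshake state until a client has shown it can receive at the address it claims, and a sliding anti-replay window over record sequence numbers. The secret, addresses, ClientHello random and window size are constructed for the demonstration and the server logic is simplified; none of it is a real DTLS implementation.

```python
import hashlib
import hmac
import struct

# Constructed secret for the demonstration; a real server would generate a
# random one and rotate it. (assumption, not from the book)
SERVER_SECRET = b"constructed-cookie-secret-for-demo"


def make_cookie(secret: bytes, addr: tuple, client_random: bytes) -> bytes:
    """Stateless cookie: an HMAC over the client's transport address and the
    random from its ClientHello. The server keeps no per-client state until
    the client echoes this value back from that address."""
    ip, port = addr
    msg = ip.encode() + struct.pack("!H", port) + client_random
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def cookie_is_valid(secret: bytes, addr: tuple, client_random: bytes, cookie: bytes) -> bool:
    """Constant-time comparison against a freshly recomputed cookie."""
    return hmac.compare_digest(make_cookie(secret, addr, client_random), cookie)


def server_handle_client_hello(secret: bytes, addr: tuple, client_random: bytes,
                               cookie: bytes = b"") -> str:
    """Simplified server decision for one ClientHello (constructed logic)."""
    if not cookie:
        return "HelloVerifyRequest"   # challenge the client; allocate nothing yet
    if cookie_is_valid(secret, addr, client_random, cookie):
        return "ServerHello"          # address verified: continue the handshake
    return "drop"                     # cookie does not match this address: discard


def run_exchange() -> tuple:
    """Both sides of the exchange: a first ClientHello without a cookie, the
    retry carrying the cookie, and a ClientHello from a different source
    address presenting a cookie that was not minted for that address."""
    client = ("192.0.2.10", 40000)    # constructed address (TEST-NET-1 range)
    rnd = bytes(range(32))            # constructed ClientHello random
    first = server_handle_client_hello(SERVER_SECRET, client, rnd)
    cookie = make_cookie(SERVER_SECRET, client, rnd)   # sent in HelloVerifyRequest
    second = server_handle_client_hello(SERVER_SECRET, client, rnd, cookie)
    other = ("198.51.100.7", 40000)   # constructed address (TEST-NET-2 range)
    third = server_handle_client_hello(SERVER_SECRET, other, rnd, cookie)
    return first, second, third


class ReplayWindow:
    """Sliding anti-replay window over record sequence numbers, the mechanism
    DTLS layers on top of UDP. The window size is an assumption (64 is a
    common choice); bit i of `bits` means sequence number (top - i) was seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = -1    # highest sequence number accepted so far
        self.bits = 0

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is new and inside the window, else False."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bits = 1 if shift >= self.size else ((self.bits << shift) | 1) & mask
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:
            return False             # older than the window: cannot tell, reject
        if (self.bits >> behind) & 1:
            return False             # already seen: replay
        self.bits |= 1 << behind
        return True


if __name__ == "__main__":
    print(run_exchange())
    w = ReplayWindow()
    print([w.accept(s) for s in (0, 5, 3, 3, 5, 1)])
```

The cookie binds the address to the handshake without any server-side table, which is what keeps a flood of first ClientHellos from consuming memory; the window accepts out-of-order records within its span but rejects duplicates and anything older than it can account for.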

#857 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Jul 14, 2010 5:03 am
Subject: REVIEW: "Enterprise Architecture Using the Zachman Framework", Carol O'Rourke/Neal Fishman/Warren Selkow
 
BKEAUTZF.RVW   20091107

"Enterprise Architecture Using the Zachman Framework", Carol
O'Rourke/Neal Fishman/Warren Selkow, 2003, 0-619-06446-3
%A   Carol O'Rourke carol@...
%A   Neal Fishman neal@...
%A   Warren Selkow warren@...
%C   25 Thomson Place, Boston, MA   02210
%D   2003
%G   0-619-06446-3
%I   Thomson Learning Inc.
%O   www.course.com
%O  http://www.amazon.com/exec/obidos/ASIN/0619064463/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0619064463/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0619064463/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   716 p. + CD-ROM
%T   "Enterprise Architecture Using the Zachman Framework"

The preface states that this is a text for various courses in business
management and information systems, and a guide for business and
education professionals.  There is also a quick and dirty introduction
to the framework, mentioning the perspectives (rows of the framework)
and aspects (columns), but not describing what they are.  (For those
who want to understand the framework itself, the book does provide, as
an appendix, Zachman's original paper from the "IBM Systems Journal."
It is clearer and gives a much better idea of the intent and use of
the framework.  For those who have not used it before, the framework
is a two-dimensional breakdown model, with the stages of project
management as the vertical axis, and the W5+H interrogatives [what,
how, where, who, when, and why] as the columns, also labelled data,
function, network, people, time, and motivation.)

Part one of the book, consisting only of chapter one, supposedly
provides the reasons for the framework.  This consists of another
brief outline, and a great deal of promotional material.  "Examples,"
ranging from the alphabet to religion, purport to illustrate the
structure, but are, instead, confusing and distracting.  The sporadic
outbursts of humour also divert attention from the central themes,
rather than supporting them.

Part two outlines the organization of the Zachman Framework's rows, or
perspectives.  Chapter two examines the concept (which may also be
referred to in different versions of the Zachman model as scope or
context) or planning stage, and the six examples follow the
interrogative aspects.  The owner (aka business model/concept) or
requirements phase is dealt with in chapter three, but the generic
material on business, and shorter case studies on the topic, are not
as clear in terms of the framework.  Things become even more confusing
in chapter four, where the idea of the design phase (system
model/logical) is surrounded by miscellaneous examples seemingly
related to psychology.  Stories that appear to be even more randomly
chosen comprise the content on the builder (technology model/physical)
or implementation stage, in chapter five.  Chapter six is entitled
"Systems Development," which deals with the subcontractor (detailed
representations/out-of-context) or implementation stage.  Although
there are interesting points about management, the material is, again,
unstructured and confusing.

Chapter seven finally attempts to describe the framework in detail and
context, and to provide a rationale for using it.

Part three consists of chapter eight, ostensibly about implementing (I
suppose this means using) the framework.  There are lots of management
tips and points, but no real structure, or indication of how the
framework is to be applied.  (There is also an apparent attempt to add
a third dimension to the Zachman grid, but this is not defined.)

If you want to get a good idea of the Zachman framework, you are
probably best to go to Zachman's original paper.  The intent and
structure of Zachman's article, and the explanation of the model,
are much clearer than this mass of verbiage and examples.  As noted,
the paper is available as appendix E, but it is also available on the
Internet, such as at
http://www.zachmaninternational.com/images/stories/ibmsj2603e.pdf

copyright Robert M. Slade, 2009    BKEAUTZF.RVW   20091107


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The cry echoed around the cavern and broke through mere rock, so
great was the force behind it, melted mere mountains, screamed
across the miles ... And in the sombre nursery Young Sam stopped
crying and looked around, suddenly happy but puzzled, and said,
to his despairing mother's surprise, `Co!'
                                           - `Thud!,' Terry Pratchett
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#858 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 19, 2010 9:15 pm
Subject: REVIEW: "Beautiful Data", Toby Segaran/Jeff Hammerbacher
 
BKBEADAT.RVW   20091103

"Beautiful Data", Toby Segaran/Jeff Hammerbacher, 2009,
978-0-596-15711-1, U$44.99/C$56.99
%E   Toby Segaran blog.kiwitobes.com
%E   Jeff Hammerbacher
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-15711-1 0-596-15711-8
%I   O'Reilly & Associates, Inc.
%O   U$44.99/C$56.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596157118/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596157118/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596157118/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   364 p.
%T   "Beautiful Data: The Stories Behind Elegant Data Solutions"

The preface says that the editors published a book of essays on
program code, were approached to collect a similar volume dealing with
data, and are giving the royalties to charity.  These premises (that
random collections of articles are valuable, that an approach to the
topic of coding can be applied to data and be valuable, or that
donating royalties to charity makes the work more valuable) appear to
be a bit thin.

A number of the papers emphasize either the collection or (more
frequently) display of data.  One presents geographical data as
treemaps, and while these subjects would seem to be conceptually
related the actual utility of the approach is not apparent.  Crimes
are mapped, in another article, and this has proved useful in the past
but has also been done.  Three more essays note the use of social
networking in order to gather data for certain forms of research.

Some items seem unrelated to data as such.  One paper stresses "user
experience" (abbreviated to "UX") as if it was a new topic, when it
has been a subject of extensive study for at least thirty years.
Another promotes the idea of refining search results by looking at
past searches, which appears to be a rather obvious notion.  Yet
another promotes the idea of "data scientists," without making clear
what this field of study might be.  (It seems to involve data
warehousing, and a lot of switching of topics.)  If you are a rock
music fan, you may be interested in how an unusual video was made, but
it has nothing to do with data as such.  (The explanations in this
paper are careless, particularly in regard to issues of resolution.)
One paper notes that there are problems with statistical analysis, if
you aren't careful.  Another mentions that DNA is a form of data
storage, and that we need to store data about it.

A few articles appear to be simply reports of work in progress.  A
group is fuzzing input data on forms in order to index background
databases (which seems to sail perilously close to attempting to
breach confidentiality and intellectual property controls).

An interesting article describes the tradeoffs between data, storage,
processing, and power involved in the NASA Mars lander project.
Slightly disconcerting is a paper noting that social networking sites
are more concerned about an appearance of availability than actual
integrity.  (This essay relies on a mass of buzzwords rather than
actual analysis.)  Another notes the contribution of statistical
analysis of text to cryptanalysis, as well as the development of
programs to check spelling.

There are some interesting points as one works through the essays.
There is, though, nothing to say what types of data are beautiful, or
how data can be made beautiful, or handled or stored beautifully.
There is no central thread to the book, nor structure of any kind.
So, you can pay for this collection, or you can spend a few hours idly
toying with your Web search engine of choice.  The results are likely
to be equally useful.

copyright Robert M. Slade, 2009    BKBEADAT.RVW   20091103


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
     Key escrow to rule them all; key escrow to find them.
     Key escrow to bring them all and in the darkness bind them.
     In the land of surveillance where Big Brother lies.
                                                      - Peter Gutmann
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#859 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 22, 2010 7:39 pm
Subject: REVIEW: "The Design of Rijndael", Joan Daemen/Vincent Rijmen
 
BKDRJNDL.RVW   20091129

"The Design of Rijndael", Joan Daemen/Vincent Rijmen, 2002,
3-540-42580-2
%A   Joan Daemen
%A   Vincent Rijmen
%C   233 Spring St., New York, NY   10013
%D   2002
%G   3-540-42580-2
%I   Springer-Verlag
%O   212-460-1500 800-777-4643 service-ny@...
%O  http://www.amazon.com/exec/obidos/ASIN/3540425802/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/3540425802/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/3540425802/robsladesin03-20
%O   Audience s- Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   "The Design of Rijndael: AES - The Advanced Encryption Standard"

This book, written by the authors of the Rijndael encryption
algorithm, (the engine underlying the Advanced Encryption Standard)
explains how Rijndael works, discusses some implementation factors,
and presents the approach to its design.  Daemen and Rijmen note the
linear and differential cryptanalytic attacks to which DES (the Data
Encryption Standard) was subject, the design strategy that resulted
from their analysis, the possibilities of reduced-round attacks, and
the details of related ciphers.

Chapter one is a history of the AES assessment and decision process.
It is interesting to note the requirements specified, particularly the
fact that AES was intended to protect "sensitive but unclassified"
material.  Background in regard to mathematical and block cipher
concepts is given in chapter two.  The specifications of Rijndael sub-
functions and rounds are detailed in chapter three.  Chapter four
notes implementation considerations in small platforms and dedicated
hardware.  The design philosophy underlying the work is outlined in
chapter five: much of it concentrates on simplicity and symmetry.
Differential and linear cryptanalysis mounted against DES is examined
in chapter six.  Chapter seven reviews the use of correlation matrices
in cryptanalysis.  If differences between pairs of plaintext can be
calculated as they propagate through the boolean functions used for
intermediate and resultant ciphertext, then chapter eight shows how
this can be used as the basis of differential cryptanalysis.  Using
the concepts from these two chapters, chapter nine examines how the
wide trail design diffuses cipher operations and data to prevent
strong linear correlations or differential propagation.  There is also
formal proof of Rijndael's resistant construction.  Chapter ten looks
at a number of cryptanalytic attacks and problems (including the
infamous weak and semi-weak keys of DES) and notes the protections
provided in the design of Rijndael.  Cryptographic algorithms that
made a contribution to, or are descended from, Rijndael are described
in chapter eleven.

This book is intended for serious students of cryptographic algorithm
design: it is a highly demanding text, and requires a background in the
formal study of number theory and logic.  Given that, it does provide
some fascinating examination of both the advanced cryptanalytic
attacks, and the design of algorithms to resist them.

copyright Robert M. Slade, 2009    BKDRJNDL.RVW   20091129


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Concerning the above message, you think Rob Slade is responsible?
Heavens, no!  I think Rob Slade is terribly *ir*responsible!
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
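The review above mentions the wide trail design, by which Rijndael diffuses a difference in the input across the whole state so that differential and linear trails cannot stay narrow. As an added example, not code from Daemen and Rijmen's book, the block below builds the Rijndael S-box from its definition (multiplicative inverse in GF(2^8) followed by the affine map), implements SubBytes, ShiftRows and MixColumns, and counts how many of the 16 state bytes differ after one and after two rounds when a single input byte is changed. The round key is a constructed placeholder and the real key schedule is omitted, because AddRoundKey never changes the difference between two states; the plaintext block is constructed as well.

```python
"""Added example: one-byte difference propagation through Rijndael rounds."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return result


def build_sbox() -> list:
    """Rijndael S-box: multiplicative inverse, then the affine map with constant 0x63."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for shift in (1, 2, 3, 4):          # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def sub_bytes(state: list) -> list:
    return [SBOX[b] for b in state]


def shift_rows(state: list) -> list:
    """State is column-major: byte r + 4*c is row r, column c. Row r rotates left by r."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state: list) -> list:
    """Each column is multiplied by the fixed MDS matrix over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(state: list, key: list) -> list:
    return [b ^ k for b, k in zip(state, key)]


def rijndael_rounds(block: list, rounds: int, round_key: list) -> list:
    """Initial key addition, then `rounds` full rounds (SubBytes, ShiftRows,
    MixColumns, AddRoundKey) reusing one placeholder key for every round.
    This is a diffusion model, not a complete AES encryption."""
    state = add_round_key(list(block), round_key)
    for _ in range(rounds):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)
    return state


def active_bytes_after(rounds: int, byte_index: int = 0, diff: int = 0x01) -> int:
    """Run two blocks differing in one byte and count the output bytes that differ."""
    key = list(range(16))                   # constructed placeholder round key
    p1 = list(b"constructed-data")          # constructed 16-byte block
    p2 = list(p1)
    p2[byte_index] ^= diff
    c1 = rijndael_rounds(p1, rounds, key)
    c2 = rijndael_rounds(p2, rounds, key)
    return sum(1 for x, y in zip(c1, c2) if x != y)


if __name__ == "__main__":
    for r in (1, 2):
        print(f"after {r} round(s): {active_bytes_after(r)} of 16 bytes differ")
```

The counts are exact, not statistical: the S-box is a bijection, so a nonzero byte difference stays nonzero; MixColumns has branch number five, so one active byte in a column makes all four output bytes of that column active; ShiftRows then sends those four bytes to four different columns, and the second MixColumns activates all sixteen bytes. That two-round full diffusion is the property the wide trail argument builds on.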

#860 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jul 26, 2010 9:31 pm
Subject: REVIEW: "Google Apps: The Missing Manual", Nancy Conner
 
BKGOAPMM.RVW   20091126

"Google Apps: The Missing Manual", Nancy Conner, 2008,
978-0-596-51579-9, U$39.99/C$39.99
%A   Nancy Conner nancy_conner@... nancylconner@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2008
%G   978-0-596-51579-9 0-596-51579-0
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$39.99 800-998-9938 707-829-0515 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596515790/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596515790/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596515790/robsladesin03-20
%O   Audience n+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   711 p.
%T   "Google Apps: The Missing Manual"

The introduction is very promotional of Google Apps.  There is some
brief description, but most of the text is gushing in tone, to the
extent that those with some experience in online applications may be a
bit uncomfortable with the apparent carelessness of the work.  For
example, Conner states that you don't need to worry about saving your
work, since it is updated automatically.  And you don't need to worry
about security, since Google is really concerned about security, and
uses the cloud.  Some of these factors are, in fact, eventually
addressed (later in the book), but it might have been more reassuring
to those who do understand the technology to have some simple forward
references demonstrating that the author was not simply basing her
assurances on Google press releases.

Part one deals with Docs, and covers four applications under that
title.  Chapter one covers obtaining an account, with a number of
screenshots, and some mention of Calendar and Toolbar.  Docs, the word
processor, itself, has basic functions described in chapter two.  The
material on sharing and collaboration (one of the major reasons for
using Google Apps) sometimes lacks detail (as in the description of
publishing on the Web), but does have some technicalities and
suggestions in other aspects.  Conner suggests having the team agree
that each one will use a specific text colour for entries, which can
even clarify issues of multiple simultaneous updates [the content
isn't clear about how Google handles that], but might not work well
with deletions and modifications.  The Docs spreadsheets application,
as explained in chapter three, uses colour for multiple collaborators,
but this means that some of the (black and white) screenshots are
unclear.  Interestingly, collaboration on presentations is not
discussed in chapter four: does this mean that the function is not
available, or that the author has not tried it?

Part two reviews communication applications.  Chapter five outlines
the Gmail email system, with lots of screenshots.  There are some
useful tips, but these often get lost in the verbiage unless you are
reading the text carefully.  It's odd to think that an instant
messaging tool is complex enough to require all of chapter six, but
the whole thing is spent on Google Talk.  The Calendar program is
covered in chapter seven, but, oddly, sharing of calendar information
is not described, except for a mention that your system manager needs
to be involved.

Part three is involved with creating Web pages.  Chapter eight tells
you various things that can be added to "your" personal (private)
Google page with iGoogle.  Creating your own Web pages (which you can
then publish to the world) with Page Creator is described in chapter
nine.

Using Google Apps as a kind of groupware is examined in part four.
Domain names, colour schemes, and the like are noted in chapter ten.
There is some technical detail, but mostly not.  Miscellaneous
management controls are listed in chapter eleven.  Chapter twelve
deals with Google Sites, which appears to be a combination of iGoogle
and Page Creator.  Commercial services and the Google API (Application
Programming Interface) are mentioned in chapter thirteen.

Conner has created an introduction for novices that still manages to
provide pointers to intermediate or possibly experienced users.  This
is a considerable accomplishment, and is certainly superior to
Lenssen's "Google Apps Hacks" (cf. BKGOAPHA.RVW).  The balance of
material, however, could use some work.  The vast bulk of the text is
dedicated to extremely basic functions, with the occasional useful
gems buried in minor mentions, almost as asides.  If you are
interested in using Google Apps this provides a good starting point,
but will be demanding to work through.

copyright Robert M. Slade, 2009    BKGOAPMM.RVW   20091126


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I am sitting in the smallest room in my house. I have your review
in front of me. Soon it will be behind me.      - composer Max Reger
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#861 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Jul 29, 2010 11:11 pm
Subject: REVIEW: "The Myths of Security", John Viega
 
BKMTHSEC.RVW   20091221

"The Myths of Security", John Viega, 2009, 978-0-596-52302-2,
U$29.99/C$37.99
%A   John Viega viega@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596523025/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596523025/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596523025/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   "The Myths of Security"

The foreword states that McAfee does a much, much better job of
security than other companies.  The preface states that computer
security is difficult, that people, particularly computer users, are
uninformed about computer security, and that McAfee does a much better
job of security than other companies.  The author also notes that it
is much more fun to write a book that is simply a collection of your
opinions than one which requires work and technical accuracy.

There are forty-eight "chapters" in the book, most only two or three
pages long.  As you read through them, you will start to notice that
they are not about information security in general, but concentrate
very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface,
a few more essays list some online dangers.  Viega goes on to note a
number of security tools which he does not use, himself.  He then
argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV
software doesn't work.  (I've been working in the antivirus research
field for a lot longer than the author, and I'm certainly very aware
that there are problems with all forms of AV: but there are more forms
of AV in heaven and earth than are dreamt of in his philosophy.  By
the way, John, Fred Cohen listed all the major forms of AV technology
more than twenty-*five* years ago.)  The author subsequently jumps
from this careless technical assessment to a very deeply technical
discussion of the type of hashing or searching algorithms that AV
companies should be using.  And thence to semi-technical (but highly
opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs
have potential problems and therefore should be destroyed.  Eventually
all pretence at analysis runs out, and some of the items dwindle down
to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work
might have value.  Not that you'll learn anything, but that the biases
presented may run counter to your own, and provide a foil to test your
own positions.  However, those who are not professionals in the field
might do well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Computers are useless. They can only give you answers.
                                                      - Pablo Picasso
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#862 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Aug 3, 2010 12:51 am
Subject: REVIEW: "Best iPhone Apps", Josh Clark
 
BKBIPHAP.RVW   20091130

"Best iPhone Apps", Josh Clark, 2009, 978-0-596-80427-5,
U$19.99/C$24.99
%A   Josh Clark jclark@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-80427-5
%I   O'Reilly & Associates, Inc.
%O   U$19.99/C$24.99 800-998-9938 707-829-0515 fax: 707-829-0104
info@... or nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/ /robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/ /robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/ /robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   228 p.
%T   "Best iPhone Apps: The Guide for Discriminating Downloaders"

This book is a catalogue.  It describes (rather briefly, in most
cases) programs for the iPhone from the Apple App Store.  There are
roughly 200 from the 50,000.  Josh Clark considers them the best.

In my early days as a reviewer, one book was poorly written, badly
structured, difficult to comprehend, and made mistakes.  I said so.  I
was astounded to be contacted by someone who wanted more information
on where to obtain the book.  Turns out it was one of the only works
on his thesis topic, and he needed it, regardless of its lack of
quality.  The point I'm trying to make is that it is difficult to say,
on the basis of your own perspective, what the "best" is for other
people.

The apps are divided into categories for work, dining and nightlife,
leisure, play, home, travel, and health.  The author has provided lots
of screenshots, but fairly terse descriptions.  Particularly in regard
to the work utilities, I frequently found myself wondering how quick
and easy it would be to enter necessary information.

Many of the programs involve a price or fee, but a roughly equal
number are free.  However, the free apps tend to be those associated
with a freely available Website: you'd be able to get at pretty much
all of those with any computer and browser, or a browser on a
smartphone.  Or a browser on an iPhone.

Somewhere in these pages there probably is something for pretty much
anyone.  I suspect you'd have to be a real iPhone devotee to get
excited over the whole thing.

copyright Robert M. Slade, 2009    BKBIPHAP.RVW   20091130


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is something wrong with a profession in which the only way
to get anything done is to find a bearded wonder, lock him in a
closet, and slip him crackers under the door.      - Robert W. Bemer
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#863 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Aug 10, 2010 3:32 am
Subject: REVIEW: "Land the Tech Job You Love", Andy Lester
secgloss
BKLTTJYL.RVW   20091207

"Land the Tech Job You Love", Andy Lester, 2009, 978-1-934356-26-5,
U$23.95/C$29.95
%A   Andy Lester andy@...
%C   Raleigh, NC
%D   2009
%G   978-1-934356-26-5 1-934356-26-3
%I   Pragmatic Bookshelf
%O   U$23.95/C$29.95 praglife.com
%O  http://www.amazon.com/exec/obidos/ASIN/1934356263/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1934356263/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1934356263/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   252 p.
%T   "Land the Tech Job You Love"

It's a bit hard to keep faith in the instructions contained in a book
that starts out, not just on the first page, but inside the print
cover, with "Question everything, including this book."

There is a section, in the introduction, entitled "How This Book Was
Born."  It seems that two guys who hired people started giving talks
on how to apply for a job.  (It strikes me, anyway, that this might be
rather akin to having a toddler write a book on what to feed
children.)  Why this one wrote the book is unclear.

Part one is about the job search.  Chapter one says that you should be
honest, in order not to get the wrong job by misrepresenting yourself,
but spin yourself in the best possible light.  (How to balance these
somewhat contradictory positions is not specified.)  Assessing your
wants, needs, and motivation is dealt with in chapter two.  Creating
the content of your resume in the most promotional way is covered in
chapter three.  Style is substance, says chapter four, and, regardless
of what is important to you, follow the tips on fonts and paper
colour.  Unsurprisingly, chapter five notes that you should research
the job and the company, and use contacts to search for jobs.  Target
your resume and cover letter, is the advice in chapter six.

Part two deals with the interview, and subsequently.  Chapter seven
says to prepare for the interview.  Eight covers interview basics.
Stock answers to stock "tough" interview questions are given in
chapter nine.  Chapter ten notes topics that cannot be discussed in
job interviews in the US.  Post-interview follow-up, reference
submission, and accepting or declining a job offer are examined in
chapter eleven.  Chapter twelve discusses strategic (social or
professional) networking, training, and long term preparation for all
of the activities in part one, for the inevitable next time around.

Some appendices cover things you shouldn't do: cliched phrases in A,
resume and letter constructions in B, and interview presentations in
C.

The content and advice in this book are quite standard.  If you are
looking for a job in Web administration, page creation, or sales, and
are new to the applications and interview process, it will probably be
useful.  In terms of landing a job you love, probably the main thrust
of chapter one is the most significant: be honest, and you're less
likely to become stuck in a job you don't fancy.  (There is, of
course, no guarantee that the job you love actually exists ...)

copyright Robert M. Slade, 2009    BKLTTJYL.RVW   20091207


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is a theory which states that if ever anybody discovers
exactly what the Universe is for and why it is here, it will
instantly disappear and be replaced by something even more
bizarre and inexplicable. There is another theory which states
that this has already happened.                      - Douglas Adams
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#864 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Aug 23, 2010 10:21 pm
Subject: REVIEW: "Your Body: The Missing Manual", Matthew MacDonald
secgloss
BKYRBDMM.RVW   20091214

"Your Body: The Missing Manual", Matthew MacDonald, 2009,
978-0-596-80174-8, U$24.99/C$31.99
%A   Matthew MacDonald
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-80174-8 0-596-80174-2
%I   O'Reilly & Associates, Inc.
%O   U$24.99/C$31.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596801742/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596801742/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596801742/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   293 p.
%T   "Your Body: The Missing Manual"

Part one deals with the superficial layers, as it were.  Chapter one
outlines various facts about skin, and some implications for personal
hygiene.  Fat is covered in chapter two, with a lot of emphasis on
implications for dieting.  The material on muscle, in chapter three,
is indicative of the technical level of the content: it gets into
details, but inconsistently.  For example, while anaerobic respiration
and lactic acid are mentioned in separate places, their relationship
is not noted.  The skeletal system is addressed in chapter four.
Chapter five covers the senses of sight, hearing, taste, and smell.

Part two examines internal organs.  Chapter six discusses the lungs,
blood, nose, throat, speech, and other related entities.  Heart and
exercise is the topic of chapter seven.  The content describing the
digestive system, in chapter eight, is varied, covering biology,
diets, and social tidbits.  The immune system, and associated subjects
such as bacteria, viruses, cancer, auto-immune diseases, and
allergies, are dealt with in chapter nine.  Most of chapter ten, on
sex, discusses organs and activities, rather than reproduction.

The book finishes off with death.  And dying.  In chapter eleven.  A
lot of philosophy, and tips to stay young.

As I was reviewing this work, another person reading it complained
that, just when you get to the interesting parts, the explanation
stops and leaves you with no place to go (other than an irrelevant
joke).  That is, by and large, true.  There is a good deal of
information in the book, but while it would make more than one good
magazine article, it really doesn't get into any depth.  If you have
not thought or learned about your own body, this might be an
introduction to some basic aspects.  If you've taken any human biology
courses, you've probably gone beyond the material presented here.

copyright Robert M. Slade, 2009    BKYRBDMM.RVW   20091214


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Much reading is an oppression of the mind, it extinguishes the
natural candle, which is the reason of so many senseless scholars
in the world.                                         - William Penn
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#865 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Nov 23, 2010 11:26 pm
Subject: REVIEW: "Cryptanalysis", Helen Fouche Gaines
secgloss
BKCRPTAN.RVW   20091015

"Cryptanalysis", Helen Fouche Gaines, 1939, 978-0-486-20097-2,
U$9.95/C$14.95
%A   Helen Fouche Gaines
%C   31 E. 2nd St, Mineola, NY   11501
%D   1939
%G   978-0-486-20097-2 0-486-20097-3
%I   Dover Publications, Inc
%O   U$9.95/C$14.95 www.doverpublications.com
%O  http://www.amazon.com/exec/obidos/ASIN/0486200973/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0486200973/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0486200973/robsladesin03-20
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   237 p.
%T   "Cryptanalysis: A Study of Ciphers and Their Solution"

Written in 1939, and republished since, this work does not, of course,
address modern cryptography and algorithms.  It is primarily valuable
as an interesting guide to some of the history of cryptography.  It
also provides some general conceptual points, and gives practical
examples of the basic operations and principles of cryptanalysis.
Cracking modern algorithms is complicated, mathematically intensive,
and tutorially impractical, but it does use the same ideas and
approaches which are addressed in a more accessible fashion here.

Chapter one is a general introduction to the ciphers, codes, and the
requirements which existed at the time the work was written.  Some of
the subsequent chapters, such as those on concealment and general
transposition ciphers, are also basic introductions, and therefore of
little use to a modern professional, although probably of greater
interest to hobbyists.  Once Gaines gets into specific ciphers (for
example Nihilist Transposition, in chapter four) she also starts
delivering detailed procedures for breaking the encryption, and
recovering both plaintext and keys.  Following the procedures requires
some application, but her explanation of (for example) the strip
piecing attack against columnar transposition is much clearer than
that given by David Kahn in "Codebreakers" (cf. BKCDBRKS.RVW): even
though Kahn considered himself a cryptanalyst, he never matched the
level of exegesis that Gaines provides.  (Not all of the material is
from Gaines herself: she also includes essays and exercises from
members of the American Cryptogram Society.)  The decryption of
substitution ciphers is often the more complex exercise, turning on a
combination of frequency analysis and guessing at probable words.

While this work will be of limited help in understanding modern
complex ciphers, the fundamental concepts illustrated may be of some
use.  More interesting are the examples of the convoluted ways that
people have tried to hide their information over the years--and the
equally ornate means others evolved in order to break those codes.

copyright Robert M. Slade, 2010    BKCRPTAN.RVW   20091015


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
No one can make you feel inferior without your consent.
                                                  - Eleanor Roosevelt
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
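The review above contrasts transposition ciphers (such as the columnar transposition Gaines analyses) with substitution ciphers, whose solution "turns on a combination of frequency analysis and guessing at probable words". The following Python script is an added illustration written for this page, not code from Gaines's book or from the reviewer: it implements a keyed columnar transposition and a simple mixed-alphabet substitution, then applies the most basic frequency-analysis check, a chi-squared comparison of letter counts against English. A transposition permutes letters but leaves their counts untouched, so its score equals the plaintext's; a substitution scatters the counts across the wrong letters and the score balloons. The sample sentence, the key "CIPHER", the keyboard-order mixed alphabet, the frequency table and the threshold of 100 are all constructed assumptions.

```python
"""Added example (not from the book or the review): columnar transposition
versus simple substitution, and a letter-frequency test that tells the
two cipher families apart."""
from collections import Counter
import string

# Approximate relative frequencies (percent) of letters in English text.
ENGLISH_FREQ = {
    'A': 8.17, 'B': 1.49, 'C': 2.78, 'D': 4.25, 'E': 12.70, 'F': 2.23,
    'G': 2.02, 'H': 6.09, 'I': 6.97, 'J': 0.15, 'K': 0.77, 'L': 4.03,
    'M': 2.41, 'N': 6.75, 'O': 7.51, 'P': 1.93, 'Q': 0.10, 'R': 5.99,
    'S': 6.33, 'T': 9.06, 'U': 2.76, 'V': 0.98, 'W': 2.36, 'X': 0.15,
    'Y': 1.97, 'Z': 0.07,
}

# Constructed sample plaintext and keys (assumptions, not from the book).
SAMPLE = ("Transposition leaves the letter frequencies of the message "
          "unchanged, so the counts still look like English, whereas "
          "substitution moves each count to a different letter.")
TRANSPOSITION_KEY = "CIPHER"
# Image of A..Z under the substitution: a keyboard-order mixed alphabet.
SUBSTITUTION_ALPHABET = "QWERTYUIOPASDFGHJKLZXCVBNM"


def letters_only(text):
    """Classical ciphers work on bare letters: upper-case and drop the rest."""
    return ''.join(c for c in text.upper() if c in string.ascii_uppercase)


def _column_order(key):
    """Columns are read in alphabetical order of the key letters; repeated
    key letters are ordered left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext, key):
    """Write the text row by row under the key, read it out column by column."""
    text = letters_only(plaintext)
    ncols = len(key)
    columns = [text[i::ncols] for i in range(ncols)]
    return ''.join(columns[i] for i in _column_order(key))


def columnar_decrypt(ciphertext, key):
    """Reverse the process: cut the ciphertext into columns of the right
    lengths (the first n mod ncols columns are one letter longer), then
    read the grid row by row."""
    ncols = len(key)
    nrows, extra = divmod(len(ciphertext), ncols)
    col_len = {i: nrows + (1 if i < extra else 0) for i in range(ncols)}
    columns, pos = {}, 0
    for i in _column_order(key):
        columns[i] = ciphertext[pos:pos + col_len[i]]
        pos += col_len[i]
    return ''.join(columns[i][r] for r in range(nrows + 1)
                   for i in range(ncols) if r < col_len[i])


def substitution_encrypt(plaintext, alphabet):
    """Monoalphabetic substitution: letter k of A..Z becomes alphabet[k]."""
    table = str.maketrans(string.ascii_uppercase, alphabet)
    return letters_only(plaintext).translate(table)


def chi_squared_vs_english(text):
    """Sum over letters of (observed - expected)^2 / expected, where the
    expected count comes from ENGLISH_FREQ.  Low means English-like counts."""
    text = letters_only(text)
    n = len(text)
    if n == 0:
        return float('inf')
    counts = Counter(text)
    return sum((counts.get(c, 0) - n * f / 100) ** 2 / (n * f / 100)
               for c, f in ENGLISH_FREQ.items())


def looks_like_transposition(ciphertext, threshold=100.0):
    """Heuristic (assumed threshold): a transposition keeps the plaintext's
    letter counts, so its score stays low for a hundred or more letters;
    a substitution moves the counts to the wrong letters and the score
    grows by an order of magnitude or more."""
    return chi_squared_vs_english(ciphertext) < threshold


def demo():
    """Encrypt the sample both ways and score each ciphertext."""
    trans = columnar_encrypt(SAMPLE, TRANSPOSITION_KEY)
    subst = substitution_encrypt(SAMPLE, SUBSTITUTION_ALPHABET)
    return {
        "transposition": trans,
        "substitution": subst,
        "chi2_plain": chi_squared_vs_english(SAMPLE),
        "chi2_transposition": chi_squared_vs_english(trans),
        "chi2_substitution": chi_squared_vs_english(subst),
        "roundtrip_ok": columnar_decrypt(trans, TRANSPOSITION_KEY)
                        == letters_only(SAMPLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the transposition scoring exactly the same as the plaintext while the substitution scores far higher; that gap is the first question a cryptanalyst asks of an unknown classical ciphertext, before any probable-word guessing starts. The threshold is only a rule of thumb for texts of a hundred letters or more; very short messages give noisy counts either way.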

#866 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Dec 28, 2010 1:10 am
Subject: REVIEW: "Confessions of a Public Speaker", Scott Berkun
secgloss
BKCOPUSP.RVW    20100430

"Confessions of a Public Speaker", Scott Berkun, 2010,
978-0-596-80199-1, U$24.99/C$31.99
%A   Scott Berkun
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-80199-1 0-596-80199-8
%I   O'Reilly & Associates, Inc.
%O   U$24.99/C$31.99 800-998-9938 707-829-0515 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596801998/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596801998/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596801998/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   240 p.
%T   "Confessions of a Public Speaker"

This book contains a wealth of amusing anecdotes about working as a
speaker for conferences and other events.  Berkun writes well, and
provides his usual store of esoteric information.

Those in related fields, such as teaching, or work involving
presentations to groups, might find some of the points helpful, or at
least worth thinking about.  On the other hand, the author definitely
speaks from his own perspective, and doesn't address other options, in
terms of preparation or presentation styles.

The work is a great read, and should be considered for anyone's
bedside reading list.  Its usefulness may be limited.

copyright Robert M. Slade, 2010    BKCOPUSP.RVW    20100430


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is, in fact, no recognized principle by which the propriety
or impropriety of government interference is customarily tested.
People decide according to their personal preferences.
        - John Stuart Mill (1806-1873), On Liberty and Utilitarianism
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#867 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Jan 4, 2011 3:50 am
Subject: REVIEW: "The Sustainable Network", Sarah Sorensen
secgloss
BKSUSNET.RVW   20100425

"The Sustainable Network", Sarah Sorensen, 2010, 978-0-596-15703-6,
U$29.99/C$37.99
%A   Sarah Sorensen Sarah@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-15703-6 0-596-15703-7
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596157037/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596157037/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596157037/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   346 p.
%T   "The Sustainable Network"

This is not so much a book as a collection of essays; forty of them.
From the beginning, there is little logic or structure to the
material.  For example, the preface generally explains the intent of
the work.  One might assume, from the mention of "sustainable" in the
title (and the subtitle of "The Accidental Answer to a Troubled
Planet") that the author is concerned with the environment and energy
conservation.  Yet the preface doesn't mention this topic.  (Chapter
one does, but only in passing.)

Sorensen obviously thinks she has some technical information to
impart, but this data is scanty.  Chapters two and five outline some
terms used in networking, but don't explain them or the implications
of the associated concepts.  A good deal of the material in the book,
overall, promotes the Internet, and particularly broadband supply, but
does not go much beyond that.  There is brief mention of the carbon
debt of information and communication technologies, and even briefer
discussion of the toxic environmental impact of electronic devices.  A
great many numbers are thrown around, but the full implications or
comparisons seem to be missing.  (At one point, the numbers Sorensen
uses seem to imply that the total carbon debt of the entire trucking
industry is roughly equivalent to that output by about a hundred
families.)  The author proposes a "Sustainable Network Law," without
any facts, or even ideas, to back it up.  And it's not clear how
cyberwar would help the planet (aside from being more environmentally
friendly than the thermonuclear kind).

A few chapters deal with issues of computer and network security.
This material is unfortunately vague, and would not be helpful for
those trying to protect themselves from the attacks and misinformation
that exist on the net.

Late in the book, the focus turns to political action.  Again, most of
this material champions the idea that the net has altered everything
in politics, and is driving a new age of political freedom.  While
there certainly have been instances where new technologies have
contributed to the defeat of repression, you only have to look to the
recent elections (and protests) in Iran, and the severity of
censorship in China, to see strong counter-examples.

As stated previously, this work does not specifically state any intent
or audience.  Even having read it, I find it difficult to think of
anyone who might benefit from it.

copyright, Robert M. Slade   2010     BKSUSNET.RVW   20100425


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
My infected haiku
Jerusalem has added
more Jerusalem                                       - virus haiku
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

#868 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Jan 12, 2011 3:51 am
Subject: REVIEW: "Computer Viruses and Other Malicious Software", Organization for Economic Co-operation and Development
secgloss
BKCVAOMS.RVW   20100607

"Computer Viruses and Other Malicious Software", Organization for
Economic Co-operation and Development, 2009, 978-92-64-05650-3
%A   Organization for Economic Co-operation and Development
%C   2 rue Andre Pascal, 75775 Paris Cedex 16, France
%D   2009
%G   978-92-64-05650-3 92-64-05650-5
%I   OECD Publishing
%O   oecdna@... sourceoecd@...
%O  http://www.amazon.com/exec/obidos/ASIN/9264056505/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/9264056505/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9264056505/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   "Computer Viruses and Other Malicious Software"

The executive summary doesn't tell us much except that malware is bad,
and that this report is seen as a first step in addressing the issue
in a global, comprehensive manner.

Part one, entitled "The Scope of Malware," is intended to provide
background to the problem.  Chapter one, as an overview, is a random
collection of technical issues, with poor explanations.  Although it
is good to see that the malware situation is defined in terms that are
more up-to-date than those in all too many security texts, the lack of
foundational material provided by the authors will necessarily limit
the perception of the issue for those readers who have not done
serious research themselves.  Various stories of attacks and payloads
(not all related to malware) are listed in an equally disjointed
manner in chapter two.  There are numerous errors, including in simple
aspects like arithmetic.  (20 million is not "5 times" one million.)
The explanation of why we should be concerned, in chapter three, boils
down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware.  Chapter four, while it
promises to deal with cybersecurity and economic incentives, merely
states that security is hard.  Chapter five does deal with economic
factors influencing decisions of key players on the Internet, but does
so only on the basis of an opinion survey, rather than any measured
costs or benefits.  Descriptions of different types of economic
situations are given in chapter six, but a final set of "findings"
doesn't seem to have much background support.

Part three is supposed to contain recommendations about actions to
take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on
areas of malware to contribute to the literature.  The concept of
addressing the economic aspects is interesting, but is not
sufficiently fulfilled.  Overall, this text has nothing to add to
existing information.

copyright, Robert M. Slade   2010     BKCVAOMS.RVW   20100607


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The nice thing about standards is that you have so many to choose
from.  Furthermore, if you do not like any of them, you can just
wait for next year's model.                    - Andrew S. Tanenbaum
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade

Copyright © 2010 Yahoo! Inc. All rights reserved.