I have been reviewing security books for over twenty years now. When I think of
how few are really worthwhile that gets depressing.
However, Ross Anderson is always worth reading. And when Ross Anderson first
published "Security Engineering" I was delighted to be able to tell everyone
that it was a worthwhile read. If you are, in any way, interested in, or
working in, the field of security, there is something there for you. Probably
an awful lot.
When Ross Anderson made the first edition available online, for free, and then
published the second edition, I was delighted to be able to tell everyone that
they should buy the second edition, but, if they didn't trust me, they should
read the first edition free, and then buy the second edition because it was
even better.
http://victoria.tc.ca/int-grps/books/techrev/bkseceng.rvw
Now Ross has made the second edition available, online, for free:
http://www.cl.cam.ac.uk/~rja14/book.html
Everyone should read it, if they haven't already done so.
(I am eagerly awaiting the third edition :-)
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Education: the path from cocky ignorance to miserable uncertainty
- Mark Twain
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
BKGETPOT.RVW 20120907
"Guide to Effective Technologies for Providing Online Training",
Joanne Kaattari, 2012
%A Joanne Kaattari
%C 80 Bradford St., Suite 508, Barrie ON, L4N 6S7
%D 2012
%G ASIN B007CMLLRA
%I Community Literacy of Ontario
%O 705-733-2312 clo@... http://www.nald.ca/clo.htm
%O http://www.amazon.com/exec/obidos/ASIN/B007CMLLRA/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/B007CMLLRA/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/B007CMLLRA/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%T "Guide to Effective Technologies for Providing Online Training"
This is a rather odd book. It possibly is a guide, but is based on a
questionnaire survey of opinions and tools from other organizations.
The survey asked for types of training and technologies used, benefits
and problems of using online training (for both the organization and
the staff or clients), and new technologies that the organization
might want to try. There is little analysis of the results, and a
great deal of duplication.
The book lists, as chapters, fifteen categories (which should probably
more properly be seven). For each there is a brief description, but
most of the material is comprised of lists of Websites. These could
be useful as a set of contact points for a variety of technologies.
In regard to the tools themselves, the work lists, as separate
categories of tools, online video, Webinars, and online presentations,
which are all, in terms of training delivery, substantially the same
function. Similarly, the categories of online conference resources,
Moodle, social networking, and Web-based training modules are all just
collections of online training tools. On the other hand, Wiki and
cloud computing are included together as one functional category,
despite having almost no connection.
For the pros and cons, again, there is little consideration and a
great deal of reiteration. The listed benefits go on for pages, but
boil down to greater distance and/or audience, speed of creation of
materials, lower costs and increased communication for the enterprise.
For the staff, there was convenience of access and schedule, and the
ability to repeat a module for remediation.
The challenges showed a much greater range, noting increased budget
requirements for the technology, lack of technical skills and
awareness for the trainer, as well as a learning curve prior to
delivery, conflicts in learning styles and poor learning experiences,
a variety of topics found to be unsuitable for online delivery, lack
of policy, a digital divide in the learners, and interactivity and
community communication and formation problems. In addition, staff
noted problems with the technology itself, technology and device
requirements and lack of availability, poor quality in the courses,
and a significant self-management requirement. (Note that the text
makes no attempt to assess or rectify the contradiction of cost and
communications being described as both a benefit and a problem.)
As a list of Websites for finding tools and resources this guide may
be of use to those exploring training technologies. However, the
analysis and descriptions will provide no assistance, and the reader
will have to perform his or her own assessment of the tools and uses.
copyright, Robert M. Slade 2012 BKGETPOT.RVW 20120907
BKWWHACK.RVW 20121009
"World War Hack", Ethan Bull/Tsubasa Yozora, 2012, 978-0-9833670-8-6
%A Ethan Bull
%A Tsubasa Yozora
%C 9400 N. MacArthur Blvd., Suite 124-215, Irving, TX 75063
%D 2012
%E Gwendolyn Borgen
%G 978-0-9833670-8-6 0-9833670-8-6
%I Viper Entertainment Inc./Viper Comics
%O U$7.95 wyatt@... www.worldwarhack.com
%O http://www.amazon.com/exec/obidos/ASIN/0983367086/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0983367086/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0983367086/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 72 p.
%T "World War Hack"
Someone (eventually we find out they are backed by the Chinese) has
hacked into the United States military and government control systems.
Fortunately, despite being in complete control and untraceable, all
they seem to want to do is make one military drone act up.
The US government immediately swings into action, and sponsors a
hacking contest, to try and identify suitably talented young geniuses
(genii?) to find out what is going on.
It's hard to follow what is going on, since the artwork makes it
difficult to differentiate between characters. There are young people
with bad haircuts, and there are other people with suits. Some people
are female. After that, it gets hard to tell who's who. One of the
hackers is a government agent, another one has a criminal record but
seems to be a son of a suited government agent.
Some of the technical and hacking activity is somewhat realistic, but
other aspects are bizarre, and betray a complete lack of understanding
of basic technology. For example, at different times a programming
language gets "hacked" (in the sense of breaking into it), and at
another time a government administrator can't tell what computer
language has been used to write a specific program. In the real world
of programming and hacking neither of these scenarios makes any sense.
Absent Ken Thompson's famous speech nobody "hacks" a language, and
generally nobody cares what language has been used to write a utility
once it is operating. (No programmer ever said LISP was a concise
language, and there is no way that even a "skin" on top of LISP would
look like C.) At another point two devices "piggyback" on the same IP
address, which simply does not work in networking terms.
There are aspects of this story that are realistic. One is that, if
you are not careful with your systems, someone can penetrate them and
mess with you. If there are any other useful factors in this story, I
can't think of them offhand.
(As usual, the draft of this review was submitted to the
author/publisher for comment prior to publication. I often get rude
email in response, sometimes threats of physical harm, and once even a
death threat. [Yes, really.] In this case the publisher has
threatened unspecified legal action "to protect the copyright on our
work." I would be interested to see the publisher's reaction to
counsel explaining the "commentary" aspect of the concept of "fair
use.")
copyright, Robert M. Slade 2012 BKWWHACK.RVW 20121009
BKSCPRO2.RVW 20121122
"Security and Privacy for Microsoft Office 2010 Users", Mitch Tulloch,
2012, 0735668833, U$9.99
%A Mitch Tulloch info@... www.mtit.com
%C 1 Microsoft Way, Redmond, WA 98052-6399
%D 2012
%G 0735668833
%I Microsoft Press
%O U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@...
%O http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 100 p.
%T "Security and Privacy for Microsoft Office 2010 Users"
Reducing the complex jargon in the introduction to its simplest terms,
this book is intended to allow anyone who uses the Microsoft Office
2010 suite, or the online Office 365, to effectively employ the
security functions built into the software. Chapter one purports to
present the "why" of security, but does a very poor job of it.
Company policy is presented as a kind of threat to the employee, and
this does nothing to ameliorate the all-too-common perception that
security is there simply to make life easier for the IT department,
while it makes work harder for everyone else.
Chapter two examines the first security function, called "Protected
View." The text addresses issues of whether or not you can trust a
document created by someone else, and mentions trusted locations.
(Trusted locations seem simply to be defined as a specified directory
on your hard drive, and the text does not discuss whether merely
moving an unknown document into this directory will magically render
it trustworthy. Also, the reader is told how to set a trusted
location, but not an area for designating untrusted files.)
Supposedly "Protected View" will automatically restrict access to, and
danger from, documents you receive from unknown sources.
Unfortunately, having used Microsoft Office 2010 for a couple of
years, and having received, in that time, hundreds of documents via
email and from Web sources, I've never yet seen "Protected View," so
I'm not sure how far I can trust what the author is telling me. (In
addition, Tulloch's discussion of viruses had numerous errors: Concept
came along five years before Melissa, and some of the functions he
attributes to Melissa are, in fact, from the CHRISTMA exec over a
decade earlier.)
Preparation of policy is promised in chapter three, but this isn't
what most managers or security professionals would think of as policy:
it is just the provision of a function for change detection or digital
signatures. It also becomes obvious, at this point, that Microsoft
Office 2010 and Office 365 can have significantly different
operations. The material is quite confusing with references to a
great many programs which are not part of the two (2010 and 365) MS
Office suites.
Chapter four notes the possibility of encryption with a password, but
the discussion of rights is unclear, and a number of steps are
missing.
An appendix lists pointers to a number of references at Microsoft's
Website.
The utility of this work is compromised by the fact that it provides
instructions for functions, but doesn't really explain how, and in
what situations, the functions can assist and protect the user. Any
employee using Microsoft Office will be able to access the operations,
but without understanding the concepts they won't be able to take
advantage of what protection they offer.
copyright, Robert M. Slade 2012 BKSCPRO2.RVW 20121122