REVIEW: "Tangled Web", Richard Power
- BKTANGWB.RVW 20001027
"Tangled Web", Richard Power, 2000, 0-7897-2443-X,
%A Richard Power
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)
%O U$25.00/C$37.95/UK#18.50 800-858-7674 317-581-3743 www.mcp.com
%P 431 p.
%T "Tangled Web: Tales of Digital Crime from the Shadows of
This book gives a reasonably balanced review of the perception of
security experts in regard to the level of computer or communications
involved crime going on in our networked world. That is because this
is not so much a book, as an extended compilation article. Power
reproduces interviews with, or grabs quotations from the written works
of, a great many forensic and security specialists or researchers.
Very large chunks of the book are taken from previously published
Note also that I say "balanced," and not "complete."
Part one appears to be intended as a general introduction to computer
related crime. Chapter one is the usual statement that it goes on,
mercifully brief. Despite an interview with Sarah Gordon and
extensive quoting from Donn Parker, chapter two's look at
cybercriminals focusses rather narrowly on the fact that people who do
crimes aren't normal. The CSI (Computer Security Institute)/FBI
Computer Crime and Security Survey is introduced with many graphs and
tables in chapter three. The description does mention, but doesn't
emphasize, the fact that the survey was self-selecting and self-
reporting, and therefore only marginally more informative than an
opinion poll. Chapter four tries to look at costs.
The title of part two seems to indicate a deeper analysis of criminals
and system breakers. Chapter five touches on the infamous Operation
Sundevil (the law enforcement disaster that was the inspiration behind
Bruce Sterling's "The Hacker Crackdown," cf. BKHKRCRK.RVW), and the
even more infamous Morris Internet Worm: is Power trying to equate
police activity with system breaking? Three penetration episodes that
led to the arrest of young crackers are described in chapter six.
Some stories of theft of credit card numbers, bank fraud, and advanced
phone phreaking are given in chapter seven, but these are cobbled
together from published interviews with police, and have little
technical background. There is a little bit about nuisances and
vandalism, and a lot about distributed denial of service, in chapter
eight. Chapter nine tells the stories of the Melissa and Love Bug
email worms. As with the earlier tales in the book, the material is
technically weak, and has other errors of fact as well. (I exclude
the respective CERT advisories, which are reproduced in full.)
Part three is about spies and espionage. However, chapter ten, which
talks about spies, doesn't really have anything to say about computer
penetration. The stories are all very terse mentions of spying culled
from general news reports. The tales of insider fraud, in chapter
eleven, vary in length and don't really present any more than trivial
information. Infowar gets a mix of anecdotes and speculation in
Part four looks at personal attacks. Both chapter thirteen, on
identity theft, and chapter fourteen, on child pornography, are short
and oddly unhelpful.
Part five turns to defensive activities. Chapter fifteen concentrates
on where the security department should be on the corporate org chart.
Global law enforcement recounts a few presentations by non-US law
enforcement people in chapter sixteen. There are more details on US
government security offices and activities, in chapter seventeen, but
not many. Countermeasures, in chapter eighteen, is a "once over
lightly" of the entire security field. The epilogue, entitled "The
Human Factor," is vague.
If you haven't been paying any attention to computer security, this
book is a quick read that will get you a very rough idea of what is
going on in the areas of greatest concern to large corporations. If
it scares a few people that will be all to the good: it certainly
doesn't help you to start doing anything about security. Presumably
it is the general public, with little knowledge of computer security,
that is the intended audience. However, the lack of structure and
uneven quality and depth of information make it difficult to know what
those readers will take from this book.
If, of course, you have been paying any attention at all, this is
pretty old news.
copyright Robert M. Slade, 2001 BKTANGWB.RVW 20001027
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Anything a faculty member can learn, a student can easily.
- Richard Wesley Hamming
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade