Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "The Information Security Dictionary", Urs E. Gattiker

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKINSCDI.RVW 20041222 The Information Security Dictionary , Urs E. Gattiker, 2004, 1-4020-7889-7, U$145.00/C$203.50 %A Urs E. Gattiker
    Message 1 of 1 , Mar 14, 2005
    • 0 Attachment
      BKINSCDI.RVW 20041222

      "The Information Security Dictionary", Urs E. Gattiker, 2004,
      1-4020-7889-7, U$145.00/C$203.50
      %A Urs E. Gattiker dictionary@...
      %C 233 Spring St., New York, NY 10013
      %D 2004
      %G 1-4020-7889-7
      %I Springer-Verlag/Kluwer
      %O U$145.00/C$203.50 212-460-1500 800-777-4643
      %O http://www.amazon.com/exec/obidos/ASIN/1402078897/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1402078897/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1402078897/robsladesin03-20
      %O tl n rl 1 tc 0 ta 2 tv 1 wq 0
      %P 411 p.
      %T "The Information Security Dictionary"

      A good dictionary of information security terms is seriously needed by
      the security community, and by the computer and communications
      industry as a whole. The "Internet Security Dictionary" (cf.
      BKINSCDC.RVW), by Phoha, was a good start, but needs to be expanded
      and updated.

      I have been working on a security glossary myself, so this might be
      yet another case of bias or conflict of interest. I should also note
      that, although it is widely believed that I enjoy trashing books, I am
      actively looking for works that I can recommend. Oh, it's easier to
      point out flaws in a work than it is to say why someone writes well.
      However, I take no particular pleasure in having to savage a work as
      thoroughly as this one requires.

      Far too many of the definitions contain misleading, incomplete, or
      outright false information. Anomaly-Based Intrusion Detection Systems
      are said to discover known attacks, which might be true, but
      signature-based systems would normally be considered better for that
      purpose: you want anomaly-based detection to discover previously
      unknown attacks. The entry for Authentication does not list the
      standard factors of something you know, have, or are. The definition
      for the Bell-La Padula security model doesn't provide any details of
      the pattern itself, does not mention confidentiality (a central
      concept), and does not refer to the Trusted Computer System Evaluation
      Criteria and other outcomes of the paradigm. The Biba integrity model
      is listed as "Bibra."

      Patent mentions the ability of the patent holder to restrict use, but
      doesn't mention that patent is only applicable to devices and that the
      device must be novel, useful, and non-obvious. Reference is made to
      copyright (the definition of which is equally flawed) and to Tables
      16A and B, neither of which alludes to intellectual property laws. No
      listing is given for trade secrets or trade marks. Both the entry for
      patent and the account of copyright state that patents protect ideas,
      which is specifically untrue.

      There is a listing for Illegal Software (software used without a
      licence), although there isn't one for piracy. There is one for
      Software Piracy, but neither of the two cross-references points to
      Illegal Software. There is an entry for Cable, as in cable TV, but
      nothing for cabling as in network media, which has much greater
      importance in terms of information security. Challenge Handshake
      points to Handshake (there is no listing for challenge/response) and,
      for some completely inexplicable reason, also to Circuit-Level
      Gateway.

      The sub-listing for Content Filtering (which comes under filtering,
      rather than content) makes no mention of the origin of the practice in
      restricting access to objectionable material.

      "DoS on the 13 Internet Root Servers" is not the title of a famous
      Cultural Revolution artwork, but a reference to the October, 2002
      attack against the top-level DNS servers. Almost no details of the
      event are provided (and this was actually a *distributed* denial of
      service attack).

      Digital Versatile Disk (generally used as an update to Digital Video
      Disk, the original expansion of the DVD acronym) is defined as using
      both sides of the disk (almost unknown in commercial DVDs) and also
      notes a capacity of 17 gigabytes, which would actually require both
      sides and both depths.

      One of the sub-entries under Disinfection is Generic Scan String,
      which has nothing to do with disinfection of computer viruses.

      "Activity monitor" is defined solely in terms of employee
      surveillance, and ignores the specialized use in malware detection.

      The entry for Cookies states (incorrectly) that they can only be used
      by the originating site. However, there is a cross-reference to table
      18A (a mere 140 pages from the entry). Table 18A has no mention of
      the term. Table 18B does have a listing for Java Cookies--which
      contradicts the earlier assertion, and says that other parties can
      read cookies. Defence-In-Depth has a reference to Table 6A. There is
      no 6A, although there is a 6. Table 6 contains no reference to
      defence-in-depth.

      Urs isn't always certain of his definitions: an Application Level
      Gateway "could" be a type of firewall. However, in that case, he is
      certain that it re-addresses traffic--which is actually the function
      of network address translation (NAT), generally considered a type of
      circuit-level proxy firewall. Phishing is equated with "carding"
      (obtaining or trading in credit card numbers for fraudulent use) while
      the more definitive practice of obtaining banking information is
      ignored. (We are told that avoiding the running of attachments
      prevents phishing. Phishing scams seldom make use of attachments or
      executable code.)

      Cross references are not always accurate. On page 12 the listing for
      "Anti-Virus Researcher" points to the entry for "Research." There is
      no material for Anti-Virus Researcher in that entry, but there is in
      the later entry for "Researcher." Ethics points to Justice, which
      doesn't say anything about ethics.

      Some of the terms included are rather odd. "Binders" are supposed to
      be utilities that bind multiple code modules together. Most people
      refer to these utilities as linkers. "Derf" was used as a term for
      hijacking sessions on logged in terminals, but in a limited setting
      and quite a while back: the term is pretty much unknown today.

      The definitions given for some entries don't seem to have any real
      meaning. For example, "Virus Algorithm means a set of operations or a
      procedure designed to create a virus problem." Many long definitions
      appear to have been patched together from disparate and unrelated
      sources, not listing additional meanings, just appending disjointed
      verbiage.

      Some of the definitions given are correct. Heck, some are copied
      straight out of government documents. But Gattiker has included a
      number of terms which are either generic, or have only the most
      tenuous of connections to security. There is an entry for Computer
      Mouse. There is a listing for the fictional cyberpunks, but no
      mention of the real-world cypherpunk community. The definition for
      Virology deals only with biology. The entry for Virus is only
      relevant to (pretty much obsolete) file infectors.

      As could be expected with a work of this calibre, a number of terms
      are simply missing. There are entries for false positive and false
      negative, but none for false acceptance or false rejection (the more
      widely known terms for similar concepts).

      It is difficult to give a complete picture of the unreliability of
      this text. It would be easy for me to simply do an exhaustive search
      of every minor error, and in a few pages collect all that might be
      wrong with an otherwise great work. But in this volume we have
      spurious listings, missing entries, definitions that make no sense to
      the reader, explanations that are erroneous, and even opinion stated
      as fact. (The man, or manual, pages of the UNIX system, incorrectly
      identified as "main" pages, are said to be technobabble, presumably
      because Urs doesn't understand their cryptic nature.) Slang is
      included and technical terms are left out.

      Probably the best way to give a flavour of the quality of this work is
      to reproduce some listings. (I have tried to be as careful as
      possible in copying the exact writing and punctuation of the entries
      as they appear in the book.)

      A listing that sounds good but makes no sense (as well as being a non-
      sequitur) provides a good feel for the quality of language and logic
      representative of the work as a whole:

      Homomorphic Encryption is a cryptographic technique in which
      the sum of two encrypted values is equal to the encrypted sum
      of the values. The signature operation in public key
      cryptography is an exponentiation operation using the private
      key as the exponent.

      According to "Algebraic Aspects of Cryptography" by Neal Koblitz (cf.
      BKALASCR.RVW), and a number of other references, homomorphism refers
      to groups or sets rather than express algorithms or techniques.
      Homomorphic encryption can be useful for signature or authentication
      systems where anonymity is important (such as in voting procedures)
      but it probably isn't necessary to specify exponentiation.

      The sub-entry for "Anti-Virus Researcher or Security Assurance
      Researcher" on page 270 is lengthier, and requires a bit more
      dissection:

      Anti-Virus Researcher or Security Assurance Researcher may
      conduct his or her research in many ways. An example might be
      a lawyer searching among old court cases for legal precedents
      regarding Privacy and Hacking.

      An epidemiologist studying age groups or cohorts and hip-
      fracture incidents to an Anti-Virus Researcher studying
      malicious code to discover programming patterns and
      characteristics (see Theory).

      Often Anti-Virus Researcher is used synonymously with "product
      development." Sometimes, a "bonafide antivirus researcher's"
      role within his or her organization might be documented by
      independent examination (see also Appendix 3 and badguys
      website).

      It should be reasonably obvious that the specialized activity of
      antivirus research and the more general undertaking of security
      assurance research are not exactly synonymous. In addition, very
      little antivirus research involves case law. If you are confused by
      the meaning of the sentence about an epidemiologist, you are not
      alone. Again, very little antivirus research involves hip-fractures.
      Some AV researchers are also product developers, but the two
      activities are hardly identical. The reference to "badguys website"
      is to the "Bad Guys" Website (www.badguys.org) run by Sarah Gordon,
      which does have some information about legitimate virus research, in
      opposition to the blackhats who write viruses and call themselves
      researchers.

      If, following the cross reference to Theory, we flip to page 324, we
      find a sub-entry for "Anti-Virus Theory":

      Anti-Virus Theory if it would exist would be based on
      Inductive or Deductive Research outline phenomena and their
      relationship to other issues. Hence, investigation of the
      subject aimed at uncovering new information in a systematic
      way, while permitting a group of statements about how some
      part of the world works, in this case Computer Viruses. A
      good Anti-Virus Theory would allow us to generalize from one
      virus to the next (see Tables 19A and 19B).

      The wording here would seem to imply that Anti-Virus Theory does not
      exist, which raises the immediate question of why you would include an
      entry for a non-existent entity. Induction and deduction are fairly
      broad tools: the first sentence doesn't really appear to say anything
      useful about the type of theory or research. Tables 19A and B are
      nowhere near that entry. In fact, you will find them on pages 207 and
      209-11. Neither do the tables have anything to do with viruses: they
      talk about the costs and prevalence of various forms of Internet
      access. In any case, that entry doesn't appear to say anything about
      any theory to do with computer viruses, beyond the definition of a
      theory in general.

      (If we follow the further cross-reference to "Methodology," we find no
      allusion to antivirus research at all.)

      Errors in formatting (particularly indenting) are rife, and make it
      difficult to follow the structure of entries, or the book as a whole.
      Bold text sometimes means that the term is another entry, but
      sometimes it doesn't seem to mean anything. Sometimes the formatting
      problem might explain entries that appear to be out of place, but I'm
      not sure that they explain the sequential listings of Autopsy,
      Authorization, and Auto Dial-Back.

      There are numerous typographical errors, mistakes in spelling and
      grammar, and tremendous inconsistencies in capitalization. Even the
      most cursory copy and style edit would have improved things
      enormously.

      The security community and industry deserves better than this.
      Students of security need more accurate information than is provided
      in this work. Society as a whole is relying on information security
      and requires more credible content than this book contains.

      copyright Robert M. Slade, 2004 BKINSCDI.RVW 20041222


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Mike: I swear, you must think you're some kind of god.
      Pitr: God, root, what is difference?
      http://www.userfriendly.org/cartoons/archives/98nov/19981111.html
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.