BKCNSNTW.RVW   20121205

“Consent of the Networked”, Rebecca MacKinnon, 2012, 978-0-465-02442-1, U$26.99/C$30.00
%A   Rebecca MacKinnon
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02442-1 0-465-02442-1
%I   Basic Books
%O   U$26.99/C$30.00 special.markets@perseusbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465024421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465024421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465024421/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   294 p.
%T   “Consent of the Networked: The Worldwide Struggle for Internet Freedom”

In neither the preface nor the introduction is there a clear statement of the intent of this work.  The closest comes buried towards the end of the introduction, in a sentence which states “This book is about the new realities of power, freedom, and control in the Internet Age.”  Alongside other assertions in the opening segments, one can surmise that MacKinnon is trying to point out the complexities of the use, by countries or corporations, of technologies which enhance either democracy or control, and the desirability of a vague concept which she refers to as “Internet Freedom.”

Readers may think I am opposed to the author’s ideas.  That is not the case.  However, it is very difficult to critique a text, and suggest whether it is good or bad, when there is no clear statement of intent, thesis, or terminology.

Part one is entitled “Disruptions.”  Chapter one outlines a number of stories dealing with nations or companies promising freedom, but actually censoring or taking data without informing citizens or users.  The “digital commons,” conceptually akin to open source but somewhat more nebulous (the author does, in fact, confuse open source and open systems), is promoted in chapter two.

Part two turns more directly to issues of control.  Chapter three concentrates on factors the Republic of China uses to strengthen state censorship.  Variations on this theme are mentioned in chapter four.

Part three examines challenges to democracy.  Chapter five lists recent US laws and decisions related to surveillance and repression of speech.  The tricky issue of making a distinction between repression of offensive speech on the one hand, and censorship on the other, is discussed in chapter six.  The argument made about strengthening censorship by taking actions against intellectual property infringement, in chapter seven, is weak, and particularly in light of more recent events.

Part four emphasizes the role that corporations play in aiding national censorship and surveillance activities.  Chapter eight starts with some instances of corporations aiding censorship, but devolves into a review of companies opposed to “network neutrality.”  Similarly, chapter nine notes corporations aiding surveillance.  Facebook and Google are big, states chapter ten, but the evil done in stories given does not inherently relate to size.

Part five asks what is to be done.  Trust but verify, says (ironically) chapter eleven: hold companies accountable.  MacKinnon mentions that this may be difficult.   Chapter twelve asks for an Internet Freedom Policy, but, since the author admits the term can have multiple meanings, the discussion is fuzzy.  Global Information Governance is a topic that makes chapter thirteen apposite in terms of the current ITU (International Telecommunications Union) summit, but the focus in the book is on the ICANN (Internet Committee on Assigned Names and Numbers) top level domain sale scandals.  The concluding chapter fourteen, on building a netizen-centric Internet is not just fuzzy, but full of warm fuzzies.

There are a great many interesting news reports, stories, and anecdotes in the book.  There is a great deal of passion, but not much structure.  This can make it difficult to follow topical threads.  This book really adds very little to the debates on these topics.

copyright, Robert M. Slade   2013   BKCNSNTW.RVW   20121205

Douglas Adams is still right: No language has the phrase “As pretty as an airport”. But in my humble opinion, airports have come a long way in the last 10 years. Or maybe my expectations have become so low, I can’t be disappointed. Either way, it seems to me going through an airport isn’t as bad or boring or inconvenient as it used to be.
I’m not just talking about the East-Asian airports (Hong Kong, Seoul, Singapore) which have always been stellar. Even the infamous American airports are newer, and more convenient.

I’m giving you this airport cheer-leading chant because if you live in Europe, you should go and check out how much your airport has improved since you’ve last seen it. Then, take a flight to Istanbul. Not just because Istanbul is one of the nicest cities in Europe but also because Nopcon is taking place June 6, and has some very interesting and incredibly original speaker lineup: Moti Joseph, Nikita Tarakanov, Gökhan Alkan, Svetlana Gaivoronski, Canberk Bolat and Ahmet Cihan (aka Hurby). Nice!

More info here: http://www.nopcon.org/

Canadian terrorists strike again: apparently we are responsible for taking down a major piece of transportation infrastructure, vis, the I-5 bridge over the Skagit river at Mount Vernon.

A friend in Seattle assures me that, while he is disappointed in us, he holds no grudges, and is willing to warn us if he hears of any drone strikes planned for north of the border.

(Allow me, for a moment, to examine this “oversized load” on which everyone is blaming the collapse.  Image 2 in the slide deck [if they don't change it] is this “oversized load.”  You will notice that it is basically an empty box with the two sides missing, and has, relatively, zero structural rigidity.  If a ding from that kind of load brought the bridge down [and didn't even collapse the load itself], the bridge was definitely unsafe.)

I drive that route regularly, and, when I heard that a bridge had gone down, that bridge was the first one I thought of.  I have always felt unsafe crossing it.  There is a wrongness about it you can just feel.

It’s also ugly.  And I am reminded of an essay by an engineer who said that bridges were the most beautiful products of all forms of engineering.  A properly designed bridge has curves, and those curves just feel right.  They are beautiful.

So, if you ever have questions about a bridge, and you don’t have enough facts to go on, just look at it.

If it’s ugly, don’t cross it.

BKCLDCRS.RVW   20101009

“Cloud Crash”, Phil Edwards, 2011, 978-1466408425, U$9.99
%A   Phil Edwards PhilEdwardsInc.com philipjedwards@gmail.com
%C   Seattle, WA
%D   2011
%G   978-1466408425 1466408421
%I   CreateSpace Independent Publishing Platform/Amazon
%O   U$9.99
%O  http://www.amazon.com/exec/obidos/ASIN/1466408421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1466408421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1466408421/robsladesin03-20
%O   Audience n Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   386 p.
%T   “Cloud Crash”

To a background of the Internet crashing, and opposed by a conspiracy that has penetrated the highest levels of government, two (no, make that three … err … four … better say five …) groups of individuals race to save the world from … a stock market fraud?  hostile takeover? aliens?  (No, I’m pretty sure the aliens were a red
herring.)

The story and inconsistent characterizations could use some work, and the plot twists don’t make it very easy to follow what is going on.  It’s fairly easy to tell who the good and bad guys are: the politics and philosophy of the book are fairly simple, and one is reminded of the scifi and comics of the 30s and 40s, with heavily anti-fascist and (ironically) right-wing rhetoric.

It would be tempting to dismiss the work as a simple “jump on the latest buzzword” potboiler, were it not for the fact that the technology is fairly realistic.  Yes, right now everyone is jumping on the cloud bandwagon without much regard for real security.  Yes, if you wanted to make a big (and public) splash on the Internet, without doing too much permanent damage, taking down power supplies would still leave the data intact.  (Of course, an axe would do just as good a job as bombs …)

So, while the story isn’t great, at least the technology is less annoying than is normally the case …

copyright, Robert M. Slade   2012     BKCLDCRS.RVW   20101009

BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch,
2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O  http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122

“Fraudster James McCormick has been jailed for 10 years for selling fake bomb detectors. … One invoice showed sales of £38m over three years to Iraq, the judge said.”

http://www.bbc.co.uk/news/uk-22380368

Closer to our technical field, we know about the pure fraud of fake AV, of course.  And there are plenty of companies out there selling shoddy products.  But there are also the “consultants” out there doing desultory work, and spending more time on building a client base than doing any research or analysis.  (I recently ran into a monitoring and surveillance “expert” who had no idea about the problems with IP-connected video cameras.)  Some of them even hold CISSP certificates.

This is basically the whole reason behind the certificate: to have a standard that allows people to expect a minimal level of competence.  It’s not perfect, never will be, and there are other attempts (so far seemingly even less successful) at doing the same thing.  We need to assist the process, where we can, even if we don’t feel like pushing the ISC2 “brand.”

Do what you can to help.  Even if it is just pointing out fixable errors.

(When was the last time you submitted a question to the exam committee?)

Whenever political pundits get together, they all start the competition for “our politicians are more corrupt/venal/just plain weird than yours.”  Whenever anyone from BC enters the fray, everyone else concedes.

Herewith our latest saga.

The ruling “Today’s BC Liberal Party” is finding itself polling behind the NDP.  (Do not let the word “liberal” in the party name fool you.  Whereas pretty much every other liberal party would be centre-left, the BC Liberals are, politically, somewhat to the right of Attila the Hun.)  The liberals are runing attack ads stating that, twelve years ago, the leader of the NDP backdated a memo.

(No, I’m not making this up.)

The Liberals have just released another version of the same attack ad, this time using a snippet of footage from the recent leaders debate.  Trouble is, the media consortium that ran the debate has copyright on the video of the debate, and all parties agreed that none of the material would be used for political purposes.

The Liberals, called on their use of the video, have refused to take it down.

(How old do you have to be to understand the meaning of “copyright infringement?”)

(I am eagerly awaiting the next installment of this story.  I assume the lawyers paid for by Today’s BC Liberals [or possibly by public money: that's happened before] will argue the provisions of “fair use,” and claim that the attack ads are commentary, or even educational …)

BKWWHACK.RVW   20121009

“World War Hack”, Ethan Bull/Tsubasa Yozora, 2012, 978-0-9833670-8-6
%A   Ethan Bull
%A   Tsubasa Yozora
%C   9400 N. MacArthur Blvd., Suite 124-215, Irving, TX   75063
%D   2012
%E   Gwendolyn Borgen
%G   978-0-9833670-8-6 0-9833670-8-6
%I   Viper Entertainment Inc./Viper Comics
%O   U$7.95 wyatt@worldwarhack.com www.worldwarhack.com
%O  http://www.amazon.com/exec/obidos/ASIN/0983367086/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0983367086/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0983367086/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   72 p.
%T   “World War Hack”

Someone (eventually we find out they are backed by the Chinese) has hacked into the United States military and government control systems.  Fortunately, despite being in complete control and untraceable, all they seem to want to do is make one military drone act up.

The US government immediately swings into action, and sponsors a hacking contest, to try and identify suitably talented young geniuses (genii?) to find out what is going on.

It’s hard to follow what is going on, since the artwork makes it difficult to differentiate between characters.  There are young people with bad haircuts, and there are other people with suits.  Some people are female.  After that, it gets hard to tell who’s who.  One of the hackers is a government agent, another one has a criminal record but seems to be a son of a suited government agent.

Some of the technical and hacking activity is somewhat realistic, but other aspects are bizarre, and betray a complete lack of understanding of basic technology.  For example, at different times a programming language gets “hacked” (in the sense of breaking into it), and at another time a government administrator can’t tell what computer language has been used to write a specific program.  In the real world of programming and hacking neither of these scenarios makes any sense.  Absent Ken Thompson’s famous speech nobody “hacks” a language, and generally nobody cares what language has been used to write a utility once it is operating.  (By the way, no programmer ever said LISP was a concise language, and there is no way that even a “skin” on top of LISP would look like C.)  At another point two devices “piggyback” on the same IP address, which simply does not work in networking terms.

There are aspects of this story that are realistic.  One is that, if you are not careful with your systems, someone can penetrate them and mess with you.  If there are any other useful factors in this story, I can’t think of them offhand.

(As usual, the draft of this review was submitted to the author/publisher for comment prior to publication.  I often get rude email in response, sometimes threats of physical harm, and once even a death threat.  [Yes, really.]  In this case the publisher has threatened unspecified legal action “to protect the copyright on our work.”  I would be interested to see the publisher’s reaction to counsel explaining the “commentary” aspect of the concept of “fair use.”)

copyright, Robert M. Slade   2012     BKWWHACK.RVW   20121009

Recently therewas some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

The CEO of BitTorrent thinks we should think about using distributed computing to deal with upgrade issues over the Internet.

It sounds like a good idea.  So good, that you wonder why someone hasn’t thought of it before.  Well, surprise, surprise (unless you know Slade’s Law of Computer History), someone has.  How about Shoch and Hupp, who worked on the idea at Xerox PARC in the late 70s, and reported on it in 1980 and 1982?  Or Fred Cohen, who was quite vocal about using “good” viruses in the late 80s, and mentioned it in one of his earlier popular books?  Or Vesselin Bontchev, who, in the 90s, gave a detailed outline of what you have to do to make it work …

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

So, my boss had asked me last week to read the Mandiant report and see how these Chinese APT1 attacks could be detected on a network both during and after an attack. After reading the report, I was pretty saddened by just how little has been done in the last 20 years in Infosec. The tactics and protocols used to steal data are old (decades old) and stale. My initial reaction was, and is, that user’s are still not being properly educated AND held responsible for their actions. We’re letting the users off too easily! Corporations are still trying to solve a people problem with software or appliances.

Take a look at the top 15 Security startups of 2013 (http://www.businessinsider.com/15-most-important-security-startups-2013-1?op=1). Now, look at how many of these software products ASSUME that the user will do the wrong thing and click on a link or an attachment. We have sandbox technology so that when the user downloads the malware, software can fix it (remember Pelican SafeTNet from late 90′s early 2000′s). We have software that steers employees away from bad websites (how does this work? A list of bad sites won’t work…downloading the page and running static checks won’t work…I dunno…would be interesting to hear more, but I digress).

Look, if your kids were prone to starting fires while cooking food, is the fix to create a million dollar stove that auto-senses when the heat is too high or when the smell of burnt food is in the air and automatically shuts down? Or, is the fix to teach your kids the proper way to use the stove? If I was a Corporate Security officer, I would make user education a top priority. I would even be willing to bring in a company that specialized in user security education (train the trainer type stuff). That would be money well spent. Every new user gets a class in computer security complete with a hands-on lab, test, and an Acceptable Use policy that they sign after completion. Existing users have to “re-certify” every year when they get a performance review.

Next, hold the user accountable for their actions after completing said training. In this day and age, a compromised computer inside the network is a license to steal. Having a computer with Internet access is a serious responsibility. If you mess up and do what you were trained NOT to do, then you are punished. Keep messing up and you get your pink slip. The user’s aren’t as stupid as we make them out to be. If their actions impact their bottom line, they will act accordingly. If we don’t hold the user responsible, why do they have any reason to change their behavior?

And, on a related tangent, maybe I’m just too old school but I don’t understand why a company would allow their employees (paid to do a Corporate-related job) to surf social media, p2p, job-search sites, dating sites, web-based email, etc. etc.

smh,

!Dmitry

(We have the OT indicator to say that something is off topic.  This isn’t, because ethics and sociology is part of our profession, but it is a fairly narrow area of interest for most.  We don’t have a subject-line indicator for that 

This article, and the associated paper, are extremely interesting in many respects.  The challenge to whole fields of social factors (which are vital to proper management of security) has to be addressed.  We are undoubtedly designing systems based on a fundamentally flawed understanding of the one constant factor in our systems: people.

(I suppose that, as long as the only people we interact with are WEIRD [1] westerners, we are OK.  Maybe this is why we are flipping out at the thought of China?)

(I was particularly interested in the effects of culture on actual physical perception, which we have been taught is hard wired.)

[1] – WEIRD, in the context of the paper, stands for Western, Educated, Industrialized, Rich, and Democratic societies

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition 

BKIDTHMA.RVW   20120831

“Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern, 2012
%A   Jack Nuern http://www.idtheftadvocates.com
%C   4901 W. 136 St., Leawood, KS, USA   66224
%D   2012
%G   ASIN: B0088IG92E
%I   Roadmap Productions
%O   fax 866-594-2771
%O  http://www.amazon.com/exec/obidos/ASIN/B0088IG92E/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/B0088IG92E/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/B0088IG92E/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   128 p.
%T   “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”

Despite the implications of the title, this is not a primer for performing identity theft, but a guide to preventing and recovering from it.  The information, unfortunately, is fairly pedestrian, and most of it could be obtained from any magazine article on the topic.

Chapter one is a (very) basic introduction to identity theft, with a rather odd emphasis on the use of medical information.  Methods of identity theft are described in chapter two.  Unfortunately, this is where the book starts to show signs of serious disorganization, and some of the material is more sensational than helpful.  Chapter three lists some steps you can take to attempt to prevent identity theft.  The suggestions are the usual standards of not giving out any information to anyone, and the book tacitly admits that protection is not assured.

Chapter four gets to the real intent of the work: actions to take when your identity has been stolen and misused.  There is a great deal of useful content at this point, limited by two factors.  One is that everything discussed is restricted to institutions in the United States.  The other is that there is almost no discussion of what the entities mentioned can do for you or what they can’t or won’t.

As one could expect from a book written by a law firm, chapter five addresses the liability that the victim of identity theft faces.  The answer, unsurprisingly, is “it depends,” backed up with a few stories.  (Pardon me: “case studies.”)

There are some appendices (called, predictably, “Exhibits”).  Again, most of these will only be of use to those in the United States, and some, sections of related laws, will be of very little use to most.  There is a victim complaint and affidavit form which would probably be very helpful to most identity theft victims, reminding them of information to be collected and presented to firms and authorities.

The book is not particularly well written, and could certainly use some better structure and organization.  However, within its limits, it can be of use to those who are in the situation, and who frequently have nowhere to turn.  As the book notes, authorities are often unhelpful and take limited interest in identity theft cases.   And, as the book also (frequently) notes, the book is cheaper than hiring a law firm.

copyright, Robert M. Slade   2012     BKIDTHMA.RVW   20120831

I ordered a new computer before Christmas, and there have been delays getting it.  Today the shop called and said that the one I ordered (with 4 Gigs of RAM) was still short, but they did have one with 6 Gigs, if I was willing to pay an extra ten bucks.  So I said fine.

Got off the phone and told Gloria about it.  She asked “How many Commodores is that?” since I still have a Commodore 64 in the “computer museum” trunk.

32,000.  Give or take a few for rounding purposes.  For ten bucks, the equivalent memory of 32,000 Commodore 64 computers.

We work in a bizarre field.