REVIEW: “Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch

BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch,
2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O  http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)
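For readers who would rather check than take on trust why a given file did or did not open in Protected View, the two inputs Office consults that a user can inspect are the Mark-of-the-Web that browsers and mail clients stamp on downloaded files (the Zone.Identifier alternate data stream, ZoneId 3 for the Internet zone) and the Trusted Locations list, which exempts a file from Protected View outright. The script below is an added example, not code from the book or from this review. The registry key under HKCU and the stream format are the ones Office 2010 and Windows use as far as I know, and the decision logic models only the Mark-of-the-Web trigger (Outlook attachments and “unsafe locations” also trigger Protected View), so treat both as assumptions to confirm on a real machine; the sample paths and zone stream are constructed.

```python
# Added example: why would Office 2010 open this file in Protected View (or not)?
# Not code from the book or the review. Registry key and Zone.Identifier format are
# assumptions about what Office 2010/Windows use; verify them on a real machine.
import ntpath
from dataclasses import dataclass

# Internet Explorer security zones recorded in the Zone.Identifier stream.
ZONE_INTERNET, ZONE_RESTRICTED = 3, 4


@dataclass
class TrustedLocation:
    path: str
    allow_subfolders: bool = False


def parse_zone_identifier(text: str):
    """Parse the INI-style Zone.Identifier stream; return ZoneId as int, or None if absent."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "zoneid" and value.isdigit():
                return int(value)
    return None


def read_zone_id(path: str):
    """NTFS only: read <file>:Zone.Identifier; None if the stream is absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def _norm(p: str) -> str:
    # Windows paths compare case-insensitively; normalise separators, drop a trailing slash.
    return ntpath.normcase(ntpath.normpath(ntpath.expandvars(p))).rstrip("\\")


def in_trusted_location(path: str, locations) -> bool:
    """True if the file's folder is a Trusted Location, or below one that has AllowSubfolders set."""
    folder = _norm(ntpath.dirname(path))
    for loc in locations:
        base = _norm(loc.path)
        if folder == base or (loc.allow_subfolders and folder.startswith(base + "\\")):
            return True
    return False


def protected_view_reason(path: str, zone_id, locations):
    """Why Office would open the file in Protected View, or None if it opens normally.
    Only the Mark-of-the-Web trigger is modelled. A Trusted Location exempts the file
    entirely, which is exactly why moving an unknown document into one is the wrong fix."""
    if in_trusted_location(path, locations):
        return None
    if zone_id in (ZONE_INTERNET, ZONE_RESTRICTED):
        return "file carries Mark-of-the-Web (ZoneId=%d)" % zone_id
    return None


def read_trusted_locations(app: str = "Word", office_version: str = "14.0"):
    """Windows only: enumerate HKCU\\Software\\Microsoft\\Office\\<ver>\\<app>\\Security\\
    Trusted Locations\\Location*, each with a Path and an optional AllowSubfolders DWORD."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    key = r"Software\Microsoft\Office\%s\%s\Security\Trusted Locations" % (office_version, app)
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                with winreg.OpenKey(root, name) as sub:
                    try:
                        location_path = winreg.QueryValueEx(sub, "Path")[0]
                    except OSError:
                        continue
                    try:
                        subfolders = bool(winreg.QueryValueEx(sub, "AllowSubfolders")[0])
                    except OSError:
                        subfolders = False
                    found.append(TrustedLocation(location_path, subfolders))
    except OSError:
        pass
    return found


# Constructed sample data (not from the book): one trusted folder and a typical Zone.Identifier stream.
SAMPLE_LOCATIONS = [TrustedLocation(r"C:\Users\rms\Documents\Trusted", allow_subfolders=True)]
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://example.com/\r\n"

if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_ZONE_STREAM)
    for f in (r"C:\Users\rms\Downloads\report.docm", r"C:\Users\rms\Documents\Trusted\q3\report.docm"):
        print(f, "->", protected_view_reason(f, zone, SAMPLE_LOCATIONS) or "opens without Protected View")
```

Run as a script, the two sample paths show the point raised in the parenthetical above: the same Internet-marked document that would open in Protected View from Downloads opens with no Protected View at all once it sits inside a trusted folder, which is why a trusted location is a place for files you already trust, not a way to make a file trustworthy. On a real Windows machine, `read_trusted_locations()` and `read_zone_id(path)` supply the live inputs for `protected_view_reason`.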

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122


REVIEW: “World War Hack”, Ethan Bull/Tsubasa Yozora

BKWWHACK.RVW   20121009

“World War Hack”, Ethan Bull/Tsubasa Yozora, 2012, 978-0-9833670-8-6
%A   Ethan Bull
%A   Tsubasa Yozora
%C   9400 N. MacArthur Blvd., Suite 124-215, Irving, TX   75063
%D   2012
%E   Gwendolyn Borgen
%G   978-0-9833670-8-6 0-9833670-8-6
%I   Viper Entertainment Inc./Viper Comics
%O   U$7.95 wyatt@worldwarhack.com www.worldwarhack.com
%O  http://www.amazon.com/exec/obidos/ASIN/0983367086/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0983367086/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0983367086/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   72 p.
%T   “World War Hack”

Someone (eventually we find out they are backed by the Chinese) has hacked into the United States military and government control systems.  Fortunately, despite being in complete control and untraceable, all they seem to want to do is make one military drone act up.

The US government immediately swings into action, and sponsors a hacking contest, to try and identify suitably talented young geniuses (genii?) to find out what is going on.

It’s hard to follow what is going on, since the artwork makes it difficult to differentiate between characters.  There are young people with bad haircuts, and there are other people with suits.  Some people are female.  After that, it gets hard to tell who’s who.  One of the hackers is a government agent, another one has a criminal record but seems to be a son of a suited government agent.

Some of the technical and hacking activity is somewhat realistic, but other aspects are bizarre, and betray a complete lack of understanding of basic technology.  For example, at different times a programming language gets “hacked” (in the sense of breaking into it), and at another time a government administrator can’t tell what computer language has been used to write a specific program.  In the real world of programming and hacking neither of these scenarios makes any sense.  Absent Ken Thompson’s famous speech nobody “hacks” a language, and generally nobody cares what language has been used to write a utility once it is operating.  (By the way, no programmer ever said LISP was a concise language, and there is no way that even a “skin” on top of LISP would look like C.)  At another point two devices “piggyback” on the same IP address, which simply does not work in networking terms.

There are aspects of this story that are realistic.  One is that, if you are not careful with your systems, someone can penetrate them and mess with you.  If there are any other useful factors in this story, I can’t think of them offhand.

(As usual, the draft of this review was submitted to the author/publisher for comment prior to publication.  I often get rude email in response, sometimes threats of physical harm, and once even a death threat.  [Yes, really.]  In this case the publisher has threatened unspecified legal action “to protect the copyright on our work.”  I would be interested to see the publisher’s reaction to counsel explaining the “commentary” aspect of the concept of “fair use.”)

copyright, Robert M. Slade   2012     BKWWHACK.RVW   20121009


Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)


REVIEW: “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern

BKIDTHMA.RVW   20120831

“Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern, 2012
%A   Jack Nuern http://www.idtheftadvocates.com
%C   4901 W. 136 St., Leawood, KS, USA   66224
%D   2012
%G   ASIN: B0088IG92E
%I   Roadmap Productions
%O   fax 866-594-2771
%O  http://www.amazon.com/exec/obidos/ASIN/B0088IG92E/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/B0088IG92E/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/B0088IG92E/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   128 p.
%T   “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”

Despite the implications of the title, this is not a primer for performing identity theft, but a guide to preventing and recovering from it.  The information, unfortunately, is fairly pedestrian, and most of it could be obtained from any magazine article on the topic.

Chapter one is a (very) basic introduction to identity theft, with a rather odd emphasis on the use of medical information.  Methods of identity theft are described in chapter two.  Unfortunately, this is where the book starts to show signs of serious disorganization, and some of the material is more sensational than helpful.  Chapter three lists some steps you can take to attempt to prevent identity theft.  The suggestions are the usual standards of not giving out any information to anyone, and the book tacitly admits that protection is not assured.

Chapter four gets to the real intent of the work: actions to take when your identity has been stolen and misused.  There is a great deal of useful content at this point, limited by two factors.  One is that everything discussed is restricted to institutions in the United States.  The other is that there is almost no discussion of what the entities mentioned can do for you or what they can’t or won’t.

As one could expect from a book written by a law firm, chapter five addresses the liability that the victim of identity theft faces.  The answer, unsurprisingly, is “it depends,” backed up with a few stories.  (Pardon me: “case studies.”)

There are some appendices (called, predictably, “Exhibits”).  Again, most of these will only be of use to those in the United States, and some, sections of related laws, will be of very little use to most.  There is a victim complaint and affidavit form which would probably be very helpful to most identity theft victims, reminding them of information to be collected and presented to firms and authorities.

The book is not particularly well written, and could certainly use some better structure and organization.  However, within its limits, it can be of use to those who are in the situation, and who frequently have nowhere to turn.  As the book notes, authorities are often unhelpful and take limited interest in identity theft cases.   And, as the book also (frequently) notes, the book is cheaper than hiring a law firm.

copyright, Robert M. Slade   2012     BKIDTHMA.RVW   20120831


Official (ISC)2 Guide to the CISSP CBK

Recently, on the CISSPforum, there was some discussion of the new, third edition of the Official (ISC)2 Guide to the CISSP CBK (which, I note, is pretending to be available as an ebook for only ten bucks).  At the end of one post, one of the correspondents stated that he was “leaning towards buying the new book.”

First, lemme say that, for those who haven’t yet got the cert, I do recommend the “Official Guide” as my first choice.  (Harris is easier to read, but does contain *lots* of errors, and I tell my seminar candidates that I refuse to answer any question that starts out “Shon Harris says …”   :-)  )

However, on the other hand … why would anyone who has the cert buy the guide?  Of course, I am speaking from the perspective of someone who does read the source literature (and I am aware that all too many of my colleagues do not).

I also recall at least two seminar attendees who actually did have the cert.  Furthermore, they were consultants, and thus going on their own dime for the course.  The reason given was the same: they charged by the hour, so any time spent upgrading was time they could not charge.  Therefore, regularly attending the seminar was the fastest, and therefore, in their situation cheapest, way to ensure they were current.

So, yes, I can see that some people would want to get the guide as a quick check.  (In that regard, I would tend to recommend ISMH instead of the guide, but …)  But I still find it kind of odd …


REVIEW: “The Quantum Thief”, Hannu Rajaniemi

BKQNTTHF.RVW   20120724

“The Quantum Thief”, Hannu Rajaniemi, 2010, 978-1-4104-3970-3
%A   Hannu Rajaniemi
%C   175 Fifth Avenue, New York, NY  10010
%D   2010
%G   978-1-4104-3970-3 0765367661
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0765367661/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0765367661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765367661/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   466 p.
%T   “The Quantum Thief”

This is the type of space opera that creates whole worlds, technologies, and languages behind it.  The language or jargon makes it hard to read.  The worlds are confusing, especially since some are real, and some aren’t.  The technologies make it way too easy to pull huge numbers of deuses ex way too many machinas, which strain the ability to follow, or even care about, the plot.  In this situation, the plot can be random, so the impetus for continued reading tends to rely on the reader’s sympathy for the characters.  Unfortunately, in this work, the characters can also have real or imagined aspects, and can change radically after an event.  It was hard to keep going.

Some of the jargon terms can be figured out fairly easily.  An agora, as it was in Greece, is a public meeting place.  Gogol wrote a book called “Dead Souls,” about trafficking in dead serfs, so gogols are slaves.  Gevulot is the Hebrew word for borders, and has to do with agreed-upon privacy deals.  But all of them have quirks, and a number of other terms come out of nowhere.

I was prompted to review this book since it was recommended as a piece of fiction that accurately represented some interesting aspects of information security.  Having read it, I can agree that there are some cute descriptions of significant points.  There is mention of a massive public/asymmetric key infrastructure (PKI) system.  There is reference to the importance of social engineering in breaking technical protection.  There is allusion to the increased fragility of overly complex systems.  But these are mentions only.  The asymmetric crypto system has no mention of a base algorithm, of course, but doesn’t even begin to describe the factors in the PKI itself.

If you know infosec you will recognize some of the mentions.  If you don’t, you won’t learn them.  (A specific reference to social engineering actually relates to an implementation fault.)  Otherwise, you may or may not enjoy being baffled by the pseudo-creativity of the story.

copyright, Robert M. Slade   2012     BKQNTTHF.RVW   20120724


Amazon customer service

Or: One Of The Reasons Why I’ve Never Actually Bought Any Kindle Books from Amazon, And Only Install Free Books:

Amazon closes account and wipes Kindle. Without notice. Without explanation.


REVIEW: “Learning from the Octopus”, Rafe Sagarin

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714


REVIEW: “Managing the Human Factor in Information Security”, David Lacey

BKMHFIIS.RVW   20120216

“Managing the Human Factor in Information Security”, David Lacey, 2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A   David Lacey
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2009
%G   978-0-470-72199-5 0-470-72199-5
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0470721995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   374 p.
%T   “Managing the Human Factor in Information Security”

The preface states that the intent of the book is to identify and explain the range of human, organizational, and social challenges when trying to manage security in the current information and communications environment.  It is hoped this material will help manage incidents, risks, and design, and assist with promoting security systems to employees and management.  A subsidiary aim is to leverage the use of social networking.

Some aspects of security are mentioned among the indiscriminate stories in chapter one.  Chapter two has more tales, with emphasis on risks, and different people you encounter.  Generic incident response and business continuity material is in chapter three.  When you know the risk management literature, you can see where the arguments in chapter four come from.  (Yes, Donn, we know quantitative risk analysis is impossible.)  The trouble is, Lacey makes all of them, and therefore comes to no conclusion.  Chapter five has some points to make about different types of people, and dealing with them.  Unfortunately, it’s hard to extract the useful bits from the larding of stories and verbiage.  (Given the haphazard nature of the content, making practical application would be even more difficult.)  Aspects of corporate culture are discussed, in an unstructured fashion, in chapter six.  Chapter seven notes a number of factors that have appeared in successful security awareness programs, but doesn’t fulfill the promise of helping the reader design them.  Chapter eight is about changing organizational attitudes, so it’s an (equally random) extension of chapter six.  It also adds some more items on training programs.  Chapter nine is about building business cases.  Generic advice on creating systems is provided in chapter ten.  Some even broader advice on management is in chapter eleven.  A collection of some points from throughout the book forms a “conclusion.”

There are good points in the book.  There are points that would be good in one situation, and bad in another.  There is little structure in the work to help you find useful material.  There are stories about people, but not a survey of human factors.  Lacey uses lots of aphorisms throughout the text.  I am reminded of the proverb that if you can tell good advice from bad advice, you don’t need any advice.

copyright, Robert M. Slade   2012     BKMHFIIS.RVW   20120216


Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.


REVIEW: “Young People, Ethics, and the New Digital Media”

BKYPENDM.RVW   20120125

“Young People, Ethics, and the New Digital Media: A Synthesis from the
GoodPlay Project”, Carrie James et al, 2009, 978-0-262-51363-0
%A   Carrie James
%A   Katie Davis
%A   Andrea Flores
%A   John M. Francis
%A   Lindsay Pettingill
%A   Margaret Rundle
%A   Howard Gardner
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   2009
%G   978-0-262-51363-0 0-262-51363-3
%I   MIT Press
%O   +1-800-356-0343 fax: +1-617-625-6660 www-mitpress.mit.edu
%O  http://www.amazon.com/exec/obidos/ASIN/0262513633/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0262513633/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0262513633/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P
%T   “Young People, Ethics, and the New Digital Media”

It is not until more than a tenth of this book has passed before the authors admit that this is, in essence, only a proposal for a study which they hope will be carried out in future.  No actual research or interviews have been conducted, so there aren’t really any results to be reported.  The authors hypothesize that five factors are involved in “media-identity”: “privacy, ownership and authorship, credibility, and participation.”  (Yes, I agree that it looks like four factors, expressed that way.  But the authors repeatedly express it in exactly that way, and insist that it makes five.)

The authors note that social networking (or social media, or new digital media) is a frontier, and thus lacks comprehensive and well-enforced rules and regulations.  Social media permits and encourages “participatory cultures,” with relatively low barriers to artistic expression and “civic” engagement, strong support for creating and sharing creations, and some type of informal mentorship whereby what is known by the most experienced is passed along to novices.  The goals of the project are to investigate the ethical values and structures of new media and to create entities to promote ethical thinking and conduct.

The project is also to focus on “play,” with a fairly broad definition of that term, including gaming, instant messaging, social networking, participation in fan fiction groups, blogging, and content creation including video sharing.  Some of these activities may lead to employment, but are undertaken without support, rewards, and constraints of adult supervisors, and without explicit standards of conduct and quality.  “Good play” is defined as online conduct that is both meaningful and engaging to the participant and responsible to others in the community in which it is carried out.

A number of questions are raised in this book, but few are answered in any way at all.  While there is some review of existing work in related areas, it is hardly comprehensive, convincing, or useful.  It is difficult to say what the intent of publishing this book was.

copyright, Robert M. Slade   2012     BKYPENDM.RVW   20120125


REVIEW: “Eleventh Hour CISSP Study Guide”, Eric Conrad

BK11HCSG.RVW 20120210

“Eleventh Hour CISSP Study Guide”, Eric Conrad, 2011,
978-1-59749-566-0, U$24.95
%A Eric Conrad
%C 800 Hingham Street, Rockland, MA 02370
%D 2011
%G 978-1-59749-566-0 1-59749-566-2
%I Syngress Media, Inc.
%O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597495662/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597495662/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597495662/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 196 p.
%T “Eleventh Hour CISSP Study Guide”

“Eleventh Hour” would seem to imply that this is a last-minute option.  I would not rely on this book as a last-ditch option if you haven’t studied.  It’s a reviewer’s dream (or nightmare): an embarrassment of riches in terms of errors.  But I should keep this review to a reasonable size, so I’ll only mention a few illustrative goofs.

Chapter one addresses security management. The coverage of risk management is superficial, facile, and disjointed. The author adds extra factors into the CBK (Common Body of Knowledge). He stresses “return on investment” without addressing the controversy over whether “return on security investment” actually exists. There are some references to NIST (US National Institute of Standards and Technology) documents, which are good, but insufficient. Each chapter ends with a list of the “Top Five Toughest Questions” for that domain. Usually one (20%) is flatly wrong, and the rest address trivia, missing the concepts and ramifications which are the real objectives of the CISSP examination.

Chapter two looks at access control. No, integrity concerns are not limited to authorization issues. “Counter-based synchronous dynamic token” makes no sense: both counter and dynamic obviate the need for synchronization. No, most keyboard dynamics systems would not measure pressure. In regard to cryptography, in chapter three, yes, CBC (Cipher Block Chaining) would propagate errors, which is why it is only used with self-correcting algorithms (which DES – Data Encryption Standard – is). And, yes, with ECB (Electronic Code Book) identical data blocks produce identical cipher blocks, but similar data blocks produce vastly dissimilar cipher blocks. (That is part of the measure of a good cipher algorithm.) Chapter four deals with physical security. If you can still find a soda/acid extinguisher don’t try to use it on burning liquids: it doesn’t produce much foam, mostly a simple stream of water. And merely because a CRT (Cathode Ray Tube) is analogue does not mean it is incompatible with digital devices such as CCD (Charge Coupled Device) cameras: until I got my first laptop, all the monitors for my (digital) computers were CRTs. Respecting architecture (chapter five), “open systems” refers to the use of standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use) is not a race condition, and does not require a change of state.  Polyinstantiation is not related to entity integrity. Chapter six reviews Business Continuity Planning: RPO (Recovery Point Objective) is the minimal level of operation the business needs to function, not the time taken to get there, and a hot site is not a mirror.
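The cryptography remarks above (error propagation in CBC, identical blocks under ECB, and the “similar in, very different out” property of a good cipher) are easy to see on a small worked example. The following is added here and is not code from the book or from this review. The block cipher is a toy eight-round Feistel network whose round function is SHA-256 over the key, the round number and a half-block; that construction is my assumption so the example runs without a DES implementation, and it is not a cipher for real use. The key, IV and plaintext are constructed.

```python
# Added example: ECB vs CBC behaviour on a toy cipher. Not from the book or the review.
# The cipher is an 8-round Feistel network with SHA-256 as the keyed round function:
# an assumption so the example runs without DES; it is NOT a cipher for real use.
import hashlib

BLOCK = 16   # block size in bytes: two 8-byte Feistel halves
ROUNDS = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function: SHA-256 over key || round index || half-block, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, right, r))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):   # undo the rounds in reverse order
        left, right = _xor(right, _round(key, left, r)), left
    return left + right

def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "toy has no padding: input must be whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def ecb_leaks_repeats(key: bytes, data: bytes) -> bool:
    # True if some pair of equal plaintext blocks produced equal ciphertext blocks.
    pt, ct = _blocks(data), _blocks(ecb_encrypt(key, data))
    return any(pt[i] == pt[j] and ct[i] == ct[j]
               for i in range(len(pt)) for j in range(i + 1, len(pt)))

def avalanche(key: bytes, block: bytes, bit: int) -> int:
    # Ciphertext bits that change when one plaintext bit is flipped (a good cipher: about 64 of 128).
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming(block_encrypt(key, block), block_encrypt(key, bytes(flipped)))

def cbc_error_propagation(key: bytes, iv: bytes, data: bytes, block_index: int, bit: int) -> list:
    """Flip one bit of ciphertext block `block_index`, decrypt, and report the number of
    plaintext bits that differ in each block. CBC garbles the damaged block, flips exactly
    the same bit in the next block, and then re-synchronises: later blocks are untouched."""
    ct = bytearray(cbc_encrypt(key, iv, data))
    ct[block_index * BLOCK + bit // 8] ^= 1 << (bit % 8)
    recovered = cbc_decrypt(key, iv, bytes(ct))
    return [hamming(p, q) for p, q in zip(_blocks(data), _blocks(recovered))]

# Constructed sample input (not from the book): fixed key and IV, four blocks, the first two identical.
KEY = b"sixteen byte key"
IV = b"\x00" * BLOCK
PLAINTEXT = b"ATTACK AT DAWN!!" * 2 + b"ACCOUNT 12345678" + b"BALANCE 00000100"

if __name__ == "__main__":
    print("ECB leaks repeated blocks:", ecb_leaks_repeats(KEY, PLAINTEXT))
    print("bits changed by a one-bit plaintext change:", avalanche(KEY, PLAINTEXT[:BLOCK], 5))
    print("CBC damage per block after one ciphertext bit flip:", cbc_error_propagation(KEY, IV, PLAINTEXT, 1, 3))
```

Run as a script it shows three things: the two identical plaintext blocks come out of ECB as identical ciphertext blocks (the leak that makes ECB unsuitable for structured data), flipping one plaintext bit changes roughly half of the 128 ciphertext bits, and under CBC a single flipped ciphertext bit garbles one plaintext block and exactly one bit of the next, after which decryption re-synchronises on its own, whatever block cipher is underneath.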

Studying telecommunications? It is the domain with the largest mass of information, and chapter seven is pathetically small: there is no mention of topologies, telephony, or routing, and details of the protocols are scant to the point of being non-existent. The OSI (Open Systems Interconnection) model is a model, not a network protocol (although there is, also, an OSI suite of protocols), and can therefore be used to analyze any protocol suite. Neither ATM (Asynchronous Transfer Mode) nor Ethernet is restricted to the physical layer (which, in any case, does not deal with data, but with signals).

Chapter eight takes a stab at applications security. SDL (System Life Cycle) is not identical to SDLC (System Development Life Cycle) but contains it. The explanations in this domain are particularly poor, even by the low standards of this work. Similarly, the material on operations security, in chapter nine, is more random than in other chapters, and duplicates more content found elsewhere.

I was surprised to find that chapter ten, on law and investigations, wasn’t all that bad. There are still plenty of errors (no, only one of the four points given is one of the seven basics of the European Directives on privacy), but many of the base concepts are there, and presented reasonably. There is, however, almost nothing on management of investigations, and incident response isn’t even mentioned.

There are at least a dozen other options I’ve reviewed at http://victoria.tc.ca/techrev/mnbkscci.htm, and this actually isn’t the worst. But maybe I was a bit too hard at the beginning. You could use this book for a bit of last minute studying. If you can find at least one error per page, you are in good shape to write the exam.

copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210


REVIEW: “Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny

BKDRKMKT.RVW 20120201

“Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny, 2011,
978-0-88784-239-9, C$29.95
%A   Misha Glenny
%C   Suite 801, 110 Spadina Ave, Toronto, ON Canada  M5V 2K4
%D   2011
%G   978-0-88784-239-9 0-88784-239-9
%I   House of Anansi Press Ltd.
%O   C$29.95 416-363-4343 fax 416-363-1017 www.anansi.ca
%O  http://www.amazon.com/exec/obidos/ASIN/0887842399/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0887842399/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0887842399/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   296 p.
%T   “Dark Market: CyberThieves, CyberCops, and You”

There is no particular purpose stated for this book, other than the vague promise of the subtitle that this has something to do with bad guys and good guys in cyberspace.  In the prologue, Glenny admits that his “attempts to assess when an interviewee was lying, embellishing or fantasising and when an interviewee was earnestly telling the truth were only partially successful.”  Bear in mind that all good little blackhats know that, if you really want to get in, the easiest thing to attack is the person.  Social engineering (which is simply a fancy way of saying “lying”) is always the most effective tactic.

It’s hard to have confidence in the author’s assessment of security on the Internet when he knows so little of the technology.  A VPN (Virtual Private Network) is said to be a system whereby a group of computers share a single address.  That’s not a VPN (which is a system of network management, and possibly encryption): it’s a description of NAT (Network Address Translation).  True, a VPN can, and fairly often does, use NAT in its operations, but the carelessness is concerning.

This may seem to be pedantic, but it leads to other errors.  For example, Glenny asserts that running a VPN is very difficult, but that encryption is easy, since encryption software is available on the Internet.  While it is true that the software is available, that availability is only part of the battle.  As I keep pointing out to my students, for effective protection with encryption you need to agree on what key to use, and doing that negotiation is a non-trivial task.  Yes, there is asymmetric encryption, but that requires a public key infrastructure (PKI) which is an enormously difficult proposition to get right.  Of the two, I’d rather run a VPN any day.

It is, therefore, not particularly surprising that the author finds that the best way to describe the capabilities of one group of carders was to compare them to the fictional “hacking” crew from “The Girl with the Dragon Tattoo.”  The activities in the novel are not impossible, but the ability to perform them on demand is highly unlikely.

This lack of background colours his ability to ascertain what is possible or not (in the technical areas), and what is likely (out of what he has been told).  Sticking strictly with media reports and indictment documents, Glenny does a good job, and those parts of the book are interesting and enjoyable.  The author does let his taste for mystery get the better of him: even the straight reportage parts of the book are often confusing in terms of who did what, and who actually is what.

Like Dan Verton (cf. BKHCKDRY.RVW) and Suelette Dreyfus (cf. BKNDRGND.RVW) before him, Glenny is trying to give us the “inside story” of the blackhat community.  He should have read Taylor’s “Hackers” (cf. BKHAKERS.RVW) first, to get a better idea of the territory.  He does a somewhat better job than Dreyfus and Verton did, since he is wise enough to seek out law enforcement accounts (possibly after reading Stiennon’s “Surviving Cyberwar,” cf. BKSRCYWR.RVW).

Overall, this work is a fairly reasonable updating of Levy’s “Hackers” (cf. BKHACKRS.RVW) of almost three decades ago.  The rise of the financial motivation and the specialization of modern fraudulent blackhat activity are well presented.  There is something of a holdover in still portraying these crooks as evil genii, but, in the main, it is a decent picture of reality, although it provides nothing new.

copyright, Robert M. Slade   2012    BKDRKMKT.RVW 20120201


REVIEW: “Steve Jobs”, Walter Isaacson

BKSTVJBS.RVW 20111224

“Steve Jobs”, Walter Isaacson, 2011, 978-1-4104-4522-3
%A   Walter Isaacson pat.zindulka@aspeninstitute.org
%C   27500 Drake Road, Farmington Hills, MI   48331-3535
%D   2011
%G   978-1-4104-4522-3 1451648537
%I   Simon and Schuster/The Gale Group
%O   248-699-4253 800-877-4253 fax: 800-414-5043 galeord@gale.com
%O  http://www.amazon.com/exec/obidos/ASIN/1451648537/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1451648537/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1451648537/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   853 p.
%T   “Steve Jobs”

I have read many fictional works that start off with a list of the cast of characters, but this is the first biography I’ve ever read that started in this way.

It is fairly obvious that Isaacson has done extensive research, talked to many people, and worked very hard in preparation for this book.  At the same time, it is clear that many areas have not been carefully analyzed.  Many Silicon Valley myths (such as the precise formulation of Moore’s Law, or John Draper’s status with regard to the Cap’n Crunch whistle) are retailed without ascertaining the true facts.  The information collected is extensive in many ways, but, in places (particularly in regard to Jobs’ earlier years) the writing is scattered and disjointed.  We have Jobs living with his girlfriend in a cabin in the hills, and then suddenly he is in college.

Material is duplicated and reiterated in many places.  Quotes are frequently repeated word-for-word in relation to different situations or circumstances, so the reader really cannot know the original reference.  There are also contradictions: we are told that Jobs could not stand a certain staffer, but 18 pages later we are informed that the same person often enthralled Jobs.  (Initially, this staffer is introduced as having been encountered in 1979, but it is later mentioned that he worked for Jobs and Apple as early as 1976.)  At one point we learn that an outside firm designed the Mac mouse: four pages further on we ascertain that it was created internally by Apple.  The author seems to have accepted any and all input, perspectives, and stories without analysis or assessment of where the truth might lie.

It is possible to do a biography along a timeline.  It is possible to do it on a thematic basis.  Isaacson follows a timeline, but generally only covers one subject during any “epoch.”  From the first time Jobs sees a personal computer until he is dismissed from Apple, this is less of a biography and more the story of the development of the company.  There is a short section covering the birth of Jobs’ daughter, we hear of the reality distortion field, and terse mentions of vegan diets, motorcycles, stark housing, and occasional girlfriends, but almost nothing of Jobs away from work.  (Even in covering Apple there are large gaps: the Lisa model is noted as an important development, but then is never really described.)

In fact, it is hard to see this book as a biography.  It reads more like a history of Apple, although with particular emphasis on Jobs.  There are side trips to his first girlfriend and daughter, NeXT, Pixar, miscellaneous girlfriends, his wife and kids, Pixar again, and then cancer, but by far the bulk of the book concentrates on Apple.

The “reality distortion field” is famous, and mentioned often.  Equally frequently we are told of a focused and unblinking stare, which Jobs learned from someone, and practiced as a means to intimidate and influence people.  Most people believe that the person who “doesn’t blink” is the dominant personality, and therefore the one in charge.  It is rather ironic that research actually refutes this.  Studies have shown that, when two people meet for the first time, it is actually the dominant personality that “blinks first” and looks away, almost as a signal that they are about to dominate the conversation or interaction.  Both “the field” and “the stare” seem to tell the same story: they are tricks of social engineering which can have a powerful influence, but which are based on an imperfect understanding of reality and people, don’t work with everyone, and can have very negative consequences.

(The chapters on Jobs’ fight with cancer are possibly the most telling.  For anyone who has the slightest background in medicine it will be apparent that Jobs didn’t know much in that field, and that he made very foolish and dangerous decisions, flying in the face of all advice and any understanding of nutrition and biology.)

Those seeking insight into the character that built a major corporation may be disappointed.  Like anybody else, Jobs is a study in contradictions: the seduction with charm and vision, then belittlement and screaming at people; the perfectionist who obsessed on details, but was supposedly a visionary at the intersection of the arts and technology who made major decisions based on intuitive gut feelings with little or no information or analysis; the amaterialistic ascetic who made a fortune selling consumer electronics and was willing to con people to make money; the Zen meditator who never seemed to achieve any calm or patience; the man who insisted that “honesty” compelled him to abuse friends and colleagues, but who was almost pathological in his secrecy about himself and the company; and the creative free-thinker who created the most closed and restricted systems extant.

There is no attempt to find the balance point for any of these dichotomies.  As a security architect I can readily agree with the need for high level design to drive all aspects of the construction of a system: a unified whole always works better and more reliably.  Unfortunately for that premise, there are endless examples of Jobs demanding, at very late points in the process, that radically new functions be included.  Then there is Jobs’ twin assertions that the item must be perfect, but that ship dates must be met.  One has to agree with Voltaire: the best is the enemy of the good, and anyone trying to be good, fast, *and* cheap may succeed a time or two, but is ultimately headed for failure.

Several times Isaacson repeats an assertion from Jobs that money is not important: it is merely recognition of achievements, or a resource that enables you to make great products.  The author does not seem to understand that an awful lot of money is also another resource, one that allows you to make mistakes.  He only vaguely admits that Jobs made some spectacular errors.

The book is not a hagiography.  Isaacson is at pains to point out that he notes Jobs’ weaknesses of character and action.  At the same time, Isaacson is obviously proud of being a personal friend, and, I suspect, does not realize that, while he may mention Jobs’ flaws, he also goes to great lengths to excuse them.

Was Steve Jobs a great man?  He was the driving force behind a company which had, for a time, the largest market capitalization of any publicly traded company.  He was also, by pretty much all accounts, an arrogant jerk.  He had a major influence on the design of personal electronics, although his contribution to personal computing was mostly derivative.  We are conventionally used to saying that people like Napoleon, Ford, and Edison are great, even though they might have been better at social engineering than the softer people skills.  By this measure Jobs can be considered great, although not by the standards by which we might judge Gandhi, Mother Teresa, and the Dalai Lama (which is rather ironic, considering Jobs’ personal philosophy).

Those who hold Jobs, Apple, or both, in awe will probably be delighted to find a mass of stories and trivia all in one place.  Those who want to know the secrets of building a business empire may find some interesting philosophies, but will probably be disappointed: the book tends to take all positions at once.  For those who have paid much attention to Apple, and Jobs’ career, there isn’t much here that is novel.  As Jobs himself stated to a journalist, “So, you’ve uncovered the fact that I’m an *sshole.  Why is that news?”

Having all of the material in one book does help to clarify certain issues.  Personally, I have always fought with the Macs I used, struggling against the lockstep conformity they enforced.  It was only in reviewing this work that it occurred to me that Apple relies upon a closed system that makes Microsoft appear open by comparison.  So, I guess, yes, there is at least one insight to be gained from this volume.

copyright, Robert M. Slade   2011     BKSTVJBS.RVW 20111224


REVIEW: “Liars and Outliers: Enabling the Trust that Society Needs to Thrive”, Bruce Schneier

BKLRSOTL.RVW   20120104

“Liars and Outliers: Enabling the Trust that Society Needs to Thrive”,
Bruce Schneier, 2012, 978-1-118-14330-8, U$24.95/C$29.95
%A   Bruce Schneier www.Schneier.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2012
%G   978-1-118-14330-8 1-118-14330-2
%I   John Wiley & Sons, Inc.
%O   U$24.95/C$29.95 416-236-4433 fax: 416-236-4448 www.wiley.com
%O  http://www.amazon.com/exec/obidos/ASIN/1118143302/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1118143302/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1118143302/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   365 p.
%T   “Liars and Outliers: Enabling the Trust that Society Needs to
Thrive”

Chapter one is what would ordinarily constitute an introduction or preface to the book.  Schneier states that the book is about trust: the trust that we need to operate as a society.  In these terms, trust is the confidence we can have that other people will reliably behave in certain ways, and not in others.  In any group, there is a desire to have people cooperate and act in the interest of all the members of the group.  In all individuals, there is a possibility that they will defect and act against the interests of the group, either for their own competing interest, or simply in opposition to the group.  (The author notes that defection is not always negative: positive social change is generally driven by defectors.)  Actually, the text may be more about social engineering, because Schneier does a very comprehensive job of exploring how confident we can be about trust, and the ways we can increase (and sometimes inadvertently decrease) that reliability.

Part I explores the background of trust, in both the hard and soft sciences.  Chapter two looks at biology and game theory for the basics.  Chapter three will be familiar to those who have studied sociobiology, or other evolutionary perspectives on behaviour.  A historical view of sociology and scaling makes up chapter four.  Chapter five returns to game theory to examine conflict and societal dilemmas.

Schneier says that part II develops a model of trust.  This may not be evident at a cursory reading: the model consists of moral pressures, reputational pressures, institutional pressures, and security systems, and the author is very careful to explain each part in chapters seven through ten: so careful that it is sometimes hard to follow the structure of the arguments.

Part III applies the model to the real world, examining competing interests, organizations, corporations, and institutions.  The relative utility of the four parts of the model is analyzed in respect to different scales (sizes and complexities) of society.  The author also notes, in a number of places, that distrust, and therefore excessive institutional pressures or security systems, is very expensive for individuals and society as a whole.

Part IV reviews the ways societal pressures fail, with particular emphasis on technology, and information technology.  Schneier discusses situations where carelessly chosen institutional pressures can create the opposite of the effect intended.

The author lists, and proposes, a number of additional models.  There are Ostrom’s rules for managing commons (a model for self-regulating societies), Dunbar’s numbers, and other existing structures.  But Schneier has also created a categorization of reasons for defection, a new set of security control types, a set of principles for designing effective societal pressures, and an array of the relation between these control types and his trust model.  Not all of them are perfect.  His list of control types has gaps and ambiguities (but then, so does the existing military/governmental catalogue).  In his figure of the feedback loops in societal pressures, it is difficult to find a distinction between “side effects” and “unintended consequences.”  However, despite minor problems, all of these paradigms can be useful in reviewing both the human factors in security systems, and in public policy.

Schneier writes as well as he always does, and his research is extensive.  In part one, possibly too extensive.  A great many studies and results are mentioned, but few are examined in any depth.  This does not help the central thrust of the book.  After all, eventually Schneier wants to talk about the technology of trust, what works, and what doesn’t.  In laying the basic foundation, the question of the far historical origin of altruism may be of academic philosophical interest, but that does not necessarily translate into an understanding of current moral mechanisms.  It may be that God intended us to be altruistic, and therefore gave us an ethical code to shape our behaviour.  Or, it may be that random mutation produced entities that acted altruistically and more of them survived than did others, so the population created expectations and laws to encourage that behaviour, and God to explain and enforce it.  But trying to explore which of those (and many other variant) options might be right only muddies the understanding of what options actually help us form a secure society today.

Schneier has, as with “Beyond Fear” (cf. BKBYNDFR.RVW) and “Secrets and Lies” (cf. BKSECLIE.RVW), not only made a useful addition to the security literature, but created something of value to those involved with public policy, and a fascinating philosophical tome for the general public.  Security professionals can use a number of the models to assess controls in security systems, with a view to what will work, what won’t (and what areas are just too expensive to protect).  Public policy will benefit from examination of which formal structures are likely to have a desired effect.  (As I am finishing this review the debate over SOPA and PIPA is going on: measures unlikely to protect intellectual property in any meaningful way, and guaranteed to have enormous adverse effects.)  And Schneier has brought together a wealth of ideas and research in the fields of trust and society, with his usual clarity and readability.

copyright, Robert M. Slade   2011     BKLRSOTL.RVW   20120104


REVIEW: “Identity Management: Concepts, Technologies, and Systems”, Elisa Bertino/Kenji Takahashi

BKIMCTAS.RVW   20110326

“Identity Management: Concepts, Technologies, and Systems”, Elisa
Bertino/Kenji Takahashi, 2011, 978-1-60807-039-8
%A   Elisa Bertino
%A   Kenji Takahashi
%C   685 Canton St., Norwood, MA   02062
%D   2011
%G   978-1-60807-039-8 1-60807-039-5
%I   Artech House/Horizon
%O   800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1608070395/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1608070395/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1608070395/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   196 p.
%T   “Identity Management: Concepts, Technologies, and Systems”

Chapter one, the introduction, is a review of general identity related issues.  The definition of identity management, in chapter two, is thorough and detailed, covering the broad range of different types and uses of identities, the various loci of control, the identity lifecycle (in depth), and a very effective technical definition of privacy.  (The transactional attribute is perhaps defined too narrowly, as it could relate to non-commercial activities.)

“Fundamental technologies and processes” addresses credentials, PKI (Public Key Infrastructure), single sign-on, Kerberos, privacy, and anonymous systems in chapter three.  The level of detail varies: most of the material is specific with limited examples, while attribute federation is handled quite abstractly.  Chapter four turns to standards and systems, reviewing SAML (Security Assertion Markup Language), Web Services Framework, OpenID, Information Card-Based Identity Management (IC-IDM), interoperability, other prototypes, examples, and projects, with an odd digression into the fundamental confidentiality, integrity, and availability concepts.  Challenges are noted in chapter five, briefly examining usability, access control, privacy, trust management, interoperability (from the human, rather than machine, perspective, particularly expectations, experience, and jargon), and finally biometrics.

This book raises a number of important questions, and mentions many new areas of work and development.  For experienced security professionals needing to move into this area as a new field, it can serve as an introduction to the topics which need to be discussed.  Those looking for assistance with an identity management project will probably need to look elsewhere.

copyright, Robert M. Slade   2011     BKIMCTAS.RVW   20110326
