REVIEW: “Zero Day”, David Baldacci

BKZERODY.RVW   20111213

“Zero Day”, David Baldacci, 2011, 978-1-4555-0414-5, U$29.99/C$32.99
%A   David Baldacci www.DavidBaldacci.com
%C   237 Park Ave, New York, NY   10017
%D   2011
%G   978-1-4555-0414-5 0446573019
%I   Hachette Book Group
%O   U$29.99/C$32.99
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   643 p.
%T   “Zero Day”

At one time, in information security terminology, “zero day” meant a measure of difficulty or vulnerability.  That meaning has been largely destroyed by overexposure in the media.  Today it simply means “we want to scare you.”

To top it all off, here is this book by David Baldacci.  As a common-or-garden thriller it is OK.  But it has nothing to do with computers.  Nothing to do with information security.  Zip.  Zero (you should pardon the expression).  Zilch.  Nada.  Null.  None.  Nugatory.  Not a sausage.  The titular phrase isn’t even used anywhere in the book.  It seems to have been used as a title simply to say “we want you to think this is really, really scary.”

copyright, Robert M. Slade   2011     BKZERODY.RVW   20111213

“Zero Day”, Mark Russinovich

BKZERDAY.RVW   20111109

“Zero Day”, Mark Russinovich, 2011, 978-0-312-61246-7, U$24.99/C$28.99
%A Mark Russinovich www.zerodaythebook.com markrussinovich@hotmail.com
%C   175 Fifth Ave., New York, NY   10010
%D   2011
%G   978-0-312-61246-7 0-312-61246-X
%I   St. Martin’s Press/Thomas Dunne Books
%O   U$24.99/C$28.99 212-674-5151 fax 800-288-2131
%O   josephrinaldi@stmartins.com christopherahearn@stmartins.com
%O  http://www.amazon.com/exec/obidos/ASIN/031261246X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/031261246X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/031261246X/robsladesin03-20
http://www.amazon.com/gp/mpd/permalink/m3CQBX46DOK0AK/ref=ent_fb_link
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   328 p.
%T   “Zero Day”

Mark Russinovich has definitely made his name, in technical terms, with Winternals and Sysinternals.  There is no question that he knows the insides of computers.

What is less certain is whether he knows how to write about it within the strictures of a work of fiction.  The descriptions of digital forensics and computer operation in this work are just as confusing, to the technically knowledgeable, as those we regularly deride from technopeasant authors.  “[T]he first thing Jeff noted was that he couldn’t detect any data on the hard disk.”  (Emphasis in the book.)  Jeff then goes on to find some, and notes that there are “bits and pieces of the original operating system.”  Now there is a considerable difference between not finding any data, and having a damaged filesystem, and Russinovich knows this perfectly well.  Our man Jeff is a digital forensics hacker of the first water, and wouldn’t give a fig if he couldn’t see “the standard C: drive icon.”

Generally, you would think that the reason a technically competent person would write a novel about cyberwar would be in order to inject a little reality into things.  Well, reality seems to be in short supply in this book.

First of all, this is the classic geek daydream of being the ultimate ‘leet hacker in the world.  The Lone Hacker.  Hiyo SysInfo, away!  He has all the tools, and all the smarts, about all aspects of technology.  Sorry, just not possible any more.  This lone hacker image is unrealistic, and the more so because it is not necessary.  There are established groups in the malware community (among others), and these would be working together on a problem of this magnitude.  (Interestingly, these are generally informal groups, not the government/industry structures which the book both derides and relies upon.)

Next, all the female geeks (and there are a lot) are “hot.”  ‘Nuff said.

The “big, bad, new” virus is another staple of the fictional realms which does not exist in reality.  Viruses can be built to reproduce rapidly.  In that case, they get noticed quickly.  Or, they may be created to spread slowly and carefully, in which case they can take a while to be detected, but they also take a long time to get into place.

Anti-malware companies don’t necessarily rely on honeypots (which are usually there to collect information on actual intruders), but they do have bait machines that sit and wait to be infected (by worms) or emulate the activity of users who are willing to click on any link or open any file (for viruses).  Malware can be designed to fail to operate (or even delete itself) under certain conditions, and those conditions could include certain indications of a test environment.  However, the ability to actively avoid machines that might be collecting malware samples would be akin to a form of digital mental telepathy.

Rootkits, as described in the novel, are no different than the stealth technology that viruses have been using for decades.  There are always ways of detecting stealth, and rootkits, and, generally speaking, as soon as you suspect that one might be in operation you start to have ideas about how to find it.

A backup is a copy of data.  When it is restored, it is copied back onto the computer, but there is no need for the backup copy to be destroyed by that process.  Therefore, if a system-restored-from-backup crashes, nothing is lost but time.  You still have the backup, and can try again (this time with more care).  In fact, the first time you have any indication that the system might be corrupted enough to crash, you would probably try to recover the files with an alternate operating system.  (But, yes, I can see how that might not occur to someone who works for Microsoft.)  After all, the most important thing you’ve got on your system is the data, and the data can usually be read on any system, and with a wide variety of programs.  (Data files from a SQL Server database could be retrieved not only with other SQL programs, but with pretty much any relational database.)

Some aspects are realistic.  The precautions taken in communications, with throwaway email addresses and out-of-band messaging, are the type that would be used in those situations.  There is a lot of real technology described in the book.  (Although I was slightly bemused by the preference for CDs for data and file storage: that seems a bit quaint now that everyone is using USB drives.)  The need, in this type of work, for a level of focus that precludes all other distractions, and the boredom of trying step after step and possibility after possibility are real.  The neglect of security and the attendant false confidence that one is immune to attack are all too real.  But in a number of the technical areas the descriptions are careless enough to be completely misleading to those not intimately familiar with the technology and the information security field.  Which is just as bad as not knowing what you are talking about in the first place.

Other forms of technology should have had a little research.  Yes, flying an airliner across an ocean is boring.  That’s why the software designers behind the interface on said airliners have the computer keep asking the pilots to check things: keeps the pilots from zoning out.  I don’t know how quickly you can “reboot” the full control system in an airplane, but the last one I was on that did it took about fifteen minutes to even get the lights back on.  I doubt that would be fast enough to do (twice) in order to pull a plane out of a dive.  And if you are in a high-G curve to try and keep the plane out of the water, a sudden cessation of G-forces would mean that a) the plane had stalled (again) (very unlikely), or b) the wings had come off.  Neither of which would be a good thing.  (And, yes, the Spanair computer that was tracking technical problems at the time was infected with a virus, but, no, that had nothing to do with the crash.)

Russinovich’s writing is much the same as that of many mid-level thriller writers.  His plotting is OK, although the attempt to heighten tension, towards the end, by having “one darn thing after another” happen is a style that is overused, and isn’t very compelling in this instance.  On the down side, his characters are all pretty much the same, and through much of the book the narrative flow is extremely disjointed.

Overall, this is a reasonable, though unexceptional, thriller.  He was fortunate in being able to get Bill Gates and Howard Schmidt to write blurbs for it, but that still doesn’t make it any more realistic than the mass of cyberthrillers now coming on the market.

copyright, Robert M. Slade   2011     BKZERDAY.RVW   20111109

New computers – Kindle

The Girls, who have been having a grand time in recent years finding interesting high tech goodies that I never even knew existed, got me a Kindle for Christmas.  So, of course, I’m going to review the Kindle.

I had been putting off the idea of getting one for myself.  I do a lot of reading, but that’s primarily because I do a lot of reviewing, and for that you need the ability to make notes, and transfer said notes back to the computer for writing up.  So far, I haven’t seen an awful lot that convinces me the e-readers are there yet.

But, I do have to say that, right off the top, the idea of having 60 books (so far) in something that is lighter than a paperback definitely has its attractions.  So far I’ve been able to load the Bible, some tech articles, my own security dictionary, a dozen Sherlock Holmes stories, Don Quixote (both of which I have read), The Divine Comedy, War and Peace (both of which I intend to read–sometime), a fair amount of poetry, and an egalley for Bruce Schneier’s latest (sent along by his publicist).

Unfortunately, all this fun exploring has me somewhat behind in news and email, so I’ll have to start putting together my observations of the Kindle, itself, a bit later.

REVIEW: “Surviving Cyberwar”, Richard Stiennon

BKSRCYWR.RVW   20110325

“Surviving Cyberwar”, Richard Stiennon, 2010, 978-1-60590-688-1
%A   Richard Stiennon
%C   4501 Forbes Blvd, #200, Lanham, MD   20706
%D   2010
%G   978-1-60590-688-1 1-60590-674-3
%I   Government Institutes/Scarecrow Press/Rowman & Littlefield Publ.
%O   800-462-6420 www.govinstpress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1605906743/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1605906743/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1605906743/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   180 p.
%T   “Surviving Cyberwar”

The introduction is the customary (for books on currently “hot” topics) vague warning that there is danger out there.

Chapter one, according to the title, is supposed to talk about the “Titan Rain” attacks.  In reality it concentrates on Shawn Carpenter and his personal problems, and says very little either about details of the technology, or ideas for defence.  China, and various activities in espionage (and diplomatic disagreements with the US), is the topic of chapter two.  (One story is not about China.)  Although entitled “Countering Cyber Espionage,” chapter three is just about security tools and malware.  Chapter four lists random aspects of, and attacks on, email.  The Pentagon is dealt with, in similarly haphazard fashion, in chapter five.

A few wars, or tense “situations,” are mentioned in chapter six, along with some possibly related computer involvement.  Chapter seven titularly promises DDoS defence, but mostly just talks about distributed denial of service attacks, along with a mention of the error of using BGP (Border Gateway Protocol) as a routing protocol.  Aspects of social networking, mostly in support of activism, are noted in chapter eight.  Chapter nine is a not-very-useful account of the Estonian cyber-attack of 2007, ten briefly mentions some others in eastern Europe, and eleven mentions the Georgian attack.  There is a rambling dissertation on war and various computer security problems in chapter twelve.  Chapter thirteen appears to be an attempt to provide some structure to the concept of cyberwar, but establishes very little of any significance.  Preparations, by some nations, for cyberwarfare are mentioned in chapter fourteen.  Most of the detail is for the US, and there isn’t much even for them.  A final chapter says that the existence of cyberwarfare could cause troubles for lots of people.

The content and writing are rambling and disorganized.  This reads more like a collection of fifteen lengthy, but not terribly well researched, magazine articles than an actual book.  There are many more informative resources, such as Dorothy Denning’s “Information Warfare and Security” (cf. BKINWRSC.RVW) (which, despite predating this work by a dozen years, still manages to present more useful information).  Stiennon does not add anything substantial to the literature on this topic.

copyright, Robert M. Slade   2011     BKSRCYWR.RVW   20110325

REVIEW: “Good Night Old Man”, George Campbell

BKGNOM.RVW   20111128

“Good Night Old Man”, George Campbell, 2011, 978-9878319-0-3, C$19.95
%A   George Campbell georgeca@telus.net http://is.gd/x28QRz
%C   PO Box 57083 RPO Eastgate, Sherwood Park, AB Canada T8A 5L7
%D   2011
%G   978-9878319-0-3
%I   Dream Write Publishing dreamwrite10@hotmail.com
%O   C$19.95 http://www.dreamwritepublishing.ca  780-445-0991
%O http://www.dreamwritepublishing.ca/retail/books/good-night-old-man
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   342 p.
%T   “Good Night Old Man”

On page 114 the author asserts that even learning to use Morse code “bestowed on us instant acceptance into a society whose members regularly performed tasks too difficult for most others to even attempt.”  This statement will be instantly recognizable by anyone in any technical field.  This is because in the beginning was the telegraph.  And the telegraph begat teletype (and Baudot code) and the telephone.  And telephone company research labs (in large measure) begat computers.  And teletype begat the Internet.  And wireless telegraphy begat radio.  And radio and the telephone and the Internet and computers begat 4G.  (Or, at least, it will beget it once they get it right.)  But it all started with the telegraph.

As the author states, any communications textbook will mention the telegraph.  Most will tell you Morse code began on May 24th, 1844.  Some might mention that it isn’t in use anymore.  A few crypto books might let you know that commercial nomenclators were used not just for confidentiality, but to reduce word counts (and thus costs) when sending telegrams.  (The odd data representation text might relay the trivium that Morse code is not a binary code of dots and dashes, but a ternary code of dots, dashes, and silence.)

But they won’t tell you anything about what it was like to be a telegrapher, to actually communicate, and help other people communicate with Morse code.  How you got started, what the work was, and what your career might be like.  This book does.

I am not going to pretend to be objective with this review.  George Campbell is my wife’s (favourite) uncle.  He’s always liked telling stories, has a fund of stories to tell, and tells them well.  For example, he was the first person in North America to know about the German surrender in Europe, since he was the (Royal Canadian Naval Volunteer Reserve) telegrapher who received the message from Europe and passed it on.  Of course, the message was in code.  But everyone knew it was coming, and he knew who the message was from, and who it was going to.  You can learn a lot with simple traffic analysis.

There are lots of good stories in the book.  There are lots of funny stories in the book.  If you know technology, it is intriguing to see the beginnings of all kinds of things we use today.  Standard protocols, flow control, error correction, and data compression.  Oh, and script kiddies, too.  (Well, I don’t know what else you would call people who don’t understand what they are working with, but do know that if you follow *this* script, then *that* will happen.)  It is fascinating to see all of this being developed in an informal fashion by people who are just trying to get on with their jobs.

The title, “Good Night Old Man,” comes from a code the telegraphers themselves used.  “GN” (and a “call sign”) was sent when the telegrapher signed off his station for the night.  Morse code is no longer used commercially.  Within a few years, the last of the “native” speakers will have died off.  Morse will become a dead language, possibly studied by some hobbyists and academics, who can tease legibility out of a sample, or laboriously create a message in that form, but without anything like the facility achieved by those who had to use it day in and day out.

This is a last chance to learn a part of history.

copyright, Robert M. Slade   2011     BKGNOM.RVW   20111128

REVIEW: “Mac OS X Snow Leopard: The Missing Manual”, David Pogue

BKMXSLMM.RVW   20110202

“Mac OS X Snow Leopard: The Missing Manual”, David Pogue, 2009, 978-0-596-15328-1, U$34.99/C$43.99
%A   David Pogue david@pogueman.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-15328-1 0-596-15328-7
%I   O’Reilly & Associates, Inc.
%O   U$34.99/C$43.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596153287/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596153287/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596153287/robsladesin03-20
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   885 p.
%T   “Mac OS X Snow Leopard: The Missing Manual”

The introduction to the book states that it is intended for all levels of users, although it is primarily directed at those with an intermediate level of familiarity with previous Mac versions.

Part one introduces the Desktop, and general interface functions.  Chapter one is about folders and windows.  It definitely provides the information necessary to begin to operate the computer, but it also gives the lie to the statement that the Mac is easy to use.  There are a huge number of options for different functions, so many that it is impossible to remember them all.  The material is generally organized by topic, but there are notes, tips, and mentions buried in the text, and it is almost impossible to find these again, when you go back to look for them.  (Given the size of the book, I hesitate to suggest an expansion, but a page or two, at the end of each chapter, listing the points made, would probably be quite helpful.  And the “delete” key definitely needs to be listed in either the index or the key shortcuts appendix.)  The descriptions of operations are also incomplete in some cases.  There is mention of an indicator under Dock items which have open windows, but not that processes with no open windows may still show this indicator.

Chapter two proceeds in much the same way, dealing with the filesystem, and a great deal of trivia related to the associated windows.  The search function, referred to as Spotlight, is very, very detailed in chapter three.  The Dock and Desktop, further aspects of the operating interface, are described in chapter four.  The review of the functions is sometimes annoying in terms of the jargon used: does “go straight to the corresponding window” mean that the window becomes active, or comes to the foreground?  Does it open a window if it doesn’t exist?  Does it relate to programs, or just folders?  You need to work through the material with the book in one hand, and the Mac under the other.  (This process is not aided by inconsistencies in the operation of the Mac itself.  As I was working through this content I tried to create a new document from within the TextEdit program, and found that I did not have any options to create a file in any of the new folders I had established previously.  Later in the chapter there was mention of dragging folders to the Dock, and so I tried that to see whether it would allow me to use that folder.  Lo and behold, now I could create files in any of the new folders I had made, not just the one I dragged to the Dock.  Handy for my purposes, but not very informative in terms of why it worked that way.)

Part two deals with applications and utilities that ship with the Mac.  Chapter five outlines programs in general, along with documents (in terms of association with specific programs) and spaces (virtual, multiple, or external screens).  (More inconsistency: hiding the Finder behaves differently from hiding other applications.  And hiding used with Exposé can give you some very … interesting effects.  The book warns you about neither.)  There is also an overview of the Dashboard and “widgets.”  Various aspects of data (entering, checking and moving it) are addressed in chapter six.  At this point in the book, items and tips start to repeat in the content, which possibly addresses the shortcomings in organization and the index.  Scripting (AppleScript) and mechanization (Automator) of common operations are dealt with in chapter seven, along with a set of somewhat related functions known as services.  As could be expected with an activity of the complexity of programming, the description of the associated applications is unclear, but there are some examples that take the reader in lock step through the process, and this exploration should provide a better understanding.  Chapter eight discusses the installation of the Microsoft Windows operating system on a Mac.  The review of Boot Camp (multi-boot installation) is detailed, but the outline of the virtualization options is limited to a mention of functions.

Part three is entitled “The Components of Mac OS X,” which sounds odd in view of the pieces that have already been covered.  Chapter nine addresses System Preferences, which are fundamental and significant settings and operations.  The programs generally provided along with a new Mac are described (in varying levels of detail) in chapter ten.  Removable storage, such as CDs and DVDs, are outlined in chapter eleven, which also notes the iTunes system.

Part four is entitled the technologies of Mac OS X (which sounds a bit odd given that the whole book would be about said technologies).  Chapter twelve deals with account aspects and functions.  Given the importance of access control, it is a bit disappointing to see security factors dispersed throughout, and not presented clearly.  Networks and sharing are discussed in chapter thirteen, with an odd gap in terms of sharing a wired Internet connection.  Printing, in fourteen, misses out on the sharing of printers in a mixed environment.  Chapter fifteen lists some aspects of multimedia, but is strangely reticent about video capture.  Some commands from the default UNIX bash shell are described in chapter sixteen.  Chapter seventeen notes a few customizations, mostly dealt with via outside programs.

Part five stresses the Mac OS online.  Chapter eighteen examines the setup of an Internet connection (and the discussion of sharing it is still limited and confusing).  Setup and operation of the Mail program is covered in chapter nineteen.   The Safari Web browser is dealt with in chapter twenty, and, as usual, there are a number of little tricks which would probably take you years to find out (by accident) on the “intuitive” Mac.  Chapter twenty-one explains iChat, the networks you need to make it run, and an enormous number of tweaks for such a simple function.  Some Internet server programs are listed in chapter twenty-two.  They are given the level of detail that any average computer user would need–except that the average computer user would have no idea of the network connections needed to set up a server on the Internet.

Part six is a set of appendices.  The dialogues for basic installation are listed in the first, but I was sorry not to see anything about installation on non-Apple hardware.  Appendix B has handy tips and suggestions for troubleshooting the most common types of problems.  One of the appendices is a Windows-to-Mac dictionary, which can be quite handy for those who are used to Microsoft systems.  It could use work in many areas: the entry for “Copy, Cut, Paste” says they work “exactly” as they do in Windows, but does not give the key equivalent of “Command” (the “clover” symbol) -C rather than Ctrl-C.  You also need to know that what the book, and most Apple keyboards, describe as the “option” key is portrayed, in Mac menus, with a kind of bashed “T.”  Appendix D has URLs for a number of resources.  A set of keyboard shortcuts is given in the last.  This can be handy, but I found, in trying to rediscover keystroke combinations that I vaguely recalled from somewhere in the book, that I could not find many of them in the appendix.

There is a style issue in the written material of the book: the constant assertions that the Mac is better than everything, for anything.  The first sentence of chapter one says “When you first turn on a Mac running OS X 10.6, an Apple logo greets you, soon followed by an animated, rotating ‘Please wait’ gear cursor–and then you’re in.  No progress bar, no red tape.”  Well, if the gear cursor isn’t an analogue of a progress bar, I don’t know what it’s supposed to be.  (While we’re at it, I’m not sure what the difference is between the “gear cursor” and the “spinning beachball of death/SBOD.”)  Also, this statement is false: when you first turn on a Snow Leopard Mac, you have to go through some red tape and questions.  This is only one example of many.  This style may have some validity.  After all, anyone who does not use a Mac comes across the same attitude in any Mac fanatic, and, even without the system chauvinism, a positive approach to teaching about the computer system is likely helpful to the novice user.  However, the style should not get in the way of factual information.

For those using the Mac, this book is enormously helpful, and contains a wealth of information.  It’s not limited to the novice, or even the intermediate user: I found items in the work that none of my Mac support contacts knew.  With some minor quibbles I can definitely say that it is a worthwhile purchase.

copyright, Robert M. Slade   2011     BKMXSLMM.RVW   20110202

REVIEW: “Enterprise Security for the Executive”, Jennifer L. Bayuk

BKESCFTE.RVW   20110323

“Enterprise Security for the Executive”, Jennifer L. Bayuk, 2010, 978-0-313-37660-3
%A   Jennifer L. Bayuk www.bayuk.com
%C   130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA   93116-1911
%D   2010
%G   978-0-313-37660-3 0-313-37660-3
%I   ABC-CLIO, LLC/Praeger
%O   CustomerService@abc-clio.com
%O  http://www.amazon.com/exec/obidos/ASIN/0313376603/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0313376603/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0313376603/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   175 p.
%T   “Enterprise Security for the Executive: Setting the Tone from the Top”

In the introduction, Bayuk argues against security planning based on FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of security tools, and for a holistic and systemic approach to security.  She also recommends the promotion of a security culture in the top ranks of management, setting the “tone at the top” to consider security in a rational and realistic manner.

In chapter one, the author stresses that every organization has a culture, and that the actions (and particularly consistency of actions) by senior management set it, regardless of formal statements.  She also raises interesting points, such as that separation of security from the operational units creates perceptions which may be at odds with the security policy.  (I appreciate her championing of “no exceptions,” although I would argue that a formal exception policy could work as well.)  The discussion of threats and vulnerabilities, in chapter two, is weaker (and the questionable etymology of the term “patch” does not increase confidence in Bayuk’s technical background): ultimately it just seems to say that there are threats.  The title “Triad and True,” for chapter three, may refer to “protect, detect, correct” or the more conventional confidentiality, integrity, and availability.  In fact there are a number of other “triads” mentioned, and the text raises a number of good security concepts generally related to safeguards, but is somewhat scattered and incomplete.  Chapter four talks about risk management, but the process of using it to define a security program remains unclear.  Security factors related to organizational governance structure are examined in chapter five.  Standards, compliance and audit issues are discussed in chapter six.  Chapter seven reviews monitoring, incident response, and investigation.  Requirements for candidates for the position of CSO (Chief Security Officer) are noted in chapter eight.  A template job description is included, but the document is perhaps too narrowly specified to be applicable in many situations.

A fictional case study concludes the book.  (In the introduction, the author promised that all “security horror stories” would be true, but I assume reality is less important in case studies.)  This recapitulates, in narrative form, much of the content of the work.

There is much of value in the text, and it is useful to present that content as it relates to senior management.  Senior management support is, after all, the single most important factor in a successful security program.  However, as noted above, much important material is missing, along the way, and the volume appears to be focussed at a particular type of industry or corporation, and so be less useful to those outside that sphere.

copyright, Robert M. Slade   2011     BKESCFTE.RVW   20110323

REVIEW: “Above the Clouds”, Kevin T. McDonald

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0, UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provide a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  
A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323

REVIEW: “The Black Swan”, Nassim Nicholas Taleb

BKBLKSWN.RVW   20110109

“The Black Swan”, Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2,
U$26.95/C$34.95
%A   Nassim Nicholas Taleb
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2007
%G   978-1-4000-6351-2 1-4000-6351-5
%I   Random House/Vintage/Pantheon/Knopf/Times/Crown
%O   U$26.95/C$34.95 800-733-3000 randomhouse.ca www.atrandom.com
%O  http://www.amazon.com/exec/obidos/ASIN/1400063515/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1400063515/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1400063515/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   366 p.
%T   “The Black Swan: The Impact of the Highly Improbable”

I was irritated into reviewing this book.  I knew that the title referred to events which are rare, and therefore seen as unlikely or impossible, but which, once observed, are obviously true.  I had heard this book (and idea) discussed in terms of risk analysis, but the mere fact didn’t strike me as terribly useful.  To a certain extent we deal with such issues all the time in business continuity planning.  So, when, during yet another conversation on risk analysis, one participant insisted that we should all read this text, I responded that the earth might fall into the sun, soon, and therefore I couldn’t see risking what little time I had left reading Taleb’s work.

The participant insisted that we weren’t going to fall into the sun for a long while, and therefore I should read the book.  Having now read it, I can say that this person didn’t understand one of the author’s main points.

In the prologue, Taleb describes a Black Swan event as one which is rare, has an enormous impact on the world, and is explainable after the fact.  During the course of the work he presents a number of examples.  A great deal of the text, though, discusses, disparages, and even rants against efforts to predict future events or outcomes, particularly those which rely on models.  The author notes that many of these models fail to take certain factors into account.  This is quite true: a model, by its very nature, must be limited.  A map of Canada, the full size of Canada, would be accurate, but not very portable, and thus not useful.  In the same way, any model is a heuristic, giving a quick indication of operation on the basis of a very limited set of factors.  Taleb’s thesis about rare events seems to take second place to his assertion that you can go badly awry by relying on a model which fails to take all factors into account.

My “earth into the sun” example, therefore, fits well into the theme of the book.  As far as we understand, we have probably billions of years before we spiral into the sun.  On the other hand, some rare event may make this happen much sooner, and we’ll all be impacted (if you’ll pardon the expression).  And, if it does happen, you can bet that, in the few weeks or hours between the event and our incineration, there will be plenty of people who will be building models to explain why it did happen.

This statement is undoubtedly true.  But is it helpful?  Much of the author’s work is addressed at the issue of investment, and particularly “playing” the stock market.  He notes that an investor, by betting on black swan events, can make a large return (since black swan events have a large impact).  This declaration is also true, but you can’t bet on all possible events, so which ones do you choose?  For example, computer equipment retailers who “bet” on tablet computers last year would, this year, be in a very strong position.  Those who did the same thing twenty-three years ago would have been stuck supporting the Newton.

Taleb keeps repeating (and repeating, and repeating, and repeating: his few points are duplicated many times over through nineteen chapters) that just about everyone tries to avoid risk on the basis of what they have seen in the past.  In fact, not only many studies but also common observation show that this isn’t the case.  The general public loves to gamble.  Studies of “successful” people (business leaders, etc.) indicate that they are more prone to gambling and risk-taking than the general public, and, in fact, foolishly so.  (“Leaders” have a strong tendency to gamble even when it is quite clear that taking the small but sure return is the better deal.)

Is this, in fact, evidence that Taleb is correct, and that we all should be risk-takers, betting on black swans?  No.  As he, himself, points out in a different context, some risk-takers win, and become “successful,” while a lot of risk-takers lose, but disappear into the general population.  (Or just disappear.)

The central point about making predictions on the basis of insufficient knowledge is emphasized most repetitively in regard to investments and finance.  The author does suggest a method for ventures: keep 90% of your funds in the most conservative undertakings, and invest the 10% in wildly speculative “positive” black swans.  Of course, this doesn’t guarantee that any of your wild investments do pay off, but at least you will have your 90%.  Unless a “negative” black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review.  Taleb has good facility with language, and writes in an amusing, if scattered, manner.  As a means of passing the time, the text is fluid, entertaining, and even has some points worth thinking about.  However, in terms of this review series, I must consider whether the tome is useful or not, and I’m not certain that it is.  Taleb presents some salient warnings, but makes any number of statements (several of them outrageous) without going to the trouble of backing them up.  (This fact is rather ironic in view of his repeated denigration of academics and technical authors who cannot write clearly and “properly.”  He even admits, almost up front, that a friend “caught [him] red-handed” by challenging him to “justify the use of the precise metaphor of a Black Swan,” and he had to confess “this book is a story.”)

To take a page from the way Taleb writes, I could point out that his “Extremistan” bears a strong resemblance to the age of the dinosaurs.  They developed the largest land-dwelling creatures ever to walk on earth, lasted much longer than we humans have, and, some models show, were able, simply because of their immense numbers, to affect climate in ways that we have only recently been able to do by pumping their remains out of the earth and burning them.  They were also subject to a black swan event in the shape of an asteroid, which left, as their descendants, only Taleb’s much maligned turkeys.

There are certainly holes in this argument, but it is as entertaining, and as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb’s mother: there is some use in this book, but an enormous disparity between what the author thinks it is worth, and what it is actually worth.

(No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade   2011     BKBLKSWN.RVW   20110109

REVIEW: “Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk/Daniel Schutzer

BKEISCPR.RVW   20101023

“Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk/Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00
%E   C. Warren Axelrod Warren.Axelrod@usccu.us
%E   Jennifer L. Bayuk www.bayuk.com
%E   Daniel Schutzer Dan.Schutzer@fstc.org
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-190-9 1-59693-190-6
%I   Artech House/Horizon
%O   U$99.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1596931906/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   231 p.
%T   “Enterprise Information Security and Privacy”

The authors of this collection of papers were told to examine and challenge current and traditional approaches to information security and suggest alternatives overcoming noted deficiencies.

Part one looks at history and trends.  Chapter one traces privacy attitudes and legislation in the United States over the past century, and suggests that privacy and information security are related.  Data protection should be supported by a defined, multi-factor, holistic security system, says chapter two.  (As the editorial comment notes, this is hardly surprising news to security professionals.)  Security faces pressure from operational concerns, and chapter three states that security departments that help the business rather than hindering (in other words, planning security properly) are more likely to succeed.  Chapter four notes that information classification based solely upon confidentiality concerns is limited, but the suggested structure still relates only to that aspect.  The article singularly fails to examine any possible form of multilateral classification scheme, incorporating integrity and availability issues.  Chapter five delves into human factors, which are vitally important to security, but limits the discussion to privacy, which is already pretty human.

That piece finishes off with some examination of risk, although it doesn’t say much about human factors in risk, but I suppose it makes a nice lead-in to the fact that part two is concerned with risk.  Donn Parker makes his usual contrarian argument against risk-based security in chapter six.  The author of chapter seven notes this objection, but claims that it is only applicable if you fail to account for all the proper factors (totally missing Parker’s point that you can never know all the factors).  A hodge-podge of legal topics goes into chapter eight, but the emphasis (if there is any) seems to be on new “compliance” standards such as the Payment Card Industry Data Security Standard (PCI-DSS or just PCI).  Chapter nine takes a brief and focussed look at the most important changes in the telecommunications arena.

Part three turns to specific industries: finance, energy, transportation, and academia.  Chapter ten lists US financial regulations, and then offers vague suggestions of new regulations.  A number of questions about the security of energy providers or infrastructure are raised in chapter eleven, but there are few answers.  In terms of transport, chapter twelve mentions SCADA (Supervisory Control And Data Acquisition) systems and alarm sensors.  Chapter thirteen doesn’t really appear to examine academia: the “case studies” may be formal, but are really just reports of malware similar to those in the general user population.

If the authors were supposed to present new ideas for security, they have failed.  There is nothing wrong with any of the pieces contained in the book, but they are simply “more of the same.”

copyright, Robert M. Slade   2011     BKEISCPR.RVW   20101023

REVIEW: “Making, Breaking Codes: An Introduction to Cryptology”, Paul Garrett

BKMABRCO.RVW   20101128

“Making, Breaking Codes: An Introduction to Cryptology”, Paul Garrett, 2001, 978-0-13-030369-1
%A   Paul Garrett Garrett@math.umn.edu Paul.Garrett@acm.org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2001
%G   978-0-13-030369-1 0-13-030369-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130303690/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0130303690/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130303690/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   523 p.
%T   “Making, Breaking Codes: An Introduction to Cryptology”

The preface states that this book is intended to address modern ideas in cryptology, with an emphasis on the mathematics involved, particularly number theory.  It is seen as a text for a two term course, possibly in cryptology, or possibly in number theory itself.  There is a brief introduction, listing terms related to cryptology and some aspects of computing.

Chapter one describes simple substitution ciphers and the one time pad.  The relevance to the process of the sections dealing with mathematics is not fully explained (and neither is the affine cipher).  Probability is introduced in chapter two, and there is some discussion of the statistics of the English language, and letter frequency attacks on simple ciphers.  This simple frequency attack is extended to substitution ciphers with permuted (or scrambled, but still monoalphabetic) ciphers, in chapter three.  There is also mention of basic character permutation ciphers and multiple anagramming attacks.  Chapter four looks at polyalphabetic ciphers and attacks on expected patterns.  More probability theory is added in chapter five.
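The letter-frequency attack that chapters two and three apply to shift and monoalphabetic ciphers, as an added example (this is not code from Garrett’s book).  It generalizes the shift-cipher attack to the whole affine family, of which a shift is the a = 1 case: every candidate key is tried, and the decryption whose letter counts are closest to English (by chi-squared distance) wins.  The English frequency table is the usual textbook approximation, and the sample plaintext is constructed for the example; both are assumptions, not material from the book.

```python
"""Letter-frequency attack on shift and affine ciphers.

Added example; not code from Garrett's book.  The affine cipher
E(x) = a*x + b (mod 26) includes the shift cipher as a = 1, so one
exhaustive search with a chi-squared scorer breaks both.
"""
from math import gcd
from string import ascii_uppercase as ALPHA

# Approximate percentage frequency of each letter in English prose
# (assumed textbook values; adequate for a few hundred letters).
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

# Constructed sample plaintext (not from the book), long enough for the
# letter counts to resemble the expected distribution.
SAMPLE_PLAINTEXT = (
    "Frequency analysis works because the letters of English prose are not "
    "used equally often. The letter E appears far more than any other, "
    "followed by T, A, O, I and N, and a monoalphabetic substitution does "
    "nothing to hide that pattern, so counting symbols in the ciphertext "
    "exposes the key."
)


def letters_only(text):
    """Classical ciphers work on letters alone; drop spaces and punctuation."""
    return "".join(c for c in text.upper() if c in ALPHA)


def affine_encrypt(plaintext, a, b):
    """E(x) = a*x + b (mod 26); a must be invertible mod 26."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26")
    return "".join(ALPHA[(a * ALPHA.index(c) + b) % 26]
                   for c in letters_only(plaintext))


def affine_decrypt(ciphertext, a, b):
    """D(y) = a^-1 * (y - b) (mod 26)."""
    a_inv = pow(a, -1, 26)  # modular inverse (Python 3.8+)
    return "".join(ALPHA[(a_inv * (ALPHA.index(c) - b)) % 26]
                   for c in letters_only(ciphertext))


def chi_squared(text):
    """Distance between the letter counts of text and English; lower is closer."""
    n = len(text)
    if n == 0:
        return float("inf")
    total = 0.0
    for c in ALPHA:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (text.count(c) - expected) ** 2 / expected
    return total


def break_affine(ciphertext, shift_only=False):
    """Exhaust the key space (26 shifts, or 12*26 affine keys) and return
    (a, b, plaintext) for the candidate whose letter distribution best
    matches English."""
    multipliers = [1] if shift_only else [a for a in range(1, 26) if gcd(a, 26) == 1]
    best = None
    for a in multipliers:
        for b in range(26):
            candidate = affine_decrypt(ciphertext, a, b)
            score = chi_squared(candidate)
            if best is None or score < best[0]:
                best = (score, a, b, candidate)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    ct = affine_encrypt(SAMPLE_PLAINTEXT, 5, 8)
    a, b, pt = break_affine(ct)
    print("ciphertext:", ct[:40] + "...")
    print("recovered key: a =", a, "b =", b)
    print("plaintext:", pt[:40] + "...")
```

The same scorer breaks a Vigenère cipher once the key length is known: split the ciphertext into one column per key letter and run the shift-only search on each column, which is the attack on “expected patterns” that chapter four describes.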

Chapter six turns to modern symmetric ciphers, providing details of the DES (Data Encryption Standard) as examples of the principles of confusion, diffusion, and avalanche.  Divisibility is important not only to the RSA (Rivest-Shamir-Adleman) algorithm, but, in modular arithmetic, to modern cryptography as a whole, and so gets extensive treatment in chapter seven.  The Hill cipher is used, in chapter eight, to demonstrate that simple diffusion is not sufficient protection.  Complexity theory is examined, in chapter nine, with a view to determining the work factor (and sometimes practicality) of a given cryptographic algorithm.

Chapter ten turns to public-key, or asymmetric, algorithms, detailing aspects of the RSA and Diffie-Hellman algorithms, along with a number of others.  Prime numbers (important to RSA) and their characteristics are examined in chapter eleven, and roots in twelve and thirteen.  Multiplicativity, and its weak form, are addressed in fourteen, and quadratic reciprocity (for quick primality estimates) in fifteen.  Chapter sixteen notes pseudoprimes, which can complicate the search for keys.  Basic group theory, covered in chapter seventeen, relates to Diffie-Hellman and a variety of other algorithms.  Diffie-Hellman, along with some abstract algorithms, is reviewed in chapter eighteen.  Rings and fields (in groups) are noted in chapter nineteen, and cyclotomic polynomials in twenty.

Chapter twenty-one examines a few pseudo-random number generation algorithms.  More group theory is presented in twenty-two.  Chapter twenty-three looks at proofs of pseudoprimality.  Factorization attacks are addressed in basic (chapter twenty-four), and more sophisticated forms (twenty-five).  Finite fields are addressed in chapter twenty-six and discrete logarithms in twenty-seven.  Some aspects of elliptic curves are reviewed in chapter twenty-eight.  More material on finite fields is presented in chapter twenty-nine.
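The pseudoprime problem noted in chapters sixteen and twenty-three, as an added example (this is not code from Garrett’s book).  A Carmichael number such as 561 = 3 × 11 × 17 passes the Fermat test for every base coprime to it, so a key-generation routine that relied on Fermat alone could accept it as a prime; the strong (Miller-Rabin) test rejects it.  The base set used is the standard one that makes Miller-Rabin deterministic for all n below about 3.3 × 10^24, and the test values are chosen for the example.

```python
"""Fermat versus Miller-Rabin, and why pseudoprimes matter for RSA keys.

Added example; not code from Garrett's book.  561 = 3 * 11 * 17 is the
smallest Carmichael number: a**560 == 1 (mod 561) for every a coprime
to 561, so the Fermat test cannot tell it from a prime.
"""
from math import gcd

# Assumed base set: Miller-Rabin with these bases is deterministic
# for n < 3.3 * 10**24, which covers any demonstration value here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def fermat_test(n, bases):
    """Fermat's little theorem says a prime n has a**(n-1) == 1 (mod n)
    for all a coprime to n.  True when every base passes ('probably prime')."""
    if n < 4:
        return n in (2, 3)
    return all(pow(a, n - 1, n) == 1 for a in bases)


def fermat_liars(n):
    """Bases in 2..n-2, coprime to n, that pass the Fermat test for n.
    For a composite n these are the 'liars' that make it a pseudoprime."""
    return [a for a in range(2, n - 1)
            if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]


def miller_rabin(n, bases=MR_BASES):
    """Strong probable-prime test.  Write n-1 = 2**s * d with d odd; a prime
    must have a**d == 1 or a**(2**r * d) == -1 (mod n) for some r < s.
    A composite (Carmichael or not) passes a random base with probability
    at most 1/4, so failing any base proves n composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def next_probable_prime(n):
    """Smallest m > n that passes Miller-Rabin: the search loop an RSA key
    generator runs (on far larger n).  Because the strong test is used, a
    Carmichael number in the way is not mistaken for a prime."""
    m = n + 1
    while not miller_rabin(m):
        m += 1
    return m


if __name__ == "__main__":
    n = 561
    print("Fermat says 561 is prime:", fermat_test(n, (2, 5, 7, 13, 19)))
    print("Fermat liars for 561:", len(fermat_liars(n)), "of", n - 3, "bases")
    print("Miller-Rabin says 561 is prime:", miller_rabin(n))
    print("next probable prime after 560:", next_probable_prime(560))
```

For 561 every one of the 318 bases coprime to it (2 through 559, excluding none of them but the trivial 1 and 560) is a Fermat liar, while base 2 alone is a Miller-Rabin witness; the key search therefore steps past 561 and 562 to 563.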

Despite the title, this is a math textbook.  You will need to have, at the very least, a solid introduction to number theory to get the benefit from it.  Even at that, the application, and implications, of the mathematical material to cryptology is difficult to follow.  The organization probably also works best in a math course: it certainly seems to skip around in a disjointed manner when trying to follow the crypto thread, and apply the math to it.  For all its faults, “Applied Cryptography” (cf. BKAPCRYP.RVW) is still far superior in explaining what the math actually does.

copyright, Robert M. Slade   2010     BKMABRCO.RVW   20101128

“Extrusion Detection”, Richard Bejtlich

BKEXTDET.RVW   20101023

“Extrusion Detection”, Richard Bejtlich, 2006, 0-321-34996-2,
U$49.99/C$69.99
%A   Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-34996-2
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   385 p.
%T   “Extrusion Detection: Security Monitoring for Internal Intrusions”

According to the preface, this book explains the use of extrusion detection (related to egress scanning), to detect intruders who are using client-side attacks to enter or work within your network.   The audience is intended to be architects, engineers, analysts, operators and managers with an intermediate to advanced knowledge of network security.  Background for readers should include knowledge of scripting, network attack tools and controls, basic system administration, TCP/IP, as well as management and policy.  (It should also be understood that those who will get the most out of the text should know not only the concepts of TCP/IP, but advanced level details of packet and log structures.)  Bejtlich notes that he is not explicitly addressing malware or phishing, and provides references for those areas.  (It appears that the work is not directed at information which might detect insider attacks.)

Part one is about detecting and controlling intrusions.  Chapter one reviews network security monitoring, with a basic introduction to security (brief but clear), and then gives an overview of monitoring and listing of some tools.  Defensible network architecture, in chapter two, provides lucid explanations of the basics, but the later sections delve deeply into packets, scripts and configurations.  Managers will understand the fundamental points being made, but pages of the material will be impenetrable unless you have serious hands-on experience with traffic analysis.  Extrusion detection itself is illustrated with intelligible concepts and examples (and a useful survey of the literature) in chapter three.   Chapter four examines both hardware and software instruments for viewing enterprise network traffic.  Useful but limited instances of layer three network access controls are reviewed in chapter five.

Part two addresses network security operations.  Chapter six delves into traffic threat assessment, and, oddly, at this point explains the details of logs, packets, and sessions clearly and in more detail.   A decent outline of the advance planning and basic concepts necessary for network incident response is detailed in chapter seven (although the material is generic and has limited relation to the rest of the content of the book).  Network forensics gets an excellent overview in chapter eight: not just technical points, but stressing the importance of documentation and transparent procedures.

Part three turns to internal intrusions.  Chapter nine is a case study of a traffic threat assessment.  It is, somewhat of necessity, dependent upon detailed examination of logs, but the material demands an advanced background in packet analysis.  The (somewhat outdated) use of IRC channels in botnet command and control is reviewed in chapter ten.
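The kind of outbound-traffic analysis the book builds toward (egress policy checks in chapters two and five, traffic threat assessment in chapters six and nine, IRC command-and-control in chapter ten), as an added example that is not code from Bejtlich’s book.  It runs two checks over a constructed, NetFlow-style session log: outbound connections to protocol/port pairs the egress policy does not permit, and peers contacted at near-constant intervals, the check-in rhythm of a bot.  The internal address ranges, the egress policy, the flow format and the beacon thresholds are all assumptions chosen for the example.

```python
"""Extrusion detection over outbound session records.

Added example; not code from Bejtlich's book.  Input is a constructed
log of 'epoch src dst dport proto' lines (assumed format); the egress
policy and thresholds are illustrative, not a recommendation.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed egress policy: what internal hosts may reach on the Internet
# directly.  Everything else should go through a proxy or be blocked.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed sample sessions (not real traffic).  198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used as stand-in externals.
SAMPLE_FLOWS = """\
1291000000 10.1.1.20 93.184.216.34 443 tcp
1291000010 10.1.1.20 93.184.216.34 80 tcp
1291000005 10.1.1.77 198.51.100.9 6667 tcp
1291000305 10.1.1.77 198.51.100.9 6667 tcp
1291000605 10.1.1.77 198.51.100.9 6667 tcp
1291000905 10.1.1.77 198.51.100.9 6667 tcp
1291000030 10.1.1.40 203.0.113.5 53 udp
1291000040 10.1.1.40 10.1.1.1 445 tcp
1291000050 10.1.1.55 203.0.113.77 4444 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Return (epoch, src, dst, dport, proto) tuples; blank/comment lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def outbound(flows):
    """Sessions from an internal source to an external destination:
    the only traffic extrusion detection looks at."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def policy_violations(flows):
    """Outbound sessions to a (proto, port) the egress policy does not permit."""
    return [f for f in outbound(flows) if (f[4], f[3]) not in ALLOWED_EGRESS]


def beacons(flows, min_conns=4, max_jitter=0.1):
    """(src, dst, dport) triples contacted at near-constant intervals:
    at least min_conns sessions whose gap spread (stddev/mean) is small.
    Thresholds are assumptions; tune them against your own baseline."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, _proto in outbound(flows):
        by_peer[(src, dst, dport)].append(ts)
    found = []
    for key, times in by_peer.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(key)
    return sorted(found)


def report(text):
    """Summary an analyst would triage: hosts breaking egress policy and
    peers that look like command-and-control check-ins."""
    flows = parse_flows(text)
    return {
        "violating_hosts": sorted({f[1] for f in policy_violations(flows)}),
        "beacons": beacons(flows),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FLOWS).items():
        print(key, value)
```

On the sample, the internal-to-internal SMB session is ignored (it is not extrusion), the DNS and web sessions pass policy, and two hosts are flagged: one for a single connection to an arbitrary high port, and one for IRC sessions every 300 seconds, which the beacon check also reports.  Real logs need the same analysis per protocol and a baseline of normal jitter, as the book’s case study in chapter nine makes clear.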

Bejtlich’s prose is clear, informative, and even has touches of humour.  The content is well-organized.  (There is a tendency to use idiosyncratic acronyms, sometimes before they’ve been expanded or defined.)  This work is demanding, particularly for those still at the intermediate level, but does examine an area of security which does not get sufficient attention.

copyright, Robert M. Slade   2010     BKEXTDET.RVW   20101023

REVIEW: “Inside Cyber Warfare”, Jeffrey Carr

BKCYWRFR.RVW   20101204

“Inside Cyber Warfare”, Jeffrey Carr, 2010, 978-0-596-80215-8,
U$39.99/C$49.99
%A   Jeffrey Carr greylogic.us
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-80215-8 0-596-80215-3
%I   O’Reilly & Associates, Inc.
%O   U$39.99/C$49.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596802153/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596802153/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596802153/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   212 p.
%T   “Inside Cyber Warfare: Mapping the Cyber Underworld”

The preface states that this text is an attempt to cover the very broad topic of cyber warfare with enough depth to be interesting without being technically challenging for the reader.

Chapter one provides examples of cyber attacks (mostly DDoS [Distributed Denial of Service]), and speculations about future offensives.  More detailed stories are given in chapter two, although the reason for the title of “Rise of the Non-State Hacker” isn’t really clear.  The legal status of cyber warfare, in chapter three, deals primarily with disagreements about military treaties.  A guest chapter (four) gives a solid argument for the use of “active defence” (striking back at an attacker) in cyber attacks perceived to be acts of war, based on international law in regard to warfare.  The author of the book is the founder of Project Grey Goose, and chapter five talks briefly about some of the events PGG investigated, using them to illustrate aspects of the intelligence component of cyber warfare (and noting some policy weaknesses, such as the difficulties of obtaining the services of US citizens of foreign birth).  The social Web is examined in chapter six, noting relative usage in Russia, China, and the Middle East, along with use and misuse by military personnel.  (The Croll social engineering attack, and Russian scripted attack tools, are also detailed.)  Ownership links, and domain registrations, are examined in chapter seven, although in a restricted scope.  Some structures of systems supporting organized crime online are noted in chapter eight.  Chapter nine provides a limited look at the sources of information used to determine who might be behind an attack.  A grab bag of aspects of malware and social networks is compiled to form chapter ten.  Chapter eleven lists position papers on the use of cyber warfare from various military services.  Chapter twelve is another guest article, looking at options for early warning systems to detect a cyber attack.  A host of guest opinions on cyber warfare are presented in chapter thirteen.

Carr is obviously, and probably legitimately, concerned that he not disclose information of a sensitive nature that is detrimental to the operations of the people with whom he works.  (Somewhat ironically, I reviewed this work while the Wikileaks furor over diplomatic cables was being discussed.)  However, he appears to have gone too far.  The result is uninteresting for anyone who has any background in cybercrime or related areas.  Those who have little to no exposure to security discussions on this scale may find it surprising, but professionals will have little to learn, here.

copyright, Robert M. Slade   2010     BKCYWRFR.RVW   20101204

REVIEW: “Codes, Ciphers and Secret Writing”, Martin Gardner

BKCOCISW.RVW   20101229

“Codes, Ciphers and Secret Writing”, Martin Gardner, 1972,
0-486-24761-9, U$4.95/C$7.50
%A   Martin Gardner
%C   31 East 2nd St., Mineola, NY  11501
%D   1972
%G   0-486-24761-9
%I   Dover Publications
%O   U$4.95/C$7.50 www.DoverPublications.com
%O  http://www.amazon.com/exec/obidos/ASIN/0486247619/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0486247619/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0486247619/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   96 p.
%T   “Codes, Ciphers and Secret Writing”

This brief pamphlet outlines some of the simple permutation and substitution ciphers that have been used over time.  The emphasis is on the clever little tricks that go into making ciphers slightly harder to crack.  None of the algorithms are terribly sophisticated, and exercises are given at the end of each chapter.  Instructions are given for decrypting some of the ciphers, even if you don’t know the key.

Two additional chapters address related topics.  The first deals with various forms of secret writing, such as invisible inks, or steganographic messages.  The last chapter briefly examines the problem of creating messages that unknown people, with unknown languages, may be able to solve (such as sending messages to the stars).

None of the material is strenuous, but this may be a nice start before moving on to a work such as Gaines “Cryptanalysis” (cf. BKCRPTAN.RVW).

copyright, Robert M. Slade   2010     BKCOCISW.RVW   20101229

REVIEW: “Computer Viruses and Other Malicious Software”, Organization for Economic Co-operation and Development

BKCVAOMS.RVW   20100607

“Computer Viruses and Other Malicious Software”, Organization for
Economic Co-operation and Development, 2009, 978-92-64-05650-3
%A   Organization for Economic Co-operation and Development
%C   2 rue Andre Pascal, 75775 Paris Cedex 16, France
%D   2009
%G   978-92-64-05650-3 92-64-05650-5
%I   OECD Publishing
%O   oecdna@turpin-distribution.com sourceoecd@oecd.org
%O  http://www.amazon.com/exec/obidos/ASIN/9264056505/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/9264056505/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9264056505/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   “Computer Viruses and Other Malicious Software”

The executive summary doesn’t tell us much except that malware is bad, and that this report is seen as a first step in addressing the issue in a global, comprehensive manner.

Part one, entitled “The Scope of Malware,” is intended to provide background to the problem.  Chapter one, as an overview, is a random collection of technical issues, with poor explanations.  Although it is good to see that the malware situation is defined in terms that are more up-to-date than those in all too many security texts, the lack of foundational material provided by the authors will necessarily limit the perception of the issue for those readers who have not done serious research themselves.  Various stories of attacks and payloads (not all related to malware) are listed in an equally disjointed manner in chapter two.  There are numerous errors, including in simple aspects like arithmetic.  (20 million is not “5 times” one million.)   The explanation of why we should be concerned, in chapter three, boils down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware.  Chapter four, while it promises to deal with cybersecurity and economic incentives, merely states that security is hard.  Chapter five does deal with economic factors influencing decisions of key players on the Internet, but does so only on the basis of an opinion survey, rather than any measured costs or benefits.  Descriptions of different types of economic situations are given in chapter six, but a final set of “findings” doesn’t seem to have much background support.

Part three is supposed to contain recommendations about actions to take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on areas of malware to contribute to the literature.  The concept of addressing the economic aspects is interesting, but is not sufficiently fulfilled.  Overall, this text has nothing to add to existing information.

copyright, Robert M. Slade   2010     BKCVAOMS.RVW   20100607

What was your favorite book of 2010?

Wanting something good to read, I found myself reading “Neuromancer” again, probably for the hundredth time now.

Looking around for recommendations for new books in the usual places like the “NYT Best Sellers list” turned up fairly dull results. So given that the crowd that reads this blog probably shares the same preferences as me, what book did you enjoy this past year? Any genre.
