REVIEW: “Young People, Ethics, and the New Digital Media”

BKYPENDM.RVW   20120125

“Young People, Ethics, and the New Digital Media: A Synthesis from the
GoodPlay Project”, Carrie James et al, 2009, 978-0-262-51363-0
%A   Carrie James
%A   Katie Davis
%A   Andrea Flores
%A   John M. Francis
%A   Lindsay Pettingill
%A   Margaret Rundle
%A   Howard Gardner
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   2009
%G   978-0-262-51363-0 0-262-51363-3
%I   MIT Press
%O   +1-800-356-0343 fax: +1-617-625-6660 www-mitpress.mit.edu
%O  http://www.amazon.com/exec/obidos/ASIN/0262513633/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0262513633/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0262513633/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P
%T   “Young People, Ethics, and the New Digital Media”

It is not until more than a tenth of this book has passed that the authors admit that this is, in essence, only a proposal for a study which they hope will be carried out in future.  No actual research or interviews have been conducted, so there aren’t really any results to be reported.  The authors hypothesize that five factors are involved in “media-identity”: “privacy, ownership and authorship, credibility, and participation.”  (Yes, I agree that it looks like four factors, expressed that way.  But the authors repeatedly express it in exactly that way, and insist that it makes five.)

The authors note that social networking (or social media, or new digital media) is a frontier, and thus lacks comprehensive and well-enforced rules and regulations.  Social media permits and encourages “participatory cultures,” with relatively low barriers to artistic expression and “civic” engagement, strong support for creating and sharing creations, and some type of informal mentorship whereby what is known by the most experienced is passed along to novices.  The goals of the project are to investigate the ethical values and structures of new media and to create entities to promote ethical thinking and conduct.

The project is also to focus on “play,” with a fairly broad definition of that term, including gaming, instant messaging, social networking, participation in fan fiction groups, blogging, and content creation including video sharing.  Some of these activities may lead to employment, but are undertaken without support, rewards, and constraints of adult supervisors, and without explicit standards of conduct and quality.  “Good play” is defined as online conduct that is both meaningful and engaging to the participant and responsible to others in the community in which it is carried out.

A number of questions are raised in this book, but few are answered in any way at all.  While there is some review of existing work in related areas, it is hardly comprehensive, convincing, or useful.  It is difficult to say what the intent of publishing this book was.

copyright, Robert M. Slade   2012     BKYPENDM.RVW   20120125

REVIEW: “Eleventh Hour CISSP Study Guide”, Eric Conrad

BK11HCSG.RVW 20120210

“Eleventh Hour CISSP Study Guide”, Eric Conrad, 2011,
978-1-59749-566-0, U$24.95
%A Eric Conrad
%C 800 Hingham Street, Rockland, MA 02370
%D 2011
%G 978-1-59749-566-0 1-59749-566-2
%I Syngress Media, Inc.
%O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597495662/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597495662/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597495662/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 196 p.
%T “Eleventh Hour CISSP Study Guide”

“Eleventh Hour” would seem to imply that this is a last minute option.  I would not rely on this book as a last ditch option if you haven’t studied. It’s a reviewer’s dream (or nightmare): an embarrassment of riches in terms of errors. But I should keep this review to a reasonable size, so I’ll only mention a few illustrative goofs.

Chapter one addresses security management. The coverage of risk management is superficial, facile, and disjointed. The author adds extra factors into the CBK (Common Body of Knowledge). He stresses “return on investment” without addressing the controversy over whether “return on security investment” actually exists. There are some references based on the NIST (US National Institute of Standards and Technology) which are good, but insufficient. Each chapter ends with a list of the “Top Five Toughest Questions” for that domain. Usually one (20%) is flatly wrong, and the rest address trivia, missing the concepts and ramifications which are the real objectives of the CISSP examination.

Chapter two looks at access control. No, integrity concerns are not limited to authorization issues. “Counter-based synchronous dynamic token” makes no sense: both counter and dynamic obviate the need for synchronization. No, most keyboard dynamics systems would not measure pressure. In regard to cryptography, in chapter three, yes, CBC (Cipher Block Chaining) would propagate errors, which is why it is only used with self-correcting algorithms (which DES – Data Encryption Standard – is). And, yes, using ECB (Electronic Code Book) identical data blocks produce identical cipher blocks, but similar data blocks produce vastly dissimilar cipher blocks. (That is part of the measure of a good cipher algorithm.) Chapter five deals with physical security. If you can still find a soda/acid extinguisher don’t try to use it on burning liquids: it doesn’t produce much foam, mostly a simple stream of water. And merely because a CRT (Cathode Ray Tube) is analogue does not mean it is incompatible with digital devices such as CCD (Charge Coupled Device) cameras: until I got my first laptop, all the monitors for my (digital) computers were CRTs. Respecting architecture (chapter five), “open systems” refers to the use of standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use) is not a race condition, and does not require a change of state.  Polyinstantiation is not related to entity integrity. Chapter six reviews Business Continuity Planning: RPO (Recovery Point Objective) is the minimal level of operation the business needs to function, not the time taken to get there, and a hot site is not a mirror.

Studying telecommunications? It is the domain with the largest mass of information, and chapter seven is pathetically small: there is no mention of topologies, telephony, or routing, and details of the protocols are scant to the point of being non-existent. The OSI (Open Systems Interconnection) model is a model, not a network protocol (although there is, also, an OSI suite of protocols), and can therefore be used to analyze any protocol suite. Neither ATM (Asynchronous Transfer Mode) nor Ethernet is restricted to the physical (which, in any case, does not deal with data, but with signals).

Chapter eight takes a stab at applications security. SDL (System Life Cycle) is not identical to SDLC (System Development Life Cycle) but contains it. The explanations in this domain are particularly poor, even by the low standards of this work. Similarly, the material on operations security, in chapter nine, is more random than in other chapters, and duplicates more content found elsewhere.

I was surprised to find that chapter ten, on law and investigations, wasn’t all that bad. There are still plenty of errors (no, only one of the four points given is one of the seven basics of the European Directives on privacy), but many of the base concepts are there, and presented reasonably. There is, however, almost nothing on management of investigations, and incident response isn’t even mentioned.

There are at least a dozen other options I’ve reviewed at http://victoria.tc.ca/techrev/mnbkscci.htm, and this actually isn’t the worst. But maybe I was a bit too hard at the beginning. You could use this book for a bit of last minute studying. If you can find at least one error per page, you are in good shape to write the exam.

copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210

REVIEW: “Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny

BKDRKMKT.RVW 20120201

“Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny, 2011,
978-0-88784-239-9, C$29.95
%A   Misha Glenny
%C   Suite 801, 110 Spadina Ave, Toronto, ON Canada  M5V 2K4
%D   2011
%G   978-0-88784-239-9 0-88784-239-9
%I   House of Anansi Press Ltd.
%O   C$29.95 416-363-4343 fax 416-363-1017 www.anansi.ca
%O  http://www.amazon.com/exec/obidos/ASIN/0887842399/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0887842399/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0887842399/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   296 p.
%T   “Dark Market: CyberThieves, CyberCops, and You”

There is no particular purpose stated for this book, other than the vague promise of the subtitle that this has something to do with bad guys and good guys in cyberspace.  In the prologue, Glenny admits that his “attempts to assess when an interviewee was lying, embellishing or fantasising and when an interviewee was earnestly telling the truth were only partially successful.”  Bear in mind that all good little blackhats know that, if you really want to get in, the easiest thing to attack is the person.  Social engineering (which is simply a fancy way of saying “lying”) is always the most effective tactic.

It’s hard to have confidence in the author’s assessment of security on the Internet when he knows so little of the technology.  A VPN (Virtual Private Network) is said to be a system whereby a group of computers share a single address.  That’s not a VPN (which is a system of network management, and possibly encryption): it’s a description of NAT (Network Address Translation).  True, a VPN can, and fairly often does, use NAT in its operations, but the carelessness is concerning.

This may seem to be pedantic, but it leads to other errors.  For example, Glenny asserts that running a VPN is very difficult, but that encryption is easy, since encryption software is available on the Internet.  While it is true that the software is available, that availability is only part of the battle.  As I keep pointing out to my students, for effective protection with encryption you need to agree on what key to use, and doing that negotiation is a non-trivial task.  Yes, there is asymmetric encryption, but that requires a public key infrastructure (PKI) which is an enormously difficult proposition to get right.  Of the two, I’d rather run a VPN any day.

It is, therefore, not particularly surprising that the author finds that the best way to describe the capabilities of one group of carders was to compare them to the fictional “hacking” crew from “The Girl with the Dragon Tattoo.”  The activities in the novel are not impossible, but the ability to perform them on demand is highly unlikely.

This lack of background colours his ability to ascertain what is possible or not (in the technical areas), and what is likely (out of what he has been told).  Sticking strictly with media reports and indictment documents, Glenny does a good job, and those parts of the book are interesting and enjoyable.  The author does let his taste for mystery get the better of him: even the straight reportage parts of the book are often confusing in terms of who did what, and who actually is what.

Like Dan Verton (cf BKHCKDRY.RVW) and Suelette Dreyfus (cf. BKNDRGND.RVW) before him, Glenny is trying to give us the “inside story” of the blackhat community.  He should have read Taylor’s “Hackers” (cf BKHAKERS.RVW) first, to get a better idea of the territory.  He does a somewhat better job than Dreyfus and Verton did, since he is wise enough to seek out law enforcement accounts (possibly after reading Stiennon’s “Surviving Cyberwar,” cf. BKSRCYWR.RVW).

Overall, this work is a fairly reasonable updating of Levy’s “Hackers” (cf. BKHACKRS.RVW) of almost three decades ago.  The rise of the financial motivation and the specialization of modern fraudulent blackhat activity are well presented.  There is something of a holdover in still portraying these crooks as evil genii, but, in the main, it is a decent picture of reality, although it provides nothing new.

copyright, Robert M. Slade   2012    BKDRKMKT.RVW 20120201

REVIEW: “Steve Jobs”, Walter Isaacson

BKSTVJBS.RVW 20111224

“Steve Jobs”, Walter Isaacson, 2011, 978-1-4104-4522-3
%A   Walter Isaacson pat.zindulka@aspeninstitute.org
%C   27500 Drake Road, Farmington Hills, MI   48331-3535
%D   2011
%G   978-1-4104-4522-3 1451648537
%I   Simon and Schuster/The Gale Group
%O   248-699-4253 800-877-4253 fax: 800-414-5043 galeord@gale.com
%O  http://www.amazon.com/exec/obidos/ASIN/1451648537/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1451648537/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1451648537/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   853 p.
%T   “Steve Jobs”

I have read many fictional works that start off with a list of the cast of characters, but this is the first biography I’ve ever read that started in this way.

It is fairly obvious that Isaacson has done extensive research, talked to many people, and worked very hard in preparation for this book.  At the same time, it is clear that many areas have not been carefully analyzed.  Many Silicon Valley myths (such as the precise formulation of Moore’s Law, or John Draper’s status with regard to the Cap’n Crunch whistle) are retailed without ascertaining the true facts.  The information collected is extensive in many ways, but, in places (particularly in regard to Jobs’ earlier years) the writing is scattered and disjointed.  We have Jobs living with his girlfriend in a cabin in the hills, and then suddenly he is in college.

Material is duplicated and reiterated in many places.  Quotes are frequently repeated word-for-word in relation to different situations or circumstances, so the reader really cannot know the original reference.  There are also contradictions: we are told that Jobs could not stand a certain staffer, but 18 pages later we are informed that the same person often enthralled Jobs.  (Initially, this staffer is introduced as having been encountered in 1979, but it is later mentioned that he worked for Jobs and Apple as early as 1976.)  At one point we learn that an outside firm designed the Mac mouse: four pages further on we ascertain that it was created internally by Apple.  The author seems to have accepted any and all input, perspectives, and stories without analysis or assessment of where the truth might lie.

It is possible to do a biography along a timeline.  It is possible to do it on a thematic basis.  Isaacson follows a timeline, but generally only covers one subject during any “epoch.”  From the first time Jobs sees a personal computer until he is dismissed from Apple, this is less of a biography and more the story of the development of the company.  There is a short section covering the birth of Jobs’ daughter, we hear of the reality distortion field, and terse mentions of vegan diets, motorcycles, stark housing, and occasional girlfriends, but almost nothing of Jobs away from work.  (Even in covering Apple there are large gaps: the Lisa model is noted as an important development, but then is never really described.)

In fact, it is hard to see this book as a biography.  It reads more like a history of Apple, although with particular emphasis on Jobs.  There are sidetrips to his first girlfriend and daughter, NeXT, Pixar, miscellaneous girlfriends, his wife and kids, Pixar again, and then cancer, but by far the bulk of the book concentrates on Apple.

The “reality distortion field” is famous, and mentioned often.  Equally frequently we are told of a focused and unblinking stare, which Jobs learned from someone, and practiced as a means to intimidate and influence people.  Most people believe that the person who “doesn’t blink” is the dominant personality, and therefore the one in charge.  It is rather ironic that research actually refutes this.  Studies have shown that, when two people meet for the first time, it is actually the dominant personality that “blinks first” and looks away, almost as a signal that they are about to dominate the conversation or interaction.  Both “the field” and “the stare” seem to tell the same story: they are tricks of social engineering which can have a powerful influence, but which are based on an imperfect understanding of reality and people, don’t work with everyone, and can have very negative consequences.

(The chapters on Jobs’ fight with cancer are possibly the most telling.  For anyone who has the slightest background in medicine it will be apparent that Jobs didn’t know much in that field, and that he made very foolish and dangerous decisions, flying in the face of all advice and any understanding of nutrition and biology.)

Those seeking insight into the character that built a major corporation may be disappointed.  Like anybody else, Jobs is a study in contradictions: the seduction with charm and vision, then belittlement and screaming at people; the perfectionist who obsessed on details, but was supposedly a visionary at the intersection of the arts and technology who made major decisions based on intuitive gut feelings with little or no information or analysis; the amaterialistic ascetic who made a fortune selling consumer electronics and was willing to con people to make money; the Zen meditator who never seemed to achieve any calm or patience; the man who insisted that “honesty” compelled him to abuse friends and colleagues, but who was almost pathological in his secrecy about himself and the company; and the creative free-thinker who created the most closed and restricted systems extant.

There is no attempt to find the balance point for any of these dichotomies.  As a security architect I can readily agree with the need for high level design to drive all aspects of the construction of a system: a unified whole always works better and more reliably.  Unfortunately for that premise, there are endless examples of Jobs demanding, at very late points in the process, that radically new functions be included.  Then there are Jobs’ twin assertions that the item must be perfect, but that ship dates must be met.  One has to agree with Voltaire: the best is the enemy of the good, and anyone trying to be good, fast, *and* cheap may succeed a time or two, but is ultimately headed for failure.

Several times Isaacson repeats an assertion from Jobs that money is not important: it is merely recognition of achievements, or a resource that enables you to make great products.  The author does not seem to understand that an awful lot of money is also another resource, one that allows you to make mistakes.  He only vaguely admits that Jobs made some spectacular errors.

The book is not a hagiography.  Isaacson is at pains to point out that he notes Jobs’ weaknesses of character and action.  At the same time, Isaacson is obviously proud of being a personal friend, and, I suspect, does not realize that, while he may mention Jobs’ flaws, he also goes to great lengths to excuse them.

Was Steve Jobs a great man?  He was the driving force behind a company which had, for a time, the largest market capitalization of any publicly traded company.  He was also, by pretty much all accounts, an arrogant jerk.  He had a major influence on the design of personal electronics, although his contribution to personal computing was mostly derivative.  We are conventionally used to saying that people like Napoleon, Ford, and Edison are great, even though they might have been better at social engineering than the softer people skills.  By this measure Jobs can be considered great, although not by the standards by which we might judge Gandhi, Mother Teresa, and the Dalai Lama (which is rather ironic, considering Jobs’ personal philosophy).

Those who hold Jobs, Apple, or both, in awe will probably be delighted to find a mass of stories and trivia all in one place.  Those who want to know the secrets of building a business empire may find some interesting philosophies, but will probably be disappointed: the book tends to take all positions at once.  For those who have paid much attention to Apple, and Jobs’ career, there isn’t much here that is novel.  As Jobs himself stated to a journalist, “So, you’ve uncovered the fact that I’m an *sshole.  Why is that news?”

Having all of the material in one book does help to clarify certain issues.  Personally, I have always fought with the Macs I used, struggling against the lock step conformity they enforced.  It was only in reviewing this work that it occurred to me that Apple relies upon a closed system that makes Microsoft appear open by comparison.  So, I guess, yes, there is at least one insight to be gained from this volume.

copyright, Robert M. Slade   2011     BKSTVJBS.RVW 20111224

REVIEW: “Liars and Outliers: Enabling the Trust that Society Needs to Thrive”, Bruce Schneier

BKLRSOTL.RVW   20120104

“Liars and Outliers: Enabling the Trust that Society Needs to Thrive”,
Bruce Schneier, 2012, 978-1-118-14330-8, U$24.95/C$29.95
%A   Bruce Schneier www.Schneier.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2012
%G   978-1-118-14330-8 1-118-14330-2
%I   John Wiley & Sons, Inc.
%O   U$24.95/C$29.95 416-236-4433 fax: 416-236-4448 www.wiley.com
%O  http://www.amazon.com/exec/obidos/ASIN/1118143302/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1118143302/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1118143302/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   365 p.
%T   “Liars and Outliers: Enabling the Trust that Society Needs to
Thrive”

Chapter one is what would ordinarily constitute an introduction or preface to the book.  Schneier states that the book is about trust: the trust that we need to operate as a society.  In these terms, trust is the confidence we can have that other people will reliably behave in certain ways, and not in others.  In any group, there is a desire to have people cooperate and act in the interest of all the members of the group.  In all individuals, there is a possibility that they will defect and act against the interests of the group, either for their own competing interest, or simply in opposition to the group.  (The author notes that defection is not always negative: positive social change is generally driven by defectors.)  Actually, the text may be more about social engineering, because Schneier does a very comprehensive job of exploring how confident we can be about trust, and the ways we can increase (and sometimes inadvertently decrease) that reliability.

Part I explores the background of trust, in both the hard and soft sciences.  Chapter two looks at biology and game theory for the basics.  Chapter three will be familiar to those who have studied sociobiology, or other evolutionary perspectives on behaviour.  A historical view of sociology and scaling makes up chapter four.  Chapter five returns to game theory to examine conflict and societal dilemmas.

Schneier says that part II develops a model of trust.  This may not be evident at a cursory reading: the model consists of moral pressures, reputational pressures, institutional pressures, and security systems, and the author is very careful to explain each part in chapters seven through ten: so careful that it is sometimes hard to follow the structure of the arguments.

Part III applies the model to the real world, examining competing interests, organizations, corporations, and institutions.  The relative utility of the four parts of the model is analyzed in respect to different scales (sizes and complexities) of society.  The author also notes, in a number of places, that distrust, and therefore excessive institutional pressures or security systems, is very expensive for individuals and society as a whole.

Part IV reviews the ways societal pressures fail, with particular emphasis on technology, and information technology.  Schneier discusses situations where carelessly chosen institutional pressures can create the opposite of the effect intended.

The author lists, and proposes, a number of additional models.  There are Ostrom’s rules for managing commons (a model for self-regulating societies), Dunbar’s numbers, and other existing structures.  But Schneier has also created a categorization of reasons for defection, a new set of security control types, a set of principles for designing effective societal pressures, and an array of the relation between these control types and his trust model.  Not all of them are perfect.  His list of control types has gaps and ambiguities (but then, so does the existing military/governmental catalogue).  In his figure of the feedback loops in societal pressures, it is difficult to find a distinction between “side effects” and “unintended consequences.”  However, despite minor problems, all of these paradigms can be useful in reviewing both the human factors in security systems, and in public policy.

Schneier writes as well as he always does, and his research is extensive.  In part one, possibly too extensive.  A great many studies and results are mentioned, but few are examined in any depth.  This does not help the central thrust of the book.  After all, eventually Schneier wants to talk about the technology of trust, what works, and what doesn’t.  In laying the basic foundation, the question of the far historical origin of altruism may be of academic philosophical interest, but that does not necessarily translate into an understanding of current moral mechanisms.  It may be that God intended us to be altruistic, and therefore gave us an ethical code to shape our behaviour.  Or, it may be that random mutation produced entities that acted altruistically and more of them survived than did others, so the population created expectations and laws to encourage that behaviour, and God to explain and enforce it.  But trying to explore which of those (and many other variant) options might be right only muddies the understanding of what options actually help us form a secure society today.

Schneier has, as with “Beyond Fear” (cf. BKBYNDFR.RVW) and “Secrets and Lies” (cf. BKSECLIE.RVW), not only made a useful addition to the security literature, but created something of value to those involved with public policy, and a fascinating philosophical tome for the general public.  Security professionals can use a number of the models to assess controls in security systems, with a view to what will work, what won’t (and what areas are just too expensive to protect).  Public policy will benefit from examination of which formal structures are likely to have a desired effect.  (As I am finishing this review the debate over SOPA and PIPA is going on: measures unlikely to protect intellectual property in any meaningful way, and guaranteed to have enormous adverse effects.)  And Schneier has brought together a wealth of ideas and research in the fields of trust and society, with his usual clarity and readability.

copyright, Robert M. Slade   2011     BKLRSOTL.RVW   20120104

REVIEW: “Identity Management: Concepts, Technologies, and Systems”, Elisa Bertino/Kenji Takahashi

BKIMCTAS.RVW   20110326

“Identity Management: Concepts, Technologies, and Systems”, Elisa
Bertino/Kenji Takahashi, 2011, 978-1-60807-039-8
%A   Elisa Bertino
%A   Kenji Takahashi
%C   685 Canton St., Norwood, MA   02062
%D   2011
%G   978-1-60807-039-8 1-60807-039-5
%I   Artech House/Horizon
%O   800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1608070395/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1608070395/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1608070395/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   196 p.
%T   “Identity Management: Concepts, Technologies, and Systems”

Chapter one, the introduction, is a review of general identity related issues.  The definition of identity management, in chapter two, is thorough and detailed, covering the broad range of different types and uses of identities, the various loci of control, the identity lifecycle (in depth), and a very effective technical definition of privacy.  (The transactional attribute is perhaps defined too narrowly, as it could relate to non-commercial activities.)
“Fundamental technologies and processes” addresses credentials, PKI (Public Key Infrastructure), single sign-on, Kerberos, privacy, and anonymous systems in chapter three.  The level of detail varies: most of the material is specific with limited examples, while attribute federation is handled quite abstractly.  Chapter four turns to standards and systems, reviewing SAML (Security Assertion Markup Language), Web Services Framework, OpenID, Information Card-Based Identity Management (IC-IDM), interoperability, other prototypes, examples, and projects, with an odd digression into the fundamental confidentiality, integrity, and availability concepts.  Challenges are noted in chapter five, briefly examining usability, access control, privacy, trust management, interoperability (from the human, rather than machine, perspective, particularly expectations, experience, and jargon), and finally biometrics.

This book raises a number of important questions, and mentions many new areas of work and development.  For experienced security professionals needing to move into this area as a new field, it can serve as an introduction to the topics which need to be discussed.  Those looking for assistance with an identity management project will probably need to look elsewhere.

copyright, Robert M. Slade   2011     BKIMCTAS.RVW   20110326

REVIEW: “Zero Day”, David Baldacci

BKZERODY.RVW   20111213

“Zero Day”, David Baldacci, 2011, 978-1-4555-0414-5, U$29.99/C$32.99
%A   David Baldacci www.DavidBaldacci.com
%C   237 Park Ave, New York, NY   10017
%D   2011
%G   978-1-4555-0414-5 0446573019
%I   Hachette Book Group
%O   U$29.99/C$32.99
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   643 p.
%T   “Zero Day”

At one time, in information security terminology, “zero day” meant a measure of difficulty or vulnerability.  That meaning has been largely destroyed by overexposure in the media.  Today it simply means “we want to scare you.”

To top it all off, here is this book by David Baldacci.  As a common-or-garden thriller it is OK.  But it has nothing to do with computers.  Nothing to do with information security.  Zip.  Zero (you should pardon the expression).  Zilch.  Nada.  Null.  None.  Nugatory.  Not a sausage.  The titular phrase isn’t even used anywhere in the book.  It seems to have been used as a title simply to say “we want you to think this is really, really scary.”

copyright, Robert M. Slade   2011     BKZERODY.RVW   20111213

“Zero Day”, Mark Russinovich

BKZERDAY.RVW   20111109

“Zero Day”, Mark Russinovich, 2011, 978-0-312-61246-7, U$24.99/C$28.99
%A Mark Russinovich www.zerodaythebook.com markrussinovich@hotmail.com
%C   175 Fifth Ave., New York, NY   10010
%D   2011
%G   978-0-312-61246-7 0-312-61246-X
%I   St. Martin’s Press/Thomas Dunne Books
%O   U$24.99/C$28.99 212-674-5151 fax 800-288-2131
%O   josephrinaldi@stmartins.com christopherahearn@stmartins.com
%O  http://www.amazon.com/exec/obidos/ASIN/031261246X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/031261246X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/031261246X/robsladesin03-20
http://www.amazon.com/gp/mpd/permalink/m3CQBX46DOK0AK/ref=ent_fb_link
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   328 p.
%T   “Zero Day”

Mark Russinovich has definitely made his name, in technical terms, with Winternals and Sysinternals.  There is no question that he knows the insides of computers.

What is less certain is whether he knows how to write about it within the strictures of a work of fiction.  The descriptions of digital forensics and computer operation in this work are just as confusing, to the technically knowledgeable, as those we regularly deride from technopeasant authors.  “[T]he first thing Jeff noted was that he couldn’t detect any data on the hard disk.”  (Emphasis in the book.)  Jeff then goes on to find some, and notes that there are “bits and pieces of the original operating system.”  Now there is a considerable difference between not finding any data, and having a damaged filesystem, and Russinovich knows this perfectly well.  Our man Jeff is a digital forensics hacker of the first water, and wouldn’t give a fig if he couldn’t see “the standard C: drive icon.”

Generally, you would think that the reason a technically competent person would write a novel about cyberwar would be in order to inject a little reality into things.  Well, reality seems to be in short supply in this book.

First of all, this is the classic geek daydream of being the ultimate ‘leet hacker in the world.  The Lone Hacker.  Hiyo SysInfo, away!  He has all the tools, and all the smarts, about all aspects of technology.  Sorry, just not possible any more.  This lone hacker image is unrealistic, and the more so because it is not necessary.  There are established groups in the malware community (among others), and these would be working together on a problem of this magnitude.  (Interestingly, these are generally informal groups, not the government/industry structures which the book both derides and relies upon.)

Next, all the female geeks (and there are a lot) are “hot.”  ‘Nuff said.

The “big, bad, new” virus is another staple of the fictional realms which does not exist in reality.  Viruses can be built to reproduce rapidly.  In that case, they get noticed quickly.  Or, they may be created to spread slowly and carefully, in which case they can take a while to be detected, but they also take a long time to get into place.

Anti-malware companies don’t necessarily rely on honeypots (which are usually there to collect information on actual intruders), but they do have bait machines that sit and wait to be infected (by worms) or emulate the activity of users who are willing to click on any link or open any file (for viruses).  Malware can be designed to fail to operate (or even delete itself) under certain conditions, and those conditions could include certain indications of a test environment.  However, the ability to actively avoid machines that might be collecting malware samples would be akin to a form of digital mental telepathy.

Rootkits, as described in the novel, are no different than the stealth technology that viruses have been using for decades.  There are always ways of detecting stealth, and rootkits, and, generally speaking, as soon as you suspect that one might be in operation you start to have ideas about how to find it.

A backup is a copy of data.  When it is restored, it is copied back onto the computer, but there is no need for the backup copy to be destroyed by that process.  Therefore, if a system-restored-from-backup crashes, nothing is lost but time.  You still have the backup, and can try again (this time with more care).  In fact, the first time you have any indication that the system might be corrupted enough to crash, you would probably try to recover the files with an alternate operating system.  (But, yes, I can see how that might not occur to someone who works for Microsoft.)  After all, the most important thing you’ve got on your system is the data, and the data can usually be read on any system, and with a wide variety of programs.  (Data files from a SQL Server database could be retrieved not only with other SQL programs, but with pretty much any relational database.)

Some aspects are realistic.  The precautions taken in communications, with throwaway email addresses and out-of-band messaging, are the type that would be used in those situations.  There is a lot of real technology described in the book.  (Although I was slightly bemused by the preference for CDs for data and file storage: that seems a bit quaint now that everyone is using USB drives.)  The need, in this type of work, for a level of focus that precludes all other distractions, and the boredom of trying step after step and possibility after possibility are real.  The neglect of security and the attendant false confidence that one is immune to attack are all too real.  But in a number of the technical areas the descriptions are careless enough to be completely misleading to those not intimately familiar with the technology and the information security field.  Which is just as bad as not knowing what you are talking about in the first place.

Other forms of technology should have had a little research.  Yes, flying an airliner across an ocean is boring.  That’s why the software designers behind the interface on said airliners have the computer keep asking the pilots to check things: keeps the pilots from zoning out.  I don’t know how quickly you can “reboot” the full control system in an airplane, but the last one I was on that did it took about fifteen minutes to even get the lights back on.  I doubt that would be fast enough to do (twice) in order to pull a plane out of a dive.  And if you are in a high-G curve to try and keep the plane out of the water, a sudden cessation of G-forces would mean that a) the plane had stalled (again) (very unlikely), or b) the wings had come off.  Neither of which would be a good thing.  (And, yes, the Spanair computer that was tracking technical problems at the time was infected with a virus, but, no, that had nothing to do with the crash.)

Russinovich’s writing is much the same as that of many mid-level thriller writers.  His plotting is OK, although the attempt to heighten tension, towards the end, by having “one darn thing after another” happen is a style that is overused, and isn’t very compelling in this instance.  On the down side, his characters are all pretty much the same, and through much of the book the narrative flow is extremely disjointed.

Overall, this is a reasonable, though unexceptional, thriller.  He was fortunate in being able to get Bill Gates and Howard Schmidt to write blurbs for it, but that still doesn’t make it any more realistic than the mass of cyberthrillers now coming on the market.

copyright, Robert M. Slade   2011     BKZERDAY.RVW   20111109

New computers – Kindle

The Girls, who have been having a grand time in recent years finding interesting high tech goodies that I never even knew existed, got me a Kindle for Christmas.  So, of course, I’m going to review the Kindle.

I had been putting off the idea of getting one for myself.  I do a lot of reading, but that’s primarily because I do a lot of reviewing, and for that you need the ability to make notes, and transfer said notes back to the computer for writing up.  So far, I haven’t seen an awful lot that convinces me the e-readers are there yet.

But, I do have to say that, right off the top, the idea of having 60 books (so far) in something that is lighter than a paperback definitely has its attractions.  So far I’ve been able to load the Bible, some tech articles, my own security dictionary, a dozen Sherlock Holmes stories, Don Quixote (both of which I have read), The Divine Comedy, War and Peace (both of which I intend to read–sometime), a fair amount of poetry, and an egalley for Bruce Schneier’s latest (sent along by his publicist).

Unfortunately, all this fun exploring has me somewhat behind in news and email, so I’ll have to start putting together my observations of the Kindle, itself, a bit later.

REVIEW: “Surviving Cyberwar”, Richard Stiennon

BKSRCYWR.RVW   20110325

“Surviving Cyberwar”, Richard Stiennon, 2010, 978-1-60590-688-1
%A   Richard Stiennon
%C   4501 Forbes Blvd, #200, Lanham, MD   20706
%D   2010
%G   978-1-60590-688-1 1-60590-674-3
%I   Government Institutes/Scarecrow Press/Rowman & Littlefield Publ.
%O   800-462-6420 www.govinstpress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1605906743/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1605906743/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1605906743/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   180 p.
%T   “Surviving Cyberwar”

The introduction is the customarily (for books on currently “hot” topics) vague warning that there is danger out there.

Chapter one, according to the title, is supposed to talk about the “Titan Rain” attacks.  In reality it concentrates on Shawn Carpenter and his personal problems, and says very little either about details of the technology, or ideas for defence.  China, and various activities in espionage (and diplomatic disagreements with the US), is the topic of chapter two.  (One story is not about China.)  Although entitled “Countering Cyber Espionage,” chapter three is just about security tools and malware.  Chapter four lists random aspects of, and attacks on, email.  The Pentagon is dealt with, in similarly haphazard fashion, in chapter five.

A few wars, or tense “situations,” are mentioned in chapter six, along with some possibly related computer involvement.  Chapter seven titularly promises DDoS defence, but mostly just talks about distributed denial of service attacks, along with a mention of the error of using BGP (Border Gateway Protocol) as a routing protocol.  Aspects of social networking, mostly in support of activism, are noted in chapter eight.  Chapter nine is a not-very-useful account of the Estonian cyber-attack of 2007, ten briefly mentions some others in eastern Europe, and eleven mentions the Georgian attack.  There is a rambling dissertation on war and various computer security problems in chapter twelve.  Chapter thirteen appears to be an attempt to provide some structure to the concept of cyberwar, but establishes very little of any significance.  Preparations, by some nations, for cyberwarfare are mentioned in chapter fourteen.  Most of the detail is for the US, and there isn’t much even for them.  A final chapter says that the existence of cyberwarfare could cause troubles for lots of people.

The content and writing are rambling and disorganized.  This reads more like a collection of fifteen lengthy, but not terribly well researched, magazine articles than an actual book.  There are many more informative resources, such as Dorothy Denning’s “Information Warfare and Security” (cf. BKINWRSC.RVW) (which, despite predating this work by a dozen years, still manages to present more useful information).  Stiennon does not add anything substantial to the literature on this topic.

copyright, Robert M. Slade   2011     BKSRCYWR.RVW   20110325

REVIEW: “Good Night Old Man”, George Campbell

BKGNOM.RVW   20111128

“Good Night Old Man”, George Campbell, 2011, 978-9878319-0-3, C$19.95
%A   George Campbell georgeca@telus.net http://is.gd/x28QRz
%C   PO Box 57083 RPO Eastgate, Sherwood Park, AB Canada T8A 5L7
%D   2011
%G   978-9878319-0-3
%I   Dream Write Publishing dreamwrite10@hotmail.com
%O   C$19.95 http://www.dreamwritepublishing.ca  780-445-0991
%O http://www.dreamwritepublishing.ca/retail/books/good-night-old-man
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   342 p.
%T   “Good Night Old Man”

On page 114 the author asserts that even learning to use Morse code “bestowed on us instant acceptance into a society whose members regularly performed tasks too difficult for most others to even attempt.”  This statement will be instantly recognizable by anyone in any technical field.  This is because in the beginning was the telegraph.  And the telegraph begat teletype (and baudot code) and the telephone.  And telephone company research labs (in large measure) begat computers.  And teletype begat the Internet.  And wireless telegraphy begat radio.  And radio and the telephone and the Internet and computers begat 4G.  (Or, at least, it will begat it once they get it right.)  But it all started with the telegraph.

As the author states, any communications textbook will mention the telegraph.  Most will tell you Morse code began on May 24th, 1844.  Some might mention that it isn’t in use anymore.  A few crypto books might let you know that commercial nomenclators were used not just for confidentiality, but to reduce word counts (and thus costs) when sending telegrams.  (The odd data representation text might relay the trivium that Morse code is not a binary code of dots and dashes, but a trinary code of dots, dashes, and silence.)

But they won’t tell you anything about what it was like to be a telegrapher, to actually communicate, and help other people communicate with Morse code.  How you got started, what the work was, and what your career might be like.  This book does.

I am not going to pretend to be objective with this review.  George Campbell is my wife’s (favourite) uncle.  He’s always liked telling stories, has a fund of stories to tell, and tells them well.  For example, he was the first person in North America to know about the German surrender in Europe, since he was the (Royal Canadian Naval Volunteer Reserve) telegrapher who received the message from Europe and passed it on.  Of course, the message was in code.  But everyone knew it was coming, and he knew who the message was from, and who it was going to.  You can learn a lot with simple traffic analysis.

There are lots of good stories in the book.  There are lots of funny stories in the book.  If you know technology, it is intriguing to see the beginnings of all kinds of things we use today.  Standard protocols, flow control, error correction, and data compression.  Oh, and script kiddies, too.  (Well, I don’t know what else you would call people who don’t understand what they are working with, but do know that if you follow *this* script, then *that* will happen.)  It is fascinating to see all of this being developed in an informal fashion by people who are just trying to get on with their jobs.

The title, “Good Night Old Man,” comes from a code the telegraphers themselves used.  “GN” (and a “call sign”) was sent when the telegrapher signed off his station for the night.  Morse code is no longer used commercially.  Within a few years, the last of the “native” speakers will have died off.  Morse will become a dead language, possibly studied by some hobbyists and academics, who can tease legibility out of a sample, or laboriously create a message in that form, but without anything like the facility achieved by those who had to use it day in and day out.

This is a last chance to learn a part of history.

copyright, Robert M. Slade   2011     BKGNOM.RVW   20111128

REVIEW: “Mac OS X Snow Leopard: The Missing Manual”, David Pogue

BKMXSLMM.RVW   20110202

“Mac OS X Snow Leopard: The Missing Manual”, David Pogue, 2009, 978-0-596-15328-1, U$34.99/C$43.99
%A   David Pogue david@pogueman.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-15328-1 0-596-15328-7
%I   O’Reilly & Associates, Inc.
%O   U$34.99/C$43.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596153287/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596153287/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596153287/robsladesin03-20
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   885 p.
%T   “Mac OS X Snow Leopard: The Missing Manual”

The introduction to the book states that it is intended for all levels of users, although it is primarily directed at those with an intermediate level of familiarity with previous Mac versions.

Part one introduces the Desktop, and general interface functions.  Chapter one is about folders and windows.  It definitely provides the information necessary to begin to operate the computer, but it also gives the lie to the statement that the Mac is easy to use.  There are a huge number of options for different functions, so many that it is impossible to remember them all.  The material is generally organized by topic, but there are notes, tips, and mentions buried in the text, and it is almost impossible to find these again, when you go back to look for them.  (Given the size of the book, I hesitate to suggest an expansion, but a page or two, at the end of each chapter, listing the points made, would probably be quite helpful.  And the “delete” key definitely needs to be listed in either the index or the key shortcuts appendix.)  The descriptions of operations are also incomplete in some cases.  There is mention of an indicator under Dock items which have open windows, but not that processes with no open windows may still show this indicator.

Chapter two proceeds in much the same way, dealing with the filesystem, and a great deal of trivia related to the associated windows.  The search function, referred to as Spotlight, is very, very detailed in chapter three.  The Dock and Desktop, further aspects of the operating interface, are described in chapter four.  The review of the functions is sometimes annoying in terms of the jargon used: does “go straight to the corresponding window” mean that the window becomes active, or comes to the foreground?  Does it open a window if it doesn’t exist?  Does it relate to programs, or just folders?  You need to work through the material with the book in one hand, and the Mac under the other.  (This process is not aided by inconsistencies in the operation of the Mac itself.  As I was working through this content I tried to create a new document from within the TextEdit program, and found that I did not have any options to create a file in any of the new folders I had established previously.  Later in the chapter there was mention of dragging folders to the Dock, and so I tried that to see whether it would allow me to use that folder.  Lo and behold, now I could create files in any of the new folders I had made, not just the one I dragged to the Dock.  Handy for my purposes, but not very informative in terms of why it worked that way.)

Part two deals with applications and utilities that ship with the Mac.  Chapter five outlines programs in general, along with documents (in terms of association with specific programs) and spaces (virtual, multiple, or external screens).  (More inconsistency: hiding the Finder behaves differently from hiding other applications.  And hiding used with Expose can give you some very … interesting effects.  The book warns you about neither.)  There is also an overview of the Dashboard and “widgets.”  Various aspects of data (entering, checking and moving it) are addressed in chapter six.  At this point in the book, items and tips start to repeat in the content, which possibly addresses the shortcomings in organization and the index.  Scripting (AppleScript) and mechanization (Automator) of common operations are dealt with in chapter seven, along with a set of somewhat related functions known as services.  As could be expected with an activity of the complexity of programming, the description of the associated applications is unclear, but there are some examples that take the reader in lock step through the process, and this exploration should provide a better understanding.  Chapter eight discusses the installation of the Microsoft Windows operating system on a Mac.  The review of Boot Camp (multi-boot installation) is detailed, but the outline of the virtualization options is limited to a mention of functions.

Part three is entitled “The Components of Mac OS X,” which sounds odd in view of the pieces that have already been covered.  Chapter nine addresses System Preferences, which are fundamental and significant settings and operations.  The programs generally provided along with a new Mac are described (in varying levels of detail) in chapter ten.  Removable storage, such as CDs and DVDs, is outlined in chapter eleven, which also notes the iTunes system.

Part four is entitled the technologies of Mac OS X (which sounds a bit odd given that the whole book would be about said technologies).  Chapter twelve deals with account aspects and functions.  Given the importance of access control, it is a bit disappointing to see security factors dispersed throughout, and not presented clearly.  Networks and sharing are discussed in chapter thirteen, with an odd gap in terms of sharing a wired Internet connection.  Printing, in fourteen, misses out on the sharing of printers in a mixed environment.  Chapter fifteen lists some aspects of multimedia, but is strangely reticent about video capture.  Some commands from the default UNIX bash shell are described in chapter sixteen.  Chapter seventeen notes a few customizations, mostly dealt with via outside programs.

Part five stresses the Mac OS online.  Chapter eighteen examines the setup of an Internet connection (and the discussion of sharing it is still limited and confusing).  Setup and operation of the Mail program is covered in chapter nineteen.   The Safari Web browser is dealt with in chapter twenty, and, as usual, there are a number of little tricks which would probably take you years to find out (by accident) on the “intuitive” Mac.  Chapter twenty-one explains iChat, the networks you need to make it run, and an enormous number of tweaks for such a simple function.  Some Internet server programs are listed in chapter twenty-two.  They are given the level of detail that any average computer user would need–except that the average computer user would have no idea of the network connections needed to set up a server on the Internet.

Part six is a set of appendices.  The dialogues for basic installation are listed in the first, but I was sorry not to see anything about installation on non-Apple hardware.  Appendix B has handy tips and suggestions for troubleshooting the most common types of problems.  One of the appendices is a Windows-to-Mac dictionary, which can be quite handy for those who are used to Microsoft systems.  It could use work in many areas: the entry for “Copy, Cut, Paste” says they work “exactly” as they do in Windows, but does not give the key equivalent of “Command” (the “clover” symbol) -C rather than Ctrl-C.  You also need to know that what the book, and most Apple keyboards, describes as the “option” key is portrayed, in Mac menus, with a kind of bashed “T.”  Appendix D has URLs for a number of resources.  A set of keyboard shortcuts is given in the last.  This can be handy, but I found, in trying to rediscover keystroke combinations that I vaguely recalled from somewhere in the book, that I could not find many of them in the appendix.

There is a style issue in the written material of the book: the constant assertions that the Mac is better than everything, for anything.  The first sentence of chapter one says “When you first turn on a Mac running OS X 10.6, an Apple logo greets you, soon followed by an animated, rotating `Please wait’ gear cursor–and then you’re in.  No progress bar, no red tape.”  Well, if the gear cursor isn’t an analogue of a progress bar, I don’t know what it’s supposed to be.  (While we’re at it, I’m not sure what the difference is between the “gear cursor” and the “spinning beachball of death/SBOD.”)  Also, this statement is false: when you first turn on a Snow Leopard Mac, you have to go through some red tape and questions.  This is only one example of many.  This style may have some validity.  After all, anyone who does not use a Mac comes across the same attitude in any Mac fanatic, and, even without the system chauvinism, a positive approach to teaching about the computer system is likely helpful to the novice user.  However, the style should not get in the way of factual information.

For those using the Mac, this book is enormously helpful, and contains a wealth of information.  It’s not limited to the novice, or even the intermediate user: I found items in the work that none of my Mac support contacts knew.  With some minor quibbles I can definitely say that it is a worthwhile purchase.

copyright, Robert M. Slade   2011     BKMXSLMM.RVW   20110202

REVIEW: “Enterprise Security for the Executive”, Jennifer L. Bayuk

BKESCFTE.RVW   20110323

“Enterprise Security for the Executive”, Jennifer L. Bayuk, 2010,
978-0-313-37660-3
%A   Jennifer L. Bayuk www.bayuk.com
%C   130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA   93116-1911
%D   2010
%G   978-0-313-37660-3 0-313-37660-3
%I   ABC-CLIO, LLC/Praeger
%O   CustomerService@abc-clio.com
%O  http://www.amazon.com/exec/obidos/ASIN/0313376603/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0313376603/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0313376603/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   175 p.
%T   “Enterprise Security for the Executive: Setting the Tone from the
Top”

In the introduction, Bayuk argues against security planning based on FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of security tools, and for a holistic and systemic approach to security.  She also recommends the promotion of a security culture in the top ranks of management, setting the “tone at the top” to consider security in a rational and realistic manner.

In chapter one, the author stresses that every organization has a culture, and that the actions (and particularly consistency of actions) by senior management set it, regardless of formal statements.  She also raises interesting points, such as that separation of security from the operational units creates perceptions which may be at odds with the security policy.  (I appreciate her championing of “no exceptions,” although I would argue that a formal exception policy could work as well.)  The discussion of threats and vulnerabilities, in chapter two, is weaker (and the questionable etymology of the term “patch” does not increase confidence in Bayuk’s technical background): ultimately it just seems to say that there are threats.  The title “Triad and True,” for chapter three, may refer to “protect, detect, correct” or the more conventional confidentiality, integrity, and availability.  In fact there are a number of other “triads” mentioned, and the text raises a number of good security concepts generally related to safeguards, but is somewhat scattered and incomplete.  Chapter four talks about risk management, but the process of using it to define a security program remains unclear.  Security factors related to organizational governance structure are examined in chapter five.  Standards, compliance and audit issues are discussed in chapter six.  Chapter seven reviews monitoring, incident response, and investigation.  Requirements for candidates for the position of CSO (Chief Security Officer) are noted in chapter eight.  A template job description is included, but the document is perhaps too narrowly specified to be applicable in many situations.

A fictional case study concludes the book.  (In the introduction, the author promised that all “security horror stories” would be true, but I assume reality is less important in case studies.)  This recapitulates, in narrative form, much of the content of the work.

There is much of value in the text, and it is useful to present that content as it relates to senior management.  Senior management support is, after all, the single most important factor in a successful security program.  However, as noted above, much important material is missing, along the way, and the volume appears to be focussed at a particular type of industry or corporation, and so be less useful to those outside that sphere.

copyright, Robert M. Slade   2011     BKESCFTE.RVW   20110323

REVIEW: “Above the Clouds”, Kevin T. McDonald

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provide a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323


REVIEW: “The Black Swan”, Nassim Nicholas Taleb

BKBLKSWN.RVW   20110109

“The Black Swan”, Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2,
U$26.95/C$34.95
%A   Nassim Nicholas Taleb
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2007
%G   978-1-4000-6351-2 1-4000-6351-5
%I   Random House/Vintage/Pantheon/Knopf/Times/Crown
%O   U$26.95/C$34.95 800-733-3000 randomhouse.ca www.atrandom.com
%O  http://www.amazon.com/exec/obidos/ASIN/1400063515/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1400063515/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1400063515/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   366 p.
%T   “The Black Swan: The Impact of the Highly Improbable”

I was irritated into reviewing this book.  I knew that the title referred to events which are rare, and therefore seen as unlikely or impossible, but which, once observed, are obviously true.  I had heard this book (and idea) discussed in terms of risk analysis, but the mere fact didn’t strike me as terribly useful.  To a certain extent we deal with such issues all the time in business continuity planning.  So, when, during yet another conversation on risk analysis, one participant insisted that we should all read this text, I responded that the earth might fall into the sun, soon, and therefore I couldn’t see risking what little time I had left reading Taleb’s work.

The participant insisted that we weren’t going to fall into the sun for a long while, and therefore I should read the book.  Having now read it, I can say that this person didn’t understand one of the author’s main points.

In the prologue, Taleb describes a Black Swan event as one which is rare, has an enormous impact on the world, and is explainable after the fact.  During the course of the work he presents a number of examples.  A great deal of the text, though, discusses, disparages, and even rants against efforts to predict future events or outcomes, particularly those which rely on models.  The author notes that many of these models fail to take certain factors into account.  This is quite true: a model, by its very nature, must be limited.  A map of Canada, the full size of Canada, would be accurate, but not very portable, and thus not useful.  In the same way, any model is a heuristic, giving a quick indication of operation on the basis of a very limited set of factors.  Taleb’s thesis about rare events seems to take second place to his assertion that you can go badly awry by relying on a model which fails to take all factors into account.

My “earth into the sun” example, therefore, fits well into the theme of the book.  As far as we understand, we have probably billions of years before we spiral into the sun.  On the other hand, some rare event may make this happen much sooner, and we’ll all be impacted (if you’ll pardon the expression).  And, if it does happen, you can bet that, in the few weeks or hours between the event and our incineration, there will be plenty of people who will be building models to explain why it did happen.

This statement is undoubtedly true.  But is it helpful?  Much of the author’s work is addressed at the issue of investment, and particularly “playing” the stock market.  He notes that an investor, by betting on black swan events, can make a large return (since black swan events have a large impact).  This declaration is also true, but you can’t bet on all possible events, so which ones do you choose?  For example, computer equipment retailers who “bet” on tablet computers last year would, this year, be in a very strong position.  Those who did the same thing twenty-three years ago would have been stuck supporting the Newton.

Taleb keeps repeating (and repeating, and repeating, and repeating: his few points are duplicated many times over through nineteen chapters) that just about everyone tries to avoid risk on the basis of what they have seen in the past.  In fact, not only many studies but also common observation show that this isn’t the case.  The general public loves to gamble.  Studies of “successful” people (business leaders, etc.) indicate that they are more prone to gambling and risk-taking than the general public, and, in fact, foolishly so.  (“Leaders” have a strong tendency to gamble even when it is quite clear that taking the small but sure return is the better deal.)

Is this, in fact, evidence that Taleb is correct, and that we all should be risk-takers, betting on black swans?  No.  As he, himself, points out in a different context, some risk-takers win, and become “successful,” while a lot of risk-takers lose, but disappear into the general population.  (Or just disappear.)

The central point about making predictions on the basis of insufficient knowledge is emphasized most repetitively in regard to investments and finance.  The author does suggest a method for ventures: keep 90% of your funds in the most conservative undertakings, and invest the 10% in wildly speculative “positive” black swans.  Of course, this doesn’t guarantee that any of your wild investments do pay off, but at least you will have your 90%.  Unless a “negative” black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review.  Taleb has good facility with language, and writes in an amusing, if scattered, manner.  As a means of passing the time, the text is fluid, entertaining, and even has some points worth thinking about.  However, in terms of this review series, I must consider whether the tome is useful or not, and I’m not certain that it is.  Taleb presents some salient warnings, but makes any number of statements (several of them outrageous) without going to the trouble of backing them up.  (This fact is rather ironic in view of his repeated denigration of academics and technical authors who cannot write clearly and “properly.”  He even admits, almost up front, that a friend “caught [him] red-handed” by challenging him to “justify the use of the precise metaphor of a Black Swan,” and he had to confess “this book is a story.”)

To take a page from the way Taleb writes, I could point out that his “Extremistan” bears a strong resemblance to the age of the dinosaurs.  They developed the largest land-dwelling creatures ever to walk on earth, lasted much longer than we humans have, and, some models show, were able, simply because of their immense numbers, to affect climate in ways that we have only recently been able to do by pumping their remains out of the earth and burning them.  They were also subject to a black swan event in the shape of an asteroid, which left, as their descendants, only Taleb’s much maligned turkeys.

There are certainly holes in this argument, but it is as entertaining, and as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb’s mother: there is some use in this book, but an enormous disparity between what the author thinks it is worth, and what it is actually worth.

(No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade   2011     BKBLKSWN.RVW   20110109


REVIEW: “Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk, Daniel Schutzer

BKEISCPR.RVW   20101023

“Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk, Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00
%E   C. Warren Axelrod Warren.Axelrod@usccu.us
%E   Jennifer L. Bayuk www.bayuk.com
%E   Daniel Schutzer Dan.Schutzer@fstc.org
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-190-9 1-59693-190-6
%I   Artech House/Horizon
%O   U$99.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1596931906/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   231 p.
%T   “Enterprise Information Security and Privacy”

The authors of this collection of papers were told to examine and challenge current and traditional approaches to information security and suggest alternatives overcoming noted deficiencies.

Part one looks at history and trends.  Chapter one traces privacy attitudes and legislation in the United States over the past century, and suggests that privacy and information security are related.  Data protection should be supported by a defined, multi-factor, holistic security system, says chapter two.  (As the editorial comment notes, this is hardly surprising news to security professionals.)  Security faces pressure from operational concerns, and chapter three states that security departments that help the business rather than hindering (in other words, planning security properly) are more likely to succeed.  Chapter four notes that information classification based solely upon confidentiality concerns is limited, but the suggested structure still relates only to that aspect.  The article singularly fails to examine any possible form of multilateral classification scheme, incorporating integrity and availability issues.  Chapter five delves into human factors, which are vitally important to security, but limits the discussion to privacy, which is already pretty human.

That piece finishes off with some examination of risk, although it doesn’t say much about human factors in risk, but I suppose makes a nice lead in to the fact that part two is concerned with risk.  Donn Parker makes his usual contrarian argument against risk-based security in chapter six.  The author of chapter seven notes this objection, but claims that it is only applicable if you fail to account for all the proper factors (totally missing Parker’s point that you can never know all the factors).  A hodge-podge of legal topics goes into chapter eight, but the emphasis (if there is any) seems to be on new “compliance” standards such as the Payment Card Industry Data Security Standard (PCI-DSS or just PCI).  Chapter nine takes a brief and focussed look at the most important changes in the telecommunications arena.

Part three turns to specific industries: finance, energy, transportation, and academia.  Chapter ten lists US financial regulations, and then offers vague suggestions of new regulations.  A number of questions about the security of energy providers or infrastructure are raised in chapter eleven, but there are few answers.  In terms of transport, chapter twelve mentions SCADA (Supervisory Control And Data Acquisition) systems and alarm sensors.  Chapter thirteen doesn’t really appear to examine academia: the “case studies” may be formal, but are really just reports of malware similar to those in the general user population.

If the authors were supposed to present new ideas for security, they have failed.  There is nothing wrong with any of the pieces contained in the book, but they are simply “more of the same.”

copyright, Robert M. Slade   2011     BKEISCPR.RVW   20101023
