Book Reviews

REVIEW: “Cloud Crash”, Phil Edwards

BKCLDCRS.RVW   20101009

“Cloud Crash”, Phil Edwards, 2011, 978-1466408425, U$9.99
%A   Phil Edwards PhilEdwardsInc.com philipjedwards@gmail.com
%C   Seattle, WA
%D   2011
%G   978-1466408425 1466408421
%I   CreateSpace Independent Publishing Platform/Amazon
%O   U$9.99
%O  http://www.amazon.com/exec/obidos/ASIN/1466408421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1466408421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1466408421/robsladesin03-20
%O   Audience n Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   386 p.
%T   “Cloud Crash”

To a background of the Internet crashing, and opposed by a conspiracy that has penetrated the highest levels of government, two (no, make that three … err … four … better say five …) groups of individuals race to save the world from … a stock market fraud?  hostile takeover? aliens?  (No, I’m pretty sure the aliens were a red
herring.)

The story and inconsistent characterizations could use some work, and the plot twists don’t make it very easy to follow what is going on.  It’s fairly easy to tell who the good and bad guys are: the politics and philosophy of the book are fairly simple, and one is reminded of the scifi and comics of the 30s and 40s, with heavily anti-fascist and (ironically) right-wing rhetoric.

It would be tempting to dismiss the work as a simple “jump on the latest buzzword” potboiler, were it not for the fact that the technology is fairly realistic.  Yes, right now everyone is jumping on the cloud bandwagon without much regard for real security.  Yes, if you wanted to make a big (and public) splash on the Internet, without doing too much permanent damage, taking down power supplies would still leave the data intact.  (Of course, an axe would do just as good a job as bombs …)

So, while the story isn’t great, at least the technology is less annoying than is normally the case …

copyright, Robert M. Slade   2012     BKCLDCRS.RVW   20101009

REVIEW: “Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch

BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch,
2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O  http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122

REVIEW: “World War Hack”, Ethan Bull/Tsubasa Yozora

BKWWHACK.RVW   20121009

“World War Hack”, Ethan Bull/Tsubasa Yozora, 2012, 978-0-9833670-8-6
%A   Ethan Bull
%A   Tsubasa Yozora
%C   9400 N. MacArthur Blvd., Suite 124-215, Irving, TX   75063
%D   2012
%E   Gwendolyn Borgen
%G   978-0-9833670-8-6 0-9833670-8-6
%I   Viper Entertainment Inc./Viper Comics
%O   U$7.95 wyatt@worldwarhack.com www.worldwarhack.com
%O  http://www.amazon.com/exec/obidos/ASIN/0983367086/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0983367086/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0983367086/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   72 p.
%T   “World War Hack”

Someone (eventually we find out they are backed by the Chinese) has hacked into the United States military and government control systems.  Fortunately, despite being in complete control and untraceable, all they seem to want to do is make one military drone act up.

The US government immediately swings into action, and sponsors a hacking contest, to try and identify suitably talented young geniuses (genii?) to find out what is going on.

It’s hard to follow what is going on, since the artwork makes it difficult to differentiate between characters.  There are young people with bad haircuts, and there are other people with suits.  Some people are female.  After that, it gets hard to tell who’s who.  One of the hackers is a government agent, another one has a criminal record but seems to be a son of a suited government agent.

Some of the technical and hacking activity is somewhat realistic, but other aspects are bizarre, and betray a complete lack of understanding of basic technology.  For example, at different times a programming language gets “hacked” (in the sense of breaking into it), and at another time a government administrator can’t tell what computer language has been used to write a specific program.  In the real world of programming and hacking neither of these scenarios makes any sense.  Absent Ken Thompson’s famous speech nobody “hacks” a language, and generally nobody cares what language has been used to write a utility once it is operating.  (By the way, no programmer ever said LISP was a concise language, and there is no way that even a “skin” on top of LISP would look like C.)  At another point two devices “piggyback” on the same IP address, which simply does not work in networking terms.

There are aspects of this story that are realistic.  One is that, if you are not careful with your systems, someone can penetrate them and mess with you.  If there are any other useful factors in this story, I can’t think of them offhand.

(As usual, the draft of this review was submitted to the author/publisher for comment prior to publication.  I often get rude email in response, sometimes threats of physical harm, and once even a death threat.  [Yes, really.]  In this case the publisher has threatened unspecified legal action “to protect the copyright on our work.”  I would be interested to see the publisher’s reaction to counsel explaining the “commentary” aspect of the concept of “fair use.”)

copyright, Robert M. Slade   2012     BKWWHACK.RVW   20121009

Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)

REVIEW: Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed, Jack Nuern

BKIDTHMA.RVW   20120831

“Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern, 2012
%A   Jack Nuern http://www.idtheftadvocates.com
%C   4901 W. 136 St., Leawood, KS, USA   66224
%D   2012
%G   ASIN: B0088IG92E
%I   Roadmap Productions
%O   fax 866-594-2771
%O  http://www.amazon.com/exec/obidos/ASIN/B0088IG92E/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/B0088IG92E/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/B0088IG92E/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   128 p.
%T   “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”

Despite the implications of the title, this is not a primer for performing identity theft, but a guide to preventing and recovering from it.  The information, unfortunately, is fairly pedestrian, and most of it could be obtained from any magazine article on the topic.

Chapter one is a (very) basic introduction to identity theft, with a rather odd emphasis on the use of medical information.  Methods of identity theft are described in chapter two.  Unfortunately, this is where the book starts to show signs of serious disorganization, and some of the material is more sensational than helpful.  Chapter three lists some steps you can take to attempt to prevent identity theft.  The suggestions are the usual standards of not giving out any information to anyone, and the book tacitly admits that protection is not assured.

Chapter four gets to the real intent of the work: actions to take when your identity has been stolen and misused.  There is a great deal of useful content at this point, limited by two factors.  One is that everything discussed is restricted to institutions in the United States.  The other is that there is almost no discussion of what the entities mentioned can do for you or what they can’t or won’t.

As one could expect from a book written by a law firm, chapter five addresses the liability that the victim of identity theft faces.  The answer, unsurprisingly, is “it depends,” backed up with a few stories.  (Pardon me: “case studies.”)

There are some appendices (called, predictably, “Exhibits”).  Again, most of these will only be of use to those in the United States, and some, sections of related laws, will be of very little use to most.  There is a victim complaint and affidavit form which would probably be very helpful to most identity theft victims, reminding them of information to be collected and presented to firms and authorities.

The book is not particularly well written, and could certainly use some better structure and organization.  However, within its limits, it can be of use to those who are in the situation, and who frequently have nowhere to turn.  As the book notes, authorities are often unhelpful and take limited interest in identity theft cases.   And, as the book also (frequently) notes, the book is cheaper than hiring a law firm.

copyright, Robert M. Slade   2012     BKIDTHMA.RVW   20120831

Official (ISC)2 Guide to the CISSP CBK

Recently, on the CISSPforum, there was some discussion of the new, third edition of the Official (ISC)2 Guide to the CISSP CBK (which, I note, is pretending to be available as an ebook for only ten bucks).  At the end of one post, one of the correspondents stated that he was “leaning towards buying the new book.”

First, lemme say that, for those who haven’t yet got the cert, I do recommend the “Official Guide” as my first choice.  (Harris is easier to read, but does contain *lots* of errors, and I tell my seminar candidates that I refuse to answer any question that starts out “Shon Harris says …”   :-)

However, on the other hand … why would anyone who has the cert buy the guide?  Of course, I am speaking from the perspective of someone who does read the source literature (and I am aware that all too many of my colleagues do not).

I also recall at least two seminar attendees who actually did have the cert.  Furthermore, they were consultants, and thus going on their own dime for the course.  The reason given was the same: they charged by the hour, so any time spent upgrading was time they could not charge.  Therefore, regularly attending the seminar was the fastest, and therefore, in their situation cheapest, way to ensure they were current.

So, yes, I can see that some people would want to get the guide as a quick check.  (In that regard, I would tend to recommend ISMH instead of the guide, but …)  But I still find it kind of odd …

REVIEW: “The Quantum Thief”, Hannu Rajaniemi

BKQNTTHF.RVW   20120724

“The Quantum Thief”, Hannu Rajaniemi, 2010, 978-1-4104-3970-3
%A   Hannu Rajaniemi
%C   175 Fifth Avenue, New York, NY  10010
%D   2010
%G   978-1-4104-3970-3 0765367661
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0765367661/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0765367661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765367661/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   466 p.
%T   “The Quantum Thief”

This is the type of space opera that creates whole worlds, technologies, and languages behind it.  The language or jargon makes it hard to read.  The worlds are confusing, especially since some are real, and some aren’t.  The technologies make it way too easy to pull huge numbers of deuses ex way too many machinas, which strain the ability to follow, or even care about, the plot.  In this situation, the plot can be random, so the impetus for continued reading tends to rely on the reader’s sympathy for the characters.  Unfortunately, in this work, the characters can also have real or imagined aspects, and can change radically after an event.  It was hard to keep going.

Some of the jargon terms can be figured out fairly easily.  An agora, as it was in Greece, is a public meeting place.  Gogol wrote a book called “Dead Peasants,” so gogols are slaves.  Gevulot is the Hebrew word for borders, and has to deal with agreed-upon privacy deals.  But all of them have quirks, and a number of other terms come out of nowhere.

I was prompted to review this book since it was recommended as a piece of fiction that accurately represented some interesting aspects of information security.  Having read it, I can agree that there are some cute descriptions of significant points.  There is mention of a massive public/asymmetric key infrastructure (PKI) system.  There is reference to the importance of social engineering in breaking technical protection.  There is allusion to the increased fragility of overly complex systems.  But these are mentions only.  The asymmetric crypto system has no mention of a base algorithm, of course, but doesn’t even begin to describe the factors in the PKI itself.

If you know infosec you will recognize some of the mentions.  If you don’t, you won’t learn them.  (A specific reference to social engineering actually relates to an implementation fault.)  Otherwise, you may or may not enjoy being baffled by the pseudo-creativity of the story.

copyright, Robert M. Slade   2012     BKQNTTHF.RVW   20120724