bfast.com · Domains · Slashdot Mirror

Hack Attacks Revealed, Second Edition

News · Security · 2003-03-03 05:00 · posted by timothy · from the back-for-more dept. · 96 comments

Reader Bill Camarda reviewed Wiley & Sons' Hack Attacks Revealed in June, 2001. Now Tom Brays has examined the book's second edition, and concludes that it's well worth the read. Read on below for his review of the second edition (and the the linked review of the first edition) to get an idea of how the new version stacks up. Hack Attacks Revealed: A Complete Reference for UNIX, Windows, and Linux with Custom Security Toolkit, Second Edition author John Chirillo pages 960 publisher John Wiley & Sons rating 9/10 reviewer Tom Brays ISBN 0471232823 summary All things considered, Wiley should have waited and released this first; this book pans out to be more of an original than a second edition and well worth the read.

The first edition instigated quite a bit of controversy with some glaring errata and misconstrued statements, and the author claims to have alleviated them as well as accommodating critiques:

The primary difference between this second edition and the original Hack Attacks Revealed, aside from some rectified errata, is approximately 300 pages of over 170 new exploits, advanced discovery techniques, malicious code coverage of Myparty, Goner, Sircam, BadTrans, Nimda, Code Red I/II and more, current vulnerabilities, advisories, and hacking labs with additional illustrations, and techniques for routers, operating systems (including Windows 2000/Pro and XP, Solaris, LINUX), and server software daemons. You'll also find a special chapter dedicated to the Top 75 Hack Attacks.

To accommodate the new material, most of the extraneous information, lists, and most source code was moved from the book to the CD-ROM. In addition to the new material, you'll find a special single license release of the internetworking security toolkit, TigerSuite Pro 3.5. This kit contains modules to discover, scan, penetrate, expose, control, spy, flood, spoof, sniff, infect, report, monitor, and more, plus a special 60-page usage and user guide.'

This book promises quite a bit in a new edition; let's see what's really in here ...

Okay, there are 914 pages (only about 15 or so with source code this time) and the chapter layout is completely different as the book starts with a Technology section, followed by Discovery, then Penetration, Vulnerabilities, and finally the Toolbox.

The technology section is nicely abridged to about 87 pages. The Discovery part differs greatly in that the source code has been moved to the CD and the author has added more coverage and examples, plus some stealthier techniques and more recent SNMP, file sharing, DNS, NetBIOS, and CGI stuff. The ports and services sections are still there but I found them to be pretty handy references at any rate. Also, the Penetration section now contains updated material; it's nice to see IDS stuff added in here too.

In addition, the Vulnerabilities section is promising. There's an excellent chapter in which Chirillo identifies what he considers the top 75 exploits -- examples that have certainly proven to be persistent examples of security weaknesses -- and the newer material especially makes this chapter significant. It contains thorough coverage as well as countermeasures for the listed exploits.

The CD contains some of the same plus full licensed software, an updated repository and all of the source code moved from the original text.

All things considered, Wiley should have waited and released this first; this book pans out to be more of an original than a second edition and well worth the read.

You can purchase Hack Attacks Revealed, 2nd Edition from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Half Mast

2003-02-28 04:00 · posted by ryuzaki0 · from the collective-nouns dept. · 400 comments

PCM2 writes "The Columbine tragedy planted the idea of a certain kind of 'bad kid' into the American consciousness. He isn't social, he doesn't play sports, doesn't dress right. Maybe he spends more time with his computer than with the other kids in his class. It makes sense that he'd be a threat to his classmates, because he's weird. The consequences of this stereotype for the geek culture have already gotten a lot of air time on Slashdot -- most notably Jon Katz's Hellmouth series. So I immediately thought of Slashdot when I read Christopher Null's novel, Half Mast." Read on for the rest of PCM2's review. Half Mast author Christopher Null pages 219 publisher Sutro Press rating 7 reviewer PCM2 ISBN 0972098100 summary An interesting novel of murder among high school outsiders.

Alex, the protagonist of the story, is a geeky kid. He gets picked on. And he kills somebody because of it. But that's pretty much where the similarities between Alex and Dylan Klebold end.

What's refreshing about Half Mast is how the author accurately captures the world of a high-school outsider. Writers can be pretty introverted types themselves, but few of them end up killing anybody. So when they try to imagine the type of character who would, a lot of them tend to fall into the trap of inventing someone even more unfathomably nerdy than themselves. Thankfully, Null avoids this.

Alex isn't a complete, pathetic loner. He has friends. And together, Alex, Travis and James aren't the typical cookie-cutter stereotypes of kids too terminally dorky to get with the program. They're not so trollish that they can't get within booger-flicking distance of a girl, or so chess-club square that they wouldn't touch a drop of alcohol at a party (in fact, they spend much of their summers doing just the opposite). Null gets it: that most geeks aren't necessarily "deprived," and being an outsider isn't always about being excluded. It's about being different -- and that, in and of itself, can have its consequences.

In Alex's case, his nemesis is Steve Williams: hometown hero, star athlete, the pride and joy of Fall Valley High -- if you care about that sort of thing, that is. Alex doesn't, particularly. He fails to kowtow to Steve the way the way Fall Valley's golden boy thinks he deserves -- and here's where his proverbial troubles begin. Steve subjects Alex to a series of humiliating tortures that should have even the most picked-on geek cringing.

When Alex does finally strike back, it isn't with a hail of gunfire, either. He's calculating about it. I must admit, I'm not really convinced that Alex's modus operandi would actually pan out the way it does in Half Mast. But it certainly makes for more interesting reading than your standard shoot-out, and in its way, it's much more sinister. Also, because Alex doesn't have the option of the Columbine killers' quick way out, he's forced to live with his actions and their impact on his own life.

That's the book's focus, and what saves it from being just another wannabe crime thriller. Christopher Null cares about his characters, and he's taken care to depict them in a way that geeks will find sympathetic and (mostly) believable.

While a lot of Null's characters and situations were amusingly familiar, others rang less true. The Steve Williams character was a little too prone to making speeches about the relationship between bullies and their victims, for example, instead of just knocking Alex into the dirt the way the kids at my school would have done. There were also a few too many end-of-chapter "zinger" one-liners for my taste, and the novel uses the awkward device of a present-day journal talking about events that took place several years in the past.

Still, it's an impressive debut novel about an uncommon subject matter, and one I think a lot of Slashdotters would get a kick out of. Half Mast is a fast read, and an enjoyable one. It's also notable because the author chose to self-publish rather than go the traditional route. (Or maybe the topic was too "troublesome" for mainstream publishers in a post-Columbine world?)

You can purchase Half Mast from bn.com as well as from Null's own Web site at sutropress.com, which also has some excerpts from the book. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Storage Security

It · Security · 2003-02-24 03:58 · posted by timothy · from the place-for-your-stuff dept. · 125 comments

shiroi_kami writes "What does Information Security mean to you? To many, it means firewalls and encryption. To some, it means intrusion detection systems. Chances are the words "file servers" weren't high on your list, but they probably should be. After all, information security is about information, and when it's not flying across the network it's got to be stored somewhere, right? In fact, the security of the storage mechanism is often overlooked, which makes it an attractive target for attackers. In their new book, Storage Security, the authors take a comprehensive look at this often-ignored subject. Update: 03/26 05:44 GMT by T : Please note, this review was written by David Bianco under the handle shiroi_kami as an Amazon.com review, and also appears at InfosecBooks.com. Apologies to David for the misplaced and delayed attribution. Storage Security: Protecting, SANs, NAS and DAS author John Chirillo, Scott Blaul pages 408 publisher John Wiley & Sons rating 9.8 reviewer David Bianco ISBN 0764516884 summary A storage security handbook that examines strengths and weaknesses, describes architectural security concerns and considerations, and identifies ways to implement and design more secure storage systems.

Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security.

And once the system is selected, you can't stop there. You've got to decide on appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.

The book's evaluation methodology is particularly valuable. Each type of storage (directly attached, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct-attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics.

The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the best technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.

Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine, since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.

Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may or may not need this book. If you have a larger network, though, or have significant data-storage needs, this deserves a space on your shelf.

You can purchase Storage Security: Protecting, SANs, NAS and DAS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Fooled by Randomness

Science · Money · 2003-02-20 04:00 · posted by timothy · from the likely-story dept. · 214 comments

Max Tardiveau writes "I just finished Nassim Nicholas Taleb's Fooled by Randomness. It is an enjoyable book, written engagingly by an interesting character -- the kind of book that makes you think twice about certain things (for instance, the fact that you're not dead: is that really because you're so darn good, or does dumb luck play a part?) Although written all the way back in 2001, this book is more relevant than ever, since one of its major topics is the impact of unpredictable events on markets, insurance, and our perception of life in general. In fact, Taleb makes a living from unforeseen events; these days, that seems like a rather cunning niche." Read on for the rest of his review of this book. Fooled by Randomness author Nassim Nicholas Taleb pages 220 publisher Texere rating 8 reviewer Max Tardiveau ISBN 1587990717 summary Debunking fallacies of observation, Taleb reminds us of the pervasive ineffables that complicate life at every turn.

The main topic of the book is the fact that all humans are simply terrible at judging probabilities. Taleb is a securities trader, so a lot of the book revolves around financial probabilities, but his argument is mainstream and requires absolutely no knowledge of the markets. The book details examples of people wildly misjudging risks and probabilities in many contexts. Often that misestimation is understandable in advance of certain events, but harder to excuse after they've occurred; Taleb hits pretty hard on what he calls "data snoopers," his term for people who back-fit theories to existing data.

One of the most notorious examples is the Bible code (which has been thoroughly debunked), but Taleb argues that analysts who spend their time trying to find patterns in historical market data are no different: if you try long enough and hard enough, you will unavoidably find apparent regularities, which can be extremely compelling when seen in isolation. In context, though, they dissolve into nothing but meaningless statistical anomalies. Taleb rightfully compares these searches for meaning to the famous monkeys and typewriters parable.

Taleb's best example of poor probability intuition is probably the infamous survivor bias, which is our tendency to be disproportionately impressed by success. We almost always ignore the fact that, for one success story, there are many failures. But we seldom hear about the failures (just like we never hear about the many theories that didn't fit the data). So it's all a game of numbers: out of 10,000 traders, a few are statistically bound to be successful, even if they are nothing more than lucky idiots. The fact that they succeeded does not mean anything. It doesn't mean that they are bad traders, but it doesn't mean that they are good traders either, because on average somebody had to succeed.

One of Taleb's hot buttons is that people tend to be too confident in what they know. He argues convincingly that we should take everything, including science, with a grain of salt. Writing about Karl Popper, he points out that there are only two kinds of scientific theories: those that are demonstrably false, and those that are not yet demonstrably false. An irksome (but sadly true) observation, yet most people behave as if what they know is eternal truth. One could of course argue that Popper's observation is but another kind of truth, but I tend to put a lot more trust in people who question what they know than in people who don't.

Another of Taleb's peeves is the human tendency to over-attribute every random event (the old post hoc, ergo propter hoc). For instance, a commentator saying that "the Dow went down ten points today on concerns about Iraq" is talking nonsense: there is no way anyone can tie such a small market move to any particular reason. I found this specific point (which in retrospect is blindingly obvious) especially enlightening, as I am embarrassed to admit that, until now, I just accepted those market comments at face value.

Taleb also has some fun at the expense of economists and analysts, especially those whose predictions turned out wrong, but who claim that the theories were in fact right, and that the facts simply weren't supposed to be that way. This is what he calls denial of history, and is common among investors and gamblers (the two being of course close cousins).

The style of the book is informal and funny, and often meandering. We hop from one topic to the next, which occasionally may detract from the book's continuity, but overall the author's points come through loud and clear. Ironically for a man who advocates self-doubt, Taleb is starkly self-confident, though not in an irritating way.

Taleb is an intriguing, multi-cultural, iconoclastic character that has been around Wall Street for a while, and now runs his own small firm. Malcolm Gladwell (author of The Tipping Point, an absolute must-read for anyone who owns a brain) has written an excellent article that shows how Taleb's reasoning runs counter to just about every bit of conventional Wall Street wisdom. If you're interested in the markets, especially derivatives, and how Taleb trounces most of Wall Street's voodoo doctors, this moderately technical interview from 1996 is worth reading too.

Overall, a warmly recommended book.

You can purchase Fooled by Randomness from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Hacker's Challenge 2

It · Security · 2003-02-19 04:45 · posted by timothy · from the where's-robert-redford dept. · 95 comments

Francis White writes "Hacker's Challenge 2 is the second volume in a series of books that present a series of real-world security scenarios and their solutions. For each scenario, information is given, clues are presented and questions are asked of the reader. Turning to the back of the book reveals what really happened along with suggestions and tips for how to respond to and possibly even prevent each presented attack." Read on for the rest of his review. Hacker's Challenge 2 author Mike Schiffman, Bill Pennington, Adam J. O'Donnell, David Pollino pages 352 publisher McGraw-Hill Osborne Media rating 9 reviewer Francis (Frank) White ISBN 0072226307 summary A computer security puzzle book with interesting challenges and detailed solutions

What It Covers

The scenarios in the book cover a wide range of current attacks. There are a few scenarios involving wireless access that each manage to point out a different facet of wireless security. Also, the book includes a few examples of network penetrations, a man in the middle attack, a bit of forensic analysis and the highly popular (in the media at least) "insider attack." One chapter focuses on exploit development using a simple stack overflow, which is a nice diversion.

The book's format is identical to that of the previous volume. Each challenge is rated Low, Medium, or High for Attack Complexity, Prevention and Mitigation. An account of each problem is presented (organized by date and time), often from the point of view of the person charged with figuring out what is happening or has happened. Logs are presented as they are requested by the investigator; the authors do a great job of following the thought processes and actions of the people responding to the incident as they discover each clue and take their steps forward.

At the end of each scenario description, there are a number of questions that generally help focus the reader's attention on the relevant parts of the scenario. After the reader comes up with some likely answers, he can turn to the back of the book where the solutions are found. Each solution is broken down into an explanation of the attack, how the attack could have been prevented, and steps to take to mitigate the effects of the attack after it has occurred.

The explanation highlights the clues that were presented, how they could have been used to solve the challenge, and the right (or wrong) steps the investigator took and why. Links to additional information and references are provided at the end of each solution.

The Authors

Hacker's Challenge 2 is written by Mike Schiffman (@stake), Bill Pennington (WhiteHatSec), Adam J. O'Donnell (working towards PhD at Drexel), and David Pollino (@stake). From the material presented, if not from their reputations and contributions to the computer security field (some of them under other names), the authors are obviously very familiar with analyzing and responding to security incidents. All of them contributed to the previous volume in the series. The book does not identify who wrote each chapter, unlike the first volume.

Why I Gave This Book A 9 I have read the previous volume in the series. I liked this volume a lot more, and while I was reading it, I tried to work out why. One of the possibilities I came up with is that they trimmed the number of authors from somewhere around ten, as they had used for the previous volume. The consistency of the writing and scenarios is greatly improved. The scenarios in this book are also much more interesting to me than in the previous book. It feels much more current than the previous volume. (I still recommend the previous volume, however, if you haven't been following possible attacks and countermeasures for a while. - I'd say I'd give it a 7.)

From the first chapter which opens with a still under-publicized layer-2 802.11 attack, it grabbed my attention. This is a great book for seeing not just what attacks are out there, but what attacks people in the security industry think are likely in the real world.

Like the previous volume, there doesn't appear to be much vendor bias in this book, which is always a welcome sight to me. Also, although the authors work in the security industry, they stay away from promoting themselves or their companies. (They do include links to some documents on company web sites, but they are technical documents, not marketing fluff.)

This volume is also packed with humor, although perhaps not everyone will appreciate or catch all of the jokes. My favorite quote in the book is from the chapter where "d4rkl0rd", a young novice hax0r who only speaks in l33t speak, is at the dinner table : "n0 m0m, 3y3 h4t3 gr33n b34ns, dUh!"

Conclusion I definitely recommend Hacker's Challenge 2 to anyone interested in, or responsible for, computer security. Even if you are very familiar with the subject, it's worthwhile to look over the attacks and solutions presented, and to compare the suggested response with the one you would use if presented with a similar scenario. The book is worth picking up even if you have read the previous volume, as it is of even higher quality, and covers, for the most part, completely different attacks. The format is easy to read and the real-world problem scenarios presented are interesting enough to keep you reading. The solutions are well presented and thorough, covering not just what happened in the attack and how to put the course of events together from the clues, but also ways to prevent and mitigate the attacks. Highly recommended. You can purchase Hacker's Challenge 2 from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Agile Software Development with Scrum

Developers · Programming · 2003-02-18 03:30 · posted by timothy · from the don't-break-your-nose dept. · 168 comments

bADlOGIN writes "Anyone and everyone on Slashdot probably knows that business-driven software development efforts all too often end up as a mess. After a number of years of observation, research, and fine tuning, Ken Schwaber and Mike Beedle have released a book that makes a subtle but vital revelation about the nature of software projects and how to better run them. Learning what Scrum is and how to practice it is not all that profound. However, sitting back and realizing why Scrum works and how it addresses the fundamental flaws of the last 20 years of software engineering is. This book could be viewed as the "why" component to all of Extreme Programming's "how." Agile Software Development with Scrum author Ken Schwaber and Mike Beedle pages 158 publisher Prentice Hall rating 9/10 reviewer bADlOGIN ISBN 0130676349 summary This book could be viewed as the Why component to all of Extreme Programming's Hows. It explains managing software development as an empirical process.

What it's all about:

Books that claim to hold the keys to developing software the right way are most often: a) a dime a dozen, b) self-serving vendor drivel, or c) all of the above. While this book is fairly new on the shelf (Copyright October 2001), it has a level of research, professionalism, and effort towards being tool- and language-agnostic that may place it in a fourth category of being: d) none of the above. Agile Software Development with Scrum is a complete picture of the Scrum process from theory to practice in real life examples. The name Scrum was chosen because the process is similar in nature to rugby play where success is built upon being quick, adaptive, and self-organizing. The target audience for the book is "executives, software managers, project leaders, and programmers." While the authors make no assumptions directly, being familiar with Extreme Programming, "classic" waterfall methodology, and having hands-on experience with the chaos of software development is indeed helpful.

The primary theme of the book is simple, but the impact is profound: software development is an empirical rather than a defined process. That's a nice big sweeping claim to make: fortunately, the authors spends a lot of time making sure that you as the reader understand what they mean by the statement and that they're serious about it. Comparisons to other empirical processes are illustrated with examples of changing, complex problems. The authors seek out and provide unique insights from process dynamics experts on the nature of empirical versus defined processes, and cite profound supporting work regarding the limitations of algorithms in complex systems with external inputs (e.g. Wegner's Lemma).

Along with a good dose of theory, there is a generous helping of practice and how-to. Agile Software Development with Scrum covers the basic practices and concepts needed to manage software development in an empirical fashion. The authors do a good job of addressing the classic "but what about..." questions on the spot in a conversational manner and include anecdotes throughout to make specific points and include full process examples towards the end.

What's good about the book?

Scrum is the missing "why" to Extreme Programming's "how." By it's nature, Extreme Programming incorporates all of Scrum's spirit, and vice versa. This book has a foundation of ideas and an explanation of what it takes to seriously improve the state of the practice of software engineering. The order is reasonable, and the depth of information should give any determined individual the ammo they need to make a change in how software is developed in their current job or their next.

What could have been better? There are only three things worth mentioning for improvement, all of which could be easily done. First, there were occasional typographical and formatting errors -- places where indentation, capitalization, or bullets were missing broke the flow. Second, the graphics in more than one section were blocky, low resolution circa 1987. And last, the $30.95 list price was a bit steep for 158 pages. It should be noted that the typographical and graphics issues were the only thing that prevented me from rating this 10 out of 10.

Summary In my opinion, this book has been needed for a long time. The issues and failures of defined processes such as the "classic" waterfall methodology can't be set aside until there is an approach that can justify itself both in theory and in practice to replace it. Extreme Programming has gained much attention, but tends to depend too much on the fact that "it works because it works." Scrum gives you a way to fix your development efforts without as much culture shock or risk. It's worth considering implementing before your competition does.

You can purchase Agile Software Development with Scrum from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Mission Critical Security Planner

News · Security · 2003-02-17 03:15 · posted by timothy · from the wear-your-mithril dept. · 45 comments

Kerberos99 writes "Mission Critical Security Planner is a timely and important book from Eric Greenberg, author of Network Application Frameworks (reviewed on Slashdot and used as a text in many CS courses). In Mission Critical Security Planner (MCSP),Greenberg advocates an actionable, meaningful security approach that doesn't get hung up on methodology or reliance on abstract standards, like DoD and other common standards." Read on for the rest of Kerberos99's review. Mission Critical Security Planner author Eric Greenberg pages 416 publisher Wiley rating 9.5 reviewer Kerberos99 ISBN 0471211656 summary Provides an innovative approach to create a customized security improvement plan, including analyzing needs, justifying budgets, and selecting technology, while reducing time and cost.

Greenberg delights in skewering bureaucracies that believe planning and methodology is an end in itself, yet recognizes key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.

Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous and at others professorial -- it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc), and so forth yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.

MCSP utilizes a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. Using Greenberg's approach there are three components to the Security Plan: Security Stack (physical, network, application, OS), Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). Interestingly, you may have noticed that the Security Stack is similar to the OSI model -- this is typical of the rational and logical approach throughout the book. Using the worksheet approach as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Based on the worksheets, the impact analysis method approach provides a readily understandable plan that reflects the specific business, technical, and lifecycle tradeoffs in your organization.

Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.

MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.

Online reader resources are available and chapter one maybe downloaded from http://www.criticalsecurity.com.

Table of Contents

Chapter 1: Setting the Stage For Successful Security Planning.
Chapter 2: A Security Plan That Works
Chapter 3: Using the Security Plan Worksheets: The Fundamentals
Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
Chapter 5: Strategic Security Planning with PKI
Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future

You can purchase Mission Critical Security Planner from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

The Making of the Atomic Bomb

News · Technology · 2003-02-14 03:30 · posted by chrisd · from the smart-people-building-gadgets dept. · 298 comments

chrisd has taken time off from polls and posting to both read and review Richard Rhodes' The Making of the Atomic Bomb. Read on for his impressions of the book, which he says is "not really a story about the men so much as the science they pursued." The Making of the Atomic Bomb author Richard Rhodes pages 886 Pages publisher Touchstone/Simon and Schuster rating 5 out of 5 uh, somethings reviewer Chris DiBona ISBN 0684813785 summary How the bomb came to be.

Lansing Lamont's Day of Trinity was the first book I read about the Manhattan Project. In what turns out to be a decent if uncritical look at the pursuit of atomic weaponry, Lansing was given exclusive access throughout the life of the Manhattan Project. In reading the book you feel like you have a fly-on-the-wall view of the process of producing the first uranium and plutonium bombs.

Lamont's telling is a bit thin though, not going into the motivations of the scientists and only barely touching on the geopolitical situation at the time. This not to say that it is craven, but it is overly sympathetic and a bit too rah-rah about atomic weaponry and their usefulness.

In the book, Mr. Rhodes takes the time to explore the base motivations of the scientists. Ever wonder exactly what motivated Teller's bloodthirstiness? What inspired the scientists to continue driving toward the atomic prize even after the fall of Germany? Rhodes has spent the time researching exactly what made the major players tick.

This is all well and good, but probably the most enjoyable thing about the book is how it's not really a story about the men so much as the science they pursued. The book is not really about the bombs, either, but more the history of physics and physicists.

Always keeping the science accessible and exciting, he manages to explain concisely the process of discovery and experimentation and how the significant events of history affected both the project's progress.

The way that Mr. Rhodes tracks the movements of physicists from anti-semitic Germany to Los Alamos, Chicago and other centers of the nuclear arms program is especially compelling and lends keen insight into the motivations of the physicists involved.

One of the most important (and stomach churning) things about the book is how it shows how cheap human life became in the first half of the 20th century. I think that it is important, when considering the horror of dropping bombs on Hiroshima and Nagasaki, that people have the proper historical context before coming to one conclusion or another about the morality of the dropping of the bomb. This book gives that context.

This is not to say that this is a perfect book. Reaching as it does from the mid 1800s through to the dawn of Teller's super-bomb, the book's scope means that some discoveries and scientists don't get the in-depth coverage that Bohr, Szilard and Oppenheimer do, and he doesn't talk much at all about the espionage that surrounded nuclear development. Nor in my mind does he fully answer the question of why the scientists remained motivated to produce the weapons after Germany had been conquered.

Those caveats aside, this is a terrific book well worth checking out if you are interested in the birth of modern physics, the men and women behind it, or the most powerful weapon that has ever been used on humans.

You can purchase The Making of the Atomic Bomb from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Extreme Programming for Web Projects

Developers · Programming · 2003-02-13 03:30 · posted by timothy · from the dude-that-web-is-cyber dept. · 181 comments

PinglePongle writes with this review of Addison Wesley's Extreme Programming for Web Projects, writing "The authors work for a web shop, building websites for customers, and try to use their experience to make life easier for their readers. Their main point concerns how traditional web projects are structured to leave at least one of the parties taking a big risk on the project: if the project is 'fixed price, fixed scope' the developers take all the risk, if it's 'time & materials' the customer takes a risk -- they can not be sure their money will lead to whatever it is they want." Read on to see whether the authors have successfully outlined a fairer, more successful system in the rest of PinglePongle's review, below. Extreme Programming for Web Projects author Doug Wallace, Isobell Raggett, Joel Aufgang pages 165 publisher Addison Wesley rating Poor reviewer PinglePongle ISBN 0201794276 summary A book about applying the Extreme Programming methodology to web projects.

Can good ideas dominate the buzzwords? This risk -- the authors contend -- is the reason many web development projects fail in one way or another. The client's objective is to obtain maximum value, the developer's to incur the least cost possible without getting sued.

The authors show a way in which this risk can be shared fairly between the client and the developer, by using XP and iterative development cycles, alongside a release plan, to acknowledge the risks inherent in a development project, and manage them rather than try to pretend they don't exist. The project team -- client and developer -- work together to create an iteration plan, and use this shared understanding of the requirements to guide the project.

The book is structured into 4 parts: Part 1: XP and Web Projects explores the problems associated with web development projects. Part 2, Working on Web XP Projects explores some of the practicalities of the authors' process - iterative development cycles, the development environment, team roles, and the graphic design process. Part 3: XML and Web XP is a bit of an oddity in a methodology book -- it focuses on some technology-specific issues which the authors claim can be addressed by using XML. Part 4: Web XP Best Practices discusses planning, design, coding and testing issues.

What's good about this book? Well, there are some insights into the relationship between suppliers and customers in development projects. (I don't believe, though, that they're as specific to web projects as the authors seem to claim).

What's bad about this book? It seems to be a sales brochure for the author's web shop -- "we do things thusly, and it yields fantastic results every time." The text is full of fairly broad, even sweeping statements ("Many programmers put SQL code right on a web page" -- when was the last time you saw a select statement on a web page ?).

The authors do not really seem to be able to identify those aspects which make web development projects different from other types of development. Some of the team roles they recommend are bizarre -- the authors identify the role of "Strategist" who seems to help those poor idiot customers to understand their own business. This may be necessary on some projects, but I find this attitude very condescending -- the days when web development was portrayed as a cross between alchemy and spiritual enlightenment are long gone. Many of the sections are very superficial, but the book is littered with footnotes saying "Chapter X discusses this in detail."

In short, I'd say this book is too lightweight for people who understand XP already and want to learn how it applies to web projects, and novices are likely to get hung up on the largely redundant side tracks (CVS versus MS Sourcesafe -- Huh? How did that get past the editors?) to be able to see the extreme wood for the trees.

You can purchase Extreme Programming for Web Projectsfrom bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Managing RAID on Linux

Linux · Linux · 2003-02-12 04:00 · posted by timothy · from the or-hardly-workin' dept. · 225 comments

rjnagle writes "The availability of HOW-TOs and newsgroups is supposed to make the sysadmin's job easier, right? Much as I am a proponent of the 'distributed learning model' for Linux, the endless searching for answers on the Web for setting up Linux RAID was getting to be a royal pain. Sure, there was a RAID how-to and an excellent newgroup, but some of the information is out of date, and the tricks suggested by people a year ago may be no longer needed today. Robert reviews the O'Reilly title Managing RAID on Linux below to see how it stacks up to HOWTOs, guesswork and anecdotal evidence. Managing RAID on Linux author Derek Vadala pages 245 publisher O'Reilly rating The best reviewer Robert Nagle (aka idiotprogrammer) ISBN 1565927303 summary This book brings RAID to the masses

A person deciding to go with RAID faces a panoply of options and gotchas. Hardware or software? How many controllers? ATA or SCSI (or ataraid)? RAID 1 or RAID 5? Which file system or distribution? Kernel options? Mdadm or raidtools? /swap or /boot on raid? Hybrid? Left or right symmetric? One poster pointed out that putting two ATA drives on the same controller could impact performance. Yikes! Didn't I do that? Upon discovering that O'Reilly had just published its Managing RAID on Linux book, looking at sample chapter , I bought the book and let my blood pressure return to normal.

RAID is one of these subjects that is really not complex; it's just very hard to find all the information in one place. This is precisely the book to solve the problem. Author Derek Vadala, sysadmin and founder of Azurance.com, an open source/security consulting firm, has gathered a lot of information and even personal anecdotes to go through the decision making process when going over to RAID. He goes step-by-step through that process, educating us about hard drives, controllers, and bottlenecks along the way. This exhaustive book may be the first to bring RAID to the masses.

Although parts of the book (RAID types, file system types) may seem already familiar to experienced Linux users, it is helpful nonetheless to have everything in a nifty little book. A section of file systems provided not only a rundown of the merits and drawbacks of each one, but also a guide to their utilities. I learned for example what "file tails" for Reiser are, and why using them causes performance to degrade after reaching 85% capacity. The book compares raidtools with mdadm as well as lovely commands like nohup mdadm -monitor -mail=paranoidsysadmin@home.com (which, if you haven't guessed, causes the system to email you RAID status reports upon boot).

People who use software RAID may skip over the chapter on RAID utilities for the leading RAID controller cards. Still, there was one interesting tidbit: Why, the author asks, do makers of controller cards put all their BIOS utilities on DOS floppies which require us to find a DOS boot disk? Seriously, how many of us carry around DOS boot disks nowadays? The book made me aware for the first time of freedos, an open source solution that solves precisely that problem.

The Software RAID stuff was pretty thorough and clarified a lot of things. The book does an excellent job in helping to identify and eliminate bottlenecks and optimizing hard drive performance (using hdparm and various monitoring commands). The anecdotes and case studies definitely clarified which RAID solution is suited for which task.

I am less impressed by the book's sections on disaster recovery and troubleshooting. Although these subjects are brought up at several places in the software RAID chapter, the book could have discussed several failure scenarios or used a fault tree (such as the famous Fault Tree in Chapter 9 of the Samba book, a marvel for any tech writer to read). The book doesn't even discuss booting with software RAID until the last 10 page of the book and then gives it only a single paragraph (even though the author acknowledges it as "one of the most frequently asked questions on the linux-raid mailing list."). Call me old-fashioned, but isn't the ability to boot into your RAID system ... kinda important? As someone who just spent a significant amount of time troubleshooting RAID booting problems in Gentoo, I for one would have liked more insight into the grub/lilo thing. Also, in the next paragraph in the last chapter on page 228, the author casually mentions that "all /boot and / partitions must be on a RAID-1." Say what? Please pity the poor newbie who religiously follows the instructions in the book but fails to read until the end. I'm not sure what the author meant by this statement, but it required a much more substantial explanation and needed to go into a much earlier chapter.

These complaints don't detract very much from this excellent book, a true O'Reilly classic and a model of clarity and helpfulness. This book provides enough knowledge to avoid the dread and uncertainty that comes with trying to tackle Linux RAID. With a book like this, a sysadmin can sleep a little easier.

Recommended Readings:

Reliable Linux , by Iaian Campbell, Wiley and Sons, Dec 2001, ISBN: 0471070408. Gives excellent information not only about RAID but on general Linux reliability issues.
Software RAID in the Linux 2.4 Kernel by Daniel Robbins. (Part Two).
Linux Journal Article on Software RAID by Joe Edwards, Audin Malmin and Ron Shaker. ( Part Two).
"How to do a gentoo install on software RAID" by Chris Atwood. Gentoo User Forum.

Robert Nagle (aka Idiotprogrammer )is a Texas technical writer, trainer and Linux aficionado. You can purchase Managing RAID on Linux from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.