bfast.com · Domains · Slashdot Mirror

Wi-Fi Toys

News · Wireless · 2004-11-11 11:20 · posted by timothy · from the xmas-time dept. · 71 comments

prostoalex writes "A lot of avid PC users got first introduced to the computers through games. Some later turned their hobbies into full-time jobs. The ExtremeTech series of Wiley books aims at the readers who are curious about technology and are willing to dedicate some time to personal to projects that educate and develop skills. Before this review starts reading as a press release, I will throw in a link to my review of another title, Linux Toys, the book that pioneered the series." Read on for Alex's review of Wi-Fi Toys. Wi-Fi Toys author Mike Outmesguine pages 408 publisher Wiley rating 9 reviewer Alex Moskalyuk ISBN 0764558943 summary 15 cool wireless projects for home, office and entertainment

Wi-Fi Toys by Mike Outmesguine offers 15 projects for radio enthusiasts and those, who have never dealt with wireless networking beyond buying an 802.11 access point at local electronics store. Former US AirForce and National Guard engineer, the author is currently running a technology services company.

Assume for a minute that you have had limited experience with wireless technologies, but are young, ambitious, and eager to dive into the deep sea of wireless data. What kind of projects would be fun to play with? What kind of projects would be educational as well as useful? Probably improving the reception via various antenna hacks would be a cool thing to do, and improving access point to increase coverage would be another way to wow the neighbors with your wireless skills. Discovering other people's networks and wardriving is a must for any wireless security beginner. The author dedicates the first three parts of the book (table of contents here) to building antennas, wardriving and hacking access points. Yes, the book requires toying with hardware and occasionally being outside in the fresh air.

The first chapter, Building Your Own Wi-Fi Antenna Cable, is available online in PDF format and it talks about building your own antenna cable. The rest of the chapters in Part 1 take the reader through building a paperclip antenna, creating a tin can antenna, and modifying the existing access point with a high gain antenna.

Probably there are some people that read the last sentence and asked themselves, "So what is a high gain antenna?" Which brings us to the next point - the readability of the book. Outmesguine did a really nice job outlining the projects step by step and supplying all the major steps with the photos. The pictures are black-and-white, and so are the diagrams. Overall the pictures turned out nicely, but I wish the author had the color version on the Web site, since some of the images (like on page 79), displaying computer graphics on dark backgrounds, did not turn out very detailed. Everything essential to the project is there, but still, color photos and screenshots would have made the difference in some cases.

The author does a good job of explaining terminology before launching into the project. Where needed, Mike Outmesguine provides helpful diagrams, that any radio amateur is probably already aware of, but they still make a nice and readable book for the rest of us. Also, the goal of the chapters is not just build the toy and get done with it as soon as possible. For example, in chapter 4 when talking about modifying the existing access point, the author understands that the only reason you want to do that is to increase the WiFi coverage in your house. So a few pages are dedicated to propagation losses, interference and everything radio-related that the reader needs to take into account before strengthening the access point with a high-gain antenna.

Chapter 14 is probably the coolest in the book, as it talks about creating a car-to-car wireless link for the purpose of... videoconferencing involving two Webcams and Microsoft NetMeeting. Naturally, this is not for driver-to-driver communication, but in case you've got two cars on the road trip, the passengers now can use their WiFi-enabled laptops (and by now everyone should have one) to launch a video conference.

Overall the book reads great, even if you're not serious about doing some projects, it's still fun to follow photographs and see what Mike and the contributors have done in terms of wireless projects. Each chapter is presented as a single project, so with the exception of terminology knowledge there's no preceding knowledge that needs to be there, so one could theoretically start with a digital picture frame (Chapter 15) that hangs on the wall, downloading the pictures via the wireless link and playing occasional videos.

Overall, this is an interesting book to read, and if you've been looking for simple and intermediate projects involving radio technologies and WiFi, the Wi-Fi Toys is packed with useful information.

You can purchase Wi-Fi Toys from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

Cube Farm

Books · Books · 2004-11-10 07:50 · posted by timothy · from the square-pegs dept. · 306 comments

Sarusa writes "Stop me if you've heard this one: Bright, innocent, bushytailed overachiever geek, inexorably crushed by the harsh realities of corporate America, turns into paranoid shaven-headed slacker (and Church of the Subgenius minister) who sees conspiracy theories under every rock. 'Heard it?' you sneer, 'I've lived it!' So why would you want to read a book about it? Cube Farm by Bill Blunden proves that if nothing else, you can always serve as a bad example." Read on for the rest of Sarusa's review. Cube Farm author Bill Blunden pages 150 publisher Apress rating 7 reviewer Sarusa ISBN 1590594037 summary Welcome to Hell, here's your cube.

The book chronicles Blunden's travails as a fresh Cornell grad finding out his degree is useless. After waiting tables, he discovers Java is hot, and gets a job in the incredibly dysfunctional R&D department of Lawson Software, one of those companies that makes horribly dull but necessary business software. Young Blunden is shunted from one doomed project to the next as internal divisions compete with each other (and internally) for territory. The code base is millions of lines of ancient K&R C with all the comments stripped out (!) for speed of compilation. Only a few people understand the entire system to any degree, and these Illuminati crush any attempt to create or disseminate any documentation since that would erode their power base. Any projects that might threaten their monopoly are dispatched by the simple expedient of not responding to any emails or phone calls or attending meetings.

Cube Farm is written in a conversational, semi-edgy style that I found very easy to read, though occasionally annoying when it gets too hip. The subject is technical, but the theme is purely human foible, and Blunden makes an effort to make things understandable even by the non-geeky. So you don't have to be a nerd to understand the book - it would sure help you appreciate it, though.

Important characters are assigned descriptive names such as the Puppet Master, the Godfather, the Wax Master, Mike and Ike, and the Mad Hungarian. This may sound a bit cheap, but works well and makes it easy to keep track of the defectis personae. Everything is well partitioned, and Dance of Death woodcuts enliven the pages.

The obvious question, Why you would read something so horribly depressing? There are only negative lessons to be learned here. Well, in many ways Cube Farm is the informal, nasty version of what you'd get by reading books like Death March (Yourdon, 2003 2nd ed), Herding Cats (Rainwater, 2002), and Software Runaways (Glass, 1997). You can learn a lot from a bad example, like what it means if they won't say Yes or No. Perhaps it'll make you feel better about your own company, which is probably not quite this screwed up. Or there's always good ol' schadenfreude.

Would you give this book to an eager young programmer? Either it would be a bit like taking a sledgehammer to a kitten, or (more likely) it would just all cascade off, unheeded -- "obviously, this could never happen to me." For everyone else, if you've had at least one job or failed project under your belt you might find this horrifically fascinating, similar to watching Repligator. It might help with your next (knock on wood) fine project. Finally, it's a quick read, so I felt my time was well (or at least enjoyably) spent.

You can purchase Cube Farm from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Windows Forensics and Incident Recovery

News · Books · 2004-11-09 09:26 · posted by timothy · from the windows-is-a-big-pain dept. · 142 comments

dba599 (Mark McKinnon) submits this review of Harlan Carvey's Windows Forensics and Incident Recovery, writing "This book takes an unusual approach to computer forensics in that it deals only with live analysis of the system: the compromised computer is left powered on and everything is running. (Compare to a dead analysis, for which the computer is powered off and the hard drive's contents are then analyzed.)" Read on for the rest of McKinnon's review. Windows Forensics and Incident Recovery author Harlan Carvey pages 460 publisher Addison Wesley rating 9 reviewer Mark McKinnon ISBN 0321200985 summary Forensic analysis and incident recovery on a live Microsoft Windows is explained for the system administrator, security administrator and knowledgeable home user.

The intended audience, according to the author, is "anyone with an interest in Windows security, which includes Windows system and security administrators, consultants, incident response team members, students and even home users." The author assumes the reader is familiar with basic networking (including TCP/IP) and has some Windows administration skills. Some programming ability, though not actually required, will help out greatly with reading and understanding the many examples provided, and will let you make your own modifications (this is encouraged by the author throughout the book).

The chapter on data hiding was a real eye-opener -- it's amazing the things Microsoft has implemented as part of the operating system (and included applications) that can be used to hide things. Discovering the hidden information is talked about, as well how it is hidden. Sample topics include file attributes, alternate data streams, OLE and stenography. This is an excellent chapter with many examples; I found myself stopping after each subject to try out each of the discussed techniques.

The next chapter delves into incident preparation. Carvey addresses some of the things that administrators can do to harden their systems. He goes over the application of security policies in general, as well as intelligent assignment of file permissions. He then covers Windows File Protection and how it is implemented, and includes a perl script to implement your own file watcher. He touches briefly on patch management and anti-virus programs, then moves into monitoring. He provides quite a few scripts, and discusses other means by which you can monitor your system.

The next chapter describes tools that can be used in incident response. This chapter has quite a lot of information and took me the longest to get through, because of all the tools mentioned that I had to download and check while I was reading the book. Carvey uses a mixture of his own perl scripts and programs that can be downloaded from places like Sysinternals, Foundstone, DiamondCS and others. All of the tools used are open source (or are at least freely available). That equips the reader with a low-cost toolkit, especially important to the home user or small business owner who cannot afford to buy the commercial equivalent. Carvey does acknowledge, though, that there are quite a few commercial tools with great functionality out there.

The first part of the incident-response tools chapter deals with the collection of volatile information (processes, services, etc.); this is a vital part of live analysis. The second part deals with the collection of non-volatile information (the content of the Windows registry, file MAC times and hashes, etc.) and tools for analyzing files. Carvey also shows how some of the tools complement each other, and that there is not one almighty tool that will find all the data you need. (This is also proven by example in a later chapter when he talks about rootkits.)

The next chapter deals with developing a security methodology, and it's handled differently than in most books: the author presents the material as a series of dreams that a Windows system administrator has, showing how an individual can come up with and fine tune a methodology as incidents happen. Carvey has used this approach before in a series of articles entitled "No Stone Unturned" for SecurityFocus.com, and the creative approach appeals to me. As he moves from dream to dream, you can relate to the admin's circumstances (and mistakes), and how be and becomes better at responding to different incidents.

The next chapter talks about what to usefully look for with the tools the book has introduced. It discusses infection vectors, types of malware and rootkits, and demonstrates tools and techniques for detecting them. This is where the author makes a clear point of why you would need to run several different tools, even if some overlap. His example uses an installed rootkit; running a particular program from a previous chapter, he shows that it fails to find that anything untoward is running -- it takes another program from the same chapter to actually reveal the rootkit's presence. By cross referencing the output for both programs, you can see why you should run more then one type of analysis tool for certain areas to make sure you are not missing anything.

Finally, the author dedicates an entire chapter to his own Forensic Server Project, a two-pronged approach to live forensic analysis which uses two machines simultaneously. The first piece, the Forensic Server Module, is the listener software; this runs on a clean PC where the data will be sent from the compromised system. The other piece, called the First Responder Utility, runs several of the programs and scripts from the incident tools chapter on the compromised system . After installing everything needed for both parts of this system, I followed the author's instructions on how to run it. What a slick tool! I ran it from a couple of PCs on my home network and was able to get a lot of the information that was described in the book as well as hash values for each log file that was produced, and a general log of everything the First Responder Unit did. The whole principle of this is that when you have an incident there will be very little interaction with the compromised system, since everything is scripted to begin with.

The framework that this software constitutes is very flexible. I was able to add two new features to the Forensic Server Module and the First Responder Utility with very little code. The first addition I made was to mark all the logs as read-only on the file system after they were written from the Forensic Server module. The next addition I made was to add a perl script to scan the c:\ drive of the PC that the First Responder Utility was running on. After I made both additions, I tested everything out, and it worked great. I had my extra log files and they were all read-only. My hat goes off to the author for coming up with and including this in the book, a really nice piece of software.

You can purchase Windows Forensics and Incident Recovery from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

Digital Retro

News · Books · 2004-11-05 09:40 · posted by timothy · from the perusal-of-happiness dept. · 111 comments

I spent several hours this week poring through Gordon Laing's beautiful book Digital Retro , and it's one I'm sure to return to at odd moments, the same way I like to flip through old copies of The Whole Earth Catalog. Digital Retro represents years of research into a 14-year stretch of personal computing history, distilling that effort into a work that is graphically appealing, but also an informative, informal historical look at the machines it celebrates (all 40 of them). Depending in part on what year you were born (and at what age computers entered the picture) you may recognize most of these machines, or only a few -- it's an equally fun read either way. Read on for the rest of my review. Digital Retro: The Evolution and Design of the Personal Computer author Gordon Laing pages 192 publisher Sybex rating 9 reviewer timothy ISBN 078214330X summary Eye-candy mixed with a good dose of history, perfect for the library of a modern techno fetishist.

Digital Retro is about personal-use (though not necessarily home-use) machines: there are no PDP11's or mainframes represented, nor devices like the DECWriter, which gave computer access to individuals but required a mainframe or minicomputer in the background. The book covers hardware that was sold at retail (barring the Altair and a few other mail-order-only kit machines), at prices householders could afford for their hobby use, including gaming, or that businesses could afford for their executives and other knowledge workers. All the same, the prices are sure to make you calculate every so often things like how many BogoMIPS could be had today for the $3,250 that a 613KHz HP-85 cost in 1980 -- and those are 1980 dollars. Early adoption has its risks as well as its rewards.

From iconic to obscure

Too many computer makers (and even more computers) came and went in the decade-plus spanned by this book for it to cover all of them; Laing's list of chosen machines is representative rather than comprehensive. More than 30 of the machines came from the The Museum of Computing in Swindon, and despite their age most look like they just popped out of their delivery boxes.

Digital Retro's central section starts out with a MITS Altair, the machine generally considered the first computer practical for a hobbyist to buy. (And the buyer had to be a dedicated hobbyist; the Altair was sold in kit form for home-assembly, and its display was a series of winking lights, its input facilities a row of toggle switches.) "Practical" in the case of the Altair meant affordable and accessible -- there wasn't much of a practical nature for the solder-weary user to actually do with an Altair once it was assembled; the chicken and the egg of availability and usefulness were still fighting it out at this point in computer history. The Altair also has another interesting spot in personal computer history: it provided the first platform for an operating system from Bill Gates and Paul Allen.

(There's an Apple I in homemade wooden raiment snuck into the book's introduction -- an Apple I proved too difficult to find for a full writeup and photoshoot, however, and no Apple II clones made the cut.)

From the Altair to the NeXT cube which caps off the Digital Retro's collection, the 38 machines (and in some cases machine families, such as the MSX computers mentioned below) are presented in order of appearance. The book presents too many interesting machines to give each a proper summary, but here are a few to whet your appetite:

The Sharp MZ-80K (December, 1978) -- with its 10" screen and built-in drive (tape drive, though -- the 3.5" diskette wasn't invented yet), the MZ-80K seems ahead of its time; the choice of a Zilog Z80 processor didn't do much for its longevity as a business system, though; Z80 systems were soon eclipsed by other choices.
The GCE/MB Vectrex (June, 1982) -- the only video game system I really wanted as a kid, and one of the seeming few I've never encountered used in thrift stores. Bright vector graphics, built-in screen and a quality joystick gave it the same kind of appeal that the arcade-console versions of Asteroids and Battlezone had for me.
The Jupiter ACE (September, 1982) -- an impossibly simply looking machine, a terraced slab of white plastic with a minimalist typewriter layout (just 40 grey keys). The ACE was aimed at programmer-hobbyists, though, like the similar-looking Sinclair ZX-80, but the ACE ran a version of FORTH and had raised keys rather than the Sinclair's flat membrane.
The Sinclair QL (January, 1984) -- one of which, Laing notes, was Linus Torvalds' machine (between a VIC-20 and the 386 with which Torvalds started a quaint Unix-like operating system).

Game consoles are also well represented; six dedicated game machines, starting with the Atari VCS (1977) are included; a whole book could be devoted to consoles, but the ones chosen for Digital Retro (besides Atari and the Vectrex mentioned above, the others come from Colleco, Mattel, Nintendo, Sega) are an eclectic bunch, and a good use of space.

Because Laing is based in the UK, the book features quite a few machines that most Americans have probably never encountered in person, like the Acorn Atom, the Dragon 32 (a Welsh-made near-clone of the Tandy TRS-80) and the Grundy NewBrain. If this book had been an American production, many of these UK-made machines might have gone overlooked.

No incentive to work together

In the wilder days of the personal computer's adolescence, the quest for compatibility and standardization among machines was anything but a top priority -- and when it was a factor at all, it was usually about software compatibility between sibling computers (like the TI 99/4 and its 99/4A successor) or at most within a single model line.

As the book's back cover points out, "Compatibility? Forget it! Each of these computers was its own machine and had no intention of talking to anything else." An overstatement, but not much of one.

Laing covers an intriguing exception to this one-off philosophy, a multi-manufacturer line of machines that appeared in 1983 (starting a 5-year run), sharing a Zilog processor and adherence to an early Microsoft attempt at standardization called MSX. Mostly-compatible machines were launched by JVC, Hitachi, Sony (a name that didn't pop up in the American computer market for quite a few more years) and 18 other Japanese manufacturers as well as SpectraVideo, the only non-Japanese maker. Each manufacturer tweaked their entries in the line to distinguish themselves, adding features like (in Pioneer's case) control of laser-disc players. The differences soon rendered the attempt at standardization moot, and the MSX standard fell from grace. And if you're wondering what MSX stands for, you'll have to choose from the three possibilities listed: I prefer "Matsushita Sony X, where X could stand for any other company."

Get a good look

The photographs dominate; they give external views of each machine from several angles, over two two-page spreads apiece. (The pictures are well-chosen, but not exhaustive: there are no shots from the underside, and in only a few cases are internals exposed. Don't expect to replicate the innards of an Altair from the photographs.) You can make out what sort of ports each device provided, see what kind of display it used in most cases, and look at the included input peripherals. (Many of these machines, though, were hooked to televisions, and only the main unit and its input devices are pictured.)

Speaking of peripherals, one of the nice things about a photo book like this is for the mugshots it provides of unique physical arrangements tried by computer manufacturers: the integrated tape drive of the black-clad Amstrad CPC-464 (which sits to the right of the keyboard) makes it one of the most interesting to me; it sure is a lot neater arrangement than the cassette drive linked messily to the family C64 in the early '80s.

Besides the photographs, though, the spreads devoted to each computer provide a compact history of the machine, list its country of origin, and give a rundown of the most important specs (processor type and available I/O ports).

Practical Upshot

Digital Retro is a coffee-table book which happens to have quite a bit of interesting history, not a deep historical text. For each machine displayed, though, a chunk of text titled "What happened next" gives an idea of what developments each one led to (or prevented); some of these are only a paragraph or two, others are mini-essays in themselves. If you crave more technical and historical details, Laing's book makes an excellent companion volume to narrative-centric books which cover the same period of computer history though, like Fire in the Valley and Steven Levy's Hackers. It's a perfect way to appreciate the aesthetic appeal (and exuberant variety) of personal computers from the mid '70s to the late '80s.

You can purchase Digital Retro from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

Outsourcing Information Security

Books · Books · 2004-11-04 10:30 · posted by timothy · from the the-data-is-where-now dept. · 196 comments

Ben Rothke writes "Outsourcing information technology has been the rage over the last decade, to the degree that there are not enough bodies in Bangalore and Mumbai for companies such as Wipro, Infosys and Tata to hire. The problem is that many companies have gone down the road of outsourcing without performing the proper due diligence. Rather than saving money, many organizations have found that outsourcing ultimately is much more expensive than keeping security functions in-house, in addition to other negative consequences." Read on for the rest of Rothke's review of Outsourcing Information Security. Outsourcing Information Security author C. Warren Axelrod pages 248 publisher Artech House rating 10 reviewer Ben Rothke ISBN 1580535313 summary Examines security risks related to IT security outsourcing

When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.

Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.

The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.

The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.

The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.

Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.

Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.

Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.

Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.

For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.

You can purchase Outsourcing Information Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Decompiling Java

Books · Books · 2004-11-03 07:50 · posted by timothy · from the it'll-be-your-unbrewing dept. · 221 comments

Richard Rodger writes with a review of Godfrey Nolan's Decompiling Java. "I've just put this book down after reading it right through non-stop for four days. I haven't done that with a technical book since Learning Perl. Most techie book these days are quickie grab-bags, and you end up paying for a lot of dead trees that you aren't interested in." Read on for the rest of his review. Decompiling Java author Godfrey Nolan pages 264 publisher apress rating 8/10 reviewer Richard Rodger ISBN 1590592654 summary Learn how decompilation works in order to properly protect your intellectual property.

If you are interested in Decompiling Java, then this book tell you exactly how to do that. There's no fluff and every chapter counts. I can safely concur that Fiachra's observations are indeed correct. You'd better be prepared for some serious hard core details, but then that's what you'd paid for. It is really great to read a book that doesn't end each chapter with a few links to the real material because the author couldn't be bothered to write it up.

So what do you get? As a battle-hardened Java coder of not a few years programming, I wanted to find out about the gory details of bytecodes and how to get at them. Now it's a subject I always knew I should know about, but never took the time to read up on it. Decompiling Java puts all that knowledge into one place.

Here's a quick run-through of the chapters so you know what you're getting:

Ch.1 Introduction
Decompilation isn't just another coding tool - there are other, real world issues like ending up in jail to think about. Godfrey proposes a sort of code-of-honour for decompilers. This book could so easily have been positioned for the fr33ky kod3r skript kiddie market, and I'm glad that the author and publishers took a mature and sensible approach to the subject. I have had to decompile purchased code because of bugs and I'm glad that someone took the time to think about an ethical framework for doing this.

Ch.2 Ghost in the Machine
A good and solid introduction to the JVM and the classfile format. If you're in the market for this book, you probably already know most of this, but a refresher course is always good. For me, it definitely sorted out a lot on internal hand-waving on the subject. Just remember kids, the only thing to fear is fear itself - it's only binary data after all.

Ch.3 Tools of the Trade
Although the author builds his only decompiler later in the book, it nice to get a chapter devoted to the existing toolset and the Java decompiler scene.

Ch. 4 Protecting your Source
For the honest developer, knowing how to decompile code is more about protecting your own source code than breaking someone else's (who wants to read other people's smelly code anyway!). This chapter is one of the most directly practical. I had always assumed that obfuscation was a magic fix that I could apply if necessary. In reality, good obfuscation is just like good encryption (that is, uncommon, difficult to verify, and still subject to lateral attacks). Even compiled bytecode has relatively low entropy, so the value of obfuscation must be considered carefully.

Ch.5 Decompiler Design
This is were it starts getting a wee bit technical. Decompilation, as you can imagine, is a bit of a black art, and there are many ways of doing it. Some of them involve scary maths and some involve scary coding and the rest both. But that's why you don't meet many people who can write decompilers. Godfrey does a great job of taking you on a practical run through this fog of decompilers. At the end of this chapter you will be able to decide for yourself what approach is best suited to your problem domain. Again, this material can be challenging but it's like boot camp: You just gotta.

Ch.6 Decompiler Implementation
If the previous chapter hurt your brain and scared you silly then this chapter will have you weeping for joy. The author takes a practical, effective, and most importantly, understandable approach to actually implementing a compiler. Now, as he freely admits, his design may encounter difficulties with edge effects and infrequently used idioms, but it will take you to the point where you can solve them yourself. I really had to smile at how simple and effective the approach taken here is - instead of the expected multiple passes and mind bending parse tree manipulation, we have a single-pass, source-generating decompiler for Java. You won't follow it all first time, but it does work and you can verify it for yourself. Like I said at the start, you don't get that empty feeling from this book, and this chapter is pretty much why. I bought a book about decompiling Java, and now I can.

Ch.7 Case Studies
This chapter addresses the "why" of decompiling, returning again to the moral questions raised at the start. It's more food for thought than prescriptive preaching though, which again is refreshing. I have admit to dipping into this chapter while reading the rest of the book - the human interest angle always works a treat!

Of course, no book is perfect. What I think could have helped a bit overall would have been a introductory chapter to bytecode. But it's not a great loss and bytecode is actually pretty simple once you get your head around it. Still it might have lessened the learning curve somewhat.

Decompiling Java is a great addition to that section of your bookshelf dedicated to serious books that will be around for a while. The JVM specification and Java bytecode are not going to change that much, so this book is something you'll be able to use for a long time. Personally the best thing about this book for me was that it took me to the next level. Not many books can do this. As a working coder, I pretty much put things like decompilation into the "too hard, just for academics, and I could never grok it", category. It's great when a book comes along that can can you out of that comfort zone.

You can purchase Decompiling Java from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Assessing Network Security

Books · Books · 2004-11-02 09:40 · posted by timothy · from the what-if-you-press-this-button-here dept. · 89 comments

Anton Chuvakin writes "I've read some pretty bad books on penetration testing; till now, nobody seemed to get this fun subject right! Good news - this time somebody did. Assessing Network Security comes to us direct from the bunkers of Redmond. Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing ('pentesting'), scanning, IT audit and other means." Read on for the rest of Chuvakin's review of the book. Assessing Network Security author Ben Smith, David LeBlanc, Kevin Lam pages 592 publisher Microsoft Press rating 8/10 reviewer Anton Chuvakin ISBN 0735620334 summary Great pentesting book

Assessing Network Security starts with a nice overview of key principles of security (definitely not news for industry practitioners, but nice anyway), and then goes on to defines vulnerability assessment, penetration testing and security audit. A critically important section on reporting the findings is also nicely written, and shows that the authors are knowledgeable, and interested in showing a complete security process rather than just the looking-for-leaks part.

The authors then go into developing and maintaining pentesting skills, including advice on choosing training and resources (nice for those starting in the field). The actual pentesting process is split into non-intrusive (combining the usual "intelligence gathering" with port scans, sweeps and various host queries) and intrusive tests (such as running a vulnerability scanner, brute-forcing passwords, DoS testing and others). Some entries seem to belong in both categories (such as sniffing) but are placed into the intrusive section, for whatever reason. Up-to-date content (wireless, Bluetooth and web assessment, for instance) is well represented.

The authors also include a fairly insightful social engineering testing section (touching on dumpster diving and other non-network assessment methods). My favorite chapter was the one presenting various case studies - examples of specific threats/tests against Web, email, VPN and domain controller systems.

Among other features that I liked in Assessing Network Security were 'notes from the field' sidebars with fun stories related by authors, and FAQs at the end of each section. On the down side, the book is somewhat Windows-focused (although it is amazingly vendor-neutral in most respects, considering the source). The book is also somewhat dry, although the sidebars provide some needed relief when the text gets too process-oriented at times.

Assessing Network Security is largely about methodology, but I'd have preferred to see a bit more technical content, since it is a 600-page volume. I think the checklists present in the Appendix are a great step in that direction.

Overall, I enjoyed the book and think it is both a great guide and a reference for most security professionals, especially for those starting to be involved with penetration testing.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a security information management company and maintains the security portal info-secure.org. He wrote Security Warrior and contributed to Know Your Enemy, 2nd Edition . You can purchase Assessing Network Security from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

High-Tech Crimes Revealed

Books · Books · 2004-11-01 09:30 · posted by timothy · from the alex-is-behind-all-of-them-at-once dept. · 114 comments

Alex Moskalyuk writes "When reading about the computer crimes, we are usually told the victim's point of view. We learn about the thieves stealing thousands of credit card numbers and identity theft victims, who lost their credit history with the wallet they lost at the mall. But how do criminals ever get caught? Who performs the forensic search and participates in sting operations?" Read on for Alex's review of High-Tech Crimes Revealed, which addresses these questions. High-Tech Crimes Revealed author Steven Branigan pages 448 publisher Addison-Wesley rating 9 reviewer Alex Moskalyuk ISBN 0321218736 summary Cyberwar Stories from the Digital Front Steven Branigan is a cop, a system administrator, an Internet security consultant and network security researcher. Ex-employee of Bell Labs now is a founder of a company that "specializes in solving leading edge computer and network security issues."

The book is a collection of high-tech investigations performed by Branigan in cooperation with the police force and sometimes the Feds. Generally Branigan would be involved in forensic research of the evidence and be on the scene as the "computer expert" that cops would refer to when dealing with cybercrime.

Twelve chapters take us through some of the high-tech crimes that the Western world faces today. An attack on the telephone network (unauthorized access to the switches), backdoors left at the former employer, hacking into university networks and the well-publicized identity theft are all covered in the book. Branigan brings up anecdotal evidence from his own career, describes some of his cases in great detail, and provides advice for practitioners in the forensics field.

The author is a Linux/Unix/BSD guru, and he shares his methods for retrieving telltale data from the equipment that the criminals leave behind. He also talks about the generic problems that law enforcement faces when investigating a high-tech crime - how do you obtain a warrant, what's a proper way to conduct searches, how do you work with the confiscated computer so that all the data is left intact?

However, don't expect some secrets to pop-up in regards to data collection - Branigan uses commonly available Linux tools like grep for searching the suspect's hard drive for needed data. More often that not, the investigator, it turns out, depends on his experience, not the book knowledge - one has to recognize the network sniffer log when they see it, and be capable of recognizing the tools freely downloadable from security sites.

Thus it's not surprising that there are some chapters in the book dedicated purely to the author's experience in the field. He describes working with the hackers who have been arrested, discusses how rootkits are spread around, discusses the motivation behind the network attacks (it's not always money, to say the least), describes the structure of a hacking ring and their potential revenues and also talks about ways to unravel the networks. His motto? No crime is too small, and sometimes things so little as missing the rent can lead to more discoveries and tie-ins into bigger crimes.

If you're thinking about becoming a security consultant, a law enforcement officer or just a sysadmin with better than average knowledge of security, this book is an interesting read. It's not a textbook, nor it is technical by nature. It reads more like a detective story, except the stories are real, the culprits are real and so are the victims. One can read the book on two levels - as a forensics tutorial (however, don't expect extended technical tutorials and tools overview) or as an autobiography of a cop, who had to deal with high-tech crimes all his life. If you liked Art of Deception or Hacking: The Art of Exploitation , this title would be a perfect complement.

Chapter 3, If Only He Had Paid the Rent, is available online from Addison-Wesley.

Alex enjoys reading programming, technology and business tech books in his spare time. He also keeps a list of free books available on the Internet for tech readers on a budget. You can purchase High-Tech Crimes Revealed from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Learning PHP 5

News · Books · 2004-10-30 05:08 · posted by vroom · from the learn-to-pronounce-it-too dept. · 0 comments

John Suda writes "There are more new books being published about PHP than you can shake a joystick at. PHP (along with program friends - MySQL and Apache) has become very popular among developers and web designers, and for good reason. As a programming language, it is particularly suited to web development projects, while being relatively easy to write, use and learn. More importantly, it's open-source and free, cross-platform, and widely supported. David Sklar's Learning PHP5 is one of the latest volumes dealing with PHP. It describes itself as 'a Pain-Free Introduction to Building Interactive Web Sites,' and provides a gentle introduction to the latest version of PHP, which is version 5 and only recently available." Read on for Suda's review.

This book is not particularly useful for those experienced already with PHP, nor for those wanting to upgrade their knowledge of PHP from versions 4 and earlier to the newest version. It's also probably not particularly useful for those power programmers who need and want a deep and comprehensive coverage of the topic. But it is a very well-written and designed introduction to PHP 5 for beginning programmers or those experienced PERL, ASP, or Cold Fusion programmers who want to learn a different language. There are many illustrations and code samples sprinkled throughout the book. Sklar, however, skims over some topics, concentrating instead on practical examples.

The publisher is O'Reilly Media, Inc. which seems to have an editor's policy of covering complex computer-related topics in a comprehensive manner by publishing a range of volumes covering different aspects of a topic or from different angles or for different audiences. O'Reilly also publishes volumes on moving to PHP 5 (Upgrading to PHP 5), detailed and technical PHP (Programming PHP), and a collection of solutions to common PHP programming problems (The PHP Cookbook).

Sklar is an experienced consultant in computer software development and technical training. He is the author of Essential PHP Tools and coauthor of the aforementioned The PHP Cookbook. He takes a deliberate and comprehensive approach to explaining PHP 5, not in great depth, but with the intent of providing enough information, concepts, detail, and scope to create a pleasant and useful read of a technical subject. The basic promise of PHP is in the relatively easy creation of more dynamic and interesting web sites which would include, for example, product catalogs, blogs, photo galleries, event calendars, forms, and more.

There are 13 chapters and 3 appendices. The early chapters provide an orientation to PHP, including its place in contemporary web development, its basic rules, and its syntax. They explain the basic background of PHP and how it interacts with the browser and web server. Later chapters introduce primary concepts like loops, arrays, and functions. The idea here is to facilitate learning the fundamentals of the grammar and vocabulary. Chapters 2 through 12 have short exercises at the end of each to allow the reader to practice writing PHP code and to test learning. (The answers are contained in Appendix C.) Experienced programmers and geeks may recoil at the inclusion of these exercises, but they are useful for beginners.

Chapter 6 provides a practical exercise - how to make and use a web form. The author shows how to access form variables, how to validate user-inputted data for security and efficiency reasons, and how to process forms using functions. Chapter 7 shows how PHP interacts with database programs, like SQL and Oracle, but focuses primarily on MySQL, and demonstrates how to organize data, connect to a server-based database, create tables, and enter and retrieve data.

The rest of the middle chapters cover the use and implementation of cookies and sessions, handling dates and time, and working with files. The practical exercise using dates and times is creating and displaying a monthly calendar. The final chapters provide brief but practical coverage of XML, debugging, and in Chapter 13, other PHP aspects. PHP is amazingly useful, flexible, and practical. One can deal with graphics, PDF documents, and other media like Flash and Shockwave. It also has mailing and file uploading functions, encryption capabilities, and (for more experienced coders) the ability to run shell commands. The upgraded PHP 5 has new capabilities, which now include object-oriented programming.

Appendix A covers installing and configuring PHP for Windows, Mac OS X, and Linux; Appendix B is a short primer on regular expressions and how to use them with PHP.

I found the book to be the most accessible introduction to PHP I have read. It provides the basic fundamentals, engages the reader in practical examples, reinforces learning with exercises, and provides an overall perspective on the scope of PHP programming.

You can purchase Learning PHP 5 from bn.com. (Code examples used in the book can be downloaded at the O'Reilly site for the book, linked above.) Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

The Cult of Mac

Books · Books · 2004-10-29 08:45 · posted by timothy · from the distant-drumbeats dept. · 374 comments

cgjherr (Jack Herrington) writes "The Cult of Mac, a new book by Leander Kahney, is a love letter to the Macintosh community. The book seeks to simultaneously define and evangelize the Apple cultural phenomenon. With 25 million users (in the author's estimation) there is a lot of culture to go around. The tattoos. The modified machines. The pilgrimage to MacWorld. The sub-cult of iPod. It's all here." Read on for the rest of Herrington's review. The Cult of Mac author Leander Kahney pages 268 publisher No Starch rating Excellent reviewer Jack Herrington ISBN 1886411832 summary A love letter to the Mac community

The form and structure of the book is a cross between a Wired magazine (for which Kahney has long written on Apple) and a coffee table book. There are great pictures of people, machines and art to appeal to the eye. Some pages are all pictures, while others are primarily text -- most are a combination of the two. The layout is always attractive. If this were a book from Apple, the style would be cleaner and there would be less emphasis on the past; this book is from and for the fans, though, so the style is more edgy and chaotic.

The book is divided into five large sections. The first covers the Macintosh itself, its users, its evangelists, and a little of its history. Including, to my amusement, but not surprise, its connection with pot, which occupies three pages. Wozniak is covered lovingly, and Jobs is painted with the same awe, love and hate brush that the community uses. Leander even covers the TV and movie Macintosh spotting, where the good guys always use Macs and the bad guys always use PCs.

Section two takes us into the MacWorld phenomenon. The secrecy, the crazy crowds, the keynote -- the whole shebang. We also get a look into the Mac phenomenon in Japan.

The final three sections are the most interesting to the hardware lovers. Section four covers modifying the Macintosh, futuristic designs, and the variety of things that have been built from dead Macs. The fourth section is about collecting Macintoshes; there is an excellent image here of a reception desk built entirely of old Mac Classics. Some attention is also paid to the devotees of Apple tsotchkes -- the shirts, the pins, the shoes, and other logo-branded novelties.

The final section is all about what comes next. Here Leander covers the iPod and its subculture, as well as the ongoing cultural battle between Microsoft users and the Mac world. The author even goes so far as to associate the construction of the swivel head iMac to that of a newborn baby to justify our attachment to it. And that makes my Powerbook a what?

There is a lot of great material in this book just to flip through, or to sit down for an enjoyable read. For the technically minded, there is nothing here to help you write better code or get more out of the operating system. This is a book about a culture, its icons, its people, and its ideology.

I can't recommend this book for a PC person, Unless he's interested in learning about the phenomenon or becoming part of it, I doubt there is much he'd interesting in this book. A PC user uses his machine to perform a task and thinks little of the machine itself. A Mac, on the other hand, is a key component of an integrated lifestyle. If you don't live the lifestyle and you care to know more about it, then check out the book. Otherwise, you might as well skip it.

As a Mac enthusiast myself I really enjoy this book. I started programming on the Macintosh with the first 128K machine, took a hiatus on Windows for a couple of years, and switched back with OS X. I've been to a MacWorld and seen some of the phenomenon first-hand. But it's nice to see it catalogued here in such an attractive, nicely constructed, well-written book.

In the early days of Apple versus Microsoft we had a real culture war, command line versus GUI. Windows won. Which is bad because Mac is, IMHO, better. But the Windows victory does allow us in the Mac camp to revel in our own individuality. This book is a fun way for new and old Mac fans alike to share in the common insanity which is our somewhat unrealistic love for this computer and it's company.

I'm certainly glad this book came out before Christmas. Now I know what I am going to give a couple of my fellow Macaddicts.

Reviewer Jack Herrington authored Code Generation in Action, and edits the Code Generation Network. You can purchase The Cult of Mac from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Learning PHP 5

News · Books · 2004-10-28 09:30 · posted by timothy · from the learn-to-pronounce-it-too dept. · 201 comments

John Suda writes "There are more new books being published about PHP than you can shake a joystick at. PHP (along with program friends - MySQL and Apache) has become very popular among developers and web designers, and for good reason. As a programming language, it is particularly suited to web development projects, while being relatively easy to write, use and learn. More importantly, it's open-source and free, cross-platform, and widely supported. David Sklar's Learning PHP5 is one of the latest volumes dealing with PHP. It describes itself as 'a Pain-Free Introduction to Building Interactive Web Sites,' and provides a gentle introduction to the latest version of PHP, which is version 5 and only recently available." Read on for Suda's review. Learning PHP 5 author David Sklar pages 432 publisher O'Reilly rating 9 reviewer John Suda ISBN 0596005601 summary An accessible introduction to the popular web scripting language PHP