Domain: hotmail.com
Stories and comments across the archive that link to hotmail.com.
Stories · 1,876
-
Ask Slashdot: Advice For Summer Before Ph.D. Program?
First time accepted submitter tookul03 writes "I'm a graduating senior from a small New England liberal arts college, and have secured a spot in a Biological Science Ph.D. program for the next five years. I realize this coming summer will be my last out of the lab for a long time and am not sure if I am interested in doing something related to my research interests or using it as an opportunity to find some new hobbies/interests. I figured the Slashdot community had a number of individuals who were/are in a similar position (albeit different fields) and could shed some light on things they (or others) had done. Thanks." -
FTC to HTC: Patch Vulnerabilities On Smartphones and Tablets
New submitter haberb writes "I always thought my HTC phones were of average or above average quality, and certainly no less secure than a vanilla Android install, but it turns out someone was still not impressed. 'Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.' Perhaps this will push HTC to release some of the ICS upgrades they promised a few months ago but never delivered, or perhaps the reason they fell through in the first place?" -
US Suspects Iran Was Behind a Wave of Cyberattacks
SternisheFan writes in with this Times article about more trouble brewing between the U.S. and Iran. "American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta that the United States was at risk of a 'cyber-Pearl Harbor.' After Mr. Panetta's remarks on Thursday night, American officials described an emerging shadow war of attacks and counterattacks already under way between the United States and Iran in cyberspace. Among American officials, suspicion has focused on the 'cybercorps' that Iran's military created in 2011 — partly in response to American and Israeli cyberattacks on the Iranian nuclear enrichment plant at Natanz — though there is no hard evidence that the attacks were sanctioned by the Iranian government. The attacks emanating from Iran have inflicted only modest damage. Iran's cyberwarfare capabilities are considerably weaker than those in China and Russia, which intelligence officials believe are the sources of a significant number of probes, thefts of intellectual property and attacks on American companies and government agencies." -
Google Maps Gets Massive Street View Update
SternisheFan writes "Google Maps has been updated with what's described as the 'biggest ever' increase in Street View photography, with more than 250,000 miles of road around the world gaining street-level imagery. Street View coverage has been boosted in eleven countries, with new 'special collections' of photography, giving more insight into particular landmarks. Google has also sent its cameras inside some landmarks, so you can now step into Kronborg castle in Denmark, for instance. The search giant uses a combination of Street View photography cars, bikes, and even individually-worn camera backpacks to gather its footage. Support for viewing Street View on mobile devices has been contentious in recent weeks, with Apple's decision to oust Google Maps from iOS 6 and replace it with its own Apple Maps app. Google re-added access by updating its webapp, however, and has promised a native version of Google Maps for iOS by the end of the year." -
How Steve Jobs' Legacy Has Changed
On the anniversary of Steve Jobs' death, reader SternisheFan sends in a story from CNN about how the Apple co-founder's legacy has changed since then. "... in the 12 months since, as high-profile books have probed Jobs' life and career, that reputation has evolved somewhat. Nobody has questioned Jobs' seismic impact on computing and our communication culture. But as writers have documented Jobs' often callous, controlling personality, a fuller portrait of the mercurial Apple CEO has emerged. 'Everyone knows that Steve had his "rough" side. That's partially because he really did have a rough side and partially because the rough Steve was a better news story than the human Steve,' said Ken Segall, author of Insanely Simple: The Obsession That Drives Apple's Success. ... In Steve Jobs, Isaacson crafted a compelling narrative of how Jobs co-founded Apple with Steve Wozniak, got pushed out of the struggling company a decade later and then returned in the late 1990s to begin one of the most triumphant second acts in the annals of American business. But he also spent many pages chronicling the arrogant, cruel behavior of a complicated figure who could inspire people one minute and demean them the next. According to the book, Jobs would often berate employees whose work he didn't like. He was notoriously difficult to please and viewed people and products in black and white terms. They were either brilliant or 'sh-t.' 'Among Apple employees, I'd say his reputation hasn't changed one bit. If anything, it's probably grown because they've realized how central his contributions were,' Lashinsky said. 'History tends to forgive people's foibles and recognize their accomplishments. When Jobs died, he was compared to Edison and Henry Ford and to Disney. I don't know what his place will be in history 30, 40, 50 years from now. And one year is certainly not enough time (to judge).'" Apple has posted a tribute video on their homepage today. -
Regulators Smash Global Phone Tech Support Scam Operation
SternisheFan sends this excerpt from ZDNet: "Regulators from five countries joined together in an operation to crack down on a series of companies orchestrating one of the most widespread Internet scams of the decade. The U.S. Federal Trade Commission (FTC) and other international regulatory authorities today said they shut down a global criminal network that bilked tens of thousands of consumers by pretending to be tech support providers. FTC Chairman Jon Leibowitz, speaking during a press conference with a Microsoft executive and regulators from Australia and Canada, said 14 companies and 17 individuals were targeted in the investigation. In the course of the crackdown, U.S. authorities already have frozen $188,000 in assets, but Leibowitz said that would increase over time thanks to international efforts." -
The Sci-fi Films To Look Forward To In 2013
brumgrunt writes "Not every sci-fi film released in 2013 will be a sequel or franchise movie. Den Of Geek has highlighted the ten sci-fi movies that might just offer something a little different from the PG-13, family-centric norm." The list includes Elysium, from the writer/director of District 9. It's "set in 2159, where Earth has become so hopelessly overcrowded that the richest members of society live on a luxurious orbiting space station." There's also After Earth, directed (but not written) by M. Night Shyamalan, which stars Will Smith and his son Jaden. They "crash land on Earth at some point in the future, by which time it's become a dangerous place devoid of human life." And, of course, there's Ender's Game. -
FTC And PC Rental Companies Settle In Spying On Users Case
SternisheFan writes with news of a settlement in a case of Rent-to-Own firms grossly violating the privacy of their customers. From the article: "Seven rent-to-own companies and a software developer have settled federal charges that they spied on customers, ... The companies captured screenshots of confidential and personal information, logged keystrokes, and took webcam pictures of people in their homes. Their aim was to track the computers belonging to customers who were behind with their payments. 'An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,' says FTC chairman Jon Leibowitz. 'The FTC orders today will put an end to their cyber spying.' Developer DesignerWare produced the software that was used to gather the information, PC Rental Agent. The package included a 'kill switch' designed to disable a computer if it was stolen, or if payments weren't made. However, an add-on program called Detective Mode could log key strokes, capture screen shots and take photographs using a computer's webcam, says the FTC in its complaint (PDF)." -
Goodyear's 'On TheGo' Self Inflating Tire
SternisheFan writes with a bit of maintenance saving tech for drivers. From the article: "When was the last time you checked your tire pressure? If you're scratching your head, you might want to put a set of Goodyear's new self-inflating tires on your ride. The company's Air Maintenance Technology was rolled out of the lab this week for debut at a car show in Germany. Commercial truckers will be the first to put the rubber to test, but a consumer version is in the works. A regulator in the tire senses when tire-inflation pressure drops below a pre-set point and opens to allow air flow into the pumping tube. As the tire rolls, deformation flattens the tube, pushing air through the tire to the inlet valve and then into the tire cavity. All this technology, in Goodyear's words, eliminates the need for 'external inflation pressure intervention.'" -
Calif. Man Arrested For ESPN Post On Killing Kids
SternisheFan writes with an AP story as carried by Yahoo that illustrates one of the boundaries of free speech online: "A California man accused of posting comments on ESPN's website saying he was watching kids and wouldn't mind killing them was in jail Tuesday on $1 million bail after he was arrested for investigation of making terrorist threats, authorities said. Several guns were found Monday at the home of former Yale University student Eric Yee, said Los Angeles County sheriff's Lt. Steve Low. Yee was arrested after the sports network ESPN reported threatening posts were made in a reader response section to an online ESPN story on Thursday about new Nike sneakers named after LeBron James that cost $270 a pair. Some of the nearly 3,000 reader comments on the story talked about children possibly getting killed over the sneakers because of how expensive they are, said ESPN spokesman Mike Soltys. 'What he was posting had nothing to do with sports,' Soltys said Tuesday. 'We closely monitor the message boards and anytime we get a threat, we're alerting law enforcement officials.' An employee at ESPN headquarters in Bristol, Conn., notified local police the same day and they linked the posting to Yee's home in Santa Clarita in northern Los Angeles County." -
Anonymous' Barrett Brown Raided By FBI During Online Chat
SternisheFan sends this excerpt from Wired: "For the second time this year, self-proclaimed Anonymous spokesman Barrett Brown was raided by the FBI. The latest dramatic incident occurred late Wednesday evening while Brown and another woman identified by some as his girlfriend were participating in an online chat on TinyChat with other individuals. Two minutes into the recorded chat session, loud voices could be heard in the background of Brown's residence in Texas while the woman in the room with him was in front of the computer screen. She quickly closed the computer screen, but the audio continued to capture events in the room as the FBI appeared to strong-arm Brown to put handcuffs on him. Brown could be heard yelling in the background. A spokeswoman in the Dallas County sheriff's office confirmed to Wired that Brown was raided last night and was booked into the county jail around 11 p.m." (Warning: the video embedded with the article contains mature language.) -
Why Juries Have No Place In the Patent System
New submitter Isara writes "GigaOm's Jeff John Roberts has a compelling writeup about patent trials and how juries are detrimental to justice in such cases. Roberts uses the recent Apple-Samsung trial as the backdrop for his article; although the trial lasted three weeks, during which hundreds of documents were presented and the finer points of U.S. patent law were discussed, the jury only took 2-3 days to deliberate. 'Patents are as complex as other industrial policies like subsidies or regulatory regimes. When disputes arise, they should be put before an expert tribunal rather than a jury that is easily swayed by schoolyard "copycat" narratives.'" -
Microsoft Working On "Surface 2" Tablet
SternisheFan snips this news from Tech Radar: "The Surface tablets that Microsoft will start selling on 26 October at Microsoft Stores (and in temporary 'holiday stores' in twelve US cities including New York) are only the first of a planned family of Windows devices and Surface 2.0 is already under development. Although Microsoft corporate communications chief Frank Shaw said recently that calling Surface 'our new family of PCs built to be the ultimate stage for Windows' was no more than 'literary licence' and that there was nothing more than the two tablets already announced, the Surface team is 'currently building the next generation' of 'devices that fully express the Windows vision' — according to more than a dozen job adverts posted on the Microsoft Careers site between June and August." -
UCLA Scientist Discovers Plate Tectonics On Mars
Reader SternisheFan links to a press release at UCLA, and excerpts from it another bit of Mars news: "For years, many scientists had thought that plate tectonics existed nowhere in our solar system but on Earth. Now, a UCLA scientist has discovered that the geological phenomenon, which involves the movement of huge crustal plates beneath a planet's surface, also exists on Mars. 'Mars is at a primitive stage of plate tectonics. It gives us a glimpse of how the early Earth may have looked and may help us understand how plate tectonics began on Earth,' said An Yin, a UCLA professor of Earth and space sciences and the sole author of the new research." -
Shatner and Wheaton Narrate Mars Rover's Landing Sequence
SternisheFan tips news that William Shatner and Wil Wheaton have each narrated a NASA video titled "Grand Entrance," which documents the upcoming descent and landing of Mars rover Curiosity onto the Red planet. Curiosity is the nickname for the Mars Science Laboratory, the largest rover ever sent to another world. It is scheduled to land on Mars on August 5 at 10:31PM PDT (August 6 at 05:31 UTC), and the event will be broadcast live on NASA TV. The landing process documented in the video will take about 7 minutes, and it has to go perfectly all on its own — the time delay caused by the 154-million-mile distance to Earth means that signals will take 14 minutes to even reach us. For further details, check out Wil's video or William's. NASA's fact sheet (PDF) has more information as well. -
Android Jelly Bean Much Harder To Hack
New submitter SternisheFan tips this quote from an article at Ars: "The latest release of Google's Android mobile operating system has finally been properly fortified with an industry-standard defense. It's designed to protect end users against hack attacks that install malware on handsets. In an analysis published Monday, security researcher Jon Oberheide said Android version 4.1, aka Jelly Bean, is the first version of the Google-developed OS to properly implement a protection known as address space layout randomization. ASLR, as it's more often referred to, randomizes the memory locations for the library, stack, heap, and most other OS data structures. As a result, hackers who exploit memory corruption bugs that inevitably crop up in complex pieces of code are unable to know in advance where their malicious payloads will be loaded. When combined with a separate defense known as data execution prevention, ASLR can effectively neutralize such attacks." -
Ask Slashdot: Security Digests For the Home Network Admin?
New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?" -
Book Review: Elemental Design Patterns
jkauzlar writes "Believe it or not, it's been 18 years since Design Patterns by Gamma, et al, first began to hit the desks of programmers world-wide. This was a work of undeniable influence and usefulness, but there is criticism however that pattern-abuse has led to over-architected software. This failure is perhaps due to wide-spread use of patterns as templates instead of understanding the underlying 'grammar' of this language such that it may be applied gracefully to the problem at hand. What's been missing until now is a sufficiently authoritative study of design patterns at this 'grammatical' level of abstraction. Jason McC. Smith, through a surprisingly captivating series of analytic twists and turns, has developed a theory of Elemental Design Patterns that may yet rejuvenate this aging topic." Keep reading for the rest of Joe's review.
Elemental Design Patterns
author: Jason McC. Smith
pages: 368
publisher: Addison-Wesley Professional
rating: 9/10
reviewer: Joe Kauzlarich
ISBN: 978-0321711922
summary: Software Design
Much as developing a large taxonomy of star-types in astronomy led to and enabled theories of star formation, or a classification of organic life led to studies of genetics, it makes sense that the large volumes of collected object-oriented design patterns should somehow lead to a generic understanding of them. Smith actually approached this in an attempt to solve a very practical problem: given the variety of ways a particular pattern can be implemented, how can one be recognized programmatically with a degree of certainty?
What's most fascinating about Elemental Design Patterns is the analysis performed in working out a solution to the question of how a pattern may be defined in a way that's language-agnostic and flexible to differing implementations. This was a success: his resulting pattern recognition tool even found unintentional usages of well-known design patterns in a large legacy code base, which could then be refactored from the ugly 'accidental usage' to transform apparent chaos into maintainable order.
The basic idea is that every pattern is composed of elemental patterns. For example, the 'Factory Method' pattern may be decomposed into four EDPs (elemental design patterns): 'Create Object', 'Fulfill Method', 'Conglomeration' and 'Retrieve'. The 'Pattern Instance Notation', introduced in this book, and which serves as an extension to UML, helps visualize the relationships between the four sub-patterns and the larger pattern. No doubt readers will find the notation useful in their own work.
This premise's success or failure hinges on two questions: are the set of patterns really elemental? and can the set of patterns be complete? Oddly, the patterns listed in the book are NOT complete: "this book touches on only one-quarter, at best, of the possible EDPs that exist" (p. 107). The fact that this book (which defines 16 patterns in depth) is only the beginning of a project is not well-communicated. Those who might benefit from a complete listing of EDPs (i.e. analysis tool makers) might be puzzled at how to immediately put this book to use if it's not complete. After all, Smith insists in the Preface that "this book is meant to be used." To me, this implies it should serve as more than a basis for research or design-skills edification.
As for them being elemental, in the sense that all possible 'macro-patterns' may be built from them, Smith backs up this claim with the help of a mathematical formal system called rho-calculus, which is introduced in some depth in the appendix, but avoided in the body of the text for readability's sake. Readers wanting a full mathematical treatment are referred to Smith's Ph.D. thesis.
What makes the book worth reading and re-reading is in the methods employed to analytically derive EDPs. As dull as I probably make it sound, Smith gives the entertaining first half of the book an almost 'novelistic', first-person quality in which the reader is engaged to experience Smith's insights first-hand. In a sense, the EDPs are 'unfolded' from simple concepts like the degrees of method or object similarity in a method-call relationship.
Understanding this point is important to understanding EDPs: a method call is not just a method call from a 'micro-patterns' perspective. Calling a very different method on the same object is semantically distinct from calling a very similar method on a very different object. The first is described by the EDP 'Conglomeration' (breaking larger tasks into subtasks); the second, by the EDP 'Redirection' (redirecting a process to another object). Of course, the terms 'similar' and 'different' are fuzzy qualifiers to programmers and there's bound to be some debate on how these terms are applied. Smith, in order to make this distinction, puts faith in the developer's ability to name classes and methods. But anyway, such 'semantic' relationships are the real building-blocks of the higher-level patterns. Once other object-oriented principles are considered, like inheritance, the EDP list grows.
The importance of Elemental Design Patterns from a designer's perspective should now be more clear. I kept stressing the word 'semantic' in the last paragraph because what this book strives to do is provide a *language* for describing object-oriented structure that, first of all, doesn't rely on the OO language itself (C++, Smalltalk, Java, Javascript, etc), and more notably, which takes into account the designer's purpose for employing simple devices like method calls and class extension. As I said earlier, a method call is not just a method call. There may be a dozen or so 'structural' reasons to call a method, and each reason is given its own 'word' (i.e. EDP) in Smith's language. It stands to reason that a designer with a firmer grasp on his own intentions is a more effective designer.
You can purchase Elemental Design Patterns from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
FDA Cracking Down On X-ray Exposure For Kids
ericjones12398 writes "The Food and Drug Administration is proposing that manufacturers of X-ray machines and CT scanners do more to protect children from radiation exposure. If companies don't take steps to limit X-ray doses, the agency may require a label on their new equipment recommending it not be used on children. X-rays and CT scans can provide doctors with lots of useful information. But the radiation that creates the helpful images also increases a person's risk for cancer. There's been an explosion in the use of imaging tests. And rising radiation doses, particularly from CT scans, have drawn concern. The cancer risk increases with the dose of X-rays received during a person's lifetime, so kids' exposure is particularly important. It's also the case that children are more sensitive to X-ray damage. The FDA is also telling parents to speak up. If a doctor orders a test or procedure that uses X-rays, parents shouldn't be afraid to ask if it's really necessary. Also, it doesn't hurt to ask if there's an acceptable alternative, such as ultrasound or MRI, that doesn't rely on X-rays." -
Windows Vista Enters Extended Support
yuhong writes "On April 10, the second Tuesday of April, Windows Vista will exit Mainstream Support and enter Extended Support. This means that no-charge (free) support will end, no further service packs will be created, nor will future IE versions (such as IE10) be available for Vista. Also, no new non-security hotfixes will be created or be available without an Extended Hotfix Support Agreement (EHSA). This will last for 5 years before support for Vista completely ends in 2017." -
Multiword Passwords Secure Or Not?
Gaygirlie writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and general consensus; of course any password whatsoever is going to be insecure against offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?" -
ACTA Referred To Europe's Top Court For Analysis
superglaze writes "The Anti-Counterfeiting Trade Agreement is to get an extra level of scrutiny in the EU after the European Commission said it would refer ACTA to the European Court of Justice, to check that it really does comply with fundamental freedoms in the union. This obviously follows mass protests over ACTA, and it seems justice commissioner Viviane Reding was the one who pushed for ECJ scrutiny. It's not currently clear if this will delay the European Parliament ratification process, but it is hard to imagine the parliament voting on ACTA (scheduled for June at the moment) before the ECJ has had its say — and no-one can say right now how long that will take to happen." -
Book Review: Java Performance
jkauzlar writes "The standard Oracle JVM has about sixty 'developer' (-XX) options which are directly related to performance monitoring or tuning. With names such as 'UseMPSS' or 'AllocatePrefetchStyle', it's clear that Joe Schmo Code Monkey was not meant to be touching them, at least until he/she learned how the forbidding inner recesses of the JVM work, particularly the garbage collectors and 'just-in-time' compiler. This dense, 600-page book will not only explain these developer options and the underlying JVM technology, but discusses performance, profiling, benchmarking and related tools in surprising breadth and detail. Not all developers will gain from this knowledge and a few will surrender to the book's side-effect of being an insomnia treatment, but for those responsible for maintaining production software, this will be essential reading and a useful long-term reference." Keep reading for the rest of jkauzlar's review.
Java Performance
author: Charlie Hunt and Binu John
pages: 693
publisher: Addison Wesley
rating: 9/10
reviewer: Joe
ISBN: 0-13-290525-6
summary: Java performance monitoring and tuning
In my experience, performance tuning is not something that is given much consideration until a production program blows up and everyone is running around in circles with sirens blaring and red lights flashing. You shouldn't need a crisis however before worrying about slow responsiveness or long pauses while the JVM collects garbage at inconvenient times. If there's an opportunity to make something better, if only by five percent, you should take it, and the first step is to be aware of what those opportunities might be.
First off, here's a summary of the different themes covered:
The JVM technology: Chapter 3 in particular is dedicated to explaining, in gory detail, the internal design of the JVM, including the Just-In-Time Compiler and garbage collectors. Being requisite knowledge for anyone hoping to make any use of the rest of the book, especially the JVM tuning options, a reader would hope for this to be explained well, and it is.
JVM Tuning: Now that you know something about compilation and garbage collection, it's time to learn what control you actually have over these internals. As mentioned earlier, there are sixty developer options, as well as several standard options, at your disposal. The authors describe these throughout sections of the book, but summarize each in the first appendix.
Tools: The authors discuss tools useful for monitoring the JVM process at the OS level, tools for monitoring the internals of the JVM, profiling, and heap-dump analysis. When discussing OS tools, they're good about being vendor-neutral and cover Linux as well as Solaris and Windows. When discussing Java-specific tools, they tend to have a bias toward Oracle products, opting, for example, to describe NetBeans' profiler without mentioning Eclipse's. This is a minor complaint.
Benchmarking: But what good would knowledge of tuning and tools be without being able to set appropriate performance expectations? A good chunk of the text is devoted to lessons on the art of writing benchmarks for the JVM and for an assortment of application types.
Written by two engineers for Oracle's Java performance team (one former and one current), this book is as close to being the de facto document on the topic as you can get and there's not likely to be any detail related to JVM performance that these two men don't already know about.
Unlike most computer books, there's a lot of actual discussion in Java Performance, as opposed to just documentation of features. In other words, there are pages upon pages of imposing text, indicating that you actually need to sit down and read it instead of casually flipping to the parts you need at the moment. The subject matter is dry, and the authors thankfully don't try to disguise this with bad humor or speak down to the reader. In fact, it can be a difficult read at times, but intermediate to advanced developers will pick up on it quickly.
What are the book's shortcomings?
Lack of real-world case studies: Contrived examples are provided here and there, but I'm really, seriously curious to know what the authors, with probably two decades between them consulting on Java performance issues, have accomplished with the outlined techniques. Benchmarking and performance testing can be expensive processes and the main question I'm left with is whether it's actually worth it. The alternatives to performance tuning, which I'm more comfortable with, are rewriting the code or making environmental changes (usually hardware).
3rd Party tool recommendations: The authors have evidently made the decision not to try to wade through the copious choices we have for performance monitoring, profiling, etc, with few exceptions. That's understandable, because 1) they need to keep the number of pages within reasonable limits, and 2) there's a good chance they'll leave out a worthwhile product and have to apologize, or that better products will come along. From my point of view, however, these are still choices I have to make as a developer and it'd be nice to have the information with the text as I'm reading.
As you can see, the problems I have with the book are what is missing from it and not with what's already in there. It's really a fantastic resource and I can't say much more than that the material is extremely important and that if you're looking to improve your understanding of the material, this is the book to get.
You can purchase Java Performance from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Are UK Police Hacking File-Sharers' Computers?
superglaze writes "Following its takedown earlier this week of the music blog RnBXclusive, the UK's Serious Organised Crime Agency (SOCA) has claimed that 'a number of site users have deleted their download histories' in response. Given that the site didn't host copyright-infringing files itself, how do they know? We've asked, but SOCA refuses to discuss its methods. A security expert has pointed out that, if they were hacking using Trojans, the police would themselves have been breaking the law. Added fun fact: SOCA readily admits that the scare message it showed visitors to the taken-down site was written 'with input from industry.'" -
ACTA's EU Future In Doubt As Poland Suspends Ratification
superglaze writes "Poland has suspended its ratification process for ACTA, throwing the copyright crackdown into doubt for the whole European Union. ACTA is being handled as a 'mixed agreement' in the EU due to its criminalization clauses, so if a single EU member state (such as Poland) fails to ratify it, it is null and void across the entire union. If that were to happen, at least six of the remaining international signatories would have to ratify ACTA for it to apply anywhere in the world. Outside the EU, only eight countries — including the U.S. — have signed." -
Book Review: The Tangled Web
brothke writes "In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription 'abandon all hope, ye who enter here' above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience." Read below for Ben's review.
Title: The Tangled Web: A Guide to Securing Modern Web Applications
Author: Michal Zalewski
Pages: 320
Publisher: No Starch Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 1593273886
Summary: Incredibly good and highly technical book on browser security coding
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take them to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book, Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. Given that most users simply do not know enough to use the web in a safe manner, we arrive at the predicament we are in now.
Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and details the manner in which they can be fixed.
In chapter 2, the book details that something as elementary as the resolution of relative URLs isn't a trivial exercise. The book details how misunderstandings between application-level URL filters and the browser when handling these types of relative references can lead to security problems.
For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.
Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle, with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web, namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion of a semantic web, though, has not really caught on.
Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer, which can lead to security problems.
In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users' privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes that there is no doubt that some sites use cookies as a mechanism for malicious use, but there is nothing that makes them uniquely suited for this task, as there are many other equivalent ways to store unique identifiers on visitors' computers, such as cache-based tags.
Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks whether the current model of web scripting is fundamentally incompatible with the way human beings work. This leads to the question of whether it is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.
Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war are around security, which is a good thing for everyone.
Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.
One of the more powerful frameworks the chapter deals with is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all inline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts, this can be an overwhelmingly onerous task.
The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.
Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.
For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.
Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, this is a book they should read.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Tangled Web: A Guide to Securing Modern Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
SOPA Goes Back To the Drawing Board, PIPA Postponed
New submitter rivin2e writes "SOPA has been sent back to the drawing board. 'The move came shortly after the Senate postponed a key vote on the companion PIPA bill scheduled for next week and amid calls for consensus before Congress moves forward on any legislation to address the problem of foreign piracy websites,' as written by the Los Angeles Times today. Hopefully the next draft of this bill will create a better foundation to stop piracy and not just assert control over the internet." Support for the bill eroded on Wednesday as several of its co-sponsors withdrew their support. The issue is not over, however; statements were issued by both Senator Patrick Leahy and Rep. Lamar Smith indicating that they still want to find solutions to online piracy, and Smith also wrote an editorial piece for CNN to explain why he thinks such legislation is necessary. The SOPA issue was raised at the recent GOP debate, and all four candidates spoke against it. -
Book Review: Defense Against the Black Arts
brothke writes "If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, is that book. Even if one uses the definition in The New Hacker's Dictionary of 'a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area', that really does not describe this book. The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, but rather aether to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools." Read below for the rest of Ben's review.
Title: Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It
Author: Jesse Varsalone, Matthew Mcfadden, Michael Schearer, Sean Morrissey
Pages: 412
Publisher: CRC Press
Rating: 7/10
Reviewer: Ben Rothke
ISBN: 1439821194
Summary: Good reference for someone experienced in the topic who wants to improve their skills
Defense against the Black Arts is another in the line of hacking overview books that started with the first edition of Hacking Exposed. Like Hacking Exposed, the book walks the reader through the process of how to use hacking tools and how to make sense of their output.
Defense against the Black Arts is written for the reader with a good technical background who is looking for a nuts and bolts approach to ethical hacking. Its 14 chapters provide a comprehensive overview of the topic, with an emphasis on Windows.
But for those looking for an introductory text, this is not the best choice out there. The book is written for the reader that needs little hand-holding. This is in part due to its somewhat rough around the edges text and the use of more advanced hacking tools and techniques.
By page 4, the author has the reader downloading BackTrack Linux. BackTrack is an Ubuntu-based distro which has a focus on digital forensics and penetration testing. BackTrack is currently in a 5 R1 release, based on Ubuntu 10.04 LTS and Linux kernel 2.6.39.4. BackTrack comes with a significant amount of security and hacking tools preloaded, which the authors reference throughout the book.
After showing how to install BackTrack, chapter 1 shows how to log into Windows without knowing the password. Much of that is around the Kon-Boot tool, which allows you to change the contents of the Windows kernel in order to bypass the administrator password. Tools like Kon-Boot though will only work when you have physical access to the machine.
Chapter 3 gets into the details of digital forensics and highlights a number of popular tools for forensic imaging. While the book provides a good overview of the topic, those looking for the definitive text on the topic should read Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.
Chapter 5 deals with web application penetration testing. The authors describe a number of tools that can be used to assess the security of web sites, and offer ways to attempt to manipulate data from a web page or web application.
One is likely hard pressed to find a large web site that will be vulnerable to such web attacks, given that most of them have already checked for those errors via validation control testing. Smaller vendors may not be so proactive, and find out that those $99 items are being sold for 99 cents. With that, the chapter details a number of tools developers can use to test for SQL injection, XSS and other types of web vulnerabilities.
Chapter 8 is about capturing network traffic. There are two perspectives to collecting traffic. For the attacker, it is about identifying holes and avenues for attack. For those trying to secure a network, collecting network traffic is an exercise in identifying, thwarting and defending the network against attacks.
Chapter 10 provides a brief overview of Metasploit. For those looking for a comprehensive overview of Metasploit, Metasploit: The Penetration Tester's Guide is an excellent resource. This chapter, like many of the others, provides the reader with detailed step-by-step instructions, including screen prints, on how to use the specific tool at hand.
Chapter 11 provides a long list of attack and defense tools that can be used as a larger part of a penetration tester's toolkit.
Chapter 12 is interesting in that it details how social engineering can be used. The authors show how public domain tools like Google Maps can be used to mount an attack.
Chapter 13 – Hack the Macs – is one of the shorter chapters in the book and should really be longer. One of the reasons pen testers are increasingly using Macs is that the newer Macs run on the Intel platform, and can run and emulate Windows and Linux. The increasing number of tools for the Mac, and significant Mac vulnerabilities, mean that the Mac will increasingly be used and abused in the future.
Just last week, Dr. Mich Kabay wrote in Macintosh Malware Erupts that malware specifically designed for the Mac is on the rise. This is based on progressively more and more serious malware for the Mac since 2009, given that Apple products have been increasing their market share for laptops and workstations, but especially for tablets and phones.
The article notes that one of the reasons Mac OS X is perceived as superior to Windows is because of its appearance of having integrated security. But although the design may be sound, the operating system does not prevent people from being swayed into thinking that the malicious software they are downloading is safe. With that, Apple will have to concentrate more on security and vulnerability within their operating system.
The book ends with about 30 pages on wireless hacking. The chapter provides an overview of some of the weaknesses in Wi-Fi technology and how they can be exploited. The chapter focuses on the airmon tool, part of BackTrack that you can use to set your wireless adapter into monitor mode, to see all of the traffic traversing the wireless network.
Overall, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It is a really good reference for someone experienced in the topic who wants to improve their expertise.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
EU Moves To End Surveillance Tech Sales To Repressive Regimes
superglaze writes "The European Union is asking companies that sell surveillance and law enforcement tech to repressive regimes to stop doing so. The EU is not taking concrete action yet, but has warned that sanctions may be applicable. All this comes little more than a week after Wikileaks published the Spy Files, a name-and-shame list of the companies offering tools for mass surveillance and interception to despotic regimes, but also to Western governments." -
Book Review: The CERT Oracle Secure Coding Standard For Java
brothke writes "It has been a decade since Oracle started their unbreakable campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel, Oracle still can have significant security flaws. Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely. With that, The CERT Oracle Secure Coding Standard for Java is an invaluable guide that provides the reader with the strong coding guidelines and practices in order to reduce coding vulnerabilities that can lead to Java and Oracle exploits." Read on for the rest of Ben's review.
Title: The CERT Oracle Secure Coding Standard for Java
Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Pages: 744
Publisher: Addison-Wesley Professional
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 0321803957
Summary: Definitive guide on the topic
The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.
The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.
This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.
Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code – a mandatory requirement for today's dynamic software industry, which is plagued by a spectrum of security threats and attrition.
This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injection attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.
The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favored; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.
Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more non-compliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.
Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.
Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.
Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.
The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers – dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.
The book devotes a chapter to object-oriented programming and stresses limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.
Another chapter discusses Java methods, for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.
The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent, to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling when done the right way leads to unreadable code, however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.
Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multi-threaded Java programs. The chapters don't assume that the reader has any familiarity with multi-threaded programming.
The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.
A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.
Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.
For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Java is a very useful resource that no programmer should be without.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Oracle Secure Coding Standard for Java from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Film Studios Seeking Complete Block of Newzbin2 in the UK
superglaze writes "Having got BT, one of the biggest ISPs in the UK, to block the Newzbin2 Usenet site, the Motion Picture Association is now trying to get the same result from all the other major service providers in the country. As this is likely to go through, it won't be long before most people in the UK will be unable to visit file-sharing sites at all, without using a proxy, VPN, or special client." -
Book Review: Securing the Clicks
brothke writes: "The book Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks says businesses that take days to respond to social media issues are way behind the curve. Social media operates in real-time, and responses need to be almost as quick. In a valuable new book on the topic, Securing the Clicks Network Security in the Age of Social Media, Gary Bahadur, Jason Inasi and Alex de Carvalho provide the reader with a comprehensive overview on how not to be a victim of social media based security problems." Read on for the rest of Ben's review.
Title: Securing the Clicks Network Security in the Age of Social Media
Author: Gary Bahadur, Jason Inasi and Alex de Carvalho
Pages: 368
Publisher: McGraw-Hill Osborne Media
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 0071769056
Summary: Definitive guide around social network security
Social media is now mainstream in corporate America, and even though it is hot, the security and privacy issues around it are even hotter. In the past, many firms simply said no to social media at the corporate level. But as Natalie Petouhoff of Weber Shandwick has observed, that will no longer work, as "social media isn't a choice anymore; it's a business transformation tool".
The main security and privacy issue around social media is that users will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate. Besides that, issues such as malware, vulnerabilities (cross site scripting, cross site request forgery, etc.), corporate espionage, phishing, spear phishing and more are just a few of the many security risks around social media that need to be taken into consideration.
In the book, the authors detail a framework for analyzing the corporate threats that arise from social media. The book uses the H.U.M.O.R methodology (Human resources, Utilization of resources and assets, Monetary considerations, Operations management, Reputation management) a matrix that outlines a systematic approach for developing the necessary security plans, policies and processes to mitigate social media risks.
At 325 pages, the book's 5 parts and 18 chapters provide the reader with a comprehensive overview of all of the critical areas around social media security that can be used to safeguard a firm's assets and digital rights, in addition to defending its reputation from social network-based attacks. The book covers all of the core topic areas, from assessing social media security, to monitoring in the social media landscape, threat assessments, reputation management: strategy and collaboration and more; the authors provide the reader with an enlightening overview of all of the core areas.
In chapter 1 the authors astutely note that no company today is immune to the many threats posed by a single individual, let alone a socially engaged and networked population. No firm should engage in social media before they fully understand the security and privacy risks that are being introduced. This book not only effectively does that; it also provides an all-inclusive framework around social media security.
As to the notion of the inherent security risks around social media, this was recently proven when Chris Hadnagy (author of Social Engineering: The Art of Human Hacking) and James O'Gorman, in their Social Engineering Capture the Flag results from Defcon 19, observed that information leakage via social media is a difficult problem to solve due to how it is used and the frequency with which it is used in today's society. Having access to social media from computers and cell phones means that people can update their accounts instantaneously, from anywhere. The ease with which an employee can share data can contribute heavily to information leakage.
Chapter 4 on threat assessments provides an exhaustive list of the different types of attackers and threat vectors that need to be considered when using social media. The attackers in the social media space are often different from typical IT attackers. As to threat vectors, there are a number of different vectors, both internal and external, that can impact an organization. The chapter lists those vectors and details them.
Chapter 9 – monetary considerations – strategy and collaboration– is a fascinating chapter in that it notes that in many firms, IT security budgets have not yet clearly defined the line item for social media security. In addition, trying to retrofit the IT security budget by assuming that tools already purchased for data loss prevention will also cover social media security concerns will likely be inadequate.
Chapter 11 deals with reputation management – which has the goal of building and protecting a positive Internet-based reputation, and not letting it be subverted via social media. This is a significant issue as the risk to a firm's reputation is significant and growing with the increased use of social networks.
One very helpful feature of the book that effectively brings home the message is the numerous real-world case studies in every chapter. One fascinating example in chapter 13 is about the Cooks Source infringement controversy and the nature of how not to respond to a social media issue.
The book also lists numerous tools. Chapter 13 has a comprehensive list of monitoring tools and the appendix has a list of nearly 100 tools for activity tracking, analytics, geolocation, plagiarism checking and more. These lists are extremely helpful, and the reader can start using many of these tools to get an initial pulse on the level of security around how their firm uses social media.
Chapter 14 provides excellent guidance on how to execute social media security on a limited budget. The authors suggest the use of free or inexpensive software and other resources that can be used to help a company monitor the impact of their social media infrastructure. The chapter also details how social media security can be executed on a bigger budget, via the use of more sophisticated tools that can be used to securely manage the data flows within an organization.
It will not be long until Facebook has its 1 billionth user. Given that a New York court recently referred to a user's reasonable expectation of privacy on sites like Facebook and MySpace as wishful thinking, the importance of Securing the Clicks Network Security in the Age of Social Media can't be overemphasized.
For those firms that are looking to securely use social media, and not get abused by it, this book should be required reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Securing the Clicks Network Security in the Age of Social Media from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Hot Multi-OS Switching — Why Isn't It Everywhere?
First time accepted submitter recrudescence writes "Slashdot readers might remember the Touchbook announcement from Always Innovating stirring up a lot of excitement in the Slashdot community back in 2009 (almost a year before the iPad was announced and essentially killed this off, and way before the Asus Transformer, which is essentially the same idea). The company's new product seems to support Hot multi-OS switching, supposedly with a minimal performance penalty. What seems strange to me is, why haven't other developers jumped in on this already? Macs, for instance, made a huge campaign of their products' new ability to finally support Microsoft Windows, yet (disregarding emulation options) they're still limited to booting to a single working system at any time." -
Book Review: Digital Evidence and Computer Crime
brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly." Read on for the rest of Ben's review.
Title: Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet
Author: Eoghan Casey
Pages: 840
Publisher: Academic Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0123742681
Summary: Definitive reference on the subject of digital evidence and computer crime
For those looking for an authoritative guide, Digital Evidence and Computer Crime is an invaluable book that can be used to ensure that any digital investigation is done in a formal manner, that can ultimately be used to determine what happened, and if needed, used as evidence in court.
Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.
In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.
Chapter 1 is appropriately titled Foundation of Digital Forensics, and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examples and practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely decipherable guide.
Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.
In chapter 3 – Digital Evidence in the Courtroom – Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.
Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.
Chapter 6 and other chapters reference the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.
The Good Practice Guide is important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.
Chapter 9 — Modus Operandi — by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior have not changed through the ages.
Chapter 10 – Violent Crime and Digital Evidence — is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.
Chapter 13 – Forensic Preservation of Volatile Data — deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.
Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and the processes that sophisticated tools have automated makes it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.
Chapter 17 – File Systems – has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.
The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.
The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.
This is the third edition of the book and completely updated and reedited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.
With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics, Digital Evidence and Computer Crime is an equally serious book.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Ghost In the Wires
brothke writes "During the 1990s when Kevin Mitnick was on the run, a cadre of people were employed to find him and track him down. Anyone who could have an angle on Mitnick was sought after by the media to provide a sound bite on the world's most dangerous computer hacker. Just one example is John Markoff, who became a star journalist for his work at The New York Times, and a follow-up book and series of articles based on Mitnick. In Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, the first personal account of what really happened, Mitnick says most of the stories around him were the result of the myth of Kevin Mitnick, and nothing more. In the book, he attempts to dispel these myths and set the record straight." Read below for the rest of Ben's review.
Title: Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
Author: Kevin Mitnick
Pages: 432
Publisher: Little, Brown and Company
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 0316037702
Summary: Kevin Mitnick's fascinating firsthand story
Some of the myths were that he was responsible for actress Kristy McNichol's phone being disconnected, and perhaps the most preposterous of them all, that he could whistle into a telephone and launch missiles from NORAD. The latter myth was responsible for him spending a year in solitary confinement. Mitnick notes that he thinks it was the federal prosecutor who got that idea from the movie WarGames.
But no one really knew Mitnick or what he was about. Left on his own, he would likely have been harmless. All he wanted to do was get into corporate sites, download code, play with the code and then move on to the next target. It is undeniable that Mitnick committed crimes; but it was unreasonable for the FBI to have made him a top priority for capture.
Perhaps the most widely stated myth about him is that he was strictly a social engineer without significant technical experience. While it was his gift of social engineering that facilitated his ability to get a significant amount of information from unsuspecting individuals, in many places in the book, Mitnick details technical Unix exploits that he carried out. The book makes it clear that Mitnick had the deep technical skills necessary to execute on the information he illicitly obtained.
While the book does have a lot of technical details, it mainly is about the human side of Mitnick. Chapter 1 is appropriately titled "Rough Start." He details his early days of growing up in the Los Angeles area.
These formative years as a hyperactive child, growing up with a single mom who had boyfriends that abused him and one who worked in law enforcement that molested him, may have been what led Mitnick to find solace behind a keyboard.
Mitnick writes how his first hack and entry into the world of dumpster diving was to forge bus transfers so he could ride around Los Angeles to occupy his time while his mother was at work.
In numerous places, Mitnick sincerely expresses his contrition for the pain he subjected his mother, grandmother, aunt, wife and others to.
Above and beyond his rough start, Mitnick also notes how he had his share of bad luck. He writes that too many times when he was growing up, including having to deal with various probation officers, unexplained failures in technology anywhere would be attributed to him. When the phone of his probation officers went dead, he was assumed to be the culprit.
The reality is that the world did not know what to make of Mitnick or what to do with him. It is pretty clear from the book and from every other account that Mitnick was never in it for the money. He simply was a hacker whose goal was to gain root, and nothing more. Such a notion was incredulous to law enforcement, and even to Ivan Boesky, whom Mitnick met in prison. When he briefly sat with Boesky on a prison bench, he writes that when Boesky found out he did it for the hacking thrill, Boesky replied that "you're in prison and you didn't make any money. Isn't that stupid?"
It is worth pointing out that Mitnick's escapades were radically different from those of Frank Abagnale, to whom Mitnick is often compared. In Catch Me If You Can: The True Story of a Real Fake, Abagnale writes that he impersonated an airline pilot, masqueraded as the supervising resident of a hospital, practiced law without a license, passed himself off as a college sociology professor and cashed over $2.5 million in forged checks, all before he was twenty-one. For those myriad offenses, Abagnale served five years in prison, roughly the same amount of time that Mitnick served.
Chapter 31 details how Mitnick's world turned upside down and the myth of Kevin Mitnick took hold with the now infamous Markoff 1994 New York Times article Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit. Mitnick writes that the article is what put the myth of Kevin Mitnick into overdrive, and would later embarrass the FBI into making the search for him a top priority. It also provided a fictional image that would later influence prosecutors and judges into treating him as a danger to national security.
Mitnick's eventual capture is detailed in chapter 35 — "Game Over." He notes that Assistant US attorney Kent Walker made a secret arrangement to provide Tsutomu Shimomura with confidential trap-and-trace information as well as confidential information from Mitnick's FBI file. This was done so Shimomura could intercept Mitnick's communications without a warrant, under the premise that Shimomura was not assisting the agency, rather he was working for the ISP.
Mitnick writes that he was never charged with hacking Shimomura, as it would have exposed the gross misconduct of the FBI, who apparently violated Federal wiretapping statutes in the rush to track him down.
Overall, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker is a most interesting read. While the book does go into technical details of how Mitnick carried out his attacks, editor William Simon provides the editorial assistance needed and makes the book extremely readable and enjoyable. Much of the book's readability is due to Simon, and Mitnick acknowledges this.
When a convicted felon writes a book emotions run high. In some ways, Mitnick's story is that of redemption. He did wrongs, paid his dues and is trying to move forward. Something like that should be admired. Never does Mitnick downplay his guilt or make Dan White-like excuses.
But some people will never let a person like Mitnick let go of the past. In his review of the book, Rich Jaroslovsky, a technology columnist for Bloomberg News, shows no sympathy for Mitnick when he pretentiously writes that "genius comes in many forms. Kevin Mitnick has at least two, neither particularly admirable".
The book ends with Mitnick's release from prison and provides the reader with a fascinating story of one of the most recognized information security personalities. Ghost in the Wires is an interesting account of one of the most well-known information security personalities.
Mitnick's years on the run were simply a media circus, and in the years after his parole he found the terms of his probation so restrictive that he could not touch a keyboard. Ghost in the Wires: My Adventures as the World's Most Wanted Hacker is an autobiography long in coming and worth the wait.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Ghost in the Wires: My Adventures as the World's Most Wanted Hacker from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Victory For Music Locker Services?
Joining the ranks of accepted submitters, Gaygirlie writes "Michael Robertson, the owner and founder of the MP3Tunes music locker service, has been locked in a copyright infringement case with EMI Records for a while now, especially because of the Sideloading search engine that is tacked along with the locker service. Now the case has been resolved though: EMI Records won. But lost on all the accounts that actually really matter." The important parts here are that MP3Tunes was granted safe harbor protection under the DMCA, and that merging multiple copies of the same file doesn't make distributing that master copy a public performance. -
Google Grabbed Locations of Phones, PCs
1800maxim writes "As it turns out, Google didn't only grab the hotspot SSIDs and MAC addresses with its Street View cars. As this article at CNET notes, Google also recorded location data of computers using wireless cards, as well as cell phones and other Wi-Fi devices. Google's explanation is that the data collection was accidental, and they declined to answer further questions from CNET." -
Why UK FM Needn't Be Killed For Broadband
superglaze writes "Alarmed by rumours of the UK telecoms regulator Ofcom considering a shut-down of FM radio in order to give more spectrum over to broadband, ZDNet UK's Rupert Goodwins has proposed another idea: the reuse of the mostly disused 'Band I' and the creation of a new, national open mesh network — a plan that could bring internet connectivity to everyone at very low cost." -
Book Review: Surveillance Or Security?
brothke writes "Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize. It is not about security, but it deals extensively with it. It is not a law book, but legal topics are pervasive throughout. It is not a telecommunications book, but extensively details telco issues. Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times." Read below for the rest of Ben's review.
Title: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Author: Susan Landau
Pages: 360
Publisher: MIT Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 9780262015301
Summary: Definitive text on the topic of surveillance, security and privacy
Surveillance or Security? is one of the most pragmatic books on the topic in that the author never once uses the term Big Brother. Far too many books on privacy and surveillance are filled with hysteria and hyperbole and the threat of an Orwellian society. This book sticks to the raw facts and details the current state, that of insecure and porous networks around a surveillance society.
In this densely packed work, Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University, details the myriad layers around surveillance, national security, information security and privacy. Landau writes that her concern is not about legally authorized law enforcement and national security wiretapping, rather about the security risks of building surveillance into communications infrastructures.
Landau details numerous reasons why communications security is hard to do right, but an imperative for our ultimate security, privacy and digital wellbeing.
In 250 pages, Landau makes a compelling case. In addition to her superb handle on the topic, the book has over 80 pages of footnotes, where every quote, statement and claim is verified and confirmed. The book is a great launching pad for a much deeper analysis on the topic.
The main theme of the book is that digital communications have revolutionized the way in which society interacts. The Internet is now the lifeblood of many businesses and governments, including a significant part of our critical infrastructure. The fact that this infrastructure lacks comprehensive security and privacy controls is a troubling concern.
In 11 dense chapters, Landau notes that since security and privacy have not been fully integrated into this infrastructure, this leaves us exposed and vulnerable to cyberattacks.
In the introduction, Landau notes that with this new computing and telecommunications paradigm, the job of law enforcement has become much more challenging. In previous years, surveillance was relatively easy. Once law enforcement had physical access to a phone line, they were in. Today, with cell phones, VoIP, Internet cafes, anonymizing services and more, the dynamics have changed and this has caused quite a shock for law enforcement, who are often struggling to deal with this new paradigm.
Landau notes that the surveillance and eavesdropping technologies that have been deployed since 9/11 are being used to catch one set of enemies. But other antagonists may be poised to turn these tools against us, and we are putting into place something for our enemies to use that they could not afford to do on their own. As to this and other difficult questions that Landau brings up, there are no simple answers.
Chapter 3 — Securing the Internet is Difficult — notes that the original creators of TCP/IP did not have security in their design. Their concerns were more along the lines of traffic breakdowns, packet loss, robustness and more, but not security and privacy. In some ways, this may have been a blessing, as Dennis Jennings, who ran the NSFNET, states that "had we known what was to come, we'd have been terrified and the Internet would never have happened."
In chapter 5 — The Effectiveness of Wiretapping – Landau notes that the biggest use of wiretapping tools is not actually the capture of conversation, but something that is not really wiretapping at all: the capture of transactional information.
Chapter 7 – Who are the Intruders? What are They Targeting? – is one of the best chapters in the book. Landau details both the internal threat and industrial espionage, and it is not a pretty picture. Landau provides numerous cases where nation-states used networks, rather than people, to infiltrate US interests, governmental, industrial and scientific areas. She notes that these insider attacks are often the most difficult to detect, the reason being that insiders know the systems, know where the important data is, and what the auditors are looking at. This ultimately makes insider attacks particularly pernicious.
So how significant are nation-states infiltrating US networks? Landau quotes a confidential government source that the NASA network was "completely open to the Chinese".
Landau makes her message loud and clear in chapter 8 when she notes that it does not help to tell people to be secure; rather security must be built into their communications systems. Security must be ubiquitous, from the phone to the central office and from the transmission of a cell phone to its base station to the communications infrastructure itself.
In chapter 9 – Policy Risks Arising from Wiretapping – Landau details how deep packet inspection (DPI) is used by ISPs. It is the ISPs who have the capability to know what you are browsing, what your email says, your VoIP conversation and much more. In a short amount of time, the ISP can develop a dossier on the user, and as noted, it has the ability to amass data to an amount that the Stasi could only dream of. This surveillance ability is what is most troubling to the author.
Landau continues that the only way for a person to avoid the risk from ubiquitous uses of DPI by an ISP would be to encrypt everything. While not completely done now, Gmail and Skype do bulk encryption.
The book closes with chapter 11 – Getting Communications Security Right – and there are no easy answers. Landau notes that across the globe, there are projects on clean-slate network architectures. But our current infrastructure is quite insecure and porous.
Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is an extremely important book on the topic of the many risks posed by new wiretapping technologies. Landau has the remarkable talent of taking very broad issues and detailing them in a concise, yet comprehensive manner. The book should be seen as the starting point for discussion on a most important topic.
Landau does an excellent job of detailing how unwarranted surveillance can undermine security and affect our rights, while noting that security for every citizen is paramount to the very spirit of the Constitution.
The book closes with the very principles of what it means to get communications security right, and notes that adhering to these principles cannot guarantee that we will be completely secure. But failure to adhere to them will guarantee that we will not.
As to Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, required reading it is, but that term does not do justice to the importance of this book. Simply put, this book is the definitive text on the topic and it is a title that needs to be read.
Reviewer Ben Rothke (@benrothke) is the author of Computer Security: 20 Things Every Employee Should Know
You can purchase Surveillance or Security?: The Risks Posed by New Wiretapping Technologies from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Space Station To Get HD Streaming Video Camera
superglaze writes "A high-definition streaming video camera is to be installed on the International Space Station within a year. Built in the UK, the camera will hopefully provide a Google Earth-quality view on our planet, and the stream will be viewable — complete with zooming and panning capabilities — on the web." -
Best Buy Releases Their Own Music Cloud
thewebblogger writes "In a move that more resembles 'me too' behavior rather than a well planned release, Best Buy has announced their own music cloud service, called simply Best Buy Music Cloud. The functionality is not complete yet; iOS / Android applications are not available at this point, and the only part that works is the Web Player. The premium version will cost $3.99/month and you'll have to upload your own music. iTunes is mandatory." -
Microsoft Releases Kinect SDK For Windows
soricon writes "Microsoft made good on its promise to release an official Kinect SDK for Windows, opening the door for multiple educational, research and enthusiasts groups to create new and innovative uses for the popular full body movement sensor. Currently in beta, the SDK requires Windows 7 and at a minimum, a dual core machine with a DirectX 9.0c capable graphic card and it is free to download." -
CSS 2.1 Becomes W3C Recommendation
yuhong writes "After about a decade of development, CSS 2.1 has become a W3C recommendation. From the announcement: 'The current interoperability makes it easier than ever for developers and designers to enrich the toolkit. W3C expects future additions to CSS to be organized as independent modules, allowing smaller, more focused feature sets to progress and stabilize at their own pace. Some of these new features are already supported in browsers and other software in draft form (using the built-in CSS prefix mechanism designed for experimentation). As interoperability improves for each one, developers can transition to the standard to simplify their code. The CSS Working Group also publishes snapshots of which CSS features are supported interoperably in browsers; see, for instance, the most recent CSS Snapshot.'" -
Book Review: CERT Resilience Management Model (RMM)
brothke writes "If Gartner were to have created the CERT-RMM framework like what is detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience, it likely would be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization." Keep reading for the rest of Ben's review.
Title: CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience
Author: Richard Caralli, Julia Allen, David White
Pages: 1056
Publisher: Addison-Wesley Professional
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 0321712439
Summary: Book details a superb method to tame the out of control world of IT operations
The CERT-RMM is a capability model for operational resilience management. Put more simply, it is a method to tame the out of control world of IT operations.
CERT notes that the model has two primary objectives: to establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model. And to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.
In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad-hoc manner, the CERT-RMM should be a welcome relief to most organizations.
The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.
CERT-RMM v1.1 comprises 26 process areas that cover four areas of operations resilience management: enterprise management, engineering, operations and process management.
In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled people and resources, procedures and methods that define and connect tasks and activities, and processes to provide structure and stability towards the achievement of common objectives and goals.
The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.
But for those that are looking to CERT-RMM for a quick fix to a decades old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.
At just over 1,000 pages, the book is a treasure-trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.
The main textual part of the book covers 2 parts and 7 chapters which make up the first 120 pages. These 2 parts provide a comprehensive overview of the CERT-RMM and an overview of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.
Focusing on information security, the authors intelligently observe in chapter 2 that historically information was viewed as a technology problem and relegated to the IT department. The problem though with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete; not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes; resulting in operations that are quicker, cheaper, and ultimately, more resilient.
In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge though is for the organization to be able to understand the relationships in the CERT-RMM model and connect them to their own organization. CERT-RMM is certainly not for the fainthearted. But for those that are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.
The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad-hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.
In chapter 5, the authors make an important point in that CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or prescriptive path. Rather, process improvements are unique to each organization, for which the CERT-RMM provides the basic structure to enable enterprises to chart their own specific improvement paths using the model as a guide.
Chapter 6 on Using CERT-RMM notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significance. But the enterprise-wide nature of the model does not mean that it can't be adopted at more discrete levels.
Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.
Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.
When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOPs). Industries such as aviation, manufacturing and pharmaceuticals have SOPs deeply embedded in their processes. The SOPs in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.
If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that if deployed, can ensure an all-embracing approach to systems management and control.
Often books with numerous authors lack a sense of style and symmetry. With 3 authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors is a CERT veteran who brings considerable experience, which is pervasive throughout the book.
But as good as the CERT-RMM is, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires such discipline and a long-term approach as CERT-RMM does.
But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM is a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.
For all the others, they should at least use the CERT-RMM incident management and control process area to deal with the many security incidents and breaches they will inevitably have to contend with.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Celebrating the Sci-fi Ray Gun
brumgrunt submitted the latest Den of Geek compilation story: this week it's the science fiction ray guns. From Han Solo's blaster to the Forbidden Planet, there's a lot of nostalgia to get your pew pew out. -
Book Review: Network Security Auditing
brothke writes "Network Security Auditing is touted as the complete guide to auditing security, measuring risk, and promoting compliance. The book lives up to its promise and is a comprehensive reference to all things network security audit related." Read below for the rest of Ben's review.

Title: Network Security Auditing
Author: Chris Jackson
Pages: 528
Publisher: Cisco Press
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 1587053527
Summary: Excellent, highly technical and detailed reference

At almost 450 pages, the book covers all of the key areas around network security that are of relevance to those working in information security. As a Cisco Press title, written by a Cisco technical solutions architect, the book naturally has a heavy Cisco slant to it. Nonetheless, it is still an excellent reference even for those not working in a Cisco environment. While the first 3 chapters of the book provide an overview that is great even for a security newbie, the overall style of the book is highly technical and comprehensive.
Chapters 1-3 provide an introduction to the principles of auditing, information security and the law, and governance, frameworks and standards. Each chapter is backed with a significant amount of information and the reader is presented with a thorough overview of the concepts.
Chapter 3 does a good job of providing the reader with the details of current frameworks and standards, including PCI DSS, ITIL, ISO 17799/27001 and others. Author Chris Jackson does a good job of explaining the differences between them and where they are best used. Given this is a Cisco-centric book, he also shows how the various Cisco security products can be integrated for such regulatory and standards support.
Throughout the book, the author makes excellent use of many auditing checklists for each area that can be used to quickly ascertain the level of security audit compliance.
Chapter 6 is perhaps the best chapter in the book on the topic of Policy, Compliance and Management, and the author provides an exceptionally good overview of the need for auditing security policies. This is a critical area as far too many organizations create an initial set of information security policies, but subsequently never take the time to go back and see if they are indeed effective and providing the necessary levels of data protection.
Jackson notes that assessing the effectiveness of a policy requires the auditor to look at the policy from the viewpoint of those who will be interpreting its meaning. A well-intentioned policy might recommend a particular course of action, but unless specific actions are required, there is little an organization can expect the policy to actually accomplish to help the organization protect its data assets if it is misinterpreted.
The chapter suggests that the auditor ask questions such as: is the policy implementable, enforceable, easy to understand, based on risk, in line with business objectives, cost effective, effectively communicated and more. If these criteria are not well-defined and delineated, then the policies will exist in text only, offering little information security protection to the organization.
Jackson also writes of the need to measure how well policies are implemented as part of a security assessment. He suggests using a maturity model as a way to gauge where the organization is in its evolution towards fully integrating security into its business processes, or whether it already has a formal integration process in place.
In chapter 8 on Perimeter Intrusion Prevention, Jackson writes that protecting a network perimeter used to be a relatively easy task. All an organization would have to do is stick a firewall on its Internet connection, lock down the unused ports and monitor activity. But in most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and more; and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network.
Chapter 8 provides a detailed framework on how to perform a perimeter design review and assessment. As part of the overall review, the chapter details other aspects of the assessment, including the need for reviews of the logical and physical architectures, in addition to a review of the firewall. Jackson also lists a large number of security tools that can be used during an audit.
Chapter 11 covers endpoint protection with a focus on the end-user. Jackson notes that users never cease to amaze with their abilities to disappoint by opening suspicious file attachments, running untrusted Facebook applications, and much more. The book notes that organizations today face significantly higher levels of risk from endpoint security breaches than ever before due to our highly mobile and connected workforce.
The chapter details an endpoint protection operational control review that can be used to assess the organization's processes for identifying threats and performing proactive management of endpoint devices. While the chapter is quite Cisco-centric, with references to the Cisco SIO (Security Intelligence Operations) and a number of other Cisco products, the chapter does provide a good overview of the fundamentals of endpoint protection and how to do it the right way.
Overall, Network Security Auditing is a highly technical and detailed reference that makes for an excellent primary reference on the fundamentals of information security. With ample amounts of checklists, coding references, detailed diagrams and just the right amount of screen shots, it makes an excellent guide that any member of an IT or security group should find quite informative.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Network Security Auditing from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
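The firewall review that the perimeter chapter of Network Security Auditing calls for ("lock down the unused ports") is the kind of check that is easy to automate once the ruleset is in hand. The following is an added example, not code from the book, from Cisco or from the reviewer: it parses a constructed iptables-save style listing, compares the INPUT chain against an assumed list of approved service ports, and flags the findings an auditor would write up (a permissive default policy, an any-any accept, an unapproved open port, and an admin port with no source restriction). The sample ruleset, APPROVED_PORTS and ADMIN_PORTS are all assumptions for illustration.

```python
"""Minimal firewall ruleset audit over an iptables-save style listing.

Added example for a perimeter/firewall review; not code from the book or
from Cisco. The ruleset, the approved-port list and the admin-port list
are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in iptables-save format (assumed host: a web server
# that should expose only 443 to the Internet and SSH only to internal ranges).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

APPROVED_PORTS = {"443"}   # assumed: services approved for Internet exposure
ADMIN_PORTS = {"22"}       # assumed: allowed only with an explicit source range

# iptables options this audit models, mapped to Rule attributes.
FLAGS = {"-p": "proto", "-s": "src", "--dport": "dport", "-i": "iface", "-j": "target"}


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[str] = None
    iface: Optional[str] = None
    raw: str = ""


def parse_rules(text):
    """Return (chain default policies, list of Rule) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <options> -j TARGET"
            toks = line.split()
            fields = {"chain": toks[1], "raw": line}
            i = 2
            while i < len(toks):
                attr = FLAGS.get(toks[i])
                if attr and i + 1 < len(toks):
                    fields[attr] = toks[i + 1]
                    i += 2
                else:                            # option not modelled (-m, --ctstate, ...)
                    i += 1
            rules.append(Rule(**fields))
    return policies, rules


def audit(policies, rules):
    """Return (code, detail) findings for the INPUT chain."""
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append(("POLICY", f"INPUT default policy is {policies.get('INPUT')}, expected DROP"))
    for r in rules:
        if r.chain != "INPUT" or r.target != "ACCEPT":
            continue
        if r.iface == "lo" or "--ctstate" in r.raw:  # loopback and return traffic are expected
            continue
        if r.dport is None:                            # no port restriction at all
            findings.append(("ANY-ANY", r.raw))
        elif r.dport in ADMIN_PORTS:
            if r.src is None:                          # admin service open to the world
                findings.append(("ADMIN-PORT-UNRESTRICTED", r.raw))
        elif r.dport not in APPROVED_PORTS:            # open port nobody signed off on
            findings.append(("UNAPPROVED-PORT", r.raw))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(*parse_rules(text))


if __name__ == "__main__":
    for code, detail in audit_text(SAMPLE_RULES):
        print(f"{code:25} {detail}")
```

Run against the sample it reports three findings: the ACCEPT default policy, the unapproved port 3306, and the trailing any-any rule; the SSH rule passes only because it carries an internal source range. Feed it the output of `iptables-save` from a real host and adjust the two port sets to what the business actually approved.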
Are We Suffering Origin Story Fatigue?
brumgrunt writes "As more and more franchise movies look to cover the origin story of a character again and again, Den Of Geek wonders why film studios aren't looking a little harder for interesting stories to tell..." -
Chinese Censors Crack Down on Time Travel
H_Fisher writes "Disrespect the Chinese government at your peril ... and this includes anything you do with the past. Time magazine's Techland blog reports that China is banning references to time travel which are disrespectful to the nation's culture and history. No word on whether this includes a travel ban on time lords." -
The Decreasing Impact of Death In Sci-fi
brumgrunt writes "Are science fiction TV shows and movies overusing death as a plot device? And, more crucially, do any of us believe that a dead character is really dead any more?" -
The Nintendo 3DS, Headaches, and Bad Journalism
brumgrunt writes "A British paper is claiming that the Nintendo 3DS poses some kind of health risk. The claim sounds interesting, until you see how that conclusion was reached. 'On the 6th of April, the paper conducted a scientific experiment in which a 22-year-old member of the staff had his blood pressure and pulse taken after playing the 3DS in different situations – at rest, while walking, or while taking a ride in a car. The Sun came to the startling conclusion that the man’s pulse and blood pressure were higher while walking than while sitting down, yet concluded, apropos of nothing, “Children should not be left to play on it for hours.” The article neglects to point out that a raised blood pressure and pulse is perfectly normal, and you’re as likely to experience such a physical response while walking and reading a book as you are when playing the 3DS.'" Pocket Gamer posted a humorous follow-up, using the Sun's own methods against it.