Domain: rothke.com
Stories and comments across the archive that link to rothke.com.
Stories · 36
-
The Myths of Security
brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Author: John Viega
Pages: 260
Publisher: O'Reilly Media
Rating: 8
Reviewer: Ben Rothke
ISBN: 978-0596523022
Summary: A contrarian provides an interesting look at the information security industry
The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore place themselves and the systems they are working on in danger. Malware finds computers to load on, often in part due to users who are oblivious to the many threats.
Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype about, many of the often skeptical views he writes about show that what many may perceive as information security truths are indeed security myths.
From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.
The book is made up of 48 chapters on various so-called myths. Most of the chapters are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, spanning various security technologies, issues, risks, and people.
While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myths are chapter 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses? But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.
In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.
Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.
Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is a good introduction to information security. While well-written and thought-provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of information security, and the reader, either security pro or novice, comes out much better informed.
While the author makes it clear he works for McAfee, and at times takes the company to task, the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.
Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the book's arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what is going on. They are worth perusing, and the book is definitely worth reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page. -
Tetraktys
brothke writes "Imagine for a moment what his novels would read like if Dan Brown got his facts correct. The challenge Brown and similar authors face is to write a novel that is both compelling and faithful to the facts. In Tetraktys, author Ari Juels is able to weave an interesting and readable story, and stay faithful to the facts. While Brown seemingly lacks the scientific and academic background needed to write such fiction, Juels has a Ph.D. in computer science from Berkeley and is currently the Chief Scientist and director at RSA Laboratories, the research division of RSA Security." Read below for the rest of Ben's review.
Tetraktys
Author: Ari Juels
Pages: 351
Publisher: Emerald Bay Books
Rating: Excellent debut novel by Ari Juels
Reviewer: Ben Rothke
ISBN: 978-0982283707
Summary: Intriguing cryptographic thriller
The book, which might be the world's first cryptographic thriller, tells the story of Ambrose Jerusalem, a gifted computer security expert, still haunted by his father's death, a few months shy of his doctorate, who has a beautiful and loving girlfriend, and a bright future ahead of him. That is, until the government gets involved and Jerusalem's plans are put on hold when the NSA asks him to join them to track down a strange and disturbing series of computer breaches.
Tetraktys, like similar thrillers, has its standard set of characters: from corrupt State Department and World Bank officials, a dashing protagonist with a long-suffering girlfriend, to mysterious and obscure terrorist groups. The terrorist group in the book is comprised of followers of Pythagoras.
As to the title, a tetraktys is a triangular figure of ten points arranged in four rows, with one, two, three, and four points in each row. It is a mystical symbol and was most important to the followers of Pythagoras. While mainly known as the creator of the Pythagorean theorem, Pythagoras of Samos was an influential Greek mathematician and founder of the religious movement of Pythagoreanism. Those wanting more information can watch a video about the symbol.
As to the storyline, the NSA is trying to recruit Ambrose as they feel that the terrorists, who form a secret cult of followers of Pythagoras have broken the RSA public-key algorithm. Breaking RSA is something that is not expected for many decades, but if a revolution in factoring numbers were to occur sooner, RSA's demise could happen that much quicker. And if RSA was indeed broken by the antagonists, it would undermine the security of nearly every government and financial institution worldwide and create utter anarchy.
A good part of the book centers on the cult of Pythagoras. Its followers believe that truth and reality can only be understood via their system of numbers. The NSA needs Jerusalem's assistance as he is one of the few people who have the mathematical, classical and philosophical background to help them. It is he who ultimately connects the dots that the Pythagoreans have left, which leads to the book's dramatic conclusion.
The book is a most enjoyable read and one is hard pressed to put it down once they start reading it. The reader gets a good understanding of who Pythagoras was and his worldview via Juels' weaving of Pythagorean philosophy into the storyline.
While the book is not autobiographical, there are many similarities between Ambrose Jerusalem and Ari Juels: from identical initials, to their lives and events in Berkeley and Cambridge, to RSA and more.
For a first book of fiction, Tetraktys is a great read. As a novelist, Juels' style approaches that of Umberto Eco, in that he weaves numerous areas of thought into an integrated story. Like Eco's works, Tetraktys has an arcane historical figure as part of its storyline, and an intricate plot that takes the reader on many, and some unexpected, turns. While not as complex and difficult to read as Eco, Tetraktys is a remarkable work of fiction for someone with a doctorate in computer science, not literature.
The book though does have some gaps, but that could be expected for a first novel. The reader is never sure what the Pythagoreans are really after or why they have resurfaced, and one of the characters is killed, for reasons that are not apparent. Readers who want more information can visit the Tetraktys web site.
As to the book's protagonist, Ambrose Jerusalem is to Juels what Jack Ryan is to Tom Clancy, meaning that his adventures are just beginning, and that is a good thing.
For those interested in a cryptographic thriller, Tetraktys is an enjoyable read. The book interlaces Greek philosophy, mathematics, and modern crime into a cogent theme that is a compelling read. And if the exploits of Ambrose Jerusalem continue, we may have found the successor to Umberto Eco.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Tetraktys from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The Geek Atlas
brothke writes "A recent search on Amazon for travel guides returned over 30,000 results. Most of these are standard travel guides to popular tourist destinations which advise the reader to go to the typical tourist sites. The Geek Atlas: 128 Places Where Science and Technology Come Alive is a radically different travel guide. Rather than recommending the usual trite destinations, which are often glorified souvenir stores, the book takes the reader to places that make science real and exciting, and hopefully those who exit such places are more knowledgeable than when they went in." Read on for the rest of Ben's review.
The Geek Atlas: 128 Places Where Science and Technology Come Alive
Author: John Graham-Cumming
Pages: 542
Publisher: O'Reilly Media
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0596523206
Summary: A fascinating and enjoyable read
Irrespective of its travel content, The Geek Atlas is a unique and fascinating read for the information and overview of its wide range of topics. If there is a fault in the book, it is with its title. When people see Geek Atlas, they might think that this is a book that takes the reader to boring and obscure places, which is the exact opposite of its intent.
Author John Graham-Cumming writes that you won't find tedious, third-rate museums, or a tacky plaque stuck to a wall stating that "Professor X slept here." Every place he recommends is meant to have real scientific, mathematical, or technological interest.
Each of the book's 128 chapters is separated into 3 parts: a general introduction to the place with an emphasis on its scientific, mathematical or technological significance; a related technical subject covered in greater detail; and practical visiting information. So while you may not be able to make it to the Escher Museum (chapter 29) in The Hague, Netherlands, the information on how M.C. Escher used impossible shapes, which the chapter describes, is a fascinating read on its own.
Graham-Cumming notes that a disappointing trend with science museums today is a tendency to emphasize the wow factor without really explaining the underlying science. He notes the following 3 attributes of such museums: a short name ending with an exclamation mark, a logo featuring pastel colors or a cuddly cartoon mascot, or an IMAX theater.
Why does the book specifically have 128 places listed? See chapter 58, for the National Museum of Computing in Bletchley, UK. Graham-Cumming notes that your average travel guide would have listed perhaps 100 or 125 places. 128 is a round binary number (10000000). Of course, those who are binary obsessed might wonder why this book is not titled 10000000 Places Where Science and Technology Come Alive.
The 128 places listed are for the most part divided equally between sites in Europe and the USA, with a few in the Far East and Russia. A complete listing of the sites is mapped on the book's web site. Africa for some reason seems to be left out and perhaps a follow-up volume will fill that void. Of course, one could argue that Africa has had a minimal contribution to the world of science, mathematics and technology. Nigeria for example is famous for its 419 advance-fee fraud, but not its overabundance of contributors to physics.
For the US locations, there are locations for 25 states, with California being the biggest with 7 suggested places to visit. With that, it is surprising that the book lists the HP Garage, given that it is not open to the public and only serves as a shack to be photographed. Other places such as the US Navy Submarine Force Museum and MIT Museum are indeed more visit worthy.
The tours of some of the sites, like the HP Garage, will take less than an hour or so (chapter 42 — Bunhill Fields Cemetery, London, UK), while at others one can spend a half or full day at the site.
While The Geek Atlas is touted as a travel guide, it is much more than that. Its 128 chapters are a wide-ranging overview of science and mathematics. Topics run the gamut from physics and pharmacology to transistors and optics. In fact, the book would make a superb syllabus for an introduction to science course. The plethora of subjects covered, combined with its easy-to-read and absorbing style, makes it a fantastic book for both those that are scientifically challenged, yet curious, and those that have a keen interest in the sciences.
The Geek Atlas is a fascinating and enjoyable read; in fact, I found it hard to put down. Let's hope the author is working on a sequel with the next 256 additional places where science and technology come alive.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Geek Atlas: 128 Places Where Science and Technology Come Alive from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Beautiful Security
brothke writes "Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview to the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field and each author brings their own unique insights and approach to information security." Keep reading for the rest of Ben's review.
Beautiful Security: Leading Security Experts Explain How They Think
Author: Andy Oram and John Viega
Pages: 300
Publisher: O'Reilly Media
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-0596527488
Summary: An eye-opening book that will challenge you
A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who create defenses around digital assets must similarly use creativity when designing an information security solution.
Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.
The 16 essays, arranged in no particular theme, are meant to show how fascinating information security can be. This is in defense against how security is often perceived: as an endless series of dialogue boxes and warnings, or some other block to keep a user from the web site or device they want to access. Each of the 16 essays is well-written, organized and well-argued. The following 4 chapters are particularly noteworthy.
Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be effectively used, rather than simply being a vehicle for creating random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science, instead of an art. With that, author Elizabeth Nichols notes that the security profession needs to change in ways that emulate the medical professional when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics in the same way in which physicians work. The chapter also provides excellent insights on how to use metrics, in addition to high-level questions that can be used to determine how effective security is within an organization.
Chapter 6 deals with online advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observed a problem with the online supply chain world, as opposed to the brick and mortar (BAM) world, in that BAM companies have long-established procurement departments with robust internal controls, and carefully trained staff who evaluate prospective vendors to confirm legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which online advertising is a victim too.
Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements that he has found, and shows how often web ads that tout something for free are most often far from it.
Chapter 7 is about PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmermann and current PGP CTO Jon Callas. It has been a long while since Zimmermann has written anything authoritative about PGP, so the chapter is a welcome one. Zimmermann and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model, and the recent enhancements that bring PGP's web of trust up to date.
Chapter 9 is one of the standout chapters in the book. Mark Curphey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphey deals with topical issues such as cloud computing, social networks, security economics and more. Curphey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair — "it's difficult to get a man to understand something when his salary depends on him not understanding it." He uses the quote to challenge listeners (and readers in this case) to question the reason why they are being presented the specific ideas, which serves as a reminder of common, subtle biases for thoughts and ideas presented as fact.
In its 250 pages, Beautiful Security is both a fascinating and enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper which don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.
For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you, and change the way you think about information security. It is a good book for those who think information security is simply about deploying hardware, and an even better book for those who truly get information security.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Beautiful Security: Leading Security Experts Explain How They Think from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The Road to Big Brother
brothke writes "In The Road to Big Brother: One Man's Struggle Against the Surveillance Society, Ross Clark journals his struggles to avoid the myriad CCTV cameras in his native England. That's difficult given the millions of cameras in public locations there. Before going forward, the use of the term 'Big Brother' in both the title and throughout the book is erroneous. Big Brother has its roots in George Orwell's novel 1984 and refers to an omnipresent, seemingly benevolent figure representing the oppressive control over individual lives exerted by an authoritarian government. The term has been misappropriated to describe everything from legitimate crime-fighting, to surveillance cameras, to corporate e-mail and network usage monitoring. Localities that deploy CCTV cameras in public thoroughfares in the hope of combating crime are in no way indicative of the oppressive control of Orwell's Big Brother. Should we be concerned that such a scenario plays itself out in Ross Clark's UK or in the US? Likely no, as US government agencies are widely decentralized and isolated. Just getting the networks within a single federal agency unified is a daunting task; getting all of the agencies to have a single unified data sharing mechanism is a pipe-dream. Look at it this way: the US Department of Defense has more networks than some countries have computers." Read below for the rest of Ben's review.
The Road to Big Brother: One Man's Struggle Against the Surveillance Society
Author: Ross Clark
Pages: 200
Publisher: Encounter Books
Rating: Powerful topic, but poor delivery and answers.
Reviewer: Ben Rothke
ISBN: 978-1594032486
Summary: One man's account of how to dodge Britain's millions of CCTV cameras and other forms of surveillance
The Road to Big Brother details Clark's attempt to be invisible to the millions of CCTV cameras in Britain, and details other types of national and agency databases and how they can be misused.
Clark notes astutely that while much data is being gathered, often the most important clues are missed, and a lack of proportion often is the result.
Some of the book's observations are flawed. In chapter two, Clark writes that VeriChip markets its RFID chips with the aim of speeding the passage of authorized people through security checks. But its Verimed chip is made for patient identification and emergency patient management in hospitals. In Chapter 11, Clark comments that Facebook is essentially a forum for drunken college students who cannot conceive that any harm could come from disporting themselves in semi-naked poses for everyone to see. There is no indication that the comment was meant to be humorous, and there are many legitimate sober uses for Facebook.
Perhaps the worst distortion of the Big Brother hysteria, of which the book provides no source, is the claim that the CIA and FBI appears to know what airline meals a person chooses when they cross the Atlantic. Terrorists do their best to be stealthy, and will likely opt to bring their own special meal, rather than stand out and request a special one. It is not clear what the CIA and FBI hope to gain with such data.
The book documents numerous CCTV failures, from Brighton, England to Baltimore, Maryland. Chapter 3 has a 2005 quote from the Maryland Attorney General stating that CCTVs had yet to solve a single crime. The book also repeats the problem of fuzzy CCTV images and highlights other technology failures as far back as 1998. Surveillance technology has significantly advanced in the last 3 years, let alone the last decade. Focusing on failures from a decade ago is in no way indicative of the state of the art, nor does it do anything to solve the problem Clark addresses.
In the last 60 days alone, CCTV has been used to identify the alleged Craigslist Killer and the shooter at Wesleyan University. While Clark may not realize it, CCTV and other related technologies have indeed revolutionized law enforcement. The underlying problem is that Britain's millions of cameras were deployed in the hope that they could magically solve crime. Cameras alone achieve nothing; but CCTV combined with trained humans and other crime prevention and detection methods is a powerful set of tools that many police departments are embracing.
The book notes that two CCTV schemes were sold to UK police in 2001 with the premise that they would eliminate crime and increase the number of visitors by 225,000 a year. Any police department that would believe such a marketing claim, without pilot testing and proof of concept, should itself be arrested for ineptitude.
The book would be better off quoting this year's CCTV successes, rather than those of obsolete equipment. As to the fuzzy image problem, newer, more powerful and often inexpensive cameras easily and quickly solve that predicament.
All is not lost on the book. Chapter 8 — Me and My ID is one in which Clark documents how ineffective national identification cards are. National ID cards are all the rage and are being deployed in the hope that they will reduce terrorism, illegal immigration and other of society's ills. Clark notes that even if national ID cards were able to identify everyone correctly, and that is a huge assumption, it is still not clear what they would achieve. National IDs have been touted to reduce insurance fraud, but medical insurance fraud is often executed not by false identification, rather by patients lying about their circumstances.
The book touches upon, but does not really answer, nor go into enough details on why people allow such pervasive use of electronic surveillance technologies to seamlessly enter society. Be it CCTV cameras that film public parks or attempt to catch speeding drivers; many are deployed with little to no protestations.
While Big Brother achieved oppressive control over individuals, the real danger of surveillance systems is that they can easily be misused. Rather than achieving their crime fighting goals, they will mislead police with myriad false positives. Part of Clark's frustration is likely that the UK Police believe in some sort of CCTV Kool-Aid that their colleagues in the US have not consumed. Why that is so prevalent in the UK is something that Clark doesn't address.
The Road to Big Brother: One Man's Struggle Against the Surveillance Society should have been a book that details the problems with a surveillance society, but often reads like it emanates from the ministry of misinformation.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Road to Big Brother: One Man's Struggle Against the Surveillance Society from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The Shadow Factory
brothke writes "The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America is the third of James Bamford's trilogy. Bamford started this with The Puzzle Palace in 1982 and Body of Secrets: Anatomy of the Ultra-Secret National Security Agency in 2001. The Shadow Factory is likely the last book Bamford will find the NSA cooperative to, given his often harsh treatment of the agency and its directors. It is also doubtful that former NSA Director Lt. Gen. Michael Hayden will grant Bamford additional dinner invitations, given his portrayal of Hayden as a weakling who could not stand up to Dick Cheney and others in the Bush administration." Read below for the rest of Ben's review.
The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America
Author: James Bamford
Pages: 416
Publisher: Doubleday
Rating: When sticking to facts: 9. When digressing: 2
Reviewer: Ben Rothke
ISBN: 0385521324
Summary: Good overview of the NSA post-9/11, but some of the author's biases get in the way
The book can be summed up with two basic themes: The top management of the NSA and CIA has not made the fundamental changes needed post 9/11, as the politicking and inter-agency squabbles are seemingly alive and well. Bamford's other premise continues to be his contempt towards Israel.
Often bands produce abysmal releases in order to fulfill contractual requirements. In some ways, The Shadow Factory is reminiscent of that; at almost half the size of Body of Secrets, and 2/3 the size of The Puzzle Palace. When the book sticks to the facts and avoids conspiracy theories, it is a fascinating read.
If nothing else, Bamford knows how to turn often mundane aspects of wiretapping and supercomputers into a gripping read. Divided into five interwoven sections, the book starts out with a fascinating account of how two of the 9/11 hijackers lived the American dream, all the while planning their devious acts. Had there been some semblance of interagency cooperation and shared databases, Khalid Al-Midhar and Nawaf al-Hazmi would have been identified in seconds.
Not only that, in the book, Bamford writes that many of the 9/11 terrorists set up shop within miles of the NSA headquarters in Maryland, and communicated with their counterparts in the Middle East, at the same time the NSA was searching the world over for them. Bamford makes the NSA seem like the Keystone Kops searching for these terrorists, while they were literally a par 5 away.
A number of the chapters detail the Bush administration's forays into its illegal wiretapping adventures and how Counsel Alberto Gonzales and Chief of Staff Andrew Card manipulated a sick and barely lucid Attorney General John Ashcroft into signing on to the program.
It has long been known that Bamford has no love lost for Israel. His previous books have incorrectly written of the details around Israel's attack of the Liberty, a US Navy technical research ship, which was sailing in the Mediterranean Sea during the Six-Day War.
The book details how Israeli high-tech data mining and surveillance companies such as Comverse, Verint, NICE and more have become indispensable to the US intelligence community. Bamford asserts that the vast majority of surveillance of telephone transmissions is done via technology from Israeli companies. He then makes the jump that the American intelligence community is placing itself at risk and that the Israeli companies will access this same information.
Such conspiracy theories are tired and old. For the longest time, there were claims that every Check Point FireWall-1 had a backdoor which the Mossad could tap into. Some years ago, the NSA even sent out a memo denying that fact, as it was getting in the way of firewall deployments at the agency.
As to Bamford's assertion of Israeli control of American intelligence, it makes great fodder for the conspiracy theory community, but lacks any sort of real evidence. What Bamford does is show that many of the founders of these companies are graduates of programs from the Israeli military, served in the same intelligence corps unit and therefore, guilty by some sort of association.
Irrespective of Bamford's deep hostility towards Israel, there is not the slightest indication that the American intelligence community was forced to purchase these Israeli products. They purchased them for their superior capabilities, produced by one of America's closest allies. What Bamford fails to mention is that Israeli and US intelligence groups have a long history of mutual cooperation. Much of the US success in its war against terror and its monitoring of Iran is due only to help from Israel.
If The Shadow Factory is meant to be a critique of the NSA, then Bamford's unsubstantiated allegations about Israel and the Mossad show the agency to be a bastion of utter incompetence. Irrespective of problems with management at the NSA, it is utterly incredible that the Mossad could single-handedly undermine the entire US intelligence effort, filling it with back doors and secret agents.
Bamford seems to be confused in his approach to the NSA. On one side, the NSA is the smartest guys in the room, successfully, surreptitiously and often illegally monitoring nearly every telephone call on the planet. They push supercomputers to the edge of the envelope and optimize every CPU cycle. Yet simultaneously, these smart guys are simply pawns of a small group of Israeli intelligence agents who have managed to develop and get their software onto various NSA projects.
In his review of the book in the New York Times, Christopher Dickey sums it up best when he writes of Bamford's habit of such conspiracy theories that "it's a fair bet that Bamford will find a way to work the bloodbath at the Taj Mahal hotel into the long NSA narrative that he began with "The Puzzle Palace" in 1982, followed up with "Body of Secrets" in 2001, and may well continue with paperback updates and further sequels after the present book. These are the kinds of details, or coincidences, that Bamford loves. In "The Shadow Factory" he piles one on top of another — events, addresses, room numbers — in a slapped-together text that often blends facts with speculation to evoke a pervasive atmosphere of conspiracy".
When Bamford is able to stick to the facts, which is about 2/3 of the book, he paints a frightening picture of the threats that the US is facing. Equally frightening was the response of the Bush administration to the threats and attacks, which in some cases made mincemeat of the Constitution. Bamford writes of Dick Cheney's attempt to give the President significantly more control, while ignoring the need for separation of powers. There are many other such instances in the book. Yet when Bamford takes off his hat of reason and attempts to connect invisible dots, Christopher Dickey's observation should be kept in mind.
Seemingly on the brink of failure, the NSA was given new life by the events of 9/11. For the astute reader who is able to discern between fact and fiction, The Shadow Factory is a fascinating look into an agency that still exists in the shadows. With a budget larger than the GDP of some countries, and a workforce that spans the globe, the NSA has long existed and thrived in the shadows that Bamford often describes so well.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Trick or Treatment
brothke writes "The recent collapse of financial companies occurred in part because their operations were run like a black box. For many years, alternative medicine has similarly operated in the shadows with its own set of black boxes. In Trick or Treatment: The Undeniable Facts about Alternative Medicine, Simon Singh and Edzard Ernst, MD, break open that box, and show with devastating clarity and accuracy that the box is for the most part empty." Keep reading for the rest of Ben's review.
Trick or Treatment: The Undeniable Facts about Alternative Medicine
Author: Simon Singh and Edzard Ernst
Pages: 352
Publisher: W. W. Norton
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0393066616
Summary: Peels away the fallacies of acupuncture, homeopathy, chiropractic and herbal medicine
I first encountered co-author Simon Singh at the 2005 RSA Conference. In his presentation, he included a demonstration of the human brain's unique capability for pattern matching when specific patterns are expected, and used Led Zeppelin's Stairway to Heaven as an example. Stairway has long been rumored to contain subliminal satanic messages. When played backwards, it is impossible to decipher any message. But when the message is known in advance, one can then hear it imploring the listener to go to Satan's tool shed. Once Singh put the purported lyrics on the overhead, the message became clear, not because of any subliminal message but through pattern matching.
While no reasonable person can believe in Stairway's subliminal lyrics, far too many people do believe in equally implausible things in the realm of alternative medicine. In the book, the authors tackle four main areas: acupuncture, homeopathy, chiropractic and herbal medicine. The book's conclusion is that acupuncture, homeopathy and chiropractic are essentially worthless, while herbal medicine has limited value.
Chapter 1 starts with an overview of evidence-based medicine (EBM), of which the authors are staunch believers. EBM applies evidence gained via the scientific method and assesses the quality of the evidence relevant to the risks and benefits of treatments. The foundation of EBM is the systematic review of evidence for particular treatments, mainly via randomized controlled trials. In the chapter, the authors reiterate the concept that the plural of anecdote is not data. Acupuncture, homeopathy and chiropractic have plenty of first-person anecdotes, but lack controlled studies with real data to back up their spurious claims.
EBM shows that homeopathy and other bogus cures are of no value, yet the public is oblivious to those facts. In a piece I wrote on this topic, New York News Radio: The Voice of Bad Science, I showed that cheap radio advertising (with its mishmash of pseudo-scientific claims), combined with a public that is ignorant of basic scientific facts, creates a perfect storm for the continuation of homeopathy and other bogus cures.
A recurring theme the book stresses is that acupuncture, homeopathy, chiropractic and other alternative therapies are scientifically impossible, and often violate fundamental scientific principles. A perfect example of this implausibility is homeopathy. Contrary to common sense and basic science, in homeopathy a solution that is more diluted is considered stronger and as having a higher potency. The issue is that the end result is a product so diluted that its contents are pure sugar in solid form and 100% H2O in liquid form. When a homeopathic liquid is in its most diluted state, there is not a single molecule of the active ingredient. Therein lies the scientific implausibility of homeopathy.
Chapter 1 also asks one of the book's fundamental questions: how do you determine the truth? The authors answer that it is via the scientific method. This is determined only after strict and careful analysis of a clinical study, of which the most effective kind is double-blind and randomized.
In chapter 3, the book jokingly notes that since homeopathic liquid remedies are so diluted that they contain only water, their only use would be for dehydration. And since homeopathy is based on the premise that the strength of a remedy is determined by its dilution, one could conceivably overdose on a homeopathic remedy by forgetting to take a dose.
The chapter concludes with perhaps the strongest indictment against homeopathy, namely its content. If one looks at the content of oscillococcinum, a homeopathic alternative marketed to relieve influenza-like symptoms, the packaging states that each gram of medication contains 0.85 grams of sucrose and 0.15 grams of lactose. Sucrose and lactose are simply forms of sugar, so oscillococcinum is nothing more than an expensive sugar pill.
In chapter 4, the authors write that while homeopathy is nothing more than a placebo, the added danger is that patients will often forgo real medications to take a homeopathic one. It reports on a study in Britain which demonstrated that even the most benign alternative medicine can become dangerous if the therapist who administers it advises a patient not to follow an effective conventional medical treatment. The study demonstrated that alternative medical practitioners often recommend homeopathic remedies for malaria and ignore proven conventional medicines. Such an approach can often mean a death sentence for the person taking the homeopathic remedy.
Chapter 5 deals with herbal medicine. The chapter is somewhat different: whereas the previous chapters about acupuncture, homeopathy and chiropractic showed them to be useless, herbal medicine does have value. The book notes that herbal medicine has been embraced by science to a far greater extent than acupuncture, homeopathy and chiropractic. The chapter lists over 30 herbal medicines and their levels of efficacy. An irony of herbal medicine is that some exotic ones, such as those with tiger bone or rhino horn, are pushing the species to the brink of extinction due to their popularity in certain parts of the world.
Chapter 5 concludes by asking why smart people believe such odd things. Alternative medicine has failed to deliver the health benefits that it claims, so why are millions of patients wasting their money and risking their lives by turning towards a snake-oil industry? The authors provide numerous reasons for this, from concepts such as natural, traditional and holistic, to attacks on the scientific method by the alternative medical community, and more.
The appendix is a rapid guide to alternative therapies and lists over 30 further treatments with their benefits and potential dangers. The appendix gives single-page summaries of the plethora of other alternative therapies, from ear candles, colonic irrigation and reiki to leech therapy and more. The authors write that most of these are bogus, many violate fundamental laws of science, and only a few have real, but limited, value.
Alternative medicine operates in the shadows, blithely touting that its products have not been evaluated by the Food and Drug Administration and that they are not intended to diagnose, treat, cure or prevent any disease. While these products are not intended to diagnose, treat, cure or prevent any disease, consumers nonetheless spend billions of dollars per year on unproven supplements. Consumers can be quite fickle. On one side they are furious at the SEC for its lack of oversight of Madoff Investment Securities. Yet when the FDA requires that products carry a disclaimer stating that they have not been shown to be effective, consumers still throw billions of dollars at ineffective products.
Trick or Treatment: The Undeniable Facts about Alternative Medicine is an incredibly important and eye-opening book. While Singh is a physicist and Ernst a medical doctor, the book is written in a clear and compelling style, avoids technical jargon, and sticks to the facts. In the spirit of the scientific method, the authors scrutinize alternative and complementary cures and the results show that the snake oil is still selling.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Trick or Treatment: The Undeniable Facts about Alternative Medicine from amazon.com.
Nmap Network Scanning
brothke writes "The 1962 song Wipe Out, with its energetic drum solo, was the impetus for many people to take up playing the drums. Similarly, Nmap, the legendary network scanner, likely interested many in the art of hacking, and for some started a career as a security professional. Nmap and its creator Fyodor need no introduction to anyone on Slashdot. With that, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning is a most useful guide for anyone interested in fully utilizing Nmap." Read on for the rest of Ben's review.
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Author: Gordon Lyon (Fyodor)
Pages: 468
Publisher: Nmap Project
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0979958717
Summary: Valuable book about an invaluable security tool
One may ask why spend $50 on this book when the Nmap Reference Guide provides a significant amount of the basic information needed to use the tool, especially since the reference guide is both free and well written. The reference guide is included in the book as chapter 15 and takes up 41 pages. For those who are cash strapped, the free reference guide is the way to go.
In addition, the web site for the book notes that about half of the content is available in the free online edition. The most useful information is in the chapters exclusive to the print edition, which include Detecting and Subverting Firewalls and Intrusion Detection Systems, Optimizing Nmap Performance, Port Scanning Techniques and Algorithms, Host Discovery, and troubleshooting.
The main benefit of buying the book is that it has Fyodor's collected wisdom, in addition to numerous real-world scenarios and Nmap commands not documented elsewhere. At over 400 pages, the book's 15 chapters provide the reader with everything they need to know about using Nmap to the fullest.
Chapter 1 starts with an overview of the history of Nmap and how it came to be. As to the question of whether port scanning is legal, the author writes that it is best to avoid the debate and its associated analogies. He advises that it's best to avoid ISP abuse reports and criminal charges by not annoying the target network administrators in the first place. Chapter 1 provides a number of practical suggestions on just how to do that.
A complaint against Nmap is that it has often been blamed for crashing systems. Chapter 1 shows that the reality is that Nmap will rarely be the primary cause of a system crash. The truth is that many of the systems that crashed as a result of an Nmap scan were likely unstable from the outset, and Nmap either pushed them over the edge or they coincidentally crashed at the same time as the Nmap scan.
An ironic incident detailed in chapter 3 is when someone from the information security department of Target Corp. complained to the author that he felt the Nmap documentation was particularly directed at his organization, given the use of the term target. He requested that the Nmap documentation be changed from target to example. The section on target enumeration in the book shows the author did not take that request to heart.
Another example of where the book goes beyond what is in the reference guide is where the author shows the most valuable TCP ports via his probe of tens of millions of IP addresses across the internet. Not surprisingly, ports 80, 23 and 443 were the top three most commonly open TCP ports. It is surprising that other ports, which should have been secured long ago, are still as vulnerable as ever.
For the serious Nmap user, the book is worth purchasing just for the indispensable information in chapter 16, which is about optimizing Nmap performance. The author writes that one of his highest priorities in the creation of Nmap has been performance. Nmap uses parallelism and numerous advanced algorithms to execute its blazingly fast scans. This chapter shows how to craft Nmap commands that obtain only the information you care about and significantly speed up the scan. The chapter details numerous scan time reduction techniques and strategies for dealing with long scans. The chapter concludes with the output of a user who, with a customized Nmap command, was able to reduce his scan of a 676,352 IP address network from nearly a week to 46 hours.
Chapter 10 is another fascinating chapter, on detecting and subverting firewalls and IDS. The function of such tests on an internal network is to help an organization understand the dangers and risks of a real attack. Since it is not uncommon for firewalls to be accidentally misconfigured, or to have rule bases that leak because they contain far too many rules, such a test can be quite useful to any network.
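The port tally described above is something a defender can run over their own inventory scans. As an added example (not code from the book or the Nmap project), the script below parses Nmap's grepable output format (-oG), reports which open TCP ports appear on the most hosts, and lists hosts still exposing a legacy service such as telnet, one of the ports that should have been secured long ago. The scan lines, addresses and host names are constructed placeholders, not real scan data.

```python
"""Tally open TCP ports across hosts from Nmap grepable (-oG) output."""
import re
from collections import Counter

# Constructed sample of Nmap -oG output (not real scan data). Each "Host:" line
# carries tab-separated "Key: value" fields; the Ports field lists entries of
# the form port/state/protocol/owner/service/rpc-info/version separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -oG - -p 22,23,80,443 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (1)\n"
    "Host: 10.0.0.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
    "\tIgnored State: closed (2)\n"
    "Host: 10.0.0.3 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (1)\n"
    "Host: 10.0.0.4 ()\tStatus: Down\n"
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned\n"
)

# One Ports entry: port / state / protocol / owner / service / rpc info / version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/,]*)")


def parse_gnmap(text):
    """Return {host_ip: [(port, state, proto, service), ...]} for every host
    whose line carries a Ports field (down hosts have none and are skipped)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]  # "10.0.0.1 (gw.example.test)" -> "10.0.0.1"
        entries = []
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, service, _rpc, _version = m.groups()
            entries.append((int(port), state, proto, service))
        hosts[ip] = entries
    return hosts


def open_port_counts(hosts):
    """Number of hosts on which each (port, proto, service) is open."""
    counts = Counter()
    for entries in hosts.values():
        for port, state, proto, service in entries:
            if state == "open":
                counts[(port, proto, service)] += 1
    return counts


def top_open_ports(text, n=3):
    """Most commonly open ports across the scan: (port, proto, service, host count),
    most frequent first, ties broken by port number."""
    counts = open_port_counts(parse_gnmap(text))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return [(port, proto, service, n_hosts)
            for (port, proto, service), n_hosts in ranked[:n]]


def hosts_exposing(hosts, service):
    """Sorted hosts with the named service open, e.g. telnet that should be retired."""
    return sorted(ip for ip, entries in hosts.items()
                  if any(st == "open" and svc == service for _p, st, _pr, svc in entries))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for port, proto, service, n_hosts in top_open_ports(SAMPLE_GNMAP):
        print(f"{port}/{proto} ({service}): open on {n_hosts} host(s)")
    print("telnet still exposed on:", hosts_exposing(scan, "telnet"))
```

Feed it a real file with `nmap -oG scan.gnmap ...` and `parse_gnmap(open("scan.gnmap").read())`; only entries whose state is exactly `open` are counted, so filtered ports do not inflate the tally.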
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning is the guide for anyone who wants to get more out of Nmap. It is useful whether one is a novice and only getting into basic security testing, or an advanced user looking for ways to optimize Nmap.
The book takes a real-world approach on how to use the tool and clearly documents every Nmap feature and option. It also shows how the tool should be correctly used in various settings.
What is unique is that this is a rare book written by the creator of the program itself. Linus Torvalds never got around to writing a Linux reference, nor did the creators of the Check Point firewall. In Nmap Network Scanning, the reader gets the story from the creator of the code. This, then, is the ultimate Nmap reference guide.
Aside from the history and use of the program in the first chapter, the rest of the book is an in-depth guide to maximizing the use of Nmap. It is written by a programmer for the technically astute. Anyone who wants to maximize their use of Nmap will find no better reference.
Ben Rothke manages the Bright Hub Enterprise Security channel and is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning from amazon.com.
Googling Security
brothke writes "It has been suggested that if one were somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stood no chance of FDA approval. Similarly, if we had known the power that Google would have in 2008, with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never have allowed it to exist, given the extensive privacy issues." Read below for the rest of Ben's review.
Googling Security: How Much Does Google Know About You?
Author: Greg Conti
Pages: 360
Publisher: Addison-Wesley Professional
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0321518668
Summary: Explores the many security risks around Google and other search engines
In the fascinating and eye-opening new book Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever-expanding free Google services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of but implicitly accept via the Google Terms of Service.
While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines.
My friend and SEO guru Shimon Sandler has a blog on search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on the topic of SEO security. Similar SEO blogs have very few (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it.
The book opens with the observation that Google's business model is built on providing its services for free. From the individual user's perspective, this is a model they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of losing control over the personal information one shares with Google.
The book lists over 50 Google services and applications which collect personal information, from mail, alerts, blogging, news, desktop, images, maps, groups and video to more. People are placing a great deal of trust in Google: each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each.
In the book's 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be aggregated and mined to create extremely detailed user profiles. These profiles are invaluable to advertisers, who will pay Google dearly for such meticulous user data. This level of personal data aggregation was impossible to obtain just a few years ago, given the lack of both the computing power and a single point of user data collection. The book notes that this level of personalization, while golden to advertisers, is a privacy anathema.
Chapter 6 is particularly interesting in that it details the risks of using Google Maps. Conti explains that the privacy issue with Google Maps is that it combines the disclosure risks of search with those of mapping. You are now sharing geographic locations and the associated interactions. By clicking on a link in a Google map, the user discloses and strengthens the link between the search they performed and what they deemed important in the result. By aggregating source IP addresses and destination searches, Google can easily ascertain confidential data.
After detailing over 250 pages of the risks of Google and related services, chapter 9 is about countermeasures. Short of simply not using the services, the book notes that there is no clear solution for protecting yourself and your company from web-based information disclosure. Nonetheless, the chapter lists a number of things that can be done to reduce the threat. Some are easier, some are harder, but they can ultimately add up to a significant layer of protection. Chapter 9 details 11 specific steps that help users appreciate the magnitude of their disclosures and make informed decisions about which search services to use.
Googling Security: How Much Does Google Know About You? is an important book, given that far too many people do not realize how much personal information they are disclosing on a daily basis. An important point that the book makes is that small information disclosures are not truly small when they are aggregated over the course of years. Advances in data mining and artificial intelligence are magnifying the importance of the threat, all under the guise of improving the end-user experience. The book emphasizes the need to weigh the short-term computing gains against the long-term privacy losses.
The final chapter notes that apathy is the enemy. As a user becomes aware of the magnitude of the threat, they will see it grow every day. But the next step is to take action, be it with technical countermeasures, taking your business where privacy is better supported, or petitioning lawmakers.
As to the underlying question, "how much does Google know about you?", the answer is that it is a colossal amount, far more than most people realize. For anyone who uses the Internet, Googling Security should be on their list of required reading. The risks that Google and other search engines present are of great consequence and can't be overlooked. If they are, privacy could slowly become a thing of the past.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Googling Security: How Much Does Google Know About You? from amazon.com.
Schneier on Security
brothke writes "There is a perception in both the private and government sectors that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must get." Keep reading for the rest of Ben's review.
Schneier on Security
Author: Bruce Schneier
Pages: 336
Publisher: Wiley
Rating: 10
Reviewer: Ben Rothke
ISBN: 978-0470395356
Summary: The best articles from one of security's best
Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person who I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and various newspapers and magazines. The book is divided into 12 sections, covering nearly the entire range of security issues, from terrorism, aviation, elections, economics and psychology to the business of security and much more.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that amount to security theater. Security theater gives an aura and show of security, but in reality has little real effect.
The lack of intelligence is most manifest at airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security require that people remove their shoes, due to a one-time incident with shoe-based explosives. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer which is somehow expected to divine a person's terrorist leanings, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plots is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line, according to Schneier, is that too much of the United States' counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much a technical issue as one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As security consumers, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it, and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the founding fathers created a brilliant framework of divided power (executive, legislative, judicial) with checks and balances, built on a basic unwritten rule: that the government should be granted only limited powers, and for limited purposes, since it is certain that government powers will be abused.
Schneier observes that the USA PATRIOT Act is a perfect example of this abuse. The Constitution carefully outlines which powers each branch may exercise. While Schneier is best known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers are bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news (drunk drivers killing people, domestic violence, deaths from diabetes, etc.), that you should start worrying. And many of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on are exactly those news threats, such as shoe bombers and liquid explosives, that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking about whether it is truly worth it. In essay after essay, Schneier challenges those assertions. Since 9/11, much personal privacy and security has been given up in the name of fighting terrorism. Schneier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know, the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in a large security theater, and why spending tens of billions on a charade like that is a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Plane Simple Truth
brothke writes "In the TV show House, M.D., a premise that protagonist Dr. Greg House holds dear is that people are liars and stupid. Real life is often not far from House's observation. At the general public level, people are often misled by their lack of common sense and their deficiency in understanding statistics and basic science, and therefore fall victim to the lies of the myriad charlatans who claim to have something that fixes everything. A piece I wrote on that issue, New York News Radio — The voice of bad science, details that. While it is too broad to call the authors of Fuel efficiency of commercial aircraft: An overview of historical and future trends liars, their mediocre research created the scenario in which far too many took their research as reality. That report is known as the Peeters report, after lead author P.M. Peeters. The authors of Plane Simple Truth refute the widespread belief that the fuel efficiency gains in the commercial aviation sector are erroneous, which is the principal theme of the Peeters report." Keep reading for the rest of Ben's review. Plane Simple Truth author Geoffrey Thomas pages 208 publisher Aerospace Technical Publications rating 9 reviewer Ben Rothke ISBN 978-0975234167 summary Valuable book in the important debate over greenhouse gases and aviation's contribution to it The aviation industry is often an environmental pariah, with environmentalists crying foul at the industry. But it is only a pariah due to flawed data that negatively influences the public debate, and this book attempts to set the record straight. Plane Simple Truth is an articulate and extremely well-written and researched rebuttal to the Peeters report and other flawed studies.
The Peeters report flies in the face of reality, in which gains in jet engine efficiency over the last 40 years have been astounding. Contrast those gains with the popular Cadillac Escalade and similar SUVs, whose mileage per gallon is often measured in single digits and whose efficiencies have gone in the opposite direction.
The authors wrote Plane Simple Truth as they felt that never in recent history has an industry been so maligned and the public so misled by so much falsehood and distortion. With the Peeters report and climate activists pointing the accusing finger at the aviation industry, Plane Simple Truth is their defense.
The reality is that while the Detroit automakers were making huge gas-guzzling SUVs well into 2008, companies such as Lockheed had fuel efficiency on their minds back in the 1970s. In fact, fuel efficiency has been a key factor in the aviation industry since the early days. This is based on simple economics and physics: every pound of fuel is a pound of payload that the airline cannot carry, which costs the airline money, as fuel economy is a major driver in the industry. The bottom line is that fuel economy is absolutely critical in commercial aviation. Witness the number of aviation bankruptcies in 2008 when fuel prices soared.
Like a first-rate defense attorney, the book defends the industry against its charges. In every chapter, the authors show the errors, both intentional and those errors of omission, where incorrect reporting and research have negatively affected public opinion.
While not a book about the history of jet engines, the book details the fascinating and phenomenal improvement in the efficiency of the technology. But the underlying theme of the book is that of the environmental issues.
The book details the fundamental errors in the Peeters and other environmental reports that have often been taken as the unquestionable truth. Rather than analyzing the facts as the book's authors have done, the media often create sensationalist headlines with an emphasis on short sound bites, often at the cost of scientific fact. Not only do the authors refute the Peeters report, they show in detail how important aviation is to the global economy. In fact, the aviation industry is critical to every growing economy.
The book's 18 chapters cover the entire spectrum of jet emissions and their incredible development in detail. Current topics such as biofuels and their promise, new engine technology, aerodynamic gains, green airlines and more are discussed. The book makes ample use of charts and photographs to illustrate its points.
Plane Simple Truth is a fascinating book that exposes the myriad errors of the flawed environmental studies. It is also a fascinating look at the development and history of jet engines, and the amazing progress that has come about in the last few decades. Huge strides have been made that increase power by significant amounts, while simultaneously cutting emissions. In fact, there are fewer environmental issues to worry about in the future due to aviation, given the significant strides that are being made.
The book makes many of its valuable points by letting charts and diagrams do the talking for often dry statistical facts. Be it fuel efficiency, lower emissions, or toxic gases, the book shows that misplaced myths and the smoke-and-mirrors games that are often used by those with an agenda have negatively affected the public's view of aviation.
We have seen that a single bad piece of research is enough to derail an entire industry and mislead the press and politicians. Plane Simple Truth is an important book that has relevance to everyone, as there is no one who is not positively affected by the aviation industry.
While the industry still has a long way to go in other areas such as passenger satisfaction, lost luggage, air traffic control delays and much more, the engine makers have continually pushed the envelope in terms of fuel efficiency and environmental concerns, and they have done this for well over half a century. This was long before the environment was a cool topic. It was also done when jet fuel was still quite cheap.
While the book's authors are intimately involved in the airline industry and clearly pro-airline, and the book's publisher is Aerospace Technical Publications, the authors let the facts speak for themselves. While greenhouse gases and their potential negative effects are part of the public and scientific debate, the ability of modern jet engines to minimize those effects is clear. Plane Simple Truth is a valuable book in the important debate over greenhouse gases and aviation's contribution to it.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Plane Simple Truth from amazon.com. -
Zero Day Threat
Ben Rothke writes "Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity is an interesting and eye-opening look at how banks and credit card companies make ID theft and fraud rather elementary. But with all that, this book must be read in the larger context of how today's society deals with, and is often oblivious to, risk. When it comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious to near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem of identity theft and internet fraud." Keep reading for the rest of Ben's review. Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity author Byron Acohido & Jon Swartz pages 304 publisher Union Square Press rating 9 reviewer Ben Rothke ISBN 978-1402756955 summary Excellent overview on the epidemic of identity theft The internet and web have indeed revolutionized society, and there is hardly an industry that has not been positively affected by the net. On the down side, the net is the new conduit for criminals. For example, in the few years before the web became ubiquitous, U.S. and international law enforcement nearly had a noose around the child pornography industry and had brought it to a near standstill. After the web, authorities have given up hope that child pornography can ever be contained.
Similarly, white-collar crime and fraud have been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into 3 sections: exploiters, which details how the crime lords and their teams carry out the crimes; enablers, which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers; and expediters, which recounts how technology and technologies enable these crimes. I found that the breaking up of the chapters into such triplets is occasionally confusing, and you are left wondering what story you are in.
The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.
Consider that the PCI Security Standards Council was not created until late 2004, and that will give you an idea of how security is anathema to the industry. The outgrowth of PCI is the PCI Data Security Standard, which is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.
The authors paint an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they need security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.
Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease with which an individual's SSN can be obtained and misused, should be enough to give anyone pause.
The primary purpose of a SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When it was established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.
Books such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. Zero Day Threat is not in the same category as either of these books, and it is highly unlikely that the level of outrage it will create will be much, or the indignation significant. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and more that are in the way of any change.
Nonetheless, Zero Day is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and their enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem, and shows what you can do to ensure that you are not a victim.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. -
Stepping Through the InfoSec Program
Ben Rothke writes "For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read after The Pragmatic CSO: 12 Steps to Being a Security Master. While The Pragmatic CSO provides a first-rate overview of the higher-level steps to being a CSO and building an information security program, Stepping Through the InfoSec Program provides the low-level details and nitty-gritty elements on just how to do that." Keep reading for the rest of Ben's review. Stepping Through the InfoSec Program author J.L. Bayuk pages 238 publisher ISACA rating 9 reviewer Ben Rothke ISBN 1604200308 summary The low-down on how to build an information security program Author Jennifer Bayuk spent over a decade at a large brokerage firm building its information security program. Her experience in managing and designing security there is manifest in the book, and it is clear throughout that she is writing from a deep pool of real-world experience.
The first part of the book contains 3 sections, and in just under 150 densely packed pages the book walks you through the process of building an effective information security program. The book details 6 steps to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.
The book begins by developing the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure, will quickly find themselves devoid of a budget, and often shortly after that, out of a job.
The book's attention to detail and specific definitions is superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.
The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking.
The book states that successful information security program development, by definition, must align with organizational goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISOs have such communication paths at their disposal, and even fewer have constituent ears that are receptive to such communications.
Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics have been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.
But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.
Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.
The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written, and it would have been nice if these were available in electronic format.
The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.
The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.
One final note, don't judge a book by the cover. On the cover are three busy looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle weary.
For anyone contemplating entering the information security field, or those already in it who need effective direction, Stepping Through the InfoSec Program should be on their required reading list.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Stepping Through the InfoSec Program from amazon.com. -
The Pragmatic CSO
Ben Rothke writes "The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is worth reading for one sentence on page 12 which states: It's not about technology — it's about business. The even better news is that the book is full of insightful ideas like that, on how information security should work, and how to make it work in today's large enterprise organizations. One of the mistakes many security professionals make is that they think of security for its own sake, when security is simply meant to support the business. CxOs couldn't care less about encryption key lengths and operating systems. While they don't care about the technical details, the people from information security often mistakenly communicate to them in those terms." Keep reading for the rest of Ben's review. The Pragmatic CSO: 12 Steps to become a Pragmatic CSO author Mike Rothman pages 235 publisher Security Incite rating 9 reviewer Ben Rothke ISBN None - self published summary Pragmatic, insightful and valuable look into making security work
The book notes that there are three main causes of the poor state that information security finds itself in today in far too many organizations:
- Security is viewed as a technical function. Security staff are often part of the technical teams, but not members of the management team.
- The bad guys are getting better. In years past, attackers would get your attention by playing music in the background as their virus infected your workstation. Today's attacks are built around stealth techniques. Attackers do their best to hide from your IDS, and often easily do so.
- Auditors are tougher. Both internal and external auditors are finally getting the power they deserve. The days of having them rubber stamp the audit are slowly coming to a close.
The Pragmatic CSO: 12 Steps to become a Pragmatic CSO details a 12-step program, which is a structured program on which to build a strong information security program.
The book goes through those steps as a way to keep you, as the CSO, focused on the goal. That goal is to demonstrate the value of information security management and the level of security to the internal and external auditors.
The book's 4 sections and 12 steps are structured similarly, beginning with what you will learn in the specific step, a dialogue-based introduction akin to an AA (Alcoholics Anonymous) session, and an action plan for each step. Personally, I found the AA dialogues a bit cheesy, and by step 6, found them a bit annoying. Aside from that issue, the book is a highly valuable guide that a new CSO can use to directly assist them in their job. It is recommended that a new CSO use the guide in their first 100 days in office. Such an approach can spell the difference between success and failure.
As its title implies, the book is all about being pragmatic. This practical approach is needed, as step 2 notes that it is hard for many security professionals to get beyond the typical vulnerability-centric definition of success. It is not about how many vulnerabilities are found, but rather the pragmatic way in which they are handled.
Part of this pragmatic approach is being realistic about the state of security in your organization. Step 7 underscores this when it shows how a CSO should never underestimate two things: the ability of the bad guys to make you look bad, and the ability of users to do something really stupid. The preceding is just one example of many where the book shows the reader what security is like in the real world, as opposed to the often-described pristine cryptographic world of security where Alice and Bob are involved.
Perhaps the most important point the book makes is that pragmatic CSOs have no religion when it comes to security and technology, besides doing the right thing for their business and protecting their assets. Far too many people in security and technology turn technology choices into religious wars, most of which center around Windows, Linux, Cisco and Juniper.
Step 11 details metrics and benchmarks and has a number of constructive questions against which to benchmark. The areas of questions include effectiveness, awareness, attitude and financial. This is important, as metrics and benchmarking are needed to measure how you and your security team are doing, and to identify areas in need of improvement. Benchmarking can also point out areas in which your organization differs from the norm. While that is not necessarily a bad thing, it is necessary to know when to follow so-called best practices, or whether to do what is specifically right for your organization.
The Pragmatic CSO: 12 Steps to become a Pragmatic CSO is a most valuable book in that it provides fresh, real-world advice, as opposed to generic, rehashed best practices. Author Mike Rothman's premise is that today's CSOs need to act more like business people in order to thrive. With firms laying off back-office technology staff by the thousands, having this front-office approach is not only timely, it may just save your job.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
-
Terminal Chaos
Ben Rothke writes "While Terminal Chaos should be shelved in the current events or business section of a bookstore, it could also be placed in the modern crime section. After reading it, one gets the impression that the state of air traffic today could only have come about due to criminal neglect or mischief. If one looks at pictures of airline flights from the 1960s, one will see well-dressed passengers enjoying their flight. In 2008, barely a day goes by without an incident of air rage, from irate passengers in the terminal, to those in the air causing flights to be diverted. Today's airline traveler considers it a near miracle if his flight arrives on time with his baggage." Keep reading for the rest of Ben's review. Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It author George Donohue and Russell Shaver pages 240 publisher Amer Inst of Aeronautics rating 10 reviewer Ben Rothke ISBN 978-1563479496 summary Fascinating look at the current state and problems with the US air traffic system The reasons for the meltdown in the air traffic system are complex. The book names a number of reasons for today's chaos. Some of these include airline deregulation, multiple governmental agencies with no central oversight or responsibility, multiple corporate entities with conflicting agendas, an air traffic controllers union resisting change, a technologically outdated air traffic control system, and more.
While the public perception in the US is that somewhere out there, government officials are looking out for passengers' rights, the reality is that there is no one looking out for them. Unlike their European counterparts, air travelers in the US have very few rights. This lack of passenger advocacy, along with the other reasons, has a huge impact on the economy, in addition to the direct costs of flight delays and cancellations to U.S. travelers, which are estimated at over $3 billion annually.
Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It is a fascinating book. The authors show a number of ways to fix the current problems. While the book is part case study, it is also part tragedy, in that Washington lacks anyone with the pragmatism, willpower and audacity to stand up to the unions and powers that be to fix the system. The book lays out in 7 concise chapters the problems, ringleaders, obstacles and challenges that brought us to the state that we are in today.
The authors sum it up best when they note that the distance from New York to Chicago is 635 nautical miles, and when flown by a piston-powered DC-6 with a cruise speed of 315 MPH over 50 years ago, the scheduled flight time was a little longer than two hours. Today, scheduled airlines fly Boeing 737 turbofans at 511 MPH, but book this as a 3-hour flight.
In chapter 4, the authors note that while some flight delays are the result of post-9/11 security issues, the main reason why flying has become so arduous is that the air transportation system, as it is now structured in the US, is untenable from a fundamental business point of view. The government-regulated business model is unstable and irrational: planes are purposely overbooked, flights are cancelled for no publicly explainable reason, and no one will offer the flier a sound reason for why these events occur.
Both authors are professors at the Center for Air Transportation Systems Research at George Mason University. The book quotes from research done there, which includes suggestions such as using larger aircraft (something Continental is doing at Newark), along with other market mechanisms. Other research shows that slot exemptions, weight-based landing fees and other issues combine to lead to inefficient use of airport capacity, especially at slot-controlled airports such as O'Hare, Kennedy, Newark, LaGuardia and Atlanta.
In chapter 6, the authors take a no-holds-barred approach to NATCA, the National Air Traffic Controllers Association. They view NATCA as a stumbling block to modernization, and an organization whose goal is to protect its members over the public it is supposed to serve. They also question how NATCA gets away with constantly stating that the US air traffic control system is the safest in the world, when it is actually behind Europe when it comes to safety metrics (Europe has .032 hull losses per 1 million departures vs. .049 in North America).
Ultimately, the book notes that the air traffic control problems stem from the fact that there is a perfect storm of airlines, airports, government agencies (FAA, DOT, OMB, DHS), the White House and Congress, all of which seem to believe that they don't have the responsibility to fix the problem. Each seems to be waiting for someone else to take charge.
Chapter 7 lists a number of practical ways in which the air traffic control system can be modernized. Some of the suggestions would require significant financial outlays; others simply require all of the parties involved to play nicely together.
Overall, Terminal Chaos is a landmark book, in that it cuts through the complexity of the air traffic mess, and clearly lays out the problem, and possible solutions.
It is a very well-written and extremely well-researched book. It does have a few slight errors. Most noticeably, on page 73 it says that Continental has been in and out of bankruptcy court, while the table on the next page shows that Continental has been out of bankruptcy court for over 15 years. Also, one of the travel tips the authors give is for a traveler to consider using a private aircraft out of smaller, less congested airports. That is indeed a good suggestion, albeit an extremely costly one, and not financially feasible for most of the flying public.
Terminal Chaos is a book that should be required reading for anyone involved in air traffic and aviation, from passengers to every employee at the FAA. The authors have innovative ideas that should be listened to and implemented, from holding the government decision-makers responsible to realistic ways to modernize the air traffic control system. The book is a fascinating overview of what goes on in the skies above us, and in the air traffic control towers around us.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It from amazon.com. -
Building an Effective Information Security Policy Architecture
Ben Rothke writes "Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it. So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization." Keep reading for the rest of Ben's review. Building an Effective Information Security Policy Architecture author Sandy Bacik pages 340 publisher CRC rating 8 reviewer Ben Rothke ISBN 978-1420059052 summary Good book for information security policy development For the sake of a basic definition, a policy is a formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area. The purpose of information security is to protect an organization's resources. The cornerstone of any information security strategy is a robust set of policies, procedures, standards and guidelines.
There are many reasons why information security policies are needed. Some of the most imperative reasons are:
- To inform users of their information protection duties
- Advise them what they can and cannot do with respect to sensitive information.
- Define how users are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
- To clearly define protective measures for these special information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
- Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable.
- Policies are needed to establish the basis for disciplinary action, up to and including termination.
Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management.
The book is a good guide to the entire policy lifecycle, and how to use various means to get to the ultimate goal. At 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of various examples of different policies.
The most significant downside, and a frustrating part of the book, is that there is no CD-ROM with it, or companion website from which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.
Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute — SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation.
Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked to create or modify your organization's set of information security policies. The book will likely find itself on the desk of many information security professionals.
While it is frustrating that the book makes you reinvent the wheel by not having electronic versions of the policies, its value still can't be underestimated. Let's hope future versions of the book will fix that anomaly.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Building an Effective Information Security Policy Architecture from amazon.com.
Terrorist Recognition Handbook
Ben Rothke writes "There are two types of writers about terrorism: experts such as Daniel Pipes and Steven Emerson who write from a distance, and others who write graphic first-hand war stories from the trenches. Terrorist Recognition Handbook: A Practitioner's Manual for Predicting and Identifying Terrorist Activities is unique in that author Malcolm Nance is a 20-year veteran of the U.S. intelligence community and writes from a first-hand perspective, but with the organization and methodology of writers such as Pipes and Emerson. Those combined traits make the book extraordinarily valuable and perhaps the definitive text on terrorist recognition." Read below for the rest of Ben's review.
Title: Terrorist Recognition Handbook: A Practitioner's Manual for Predicting and Identifying Terrorist Activities, Second Edition | Author: Malcolm Nance | Pages: 480 | Publisher: CRC | Rating: 10 | Reviewer: Ben Rothke | ISBN: 978-1420071832
Summary: Perhaps the definitive text on terrorist recognition.
The New School of Information Security
Ben Rothke writes "It is 2008 and never has so much been spent on information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure. Obviously something needs to change. And that new change is what The New School of Information Security attempts to conceive."
Title: The New School of Information Security | Authors: Adam Shostack and Andrew Stewart | Pages: 288 | Publisher: Addison-Wesley | Rating: 9 | Reviewer: Ben Rothke | ISBN: 978-0321502780
Summary: Information security is highly broken; this book suggests a realistic fix.
Far too much of the security industry has its roots in FUD. Billions of dollars of information security products have been sold, and for what? The book asks why information security is so dysfunctional and why companies so often waste so much money on security. So what is this thing called the new school? The authors define it as neither a service nor a product; rather, it is a new approach that uses the scientific method and objective data. This in turn gives an entirely new perspective, drawn from diverse fields, for making effective security decisions. The authors rightly believe that when objective data is used, it enables better decision-making.
The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.
The book starts out with observations of why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, be it research or advertising, negatively affects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusion of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using the advertiser's service or purchasing its product.
In creating their new school, the authors have no qualms about attacking the dogma of the current state of information security. From Gartner to the Executive Alliance and more, the authors show that these groups often suffer from issues such as bias and a lack of scientific method. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how we can know that the conventional wisdom is the right thing to do. The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.
The title of chapter 5 gives away the theme of the book — Amateurs Study Cryptography — Professionals Study Economics. The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more, to make effective decisions.
In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is from CERT (www.cert.org). Yet the authors are not satisfied with CERT's findings that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but the data from CERT, combined with recent news and court cases (UBS, Société Générale, etc.), clearly shows that insiders are the most insidious threat.
Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending toward areas where security is formalized (ISO 27001, etc.), yet not perfect.
After years of countless 1,000+ page massive security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the authors detail at a high level what needs to be done to create this new school. Therein lies the book's only flaw: its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the necessary requirements to make it work. They show with clarity how things are broken, but don't do enough to show how to fix them. Let's hope the authors are at work on a follow-up writing those necessary additions.
Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.
Too much of information security is clearly broken, and The New School of Information Security is about fixing it. The authors' pragmatic approach is a refreshing respite from years of security product based FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISOs and CIOs to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.
Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
Ben Rothke is a security consultant with BT and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The New School of Information Security from amazon.com.
Geekonomics
Ben Rothke writes "First the good news — in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and a safety perspective. Currently, software buyers have very little protection against insecure software, and often the only recourse they have is the replacement cost of the media. For too long, software manufacturers have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Geekonomics does the same for insecure software." Read on for Ben's take on this book.
Title: Geekonomics: The Real Cost of Insecure Software | Author: David Rice | Pages: 362 | Publisher: Addison-Wesley | Rating: 9 | Reviewer: Ben Rothke | ISBN: 978-0321477897
Summary: How insecure software costs money and lives
Now the bad news — we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Britney Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors is somewhat of a pipe dream.
Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.
Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue. Geekonomics has 3 main themes. First — software is becoming the foundation of modern civilization. Second — software is not sufficiently engineered to fulfill the role of foundation. And third — economic, legal and regulatory incentives are needed to change the state of insecure software.
The book notes that bad software cost the US roughly $180 billion in 2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, the $180 billion might be on the low end, and the state of software security is getting worse, not better, according to the Software Engineering Institute. Additional research shows that 90% of security threats exploit known flaws in software, yet the software manufacturers remain immune to almost all of the consequences of their poorly written software. Society tolerates 90% failure rates in software due to its unawareness of the problem. Also, the huge number of software problems entices attackers who attempt to take advantage of those vulnerabilities.
The book's 7 chapters are systematically written and provide a compelling case for the need for secure software. The book tells of how Joseph Bazalgette, chief engineer of the city of London, used formal engineering practices in the mid-1800s to deal with the city's growing sewage problem. Cement was a crucial part of the project, and the book likens the development of secure software to that of cement, which can withstand decades of use and abuse.
One reason software has significant security vulnerabilities, as noted in chapter 2, is that software manufacturers are primarily focused on features, since each additional feature (whether or not it has real benefit) offers a compelling value proposition to the buyer. But on the other side, a lack of software security functionality and controls imposes social costs on the rest of the populace.
Chapter 4 gets into the issues of oversight, standards, licensing and regulations. Other industries have lived under the watchful eyes of regulators (FAA, FDA, SEC, et al.) for decades. But software is written removed from oversight by unlicensed programmers. Regulations exist primarily to guard the health, safety and welfare of the populace, in addition to the environment. Yet oversight of software programmers is almost nil, and this lack of oversight and immunity breeds irresponsibility. The book notes that software does not have to be perfect, but it must rise to the level of quality expected of something that is the foundation of an infrastructure. And the only way to remove the irresponsibility is to remove the immunity that the lack of regulation has created.
Chapter 5 gets into more detail about the need to impose liability on software manufacturers. The book's premise is that increased liability will lead to a decrease in software defects, will reward socially responsible software companies, and will redistribute the costs consumers have traditionally paid for protecting software from exploitation, shifting them back to the software manufacturer, where they belong.
Since regulations and the like are likely years or decades away, chapter 7 notes that, short of litigation, contracts are the best legal leverage software buyers have to address software security problems. Unfortunately, most companies do not use this contractual option to the degree they should, even though it could benefit them.
Overall, Geekonomics is an excellent book that broaches a subject left uncharted for too long. The book does have its flaws, though; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability and licensing of computer programmers to consumers' rights and more, that are imperatives.
It is clear that regulation of the software industry is inevitable, and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.
Someone reading this review may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.
Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Geekonomics: The Real Cost of Insecure Software from amazon.com.
IT Security Interviews Exposed
Ben Rothke writes "Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security and privacy regulations and legislation, the demand for security professionals is significant. Even with a bright future, that does not necessarily mean that a career in information security is right for everyone. What differentiates an excellent security professional from a mediocre one is their passion for the job. With that, IT Security Interviews Exposed is a mixed bag of a book. For those who are looking for an information security spot and have the requisite passion for the job, much of the information should already be known. For someone who lacks that passion and simply wants a security job, their lack of breadth will show and the information in the book likely won't be helpful, unless they have a photographic memory to remember all of the various data points." Read below for the rest of Ben's review.
Title: IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job | Author: Chris Butler | Pages: 218 | Publisher: Wiley | Rating: 8 | Reviewer: Ben Rothke | ISBN: 0471779873
Summary: Good review for a pro, but not for newbies.
If you find information security challenging and either want a job in the field or are looking for a better job in the field, the book will be quite valuable. But for those simply looking for a hot security job, their shortcomings will likely show through in an interview, even with the help of this book.
As to the actual content, chapter 1 provides a good overview of how to find, interview for and get a security job. The chapter contains many bits of helpful information, especially for those whose job seeking skills are deficient. A good piece of advice the authors state is that one should never pay a fee for headhunting services. There are many people who call themselves recruiters but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.
I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself could easily be made into a book in its own right. As part of the job search process, many job seekers do not ask themselves enough fundamental questions about whether they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
The other 9 chapters of the book all have the same format: an overview of the topic, and then various questions an interviewer may pose. The reality is that these topics (network and security fundamentals, firewalls, regulations, wireless, security tools, and more) are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.
What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle off security acronyms.
If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP three-way handshake.
Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover, this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing in a great career. The breadth of information that a security professional needs to know precludes any sort of cramming or quick introduction. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves in an interview.
On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job from amazon.com.
End-to-End Network Security
Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought 'but don't we have a firewall?' Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep an organization's risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop and also at the gateway." Read on for the rest of Ben's review.
Title: End-to-End Network Security: Defense-in-Depth | Author: Omar Santos | Pages: 480 | Publisher: Cisco Press | Rating: 9 | Reviewer: Ben Rothke | ISBN: 1587053322
Summary: Excellent and comprehensive look at how to secure a Cisco infrastructure
End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.
The book's 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryption standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to-the-point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.
While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, so, as you would expect, it has a heavy Cisco slant. For those who do not work in a Cisco environment, the information in the book will likely be far too Cisco-centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.
Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.
The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws and log files to postmortems and more.
Chapter 9 provides an extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configuration steps necessary to secure a Cisco device, both at the graphical level and also at the IOS command line level.
Chapter 12 concludes the book with 3 case studies of using defense in depth in small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.
Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase End-to-End Network Security from amazon.com.
PCI Compliance
Ben Rothke writes "It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products to an inferior level in order to ensure repeat business. A similar paradox is occurring in the information security space, where many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people who should know better." Read on for the rest of Ben's review.
Title: PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance | Author: Tony Bradley | Pages: 352 | Publisher: Syngress | Rating: 9 | Reviewer: Ben Rothke | ISBN: 1597491659
Summary: Great for anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements.
PCI came to life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards to deal with credit card fraud. PCI requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, be compliant with the PCI DSS. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.
The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas and 12 specific requirements of the PCI DSS:
Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords
Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to need-to-know
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
A quick review of these 12 items shows that PCI is a textbook example of the fundamentals of information security. With that, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is an excellent resource that provides the reader with all of the fundamental information needed to understand and implement PCI DSS.
The book's 13 chapters provide the reader with a comprehensive overview of all of the details and requirements of PCI. The first three chapters provide an overview of the basics about PCI and the basic requirements of the standard. The following six chapters go into detail about each of the primary control areas.
In particular, chapter 6 provides a good overview of the PCI logging requirements. This requirement can be time-consuming to put into place. The author notes a commonly overlooked but essential requirement, namely that of accurate and synchronized time on network devices. Enterprise information network and security infrastructure devices are highly dependent on synchronized time, and PCI recognizes that correct time is critical for transactions across a network.
In a further discussion about synchronized time in chapter 9, the author unfortunately makes an error when he states that local hardware is considered a stratum 1 time source since it gets its time from its own CMOS. From an NTP perspective, only a device that is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and can't be relied upon.
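The stratum point above, as an added example that is not from the book or from Ben's review: a Python parser for the 48-byte NTPv4 header (RFC 5905) that classifies what a server reply actually advertises, including a server that announces stratum 1 while its reference ID shows it is only running on its own local clock. The packets are constructed fixtures, and the GPS/LOCL reference-ID strings follow the ntpd convention (an assumption here).

```python
"""Check what an NTP server actually advertises before trusting it for PCI logging.

Constructed example (not code from the book or the review): it parses the
48-byte NTPv4 header defined in RFC 5905 and applies the stratum rules above.
Only a server disciplined by a stratum-0 reference clock (GPS, PPS, caesium)
is a real stratum 1; a server whose reference ID is "LOCL" is running on its
own undisciplined local clock, whatever stratum it has been told to announce.
"""
import struct
from dataclasses import dataclass

# Fixed header: LI/VN/Mode, stratum, poll, precision, root delay, root
# dispersion, reference ID, then reference/origin/receive/transmit timestamps.
NTP_HEADER = struct.Struct("!BBbbII4s8s8s8s8s")
NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


@dataclass
class NtpHeader:
    leap: int          # 3 = alarm, clock not synchronized
    version: int
    mode: int          # 4 = server reply
    stratum: int       # 0 unspecified/KoD, 1 primary, 2-15 secondary, 16 unsynced
    root_dispersion: float
    refid: bytes
    transmit_time: float  # Unix seconds


def parse_ntp_header(packet: bytes) -> NtpHeader:
    """Decode the fixed NTPv4 header from a raw UDP payload."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError(f"need {NTP_HEADER.size} header bytes, got {len(packet)}")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, root_disp,
     refid, _ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_HEADER.unpack_from(packet)
    secs, frac = struct.unpack("!II", xmit_ts)  # 64-bit NTP timestamp: 32.32 fixed point
    return NtpHeader(
        leap=li_vn_mode >> 6,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        root_dispersion=root_disp / 65536.0,  # NTP short format: 16.16 fixed point
        refid=refid,
        transmit_time=secs - NTP_EPOCH_OFFSET + frac / 2**32,
    )


def _refid_text(refid: bytes) -> str:
    return refid.decode("ascii", "replace").rstrip("\x00 ")


def assess_time_source(hdr: NtpHeader, max_dispersion: float = 1.0) -> tuple[bool, str]:
    """Return (acceptable, reason) for a parsed server reply."""
    if hdr.mode != 4:
        return False, f"not a server reply (mode {hdr.mode})"
    if hdr.leap == 3 or hdr.stratum == 16:
        return False, "server reports its own clock as unsynchronized"
    if hdr.stratum == 0:
        # In a reply, stratum 0 carries a kiss-o'-death code such as RATE or DENY.
        return False, f"kiss-o'-death code {_refid_text(hdr.refid)!r}"
    if hdr.refid == b"LOCL":
        # ntpd's local-clock driver: free-running system clock, no stratum-0 source.
        return False, (f"advertises stratum {hdr.stratum} but reference ID LOCL "
                       "means an undisciplined local clock, not a stratum-0 reference")
    if hdr.stratum >= 17:
        return False, f"reserved stratum {hdr.stratum}"
    if hdr.root_dispersion > max_dispersion:
        return False, f"root dispersion {hdr.root_dispersion:.3f}s exceeds {max_dispersion}s"
    if hdr.stratum == 1:
        return True, f"stratum 1, disciplined by reference clock {_refid_text(hdr.refid)!r}"
    # Stratum 2 and above: refid is the IPv4 address of the upstream server.
    upstream = ".".join(str(b) for b in hdr.refid)
    return True, f"stratum {hdr.stratum}, synchronized via {upstream}"


def build_server_reply(stratum: int, refid: bytes, leap: int = 0,
                       root_dispersion: float = 0.002,
                       transmit_unix: float = 1_700_000_000.0) -> bytes:
    """Construct a sample NTPv4 mode-4 reply (test fixture, not captured traffic)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix - int(transmit_unix)) * 2**32)
    ts = struct.pack("!II", secs, frac)
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20, int(0.001 * 65536),
                           int(root_dispersion * 65536), refid.ljust(4, b"\x00")[:4],
                           ts, bytes(8), ts, ts)


# Constructed fixtures; the refid strings follow the reference ntpd convention.
GPS_PRIMARY = build_server_reply(1, b"GPS")            # genuine stratum 1
LOCL_FAKE_PRIMARY = build_server_reply(1, b"LOCL")     # "fudge ... stratum 1" on a CMOS clock
UNSYNCED = build_server_reply(16, b"INIT", leap=3)     # never synchronized
SECONDARY = build_server_reply(2, bytes([192, 168, 1, 10]))
RATE_LIMITED = build_server_reply(0, b"RATE")          # kiss-o'-death

if __name__ == "__main__":
    for name, pkt in [("GPS_PRIMARY", GPS_PRIMARY), ("LOCL_FAKE_PRIMARY", LOCL_FAKE_PRIMARY),
                      ("UNSYNCED", UNSYNCED), ("SECONDARY", SECONDARY), ("RATE_LIMITED", RATE_LIMITED)]:
        ok, why = assess_time_source(parse_ntp_header(pkt))
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}: {why}")
```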
The title of chapter 12, 'Planning to Fail Your First Audit', is both amusing and accurate. The irony is that so many organizations lack a CISO or formal business security program in place designed to protect corporate information assets. They don't focus on information security as a process, rather as a set of products or regulatory items to be checked off. Yet, these same organizations are surprised when they fail an audit.
The book concludes in chapter 13 with the well-known observation that security is a process, not an event. The book astutely notes that it is impossible to be PCI compliant without approaching security as a process. Trying to achieve compliance without integrating the various aspects in an integrated fashion is bound to fail.
Overall, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is a great book for one of the most sensible security standards ever. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find the book to be quite valuable.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
-
The Ultimate Identity Theft Prevention Plan
Ben Rothke writes "It's a fallacy that our elected officials take forever to get things done. Two examples where Washington acted with speed are the National Do Not Call Registry and the Sarbanes-Oxley Act. The National Do Not Call Registry was slated to take effect on October 1, 2003, but various marketing associations challenged its legitimacy and even whether the FTC had the jurisdiction to enforce it. Notwithstanding, President Bush speedily signed the bill authorizing the no-call list to go into effect in September 2003, and the United States Court of Appeals upheld the constitutionality of the registry in February 2004. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $7 billion by improperly accounting for its operating costs. Senator Paul Sarbanes then introduced Senate Bill 2673 that same day, which passed 97-0 less than three weeks later. The House and Senate formed a Conference Committee to reconcile the differences between Sarbanes's bill and Representative Michael Oxley's bill (HR 3763), and on July 24, 2002, the Sarbanes-Oxley Act of 2002 was passed." Read on for the rest of Ben's review.
Title: Stealing Your Life: The Ultimate Identity Theft Prevention Plan
Author: Frank W. Abagnale
Pages: 256
Publisher: Broadway Books
Rating: 8
Reviewer: Ben Rothke
ISBN: 0767925866
Summary: Exposes the tactics of today's identity theft criminals and offers strategies to thwart them
The bottom line is that when politicians really want votes and PR, they can act swiftly. The frustration is exacerbated when politicians choose to do nothing when it comes to identity theft. In Stealing Your Life: The Ultimate Identity Theft Prevention Plan, Frank Abagnale details the frustration that consumers face (and will face in the years to come) when their identities are stolen, the ease with which the criminals carry out such crimes, and the months and often years of effort required to regain one's identity.
Abagnale's tenure on the criminal side long ago gives him the advantage that he knows firsthand how criminals think, and such an outlook is pervasive throughout the book. Looking at the current state of identity protection, he states that he is personally horrified at how easy identity theft is. In fact, he calls it "a crook's dream come true". The book details incident after incident where criminals and criminal gangs obtained credit in someone else's name with ease.
What makes this worse is that the book shows how we haven't even scratched the surface of the identity theft problem. Everyone, including the FTC, agrees that current identity theft figures are quite low, due to the fact that so many cases go unreported or undetected.
The book notes that lenders often miscategorize a good deal of identity theft because it looks like delinquent bills, as opposed to a crime. Only later does the victim realize what has been going on and complains, at which time it becomes apparent that fraud was involved. But by that time, the money has been written off as a credit loss and then appears as negative information on the victim's credit report.
Like many other books on the subject of identity theft, Stealing Your Life: The Ultimate Identity Theft Prevention Plan covers the main issues, and makes numerous suggestions on how to control your identity. What is interesting about the book is that Abagnale also focuses on why identity theft is so popular for today's criminals. One of the main reasons is that the person committing the crime has the odds significantly stacked in their favor. The book quotes a Gartner study that found that identity thieves have roughly a 1 in 700 chance of getting caught by law enforcement, which is a figure any criminal would jump at.
The book's 13 chapters are written in an easy-to-read and compelling style. The early chapters detail the prime causes of what makes identity theft such a problem and astutely note that a large part of the problem is that financial services companies are conducting business today by doling out credit like candy and do almost nothing to ascertain that people really are who they say they are when applying for credit. In addition, issuers of credit, in their haste to rack up more business, frequently accept a social security number from an applicant at face value, without demanding proof. The book lists many examples of where children and dead people have been given credit.
In chapter 6, the book lists 20 steps one can take in the hope of preventing identity theft. The author notes that since the punishment for identity theft, and the recovery of stolen goods from identity theft, are so low, the only viable course of action is prevention by the individual. All 20 steps are fundamental, from protecting your social security number and examining your financial statements, to using a shredder and more.
Chapter 8 lists one of the more important points of the book, in which Abagnale writes that all credit and personal information should be opt-in based, as opposed to the prevalent opt-out requirement. Such an approach is what one would hope Congress would mandate, but does not have the tenacity to do. The problem is that if a consumer does not opt-out, they are giving the financial institution permission to share their personal information with the hundreds and often thousands of affiliates they share data with.
Companies obviously prefer opt-out, which shifts the burden to the consumer to take action to keep their information from being shared. With opt-in, the burden shifts and the financial services company has to prove that consumers granted their consent to have their personal information shared. National opt-in requirements would significantly stem the flow of personal information, which is in part why identity theft is so easy to carry out.
Aside from a glaring error in chapter 12 where Abagnale erroneously writes that true authentication is impossible on the Internet, and occasionally hawking companies he has financial dealings with, Stealing Your Life: The Ultimate Identity Theft Prevention Plan is an interesting and entertaining book on the subject of the fastest-growing crime in the USA.
The book details what happens when an apathetic Congress and financial services industry do almost nothing to protect their constituents, and the thieves who have never had it easier. These identity thieves are able to acquire gigabytes of personal information without ever having to leave their workstations. When you factor in that the odds are in their favor of never being prosecuted, it leaves nearly every individual at risk for identity theft.
With Congress dropping the ball and doing nothing, Abagnale shows that it is up to each individual to take responsibility for protecting their own personal information. Stealing Your Life: The Ultimate Identity Theft Prevention Plan is indeed a great place to start such an approach.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Stealing Your Life: The Ultimate Identity Theft Prevention Plan from amazon.com.
-
Security Metrics
Ben Rothke writes "The goal of security metrics is to replace fear, uncertainty, and doubt (FUD) with a more formalized and meaningful system of measurement. The FUD factor is the very foundation upon which much of information security is built, and the outcome is decades of meaningless statistics and racks of snake oil products. Let's hope that Andrew Jaquith succeeds, but in doing so, he is getting in the way of many security hardware and software vendors whose revenue streams are built on FUD." Read below for the rest of Ben's review.
Title: Security Metrics: Replacing Fear, Uncertainty, and Doubt
Author: Andrew Jaquith
Pages: 336
Publisher: Addison-Wesley
Rating: 10
Reviewer: Ben Rothke
ISBN: 0321349989
Summary: Authoritative text on information security metrics
One could write a book on how FUD sells security products. One of the most memorable incidents was in 1992 when John McAfee created widespread panic about the impending Michelangelo virus. The media was all over him as he was selling solutions for the five million PCs worldwide he said would be affected. The end result is that the Michelangelo virus was a non-event. Nonetheless, it was far from the last time that FUD was used to sell security.
The allure of FUD is that companies can spend huge amounts of money fighting nebulous digital adversaries and feel good about it. They can then put all of that fancy hardware in dedicated racks in their data center, impressing the auditors with the flashing lights giving off an aroma of security and compliance.
And that is the chaos that security metrics comes to solve. Security metrics, if done right, can help transform a company from a nebulous perspective on security to an effective one based on formal security risk metrics.
Security Metrics is a fabulous book that should be in the hands of every security professional. The book demonstrates that companies must establish metrics based on their unique requirements, as opposed to simply basing their requirements on imprecise industry polls, best-practices and other ill-defined methods.
So why don't companies do that in the first place? If security metrics can provide even a quarter of the benefits that Jaquith states, companies should run to implement them. Real security metrics require an organization to open up their security hood and dig deep into the engine that runs their security infrastructure. It necessitates understanding the internal requirements, unique organizational risks, myriad strengths and weaknesses, and much more. Very few companies are willing to dedicate the time and resources for that, and would rather build their security infrastructure on thick layers of FUD. History has shown that the security appliance of the month almost always beats a formal risk and needs assessment.
Chapter 1 lays out the problem with the approaches that most companies take to risk management. The main problem is that traditional risk management is far too dependent on identification and fixing, as opposed to quantification and triage based on value. Quantifying and valuing risk is much more difficult than simply identifying, since the software tools used do not have an organizational context or knowledge of the specific business domain.
Chapter 2 sets out the foundation of security metrics. The goal of these metrics is to provide a framework in which organizations can quantify the likelihood of danger, estimate the extent of possible damage, understand the performance of their security organizations and weigh the costs of security safeguards against their expected effectiveness.
The time has come for security metrics, since information security is one of the few management disciplines that has yet to submit itself to serious analytical scrutiny. The various chapters provide many different metrics that can be immediately used in most organizations to address that.
The author defines various criteria for what makes a good metric. One of his pet peeves is the use of the traffic light as a metaphor for compliance. Jaquith feels that traffic lights are not metrics at all, since they contain neither a unit of measure nor a numerical scale. He suggests using traffic light colors sparingly, and only to supplement numerical data or draw attention to outliers. He astutely notes that if your data contains more precision than three simple gradations, why dilute their value by obscuring them with a traffic light?
The chapter concludes on what makes a bad metric, defined as any metric that relies too much on the judgment of a person. These metrics can't be relied on since the results can't be guaranteed to be the same from person to person. Also, security frameworks such as ISO-17799 should not be used for metrics. The book also tackles the sacred cow of risk management, namely ALE (annualized loss expectancy), and how it is significantly misused and misunderstood in the industry.
The book states that in developing metrics, there must be formal collaboration between the business units and the security staff. This collaboration serves to increase awareness and acceptance of security. In addition, it ensures that security requirements are incorporated into the lifecycle early on. This is needed as business units generally have no clue as to what the needed security requirements are.
Chapter 5 is a short course on analysis techniques and statistics. The author quotes George Colony who stated that "any idiot can tell you what something is. It is much harder to say what that thing means". With that, the book details a number of techniques for analyzing security data (average, median, time series, etc.) and how each one should be used.
Chapter 6 is about visualization and notes that most information security professionals have no real idea how to show security, both literally and figuratively. Part of the problem is that security is riddled with esoteric terminology and concepts, and the lack of understanding of risk management amongst the masses. Part of the reason for this difficulty in sharing the security message with management is that many security practitioners lack simple metaphors for communicating priorities. This is compounded by the fact that the message is often focused exclusively on technical security issues, as opposed to the underlying business issues, which is what management is concerned with. The chapter is invaluable as it weans one off the malevolent pie chart and traffic light PowerPoint presentation.
Marcus Ranum notes that people seem to want to treat computer security like it's rocket science or black magic. In fact, computer security is nothing but attention to detail and good design. FUD is all about emphasizing the black magic aspect of hackers and other rogue threats. Metrics are all about the attention to detail that FUD lives to obfuscate.
Security Metrics: Replacing Fear, Uncertainty, and Doubt is one of the more important security books of the last few years. Jaquith turns much of the common security wisdom on its head, and the world will be a better place for it. Security metrics are a necessity whose time has come and this invaluable book shows how it can be done.
Ben Rothke, CISSP is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Security Metrics: Replacing Fear, Uncertainty, and Doubt from amazon.com.
-
In Search of Stupidity
Ben Rothke writes "In Search of Stupidity gets its title from the classic, albeit infamous business book In Search of Excellence: Lessons from America's Best-Run Companies, by Tom Peters and Robert Waterman. In Search of Excellence quickly became a best-seller when it came out in 1988 and launched a new era of management consultants and business books. But in 2001, Peters admitted that he falsified the underlying data. Librarians have been slow to move the book to the fiction section." Read the rest of Ben's review.
Title: In Search of Stupidity: Over Twenty Years of High Tech Marketing Disasters, Second Edition
Author: Merrill Chapman
Pages: 373
Publisher: Apress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1590597214
Summary: Excellent analysis of hi-tech software marketing disasters
In Search of Stupidity is not a traditional business book; rather, it's a high-level analysis of marketing mistakes made by some of the biggest and most well-known high-tech companies over the last 20 years. The book contains numerous stories of somewhat smart companies that have made stupid marketing mistakes. The catastrophe is that these mistakes have led to the demise of many of these companies.
For those who have been in technology for a while, the book will be a somewhat nostalgic look at what has happened over the years from the world of high-tech marketing. Combined with Chapman's often hilarious observations, the book is a most enjoyable and fascinating read and is hard to put down once you start.
The first chapters of the book discuss the story and mythology around the origins of DOS. It details such luminaries as Digital Research, IBM, Microsoft, Bill Gates and Gary Kildall and more. The first myth about Microsoft is the presumption that the original contract with IBM for MS-DOS gave Microsoft an immediate and unfair advantage over its competitors. The reality is that over time, MS-DOS did indeed become Microsoft's cash cow; but it took the idiocy of Apple, IBM and others to make this happen.
The book also notes that throughout its history, Microsoft would consistently make the most of its competitors' mistakes and stupidity to its advantage. The book repeatedly notes that yes, Microsoft has not always been ethical or nice; but the reality is that such behavior has also been practiced by many in the software industry. Not that it rationalizes what Microsoft has done, and to a degree still does. But it is unfair to pinpoint Microsoft as the sole miscreant in the dirty software waters.
For the better part of the last decade, Microsoft has owned the desktop. But that was not always the case. In the early 1990's IBM was frantically working on its nascent OS/2 operating system, working alongside Microsoft as a trusted partner. IBM had the cash and talent to ensure that OS/2 would own the desktop. So why did OS/2 miserably fail? It was primarily IBM's own ineptitude in marketing OS/2 which led to Windows 95 taking over the desktop. The desktop was IBM's to lose and that is precisely what it did.
Microsoft at one point was working with IBM to develop OS/2 and many have written that Microsoft took advantage of IBM in that joint effort. But Chapman writes that complete and direct responsibility for the failure of OS/2 falls completely on IBM. He notes that it is difficult to find a marketing mistake around OS/2 that IBM did not make. At the time, the market was ready to accept almost any GUI and it was Microsoft that gave the people what they wanted. It was not so much that Microsoft beat IBM; rather that IBM imploded with OS/2 and Microsoft was there to pick up the pieces.
As to ownership of the desktop, Chapman notes that even with Microsoft's near endless budget, bullying tactics, and use of the FUD factor, those alone did not enable Microsoft to monopolize the desktop operating system market. Chapman notes that the following key factors, all of which are unrelated and out of Microsoft's control, had to take place in order for that to happen.
First, Xerox, the original inventor of the GUI, had to never develop a clue about how to commercialize the groundbreaking product that came out of its own labs. Digital Research then had to blow off IBM when it came calling to them for an operating system for the original IBM PC. IBM would then have to fall victim to Microsoft during its joint development of OS/2.
Finally, Apple would have to decide not to license the Macintosh operating system. That decision led Apple to have a 30% share of the desktop market in the early 1990's to its current irrelevant 4% share.
Chapman lists numerous secondary factors that also contributed to Microsoft's dominance. While the accepted wisdom is that Microsoft single-handedly cornered the desktop operating system market, the reality is that the ultimate success of Microsoft is as much a result of its near endless good luck combined with the recurring stupidity of its competition.
The stupidity of IBM and Apple gave the desktop market to Microsoft. Similarly, Novell gave the NOS market to them. In the mid-1990s, Novell owned the NOS market. Netware, along with myriad CNEs (Certified Network Engineers), were the dominant force in network computing. When Windows NT version 3.1 shipped (it was really version 1.0), it was clearly inferior to Netware, as myriad product reviews stated.
Yet a few years later, Windows NT was the dominant NOS and Novell was struggling. While Netware was clearly superior to NT from a functionality perspective, the genius of Microsoft was that it knew better how to deal and communicate with its development community. Today, Netware is an irrelevant NOS and Novell has effectively abandoned it to primarily focus on its Linux strategy.
Exactly at the same time Microsoft was pushing Windows NT and wooing developers, Novell shut down its third-party development center in Austin, TX. Novell also became preoccupied with its misguided purchase of WordPerfect. Novell developers were left hanging until Microsoft came calling with its promises of NT development and marketing support. Similarly, it was Novell's failures that directly led to the success of Windows NT.
Novell had myriad chances to decimate Windows, but it never stepped up to the plate. Novell's inexperienced marketing department thought that "if you built a great NOS, they would come." But come they did not, and leave Netware they did.
It is chapter 10 that will likely give Slashdot readers a fit. The author attempts to set straight additional myths around Microsoft: that its products are of poor quality, that it has only succeeded because of its market monopolies, that it is not innovative, and more. For those who want all of the details, they should read the book. But the author notes, for example, that while Microsoft has been widely criticized for not being an innovative company, it is no different from companies such as Lotus, Borland, Xerox and more.
Most recently, when Microsoft found itself behind the 8-ball and lacking a browser, Internet Explorer was quickly developed and in time surpassed the capability of Netscape Navigator. By 1998, most reviews were giving IE a higher rating than Navigator. Of course, Microsoft had more cash and developers than Netscape, but that alone was not what doomed them. Simultaneously, Netscape derailed itself in an attempt to completely rewrite Navigator in Java. This led them to the state where they would permanently fall behind Microsoft in the development race.
The book contains 12 chapters each with a different set of stupid marketing actions. Rather than simply being a Monday morning quarterback, chapter 14 contains an analysis of each scenario and what the respective companies should have done.
In Search of Stupidity: Over Twenty Years of High Tech Marketing Disasters is a most valuable book and is a wonderful read for anyone in the software industry. For those in sales and marketing, it is clearly required reading, and in fact, should be reread periodically. While In Search of Excellence turned out to be a fraud, In Search of Stupidity is genuine, and no names have been changed to protect the guilty.
You can purchase In Search of Stupidity: Over Twenty Years of High Tech Marketing Disasters, Second Edition from bn.com.
-
How to Cheat at Managing Information Security
Ben Rothke writes "Mark Osborne doesn't like auditors. In fact, after reading this book, one gets the feeling he despises them. Perhaps he should have titled this book 'How I learned to stop worrying and hate auditors'. Of course, that is not the main theme of How to Cheat at Managing Information Security, but Osborne never hides his feelings about auditors, which is not necessarily a bad thing. In fact, the auditor jokes start in the preface, and continue throughout the book." Read the rest of Ben's review.
Title: How to Cheat at Managing Information Security
Author: Mark Osborne
Pages: 302
Publisher: Syngress
Rating: 8
Reviewer: Ben Rothke
ISBN: 1597491101
Summary: The adventures of an information security professional and his efforts to secure corporate networks
The subtitle of the book is 'Straight talk from the loud-fat-bloke who protected Buckingham Palace and ran KPMG's security practice'. Essentially, the book is Osborne's reminiscence of his years in information security, including the good, the bad, and more often than not, the ugly.
The book is written for someone looking to develop an information security program, or strengthen an existing program, to ensure that all of the critical technology areas are covered.
The thirteen chapters of the book cover the main topics that an information security manager needs to know to do their job. The author candidly notes that this book is not the most comprehensive security book ever written, but contains most of the things a security manager needs to get their job done. The author also observes that information security is different from other disciplines in that there are many good books about disconnected subjects. The challenge is getting the breadth of knowledge across these many areas, which is quite difficult. The challenge of information security is to effectively operate across these many areas.
Chapters 1 and 2 deal with the information security organization as a whole, and the need for information security policy. Chapter 1 details the various areas where a security group should be placed, and describes the pros and cons of each scenario. As to one of the scenarios, which places information security below the head of audit, Osborne notes that 'if you have any sort of life, you don't want to spend it with the auditors, I promise you'.
Wherever the security group is placed in an organization, its ultimate success or failure is likely to be determined by its level of autonomy and independence. Unfortunately, in far too many organizations, information security is not given that liberty. It is often placed in a subservient role to groups with opposing interests. Any security group or security manager placed in such a situation should likely start working on their resume.
The scenario is described in 'Practical Unix and Internet Security' where author Professor Gene Spafford spells out Spaf's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'. Spaf's principle is a cruel reality faced by many of those responsible for information security.
Between those chapters and a few more auditor jokes, Osborne makes the blatantly obvious observation that wherever possible, one should eradicate single points of failure. As a corollary to this, Osborne notes that while trying to eliminate these failure points, companies will often build redundant systems. Part of their admiration for these redundant systems is the hope that this will simultaneously reduce performance bottlenecks. But these companies do not realize that the routers, firewalls and switches are not the bottleneck; rather it is the software application which is the bottleneck.
Osborne plays the role of contrarian in chapter 8 when he asks why we need firewalls. He notes that if every database maker, operating system programmer and CRM/ERM vendor put as much effort into security as the firewall vendors do, then there would be no need for firewalls. Furthermore, if each system administrator worked as hard on security as the typical firewall administrator did, and devoted as much time to hardening their servers and laptops as they did; then centralized firewalls would likely not be needed. Given that the firewall-free reality is not happening any time soon, chapter 8 provides a lot of good information on everything you need to know about firewalls.
Chapter 9 is about one of the most maligned security tools, the IDS. After providing an anecdote about a network manager who did not understand the fundamentals of how DHCP operates, and how he used Snort to debug the problem; Osborne provides a meaningful piece of security wisdom when he notes that IDS can help any network or security person understand network traffic. These devices can even give you information on new attacks and how they can be mitigated. But for an IDS (or any security hardware or software device for that matter) to be truly useful, a security professional needs to understand their IT infrastructure, the mechanics of networks and applications and the risks involved. Those who don't understand those three things will only be able to use these security technologies with minimal benefit.
Overall, How to Cheat at Managing Information Security is an informative and often entertaining introduction to information security. For those that want to get a good overview of the core elements of information security, or strengthen their existing knowledge base, they will find this book to be an informative and valuable read.
You can purchase How to Cheat at Managing Information Security from bn.com.
-
Brave New Ballot
Ben Rothke writes "In an important new book Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi Rubin writes 'too often in American life, when it comes to divisive issues, the facts can be less important than the weight of public opinion'. That basically sums up Rubin's story in this fascinating story of his frustrations in dealing with government and corporate officials in his quest to show that e-voting was not as secure as it was originally made out to be." Read the rest of Ben's review.
Title: Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting
Author: Aviel Rubin
Pages: 272
Publisher: Morgan Road Books
Rating: 10
Reviewer: Ben Rothke
ISBN: 0767922107
Summary: Electronic voting systems are being deployed with inadequate levels of trust and security
Brave New Ballot (BNB) is Rubin's story of how in 2003, he and his graduate students at Johns Hopkins University demonstrated that the Diebold Election Systems electronic voting technology in wide use was full of security problems. It was just in 2002 that Sherron Watkins of Enron was named Time magazine person of the year for her work in uncovering fraud at Enron. It would have been thought that Rubin's work would have immediately won him some sort of patriot of the year award for his work.
While the accolades were indeed many, his team's research was maligned as being that of a homework assignment, and the Administrator for Elections for the state of Maryland (where Rubin lives and works) publicly stated that 'computer scientists (a direct reference to Rubin and his team) who question the security of electronic voting machines are undermining our democracy.' Such a scenario makes up much of the story that the book tells in Rubin's team's efforts to blow the whistle on insecure e-voting machines.
As to the Administrator for Elections for the state of Maryland and her disdain for computer scientists, she would likely find constituents such as the zombie-like Stepford wives more to her liking. Unfortunately, she ended up with Professor Rubin.
It is not that secure electronic voting is inherently unattainable. Rather, nearly all of the commercial solutions that have shipped to date have not been adequately designed with security in mind. This is due to many factors, some of which are that the makers of these devices do not completely understand the security risks and countermeasures, in addition to public officials who are far too trusting of these commercial e-voting vendors.
The early chapters of the book detail how Rubin's team analyzed the security and cryptography used within extremely sloppy coding of the Diebold Accuvote-TS direct recording electronic device. One particularly humorous incident is when the Diebold programmers reference Bruce Schneier's Applied Cryptography in their C++ code for their decision of which algorithm to use for pseudorandom number generation. The only problem is that Applied Cryptography states that the specific algorithm they used should specifically not be utilized for random number generation. Rubin comically states about that incident that Diebold should have consulted with Schneier, rather than have their staff misunderstand what they read in his book.
I had a similar frustrating incident when consulting on an e-voting system some years ago. The lead developer (who obviously was no expert in cryptography) documented that the e-voting system used 120-bit encryption. Upon analysis, we found that the system was using 40-bit encryption. When countered about that, the developer replied that they perform the 40-bit encryption routine three times using the same key, for an effective 120-bit key length. Of course, 40-bit encryption will always be (insecure) 40-bit encryption, no matter how many iterations he put it through, but it is frightening that he did not know that.
After his team presented their report in 2003, Rubin writes in detail how Diebold started a smear campaign against him. Not only was it Diebold, but also election officials in municipalities that had deployed the Accuvote-TS system that also maligned Rubin. This was done primarily by misinterpreting his objections, and also by refusing to pay attention to other independent reports on the insecurity of the devices.
For a more timely and somewhat humorous account of how insecure Diebold really is, see 'Hotel Minibar Key Opens Diebold Voting Machines'.
Being a whistle-blower always takes a toll on a person, and Rubin was no different. His work on e-voting consumed him and took a toll on his family, career and his students. The book chronicles how Rubin found himself caught in a crossfire between big business, partisan politics, and overworked election officials. Rubin also found himself in the crosshairs of the ITAA (Information Technology Association of America), a powerful vendor-based lobbying group. The ITAA, of which Diebold was a client, attempted to discredit him on many occasions, but their evidence was always weak and reckless, and in the end only served to bolster Rubin's claims against the Diebold systems.
Part of the absurd claims of the ITAA was that the open-source movement is using the issue of e-voting security to wage a 'religious war' that pits open-source software against proprietary software. Rubin could have filled chapters with similar ITAA absurdities, but wisely chose not to.
Similarly, an article I wrote 'E-Voting: It's Security, Stupid' also was the recipient of the wrathful ITAA reply. In their so-called rebuttal mistakenly titled 'E-Voting Does Work', Harris Miller of the ITAA follows his modus operandi of first attacking the person, avoiding the issue, stating vague meaningless comments, and concluding the issue by missing the point.
99% of the voting public does not know about backdoors, insecure code, Trojan Horses, insider threats, and scores of other security issues that the e-voting vendors have yet to fully address. The election process as we know it is rapidly being migrated to these electronic voting machines that are replacing the older, but more reliable mechanical systems.
BNB is a timely and important book as it details the very real defects on which these e-voting systems are built (and Windows is only one of them). The ITAA made claims such as that the only vulnerability within e-voting is that of a rogue programmer conspiring to steal public office. Such politicking only serves to confuse the issue for a public that is inherently trustful of these voting machines. Yet if these e-voting machines were built to the same stringencies and regulations that the aviation and pharmaceutical industries face, they would never make it within a mile of a voting booth.
Brave New Ballot is to e-voting what Rachel Carson's Silent Spring is to the global environmental movement. It is a vitally important book that details the problem of e-voting and what can be done in the future to make certain that it can one day be carried out in a secure manner.
Of course, the image of an embedded crypto key or plaintext password in an e-voting system does not convey the same impact on the public as that of a thalidomide baby. Pictures of thalidomide babies caused heads to roll at the FDA, and one should hope that the publication of Brave New Ballot will awaken the public from their slumber on the topic of electronic voting, and encourage the Election Assistance Commission to immediately ban electronic voting until it can be secured.
Deforest Soaries, the first Chairman of the United States Election Assistance Commission, sums it up best when he states 'If the integrity of our sacred right of voting is less important than partisan politics, corporate interests, or bureaucratic systems, then shame on us for presenting ourselves as the global standard bearers of democracy.' As Brave New Ballot shows, there is a lot of shame going around."
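The reviewer's anecdote above, that running a 40-bit routine three times with the same key is still 40-bit encryption, can be shown concretely. This is an added example, not code from the review or from any product it describes: a constructed toy cipher with a 16-bit key (so the search finishes in seconds) is applied once and three times with one shared key, and a known-plaintext key search needs at most 2^16 trials either way; only independent keys would enlarge the search space.

```python
"""Added example: repeating a cipher with the same key does not lengthen the key.

The toy cipher and all test data below are constructed for illustration; the
cipher is not secure and stands in for the 40-bit routine in the review. The
key is 16 bits so that an exhaustive search finishes quickly.
"""
import math

KEY_BITS = 16
BLOCK_MASK = 0xFFFFFFFF  # 32-bit block


def toy_encrypt(block: int, key: int, rounds: int = 4) -> int:
    """Constructed add-rotate-xor cipher: 32-bit block, 16-bit key, 4 rounds."""
    x = block & BLOCK_MASK
    k = key & 0xFFFF
    for r in range(rounds):
        # Derive a 32-bit round key from the 16-bit key and the round number.
        rk = ((k << 16) | k) ^ ((0x9E3779B9 * (r + 1)) & BLOCK_MASK)
        x = (x + rk) & BLOCK_MASK
        x = ((x << 7) | (x >> 25)) & BLOCK_MASK  # rotate left by 7
        x ^= rk
    return x


def triple_encrypt_same_key(block: int, key: int) -> int:
    """Three passes with one shared key, as the developer in the review did."""
    for _ in range(3):
        block = toy_encrypt(block, key)
    return block


def brute_force(pairs, encrypt_fn, key_bits: int = KEY_BITS):
    """Known-plaintext exhaustive search; returns (key, trials) or (None, trials)."""
    trials = 0
    for candidate in range(1 << key_bits):
        trials += 1
        if all(encrypt_fn(m, candidate) == c for m, c in pairs):
            return candidate, trials
    return None, trials


def keyspace(key_bits: int, independent_keys: int) -> int:
    """Size of the search space: only independent keys multiply the work."""
    return 1 << (key_bits * independent_keys)


def effective_key_bits(search_size: int) -> int:
    """Worst-case search size expressed in bits."""
    return math.ceil(math.log2(search_size))


# Constructed known plaintext/ciphertext pairs under a constructed secret key.
TRUE_KEY = 0xBEEF
PLAINTEXTS = [0x56696F74, 0x69647531]  # arbitrary 32-bit sample blocks
PAIRS_SINGLE = [(m, toy_encrypt(m, TRUE_KEY)) for m in PLAINTEXTS]
PAIRS_TRIPLE = [(m, triple_encrypt_same_key(m, TRUE_KEY)) for m in PLAINTEXTS]


def compare_search_cost() -> dict:
    """Search both constructions; the worst case is 2**KEY_BITS trials for each."""
    k1, t1 = brute_force(PAIRS_SINGLE, toy_encrypt)
    k3, t3 = brute_force(PAIRS_TRIPLE, triple_encrypt_same_key)
    return {
        "single_key_recovered": k1 == TRUE_KEY,
        "triple_same_key_recovered": k3 == TRUE_KEY,
        "single_trials": t1,
        "triple_same_key_trials": t3,
        "worst_case_bits_same_key": effective_key_bits(keyspace(KEY_BITS, 1)),
        "worst_case_bits_three_independent_keys": effective_key_bits(keyspace(KEY_BITS, 3)),
    }


if __name__ == "__main__":
    for name, value in compare_search_cost().items():
        print(f"{name}: {value}")
```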
You can purchase Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting from bn.com. -
PGP & GPG
Ben Rothke writes "PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmermann, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulations). After many years of investigation, the FBI ultimately dropped its case against Zimmermann. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.
Title: PGP & GPG: Email for the Practical Paranoid
Author: Michael Lucas
Pages: 216
Publisher: No Starch Press
Rating: 8
Reviewer: Ben Rothke
ISBN: 1593270712
Summary: Pretty good overview of PGP & GPG
On page 167 in Appendix A of the book, the author candidly writes that PGP "comes with a very good and complete manual at over 300 pages". With that, one may question why one would spend $24.95 on a book which covers much of the same information as the bundled documentation.
The reality is that there is a large class of people that will simply not read any form of documentation. Rather, they prefer something with an ISBN number. Such people are a boon to authors (of which I am one) and publishers. For that group, PGP & GPG: Email for the Practical Paranoid provides a pretty good overview of how to use PGP.
The book is written for an end-user who, while comfortable with the workings of technology, is new to the sometimes strange world of public key cryptography. The author writes in an easy-to-read style and, through repetition, inculcates the principal ideas of encryption and cryptography to the reader.
The introduction and first chapter provide a good presentation of the concepts of encryption, cryptography and public-key cryptography. The idea of public-key cryptography, on which PGP is based, is not so intuitive, and many people struggle with the basic concepts. The first chapter, appropriately titled 'Cryptography Kindergarten', is a good read for those who are public-key cryptography challenged.
On a side note, the notion that even smart end-users can be intimidated by public key cryptography was detailed in a now seminal research paper 'Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.'
The premise of the paper is that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. The authors argue that effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. The authors conclude that PGP 5.0 is not usable enough to provide effective security for most computer users despite its attractive graphical user interface. Even though PGP is in version 9.x, it still suffers from usability flaws.
Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.' Military-grade encryption and military-grade cryptography are overused terms, most often by marketing departments, but there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified. Most people use 'military-grade encryption' to mean really strong crypto, much like those who use the term 'Olympic-size swimming pool' to refer to a really large pool. But the term 'military-grade encryption' is so misused by so many people that it is a lost cause to try to fight it.
In the rest of the book, chapters 2 - 11, the author details the varied usages of PGP & GPG. The book also details the differences between OpenPGP, PGP and GPG.
The difference between them is that PGP is a commercial piece of software, GPG (Gnu Privacy Guard) is open source, and OpenPGP is a protocol that defines a standard format for encrypted messages, signatures, and certificates for exchanging public keys.
The author astutely writes that while PGP provides really strong security, this is only if, and this is a huge if, it is implemented correctly. Chapter 11 notes that although OpenPGP provides a reliable method of authentication and encryption, it is also not unbreakable. OpenPGP can be vulnerable to many different types of attacks and weaknesses, including poor implementation, hardware or software compromise, fake keys and more. It is important to realize that OpenPGP provides significant, but not unbreakable security.
At 180 pages and priced at $24.95, PGP & GPG: Email for the Practical Paranoid is an excellent book that shows the end-user in an easy-to-read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.
For those that want to save money and perhaps save a few trees, the free documentation that comes along with the product is similarly worth reading."
You can purchase PGP & GPG: Email for the Practical Paranoid from bn.com.
-
Computer Network Time Synchronization
Ben Rothke writes "For most people, having their clocks accurate to within a few millionths of a second is excessive. Yet there are plenty of reasons to ensure that clocks on networks and production systems are that accurate. In fact, the need for synchronized time is a practical business and technology decision that is an integral part of an effective network and security architecture. The reality is that an organization's network and security infrastructure is highly dependent on accurate, synchronized time." Read the rest of Ben's review.
Title: Computer Network Time Synchronization
Author: David L. Mills
Pages: 304
Publisher: CRC
Rating: 10
Reviewer: Ben Rothke
ISBN: 0849358051
Summary: Definitive reference on how to deploy and use NTP
From a practical perspective, nearly every activity requires synchronized time to operate at peak levels, from plane departures and sporting events, to industrial processes, IP telephony, GPS and much more. Within information technology, technologies from directory services, collaboration, to authentication, SIM and VoIP all require accurate and synchronized time to work effectively.
Computer Network Time Synchronization: The Network Time Protocol is a valuable book for those that are serious about network time synchronization. David Mills, the author of the book, is one of the pillars of the network time synchronization community, and an original developer of the IETF-based network time protocol (NTP). The book is the summation of his decades of experience and a detailed look at how to use NTP to achieve highly accurate time on your network.
While network time synchronization is indeed crucial to corporate networks, this is only the second book on the topic. Last year saw Expert Network Time Protocol: An Experience in Time with NTP, which is a most capable title. But this book is clearly the indisputable reference on the subject, given its extraordinary depth and breadth. While Expert Network Time Protocol gets into the metaphysics of time, Mills's book takes a much more rationalist and pragmatic approach, which explains the myriad mathematical equations.
Mills is an electrical engineer by training and a significant part of the book's 15 chapters involve advanced mathematics. But even for those who can't manage such equations, there is enough relevant material to make the book most rewarding.
Chapters 1 and 2 provide an excellent overview of the basics of network timekeeping and an overview of how NTP works. We often take for granted that network computers have the capabilities to set their internal clock. But while the capabilities are there, the reality is that these clocks are rarely accurate and are subjected to many externalities that affect their ability to provide accurate time. The book shows how highly accurate time is easily achievable, often without the need for additional hardware. The goal of the book is to show the reader how they can use NTP to synchronize the time on their network hosts to within a few milliseconds.
Chapters 3 - 11 detail the internals of NTP and time synchronization. Topics such as clock discipline algorithms, clock drivers and more are detailed. For many readers, the information may be overkill, but remember that this is not a For Dummies book.
Chapters 13 - 15 ease up on the abstract mathematics and are much more readable for a newbie to the world of time synchronization. Chapter 13 is quite readable and details the metrology and chronometry of how NTP measures time as opposed to other time scales.
One of the key differences is the notion of absolute vs. relative time. Relative or astronomic time is based on the earth's rotation. Since the earth's rotation is not absolute, leap seconds are added to keep UTC (Universal Coordinated Time) synchronized with the astronomical timescale.
So what exactly is this legendary thing called the second? In 1967, the 13th General Conference on Weights and Measures defined the International System unit of time, the second, in terms of atomic time rather than the motion of the Earth. Specifically, a second was defined as the duration of 9,192,631,770 cycles of microwave light absorbed or emitted by the hyperfine transition of cesium-133 atoms in their ground state undisturbed by external fields.
Since the 17th century, time has for the most part been measured astronomically via the solar day. But in the 1940s, it was established that the earth's rotation is not constant, as the earth is spinning slower than it did years ago.
Part of what NTP provides is coordination to UTC. UTC provides operating systems and applications with a common index to synchronize events and prove that events happened when timestamps state they did. UTC is a 24-hour clock system, and at any given moment, UTC is the same no matter where you are located.
For the purist, UTC really stands for Coordinated Universal Time, but both terms are used. Mills somewhat humorously notes that we follow the politically correct convention of expressing international terms in English, and their abbreviations in French.
Chapter 15 concludes the book with a fascinating look at the technical history of NTP. As of mid-2006, NTP has been in use for over 25 years and remains one of the longest-running, if not the longest-running, continuously operating application protocols in use on the Internet. Currently in version 4.2.1, NTP is a well-developed, stable protocol.
For those that are simply interested in how time synchronization works, or are responsible for time synchronization in their organization, Computer Network Time Synchronization: The Network Time Protocol is the most comprehensive guide available to using NTP.
For those that need an exhaustive tome on all of the minutiae related to NTP and synchronization, this is the source. Short of a vendor and product analysis, the book covers every detail within NTP and is the definitive title on the subject.
Two new books on the subject in a year demonstrate the importance of time synchronization. While this is not likely indicative of a flood of new books on time synchronization, this book should be considered the last word on the topic."
You can purchase Computer Network Time Synchronization from bn.com. -
Insider Threat
Ben Rothke writes "Thousands of computer security books have been published that deal with every conceivable security issue and technology. But Insider Threat is one of the first to deal with one of the most significant threats to an organization, namely that of the trusted insider. The problem is that within information technology, many users have far more access and trust than they should truly have." Read the rest of Ben's review.
Title: Insider Threat
Authors: Eric Cole and Sandra Ring
Pages: 397
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597490482
Summary: Excellent overview of the insider threat to networks and information systems
The retail and gambling sectors have long understood the danger of the insider threat and have built their security frameworks to protect against both the insider and the outsider. Shoplifters are a huge bane to the retail industry, exceeded only by thefts from internal employees behind the registers. The cameras and guards in casinos are looking at both those in front of and behind the gambling tables. Casinos understand quite well that when an employee is spending 40 hours a week at their location dealing with hundreds of thousands of dollars, over time they will learn where the vulnerabilities and weaknesses are. For a minority of these insiders, they will commit fraud, which is invariably much worse than any activity an outsider could alone carry out.
Insider Threat is mainly a book of real-life events that detail how the insider threat is a problem that affects every organization in every industry. In story after story, the book details how trusted employees will find weaknesses in systems in order to carry out financial or political attacks against their employers. It is the responsibility of the organization to ensure that their infrastructure is designed to detect these insiders and their systems resilient enough to defend against them. This is clearly not a trivial task.
The authors note that the crux of the problem is that many organizations tend to think that once they hire an employee or contractor, that the person is now part of a trusted group of dedicated and loyal employees. Given that many organizations don't perform background checks on their prospective employees, they are placing a significant level of trust in people they barely know. While the vast majority of employees can be trusted and are honest, the danger of the insider threat is that it is the proverbial bad apple that can take down the entire tree. The book details numerous stories of how a single bad employee has caused a company to go out of business.
Part of the problem with the insider threat is that since companies are oblivious to it, they do not have a framework in place to determine when it is happening, and to deal with it when it occurs. With that, when the insider attack does occur, which it invariably will, companies have to scramble to recover. Many times, they are simply unable to recover, as the book details in the cases of Omega Engineering and Barings Bank.
The premise of Insider Threat is that companies that don't have a proactive plan to deal with insider threats will ultimately be a victim of insider threats. The 10 chapters in the book expand on this and provide analysis of each scenario described.
Chapter 1 defines what exactly insider threats are and provides a number of ways to prevent insider threats. The authors note that there is no silver bullet solution or single thing that can be done to prevent an insider threat. The only way to do this is via a comprehensive program that must be developed within the framework of the information security group. Fortunately, all of these things are part of a basic information security program including fundamental topics like security awareness, separation and rotation of duties, least privilege to systems, logging and auditing, and more.
The irony of all of the solutions suggested in chapter one is that not a single one of them is rocket science. All of them are security 101 and don't require any sort of expensive software or hardware. Part of this bitter irony is that companies are oblivious to these insider threats and will spend huge amounts of money to protect against the proverbial evil hacker, being oblivious to the nefarious accounts receivable clerk in the back office that is draining the coffers.
One example the book provides is that many companies feel they are safe because they encrypt data. An excellent idea detailed in chapter two is to set up a sniffer and examine the traffic on the internal network to ensure that the data is indeed encrypted. The reliance on encryption will not work if it is not set up or configured correctly. The only way to know with certainty is to test it and see how it is transmitted over the wire. Many companies will be surprised that data that should be unreadable is being transmitted in the clear.
Some of the suggestions that the authors propose will likely ruffle some feathers. Ideas such as restricting Internet, email, IM and web access to a limited number of users may sound absurd to some. But unless there is a compelling business need for a user to have these technologies, they should be prohibited. Not only will the insider threat threshold be lowered, productivity will likely increase also.
The authors also suggest prohibiting iPods or similar devices in a corporate environment. The same device that can store gigabytes of music can also be used to illicitly transfer gigabytes of corporate data.
Insider Threat provides verifiable stories from every industry and sector, be it commercial or government. The challenge of dealing with the insider threat is that it requires most organizations to completely rethink the way they relate to security. It is a challenge that many organizations would prefer to remain oblivious to, given the uncomfortable nature of the insider threat. But given that the threats are only getting worse, ignoring them is inviting peril.
The only shortcoming of the book is that even though it provides a number of countermeasures and suggestions, they are somewhat scattered and written in an unstructured way. It is hoped that the authors will write a follow-up book that details a thorough methodology and framework for dealing with the insider threat.
Overall, Insider Threat is an important work that should be required reading for every information security professional and technology manager. The issue of the insider threat is real and only getting worse. Those that choose to ignore it are only inviting disaster. Those companies that will put office supplies and coffee under double-lock and key, while doing nothing to contain the insider threat, are simply misguided and putting their organization at risk.
Insider Threat is a wake-up call that should revive anyone who doubts the insider threat.
Ben Rothke, CISSP is a New York City based security consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com"
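The chapter two advice described in the review, to sniff the internal network and confirm that data which should be encrypted is not crossing the wire in the clear, can be partly automated. This added example is not from the book or the review: it scores constructed sample payloads by printable-byte ratio and Shannon entropy to flag those that look like cleartext; the captures, thresholds and credential markers are my assumptions.

```python
"""Added example: flag captured payloads that look like cleartext.

The payloads below are constructed samples standing in for TCP segment data
pulled off an internal network with a sniffer; thresholds are illustrative.
High entropy only says 'not cleartext' (compressed data scores high too), so
an 'opaque' verdict is not proof of encryption, but 'cleartext' is a finding.
"""
import hashlib
import math
import re
import string

PRINTABLE = set(string.printable.encode())
# Assumed thresholds: text protocols sit well below 6 bits/byte and are
# almost entirely printable ASCII.
MAX_TEXT_ENTROPY = 6.0
MIN_PRINTABLE_RATIO = 0.90
# Constructed markers of authentication material travelling unencrypted.
CREDENTIAL_MARKERS = re.compile(rb"(?i)(authorization: basic|password=|\bPASS\b)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a single repeated byte, near 8 for random bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (whitespace included)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify(data: bytes) -> dict:
    """Return the metrics and a verdict, 'cleartext' or 'opaque', for one payload."""
    ent = shannon_entropy(data)
    ratio = printable_ratio(data)
    is_text = ratio >= MIN_PRINTABLE_RATIO and ent <= MAX_TEXT_ENTROPY
    return {
        "entropy": round(ent, 2),
        "printable_ratio": round(ratio, 2),
        "verdict": "cleartext" if is_text else "opaque",
        # Only meaningful for cleartext; an opaque blob cannot be pattern-matched.
        "credential_marker": bool(is_text and CREDENTIAL_MARKERS.search(data)),
    }


def audit(payloads: dict) -> dict:
    """Classify every captured payload; keys are capture labels."""
    return {label: classify(data) for label, data in payloads.items()}


def _pseudo_random_blob(n_blocks: int = 8) -> bytes:
    """Deterministic high-entropy bytes (a stand-in for ciphertext) via SHA-256 chaining."""
    out, seed = b"", b"constructed-seed"
    for i in range(n_blocks):
        seed = hashlib.sha256(seed + bytes([i])).digest()
        out += seed
    return out


# Constructed captures: an unencrypted login, a database query, an opaque record.
SAMPLE_PAYLOADS = {
    "http-login": (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    "db-query": b"SELECT ssn, salary FROM employees WHERE dept = 'payroll';",
    "tls-like-record": _pseudo_random_blob(),
}

if __name__ == "__main__":
    for label, result in audit(SAMPLE_PAYLOADS).items():
        print(f"{label:16} {result}")
```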
You can purchase Insider Threat from bn.com. -
Securing IM and P2P Applications
Ben Rothke writes "Noted security veteran Bruce Schneier has observed that for those organizations that have incorrectly deployed cryptography, it is akin to putting a big flagpole in front of your facility and hoping that it will stop any attackers from breaking in. Of course, any attacker with intelligence will simply go around the flagpole rather than running into it." Read the rest of Ben's review.
Title: Securing IM and P2P Applications for the Enterprise
Author: Paul Piccard
Pages: 454
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597490172
Summary: How to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks
Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products.
Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks.
With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications. This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization.
The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium, with most organizations today reporting that they allow it for business usage. Many marketing and technical support calls are now handled via IM, and this translates into well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that poses serious security and legal liability risks when done on most corporate networks.
But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger as most IM and P2P threats fly under the radar of many traditional security solutions.
The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3.
Each chapter details the specific architecture of each application, its protocols, security issues, and solutions in which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.
Each chapter also provides significant details about the internals on how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.
Many companies are finding that a significant amount of their bandwidth is being used by P2P applications, and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out given that many P2P applications, such as Gnutella, are designed to easily bypass many of the security control mechanisms placed against them. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic and the application still will be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.
Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.
Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact that P2P and IM are much more heavily used on enterprise networks, which this book is geared to.
The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher-end of computer security books, with the majority of such titles being in the $25.909 - $39.99 range. The formatting uses a font size that is somewhat larger than other books. This seemingly serves to achieve a high page count.
In addition, the book often references tables of secondary information that span a few pages (for examples see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font. Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.
Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.
Ben Rothke, CISSP, is a New York City based senior security consultant with ThruPoint, Inc. and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com"
You can purchase Securing IM and P2P Applications for the Enterprise from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
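The review above makes the point that blocking Gnutella's default port does not stop a client that has simply moved to port 80, and that only payload inspection does. The following Go program is an added illustration written for this archive page, not code from the book or from Ben Rothke: it classifies a few constructed connection payloads (not captured traffic) by a port-only rule and by a payload rule that keys on the plain-text Gnutella 0.6 handshake, and renders the equivalent iptables string-match rule as text. The client name "ExampleClient", the hostnames and the flow contents are constructed, and the iptables rule assumes the netfilter xt_string module is available on the host.

```go
package main

import (
	"bytes"
	"fmt"
)

// Flow is a constructed stand-in for the first payload bytes of one TCP
// connection, which is all a filter sees before deciding to pass or drop it.
type Flow struct {
	DstPort uint16
	Payload []byte
}

// Gnutella 0.6 peers open every connection with a plain-text handshake: the
// requester sends "GNUTELLA CONNECT/0.6", the acceptor answers
// "GNUTELLA/0.6 200 OK". The signature is in the payload, not the port.
var gnutellaSignatures = [][]byte{
	[]byte("GNUTELLA CONNECT/"),
	[]byte("GNUTELLA/"),
}

// IsGnutellaHandshake does what a deep-packet-inspection rule does: it looks
// at the application data and ignores the port entirely.
func IsGnutellaHandshake(payload []byte) bool {
	for _, sig := range gnutellaSignatures {
		if bytes.HasPrefix(payload, sig) {
			return true
		}
	}
	return false
}

// Verdict records whether each strategy would have dropped a flow.
type Verdict struct {
	ByPort bool // port-only rule: drop Gnutella's default port 6346
	ByDPI  bool // payload rule: drop the handshake wherever it appears
}

// Classify applies both strategies to one flow.
func Classify(f Flow) Verdict {
	return Verdict{
		ByPort: f.DstPort == 6346,
		ByDPI:  IsGnutellaHandshake(f.Payload),
	}
}

// IptablesStringRule renders the equivalent netfilter rule: the string match
// scans payload on every port. It assumes the xt_string module is loaded and
// is shown here only as text; this program never runs iptables.
func IptablesStringRule() string {
	return `iptables -A FORWARD -p tcp -m string --algo bm --string "GNUTELLA CONNECT/" -j DROP`
}

// SampleFlows are constructed, not captured traffic. Flow 1 is a client that
// was reconfigured to use port 80 after 6346 was blocked; flow 3 is ordinary
// web traffic to an intranet server that happens to listen on 6346.
func SampleFlows() []Flow {
	return []Flow{
		{6346, []byte("GNUTELLA CONNECT/0.6\r\nUser-Agent: ExampleClient/1.0\r\n\r\n")},
		{80, []byte("GNUTELLA CONNECT/0.6\r\nUser-Agent: ExampleClient/1.0\r\n\r\n")},
		{80, []byte("GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")},
		{6346, []byte("GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n")},
	}
}

func main() {
	for i, f := range SampleFlows() {
		v := Classify(f)
		fmt.Printf("flow %d port %-5d port-rule drops=%-5t dpi-rule drops=%t\n",
			i, f.DstPort, v.ByPort, v.ByDPI)
	}
	fmt.Println(IptablesStringRule())
}
```

Run as-is, flow 1 shows the gap the review describes (the port rule passes it, the payload rule drops it) and flow 3 shows the opposite cost of port-only filtering (legitimate HTTP on 6346 is dropped). A production string match should be paired with connection tracking so it only examines the start of a stream, since the "GNUTELLA" text can also appear inside unrelated data.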
Cryptography in the Database
Ben Rothke writes "Noted security guru Marcus Ranum has observed that "these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications; makes it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."" Read on for Ben's review. Cryptography in the Database : The Last Line of Defense author Kevin Kenan pages 312 publisher Addison-Wesley rating 9 reviewer Ben Rothke ISBN 0321320735 summary Excellent reference for those that are serious about securing their corporate databases
Taking Ranum's observation to the next level, it is not only the applications that need to be secured, but databases also. The theme of Cryptography in the Database - The Last Line of Defense is that databases, being the main repository for critical consumer and business data, are often not given the adequate level of security that they deserve.
Large databases often contain terabytes of data. This data often contains R&D, client, customer data and more, that if compromised, could wreak havoc on an organization; both from a public relations perspective, in addition to a regulatory perspective. In a large customer driven organization, a database breach can wreak havoc on tens of thousands of customer records. With all of that, companies will spend large amounts of money on the security appliance of the month, but often let their databases sit unprotected.
Cryptography in the Database is a valuable book in that it shows how a formal methodology is required to adequately protect large corporate databases. The emphasis of the book is on designing and integrating a cryptosystem into the database to protect it against the various threats that are specifically launched against corporate database systems.
The book's four parts contain 21 chapters. Part one is a brief overview of the need for database security, along with related threats to databases, and also covers the basic concepts of cryptography and encryption.
Part two provides a comprehensive synopsis on the cryptographic infrastructure necessary to secure corporate databases. Chapter 3 goes into details on how to set up an effective key management scheme. Such a scheme is crucial as the author notes that all it takes is the loss of a single 128-bit key, and gigabytes of data can become inaccessible.
Part two also creates a sample cryptographic architecture that is flexible and modular so that it is easily adaptable to various situations. The author notes that such systems can be difficult to manage if they become overly complex, and the challenge is to find the right balance between security and complexity on one side, and usability on the other. Creating an effective cryptographic database infrastructure is not an elementary task given the different requirements of security and functionality.
Chapter 3 details the various entities that go into a complete cryptographic architecture, including the cryptographic engine, and the various controls around the crypto keys. The chapter provides a good overview of the key life cycle. Historically, controls around the key life cycle are crucial. One of the ways the Allies were able to break the German Enigma cipher machine during World War II was that the Germans reused their crypto keys, which obviates much of the security that cryptography can provide. Had the Germans not done that, the outcome of the war may have been dramatically different.
Part 3 details the issues that need to go into the entire cryptography project. Kenan notes that for security to be effective, it must be dealt with at the commencement of a project and must permeate the overall design and seep into every line of code. Also, in the long term, developing a culture of security depends on looking at security as an opportunity to provide extra value. Where security fails is when it is viewed merely as a series of checklists that are meant to get in the way.
Chapter 9 shows how data flow diagrams can be used by a database analyst to better understand how a system works. These data flow diagrams are valuable in that they show the various inputs into the system and where potential failures can crop up.
Part 4 provides various Java code examples of the cryptographic infrastructure that were detailed in the previous 12 chapters. The example code is meant to show how to implement the primary functionality of the various components that the book describes.
One of the popular terms in security today is data at rest, which refers to all data in storage. Businesses, government agencies, and others need to deal with attacks on data at rest, which more often than not will be found on databases.
After reading Cryptography in the Database, the reader can understand why database cryptography must be implemented in a methodological fashion, since incorrectly implemented cryptography can often be worse than no cryptography at all. With that, database administrators, architects and others who have input into the design of database security are highly advised to read Cryptography in the Database.
Databases are far too critical to an organization to be left unsecured, or incorrectly secured. The database is indeed the last line of defense in an organization. Books such as this are thusly vital to ensure that the last line of defense is not easily breached.
You can purchase Cryptography in the Database from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
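The review above stresses two things about the key life cycle: losing a single key makes everything sealed under it unreadable, and reusing key material throws away the protection the cipher offers. The Go program below is an added example for this page, not the book's Java sample code and not Ben Rothke's: a small versioned key store where each database field is sealed under the current 128-bit AES-GCM key with a fresh random nonce, the key id travels with the ciphertext so rows written before a rotation still open, a row-binding value stops a ciphertext from being moved to another row, and destroying a key shows the data loss the review warns about. The in-memory map stands in for an HSM or key-management service, and the row ids and secret string are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the encrypted column stores. Carrying the key id with the
// ciphertext is what makes key rotation possible later.
type Record struct {
	KeyID uint32
	Nonce []byte
	CT    []byte
}

// KeyStore keeps data-encryption keys by version and tracks the current one.
// A real deployment keeps this in an HSM or key-management service with
// backups; the in-memory map is a constructed stand-in.
type KeyStore struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[uint32][]byte{}} }

// Rotate generates a fresh 128-bit AES key and makes it current. Older keys
// stay in the store so rows written under them remain readable.
func (ks *KeyStore) Rotate() (uint32, error) {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	ks.current++
	ks.keys[ks.current] = k
	return ks.current, nil
}

// Destroy retires a key permanently; every row still sealed under it becomes
// unreadable, which is why destruction must wait until data is re-encrypted.
func (ks *KeyStore) Destroy(id uint32) { delete(ks.keys, id) }

func (ks *KeyStore) aead(id uint32) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d not available", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one field under the current key. Every call draws a fresh
// random nonce: reusing a key+nonce pair in GCM leaks plaintext, the modern
// analogue of the Enigma operators' key reuse. aad binds the ciphertext to
// its row so it cannot be copied into another.
func (ks *KeyStore) Encrypt(plaintext, aad []byte) (Record, error) {
	if ks.current == 0 {
		return Record{}, errors.New("no key: call Rotate first")
	}
	g, err := ks.aead(ks.current)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ks.current, nonce, g.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt looks up the key the record names, so rows sealed before a
// rotation still open; it fails closed on tampering or a wrong row binding.
func (ks *KeyStore) Decrypt(r Record, aad []byte) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.CT, aad)
}

// Reencrypt moves a record to the current key; run it over every row sealed
// under an old key before that key is destroyed.
func (ks *KeyStore) Reencrypt(r Record, aad []byte) (Record, error) {
	pt, err := ks.Decrypt(r, aad)
	if err != nil {
		return Record{}, err
	}
	return ks.Encrypt(pt, aad)
}

func main() {
	ks := NewKeyStore()
	ks.Rotate()
	row := []byte("customer:42") // constructed row binding
	r, _ := ks.Encrypt([]byte("constructed-secret-value"), row)
	ks.Rotate()
	pt, err := ks.Decrypt(r, row)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	ks.Destroy(r.KeyID)
	_, err = ks.Decrypt(r, row)
	fmt.Println("after destroying key 1:", err)
}
```

The order of operations in main is the point: rotate, re-encrypt, and only then destroy. Skipping the middle step is exactly how "the loss of a single 128-bit key" turns into gigabytes of unreadable data.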
Just Say No to Microsoft
Ben Rothke writes "Load up a computer today with a basic set of applications software, and there will be a de facto Microsoft tax on that computer. Add roughly $100 for the Windows XP operating system and $350 for Microsoft Office, and you have a significant initial financial outlay. If one would use an open source operating system and set of office applications, the cost savings would be enormous. That is why the option of open source is so financially compelling to both the consumer and organizations that have thousands of computers. And open source is correspondingly such a threat to companies such as Microsoft. The idea of saving money and never having to worry about a blue screen of death is the proverbial win/win scenario." Read on for Ben's review. Just Say No to Microsoft: How to Ditch Microsoft and Why It's Not as Hard as You Think author Tony Bove pages 243 publisher No Starch Press rating 7 reviewer Ben Rothke ISBN 159327064X summary Open source alternatives to Microsoft operating systems and applications
With that, Just Say No to Microsoft: How to Ditch Microsoft and Why It's Not as Hard as You Think would seemingly be a most valuable book in helping consumers and corporations rid themselves of the Microsoft tax. Unfortunately, the book spends far too much time slurring Microsoft and Bill Gates.
The book's main charges are that Microsoft has been far too predatory and that Bill Gates is not the technical genius that he is made out to be. Microsoft's questionable business tactics are not without ethical lapses, but it must be noted that Microsoft is simply one in a long line of companies that have used their size and deep pockets to quash the competition. Microsoft is not alone and joins companies such as American Airlines, Ford and General Motors, Wal-Mart and more that have engaged in practices that while good for their stockholders, have not been good for the competition.
Bove is correct that Microsoft's practices over the years have discouraged innovation and stunted competition. But then again, that is true of Ford, GM and other such companies. The innovations of Ford and GM for example have been mostly superficial, without any significant improvement into crucial issues such as gas mileage and more.
Two of the companies that Microsoft has been accused of destroying are Novell and WordPerfect. Yet much of the blame for the demise of these two companies goes to their management that did not know how to properly market their products nor deal with a competitor such as Microsoft. This is not meant to imply that Microsoft is blameless, rather that Novell and WordPerfect had plenty of opportunities to fend off Microsoft, yet did not rise to the challenge.
Aside from the pervasive anti-Microsoft tone and style of the book, Just Say No to Microsoft: How to Ditch Microsoft and Why It's Not as Hard as You Think provides a good starting point for those that are looking for a cheaper and safer alternative to Microsoft products.
Chapter 1 starts with an overview of the history of Microsoft and how it grew to be the largest software company in the world. In chapter 2, All You Need is a Mac, Bove feels that the quickest route to Microsoft freedom is by purchasing a Macintosh. While a Mac is not necessarily cheaper than a Wintel system, the Mac OS X is considerably more resilient against attacks. In addition, the concern of malware such as viruses and spyware is much less of an issue on a Mac.
Chapter 3 deals with what worries Microsoft the most - Linux. Bove notes that large companies that deal with thousands of end-user desktops are discovering the advantage of migrating to Linux in a big way.
Chapters 4 and 5 deal with Microsoft Word and Excel. Word documents have become the de facto standard for document exchange and are what has locked many people into staying with Microsoft Word. Excel has a similar power in being the de facto spreadsheet. Most people think that the only alternative to Word is WordPerfect and simply don't know about OpenOffice Writer and Calc or other open source alternatives. The two chapters show how it is possible to effectively collaborate on documents without having to use Word.
While the book does not get into every open source alternative to a Microsoft product, Bove's web site has a comprehensive list of open source alternatives to Windows products at www.tonybove.com/getoffmicrosoft/home.html#windows.
Chapter 4 concludes with a look at the technical and practical problems with PowerPoint. Bove notes that the corrupting power of PowerPoint is so strong that otherwise normally articulate speakers turn into zombies mumbling the bullet points that appear on the slides behind them. It is not clear though how Impress, the open source alternative to PowerPoint, is necessarily better from a presentation perspective.
The next few chapters deal with Outlook, the application that has launched countless viruses and worms, and also detail other network-based problems with Microsoft protocols and applications. Issues such as the never-ending cycle of Microsoft patches are also discussed.
Chapter 10 provides a 10 step program (fashioned after the Alcoholics Anonymous 12 step program) to free the reader from their Microsoft addiction. While the steps are brief and effective, it would have been better had there been more technical details on how to migrate out of a Microsoft environment. For the person with thousands of documents and files in various Microsoft formats, it is not as effortless as simply copying your old files onto a USB drive and moving them to the new open source based host.
The book contains four parts, and there are four cartoons at the beginning of each part that Bove wrote. The cartoons are quite funny in their own right and Bove should also consider a career as a cartoonist.
Ned Ludd said that the machine was the enemy, and Tony Bove feels the same way about Microsoft. For evidence, check out his campaign to stop the spread of Word documents at www.tonybove.com/getoffmicrosoft/stopdoc.html.
The only negative to the book is that there are far too many negative stories of Microsoft's predatory practices. A few stories would be adequate, but there is no point in belaboring the issue in a book that is meant to be more technical and practical, as opposed to political.
For many people who don't know better, they expect that a blue screen of death and monthly patching is part of a standard computing environment. Just Say No to Microsoft: How to Ditch Microsoft and Why It's Not as Hard as You Think is an interesting read that will open the eyes of those users to a cheaper, more secure and robust open source solution.
You can purchase Just Say No to Microsoft from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The CISO Handbook
Ben Rothke writes "Far too many books on information security focus on security from the product point of view. They equate security with firewalls, intrusion detection systems, biometrics, and myriad other hardware and software products. But if security was really about products, corporate America would be a very safe place because never have there been so many security products in use. But the reality is that much of today's computing infrastructure is insecure, and there are plenty of products in use." Read on for Ben's review. The CISO Handbook: A Practical Guide to Securing Your Company author Michael Gentile, Ronald Collette, Thomas August pages 314 publisher Auerbach Publications rating 9 reviewer Ben Rothke ISBN 0849319528 summary A most practical guide
The CISO Handbook: A Practical Guide to Securing Your Company lives up to its title as being a practical guide to security. The book is an antithesis to the products-equal-security approach, and takes a pragmatic approach to security.
The authors have extensive real-world experience and approach information security from a holistic perspective. They clearly understand what it takes to build an information security program. One of the biggest mistakes in security is that it is seen as plug and play. Buy a security product, install it, and like magic, you have this thing called data security. But that only works in the world of product brochures and marketing material, not in the real world. The book does not approach security from a plug and play perspective, but as an endeavor that requires a multi-year effort to come to fruition.
The five chapters deal with security from its true source, namely that of risk. The chapters are: Assess, Plan, Design, Execute and Report. These five areas encompass all of information security and those firms that have built an information security infrastructure have all done it by focusing on these five areas.
The first area, Assess, is all about risk management. Many companies will purchase security products without even knowing what their specific risks are, and have often not performed a comprehensive risk analysis. Without a comprehensive risk analysis, any security product will simply operate in a vacuum. The benefits of a risk assessment and analysis are that they ensure that an organization is worrying about the right things and dealing with real, as opposed to perceived threats. The ultimate outcome of a risk analysis should be to see if the organization can benefit from the security product.
Chapter 1 ends with an assessment checklist of various areas that go into a risk assessment. One of the questions in the checklist that you likely will not see anywhere else is "describe the political climate at your company". Too many security people think only about the technology and neglect the political implications of a security system. Not taking into consideration the politics is a surefire way to potentially doom a project. Similar questions detailed in the checklist will give the reader a good feel for how secure their organization truly is, as opposed to the often perceived view of being much more secure.
Chapter 2 is aptly titled Plan. The planning phase is meant to combine the issues of assessment and to integrate options to mitigate those risks. The way in which a specific security technology or methodology is implemented is dependent on the organization. Rather than using a cookie-cutter approach, effective planning ensures that the security technologies chosen support your security program. Far too many organizations make the mistake of simply buying products without giving enough consideration into the myriad details of how they will be deployed, managed and used.
Chapter 2 emphasizes the need for planning, and the book as a whole emphasizes the need for the use of a methodology when dealing with information security. For many security technologies, the challenges are not so much with the technology, but rather with ensuring that the technology meets business requirements, is scalable and reliable, etc.
Building a comprehensive information security program is likely to be more complex than previous experience of typical IT projects. As well as project management, technical and operational aspects, there are many policy, legal and security issues which must be taken into consideration. By following a structured methodology based on practical experience, many of the potential traps and pitfalls can be avoided. The risks to the business and the project are reduced and those that remain are quantified at an early stage.
The planning checklist at the end of chapter 2 helps by ensuring that the solutions identified are deployed in the context of a well designed information security program. It can also be used as a wake-up call to management that often seriously underestimates the amount of time and manpower required to create an effective information security program.
One of the added benefits of planning is that it makes it much easier to integrate new regulatory requirements into the security program. A well-planned network can retrofit new requirements much more quickly and efficiently. This is a critical need given the increasing amount of new regulations that will come into play in the coming years, in addition to current regulations such as HIPAA, Sarbanes-Oxley and much more.
Chapters 3, 4 and 5 progress in a similar manner with the topics of Design, Execute, and Report. Each chapter details the essentials of the topic and shows how it is critical to the efficacy of a successful information security program.
What the reader may find missing from the book are particulars of the various security technologies. But that is the very function of the book, to show that information security is not primarily about the products, rather the underlying infrastructure on which those products reside. Any product that is not deployed in a methodology similar to that of The CISO Handbook is likely to find itself lacking. The product might be there and hum along; but the security that it provides will likely be negligible.
The uniqueness of The CISO Handbook is that it shows how to design and implement an effective security program based on real world scenarios, as opposed to product reviews and vendor evaluations.
The CISO Handbook: A Practical Guide to Securing Your Company is indeed a most practical guide, as its title suggests. It is quite helpful to anyone in a security organization, whether they are the CISO, system administrator, or in a different capacity.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Expert Network Time Protocol
Ben Rothke writes "If you review the thousands of Internet RFCs, you'd be hard pressed to find a protocol that lends itself to philosophical overtones, save for one -- the Network Time Protocol (NTP). The nature of time is abstract, difficult to measure and highly subjective. Yet time is a critical element in everyone's life, and in the effective operations of corporate networks." Read on for the rest of Rothke's review. Expert Network Time Protocol: An Experience in Time with NTP author Peter Rybaczyk pages 176 publisher Apress rating 9 reviewer Ben Rothke ISBN 1590594843 summary Expert Network Time Protocol is a fascinating look into NTP, and the stories behind the science
NTP is built on top of the TCP/IP protocol suite and is used to ensure accurate time-keeping with a trusted time reference. These references can be radio signals, GPS satellites, atomic clocks, Internet-based time servers and more. NTP is powerful enough to synchronize network clocks with millisecond accuracy.
In Expert Network Time Protocol: An Experience in Time with NTP, Peter Rybaczyk merges the philosophical aspects of time with the nuts and bolts of the NTP protocol. The book is composed of two parts, the first concerned with the meta-philosophy of time, and the second detailing the inner workings of NTP. The attempt in part one to merge technology and science with philosophy is a daunting task, and most often does not succeed. The notable exception to this is Douglas Hofstadter's Gödel, Escher, Bach: An Eternal Golden Braid.
Rybaczyk creates Sam, a fictional character who walks through the history of time. It is unclear who this Sam is -- whether he is a supernatural being, or someone who got root on a time server. The author writes that the transcendental nature of time and the nuts and bolts of NTP are inseparable, but I personally found it difficult to determine what message part one was meant to convey. Fortunately, part one takes up but the first 34 pages.
Where the book shines, and where most readers will find value, is in part two, which details how to effectively design, configure, deploy and operate NTP. Where part one is conceptual, part two is extremely practical. Chapter 3 opens up with a comprehensive overview of the what, how and why effective time-keeping via NTP is needed.
The book details from a business perspective why synchronized and accurate time is a universal need. From transactional integrity, airline departures, sporting events, job shift changes, to FedEx pickups and more, nearly every activity requires time synchronization to work at peak levels. Effective network administration also requires time synchronization for network login procedures, directory synchronization, backups, and routing stability to work accurately.
From an information security perspective, password and digital ID synchronization, log file accuracy and auditing, and access control security are just a few of the areas where correct time can mean the difference between success and failure.
Where time synchronization is crucial, though, is in the realm of digital forensics. An otherwise painstaking digital forensic process might be worthless if time-related evidence from network devices is not correctly synchronized. If network devices are not correctly synchronized, you can basically forget about using them in any type of legal case.
Attorney Ronald Coleman, partner and computer law litigator at the New Jersey-based Coleman Law firm explains that in a computer law case involving serious discrepancies in network log times, the prosecution would conceivably drop the case. Similarly, a civil case to recover damages from an attacker is seriously undercut by these seemingly innocuous timing mistakes. "The network managers' lack of diligence at ensuring that the time was synchronized on their systems," explains Coleman, "opens them up to serious questions in front of a jury as to whether the logs and the system data are reliable at all -- especially with a gap of more than a couple of minutes, which might be explained away by which clocks were being relied on." In fact, an error of this magnitude would make the entire network administration suspect. That could be a disaster, Coleman says, where the network tracing record plus the human beings who sloppily set the automation in motion are going to be the chief sources of evidence against the alleged computer criminal. "A snafu such as seriously unsynchronized logs is just the sort of opening that could raise the level of doubt needed to undermine the other side's case."
Chapter 3 concludes with an interesting look at the cutting edge of time protocols, specifically the Interplanetary Internet. The Interplanetary Internet project is an attempt to synchronize computer time within the realm of deep space. NASA will in due time establish a deep space infrastructure whose purpose is to support the communication needs of multiple missions. Such an infrastructure would require time synchronization, but within a radically different framework from what exists today. The Interplanetary Internet and its underlying time synchronization are intended to solve that.
Chapter 4 brings the reader back to earth and provides vital information about how to design an effective NTP architecture. The key to designing the most appropriate NTP architecture for a given infrastructure is to first understand the different modes that NTP devices can operate in. The chapter details the five different NTP modes, the mode categories, and gives configuration information about each mode.
The chapter also provides information about NTP security. While NTP versions 3 and 4 provide added security (including symmetric private key cryptography and support of the Autokey protocol), it is ultimately up to the organization to determine what level of NTP security they need. Those organizations that don't require accurate time won't need much NTP security. But for those organizations whose business requires synchronized and accurate time, such issues will drive the implementation of how they deploy NTP and its security functionality.
Chapter 5 details how organizational motivations (again, from a business perspective) will affect how you design your NTP architecture, and then describes several use scenarios. The book notes that designing an effective NTP deployment is a process that embodies four key steps: choosing a time source, deciding upon the NTP topology, determining the NTP features to configure, and then monitoring and managing the NTP operations. The chapter then goes on to describe various ways these steps can be carried out. The chapter provides a comprehensive overview on how to deploy NTP, be it on a dedicated time server, via already deployed products such as Cisco or Juniper routers, or on Unix/Linux/Windows file servers.
It is important to note that NTP is just the protocol. The actual implementation of NTP requires separate software client and server applications. The book focuses on the protocol and does not get into any specific vendors, other than a few screen shots from the configuration menu of a Symmetricom time server.
The author notes that on the surface, NTP is simple and almost inconspicuous, and overshadowed by better-known protocols such as HTTP, FTP and DNS. But once you start digging into NTP, you are dealing with one of the most pervasive elements of existence, namely time. Within NTP's scope, one could be dealing with atomic clocks, GPS satellites, clock selection, encryption algorithms and much more. So while at its heart, NTP may be a simple protocol, there is a complex infrastructure beneath it.
NTP is one of the most fundamental, yet overlooked services in the TCP/IP suite, and time synchronization is one of the most overlooked areas in networking. Hopefully, a book such as this can spark a renaissance. For far too long, time synchronization has not been afforded due diligence, and the effects have at times been disastrous. A view of the archives of the Risk Forum digest attests to this fact.
After a somewhat murky start in part one, Expert Network Time Protocol: An Experience in Time with NTP provides the reader with a superb synopsis of nearly everything he needs to know about NTP and effective time synchronization on his network, from an experienced implementer in the field. It is a fascinating look at one of the most humble, yet fundamental protocols on the Internet. For those who care about the correct time on their network, this book is required reading.
Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at ben@rothke.com. You can purchase Expert Network Time Protocol: An Experience in Time with NTP from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
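Two points in the review above lend themselves to a worked example: how NTP arrives at a clock correction from a single request/response exchange, and the forensic consequence of a device that never got that correction, namely logs whose order cannot be trusted. The Go program below is an added illustration for this page, not code from the book or from Ben Rothke. It computes the NTP offset and delay from the four exchange timestamps (T1 client send, T2 server receive, T3 server send, T4 client receive, as NTP defines them), then applies the measured offset to a constructed firewall log before merging it with a constructed, already-synchronized IDS log. The 90-second skew, the 40 ms round trip, the addresses (RFC 5737 documentation ranges) and the log lines are all constructed; the offset formula assumes a symmetric network path, as NTP itself does.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// NTPSample is one client/server exchange as NTP defines it:
// T1 = client send time (client clock), T2 = server receive time and
// T3 = server send time (server clock), T4 = client receive time (client clock).
type NTPSample struct{ T1, T2, T3, T4 time.Time }

// Offset is the correction to add to the client clock to match the server,
// ((T2 - T1) + (T3 - T4)) / 2, which assumes the network path is symmetric.
func (s NTPSample) Offset() time.Duration {
	return (s.T2.Sub(s.T1) + s.T3.Sub(s.T4)) / 2
}

// Delay is the round-trip time with the server's processing time removed:
// (T4 - T1) - (T3 - T2).
func (s NTPSample) Delay() time.Duration {
	return s.T4.Sub(s.T1) - s.T3.Sub(s.T2)
}

// LogEvent is one already-parsed line from a device log.
type LogEvent struct {
	Source string
	At     time.Time
	Msg    string
}

// Normalize applies a device's measured offset so its log can be compared
// with logs from synchronized devices.
func Normalize(events []LogEvent, offset time.Duration) []LogEvent {
	out := make([]LogEvent, len(events))
	for i, e := range events {
		out[i] = LogEvent{e.Source, e.At.Add(offset), e.Msg}
	}
	return out
}

// Merge interleaves several logs into a single timeline ordered by timestamp.
func Merge(logs ...[]LogEvent) []LogEvent {
	var all []LogEvent
	for _, l := range logs {
		all = append(all, l...)
	}
	sort.SliceStable(all, func(i, j int) bool { return all[i].At.Before(all[j].At) })
	return all
}

// base is the true UTC time at which the constructed exchange begins.
var base = time.Date(2006, 1, 2, 12, 0, 0, 0, time.UTC)

// SampleExchange is constructed: the firewall's clock runs 90 s fast and the
// round trip to the time server is 40 ms plus 5 ms of server processing.
func SampleExchange() NTPSample {
	skew := 90 * time.Second
	return NTPSample{
		T1: base.Add(skew),                            // firewall sends; its clock reads 12:01:30.000
		T2: base.Add(20 * time.Millisecond),           // server receives at true 12:00:00.020
		T3: base.Add(25 * time.Millisecond),           // server replies at true 12:00:00.025
		T4: base.Add(skew).Add(45 * time.Millisecond), // firewall receives; its clock reads 12:01:30.045
	}
}

// SampleLogs are constructed. The IDS is synchronized; the firewall stamps its
// line with its fast clock, so the raw timeline shows the connection being
// accepted 90 s after the alert it actually preceded.
func SampleLogs() (firewall, ids []LogEvent) {
	firewall = []LogEvent{{"fw", base.Add(90*time.Second + 4800*time.Millisecond),
		"accept tcp 203.0.113.7 -> 192.0.2.10:22"}}
	ids = []LogEvent{{"ids", base.Add(5 * time.Second),
		"alert: repeated failed logins from 203.0.113.7"}}
	return
}

func main() {
	s := SampleExchange()
	fmt.Printf("offset %v delay %v\n", s.Offset(), s.Delay())
	fw, ids := SampleLogs()
	fmt.Println("raw timeline:")
	for _, e := range Merge(fw, ids) {
		fmt.Println(" ", e.At.Format("15:04:05.000"), e.Source, e.Msg)
	}
	fmt.Println("corrected timeline:")
	for _, e := range Merge(Normalize(fw, s.Offset()), ids) {
		fmt.Println(" ", e.At.Format("15:04:05.000"), e.Source, e.Msg)
	}
}
```

The exchange yields an offset of -90 s and a delay of 40 ms. Without the correction the merged timeline has the IDS alert 90 seconds before the firewall ever accepted the connection, which is the kind of discrepancy Coleman describes undermining the logs in court; with it the accept precedes the alert by 200 ms, as it actually did. After the fact, an analyst can only recover the offset if something recorded it, so the durable fix is the one the book argues for: synchronize the device in the first place.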
Expert Network Time Protocol
Ben Rothke writes "If you review the thousands of Internet RFCs, you'd be hard pressed to find a protocol that lends itself to philosophical overtones, save for one -- the Network Time Protocol (NTP). The nature of time is abstract, difficult to measure and highly subjective. Yet time is a critical element in everyone's life, and in the effective operations of corporate networks." Read on for the rest of Rothke's review. Expert Network Time Protocol: An Experience in Time with NTP author Peter Rybaczyk pages 176 publisher Apress rating 9 reviewer Ben Rothke ISBN 1590594843 summary Expert Network Time Protocol is a fascinating look into NTP, and the stories behind the science
NTP is built on top of the TCP/IP protocol suite and is used to ensure accurate time-keeping with a trusted time reference. These references can be radio signals, GPS satellites, atomic clocks, Internet-based time servers and more. NTP is powerful enough to synchronize network clocks with millisecond accuracy.
In Expert Network Time Protocol: An Experience in Time with NTP, Peter Rybaczyk merges the philosophical aspects of time with the nuts of bolts of the NTP protocol. The book is composed of two parts, the first concerned with the meta-philosophy of time, and the second detailing the inner workings of NTP. The attempt in part one to merge technology and science with philosophy is a daunting task, and most often does not succeed. The notable exception to this is Douglas Hofstadter's Gödel, Escher, Bach: An Eternal Golden Braid.
Rybaczyk creates Sam, a fictional character who walks through the history of time. It is unclear who this Sam is -- whether he is supernatural being, or someone who got root on a time server. The author writes that the transcendental nature of time and the nuts and bolts of NTP are inseparable, but I personally found it difficult to determine what message part one was meant to convey. Fortunately, part one takes up but the first 34 pages.
Where the book shines, and where most readers will find value, is in part two, which details how to effectively design, configure, deploy and operate NTP. Where part one is conceptual, part two is extremely practical. Chapter 3 opens up with a comprehensive overview of the what, how and why effective time-keeping via NTP is needed.
The book details from a business perspective why synchronized and accurate time is a universal need. From transactional integrity, airline departures, sporting events, job shift changes, to FedEx pickups and more, nearly every activity requires time synchronization to work at peak levels. Effective network administration also requires time synchronization for network login procedures, directory synchronization, backups, and routing stability to work accurately.
From an information security perspective, password and digital ID synchronization, log file accuracy and auditing, and access control security are just a few of the areas where correct time can mean the difference between success and failure.
Where time synchronization is truly crucial, though, is in the realm of digital forensics. An otherwise painstaking digital forensic process might be worthless if time-related evidence from network devices is not correctly synchronized. If the devices' clocks disagree, you can basically forget about using their logs in any type of legal case.
Attorney Ronald Coleman, partner and computer law litigator at the New Jersey-based Coleman Law firm, explains that in a computer law case involving serious discrepancies in network log times, the prosecution would conceivably drop the case. Similarly, a civil case to recover damages from an attacker is seriously undercut by these seemingly innocuous timing mistakes. "The network managers' lack of diligence at ensuring that the time was synchronized on their systems," explains Coleman, "opens them up to serious questions in front of a jury as to whether the logs and the system data are reliable at all -- especially with a gap of more than a couple of minutes, which might be explained away by which clocks were being relied on." In fact, an error of this magnitude would make the entire network administration suspect. That could be a disaster, Coleman says, where the network tracing record plus the human beings who sloppily set the automation in motion are going to be the chief sources of evidence against the alleged computer criminal. "A snafu such as seriously unsynchronized logs is just the sort of opening that could raise the level of doubt needed to undermine the other side's case."
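A check a defender can run before relying on multi-device logs as evidence, as an added example (not the book's code). The log lines are constructed: a firewall, a VPN gateway and a file server each record the same session id with their own clock, so the spread of timestamps for one session exposes how far the clocks disagree. The 120-second threshold is an assumption that echoes the "couple of minutes" figure in the quote above, not a standard.

```python
"""Clock-skew check across device logs. Added example; the log lines,
host names and the 120 s threshold are all constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: fs01's clock is roughly four minutes ahead of fw01.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z fw01 session=abc123 action=allow",
    "2024-03-01T10:00:02Z vpn01 session=abc123 user=alice login",
    "2024-03-01T10:04:05Z fs01 session=abc123 open=/share/report.xlsx",
    "2024-03-01T10:15:10Z fw01 session=def456 action=allow",
    "2024-03-01T10:15:11Z vpn01 session=def456 user=bob login",
    "2024-03-01T10:19:20Z fs01 session=def456 open=/share/budget.xlsx",
    "2024-03-01T10:20:00Z fs01 session=zzz999 open=/share/unmatched.txt",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+session=(?P<sid>\S+)")


def parse_line(line):
    """Return (timestamp, host, session id) or None for lines that do not
    carry a session id (assumed format: ISO-8601 UTC, host, key=value)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group("host"), m.group("sid")


def skew_per_host(lines, reference_host):
    """Median offset, in seconds, of each host's clock relative to
    reference_host, over the sessions both hosts logged. Real propagation
    delay of a second or two is included in the figure, so only offsets well
    above that noise indicate skew. Hosts sharing no session are omitted."""
    by_session = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, sid = parsed
            by_session[sid][host] = ts
    offsets = defaultdict(list)
    for hosts in by_session.values():
        if reference_host not in hosts:
            continue
        ref = hosts[reference_host]
        for host, ts in hosts.items():
            if host != reference_host:
                offsets[host].append((ts - ref).total_seconds())
    # Median rather than mean so one odd log line does not dominate.
    return {h: sorted(v)[len(v) // 2] for h, v in offsets.items()}


def unreliable_hosts(skews, max_skew_s=120.0):
    """Hosts whose clocks disagree with the reference beyond the threshold;
    their logs need a documented correction before they are cited."""
    return sorted(h for h, s in skews.items() if abs(s) > max_skew_s)


if __name__ == "__main__":
    skews = skew_per_host(SAMPLE_LOGS, "fw01")
    for host, s in sorted(skews.items()):
        print("%-6s %+7.1f s relative to fw01" % (host, s))
    print("unreliable:", unreliable_hosts(skews))
```

Run against the sample, vpn01 sits within a couple of seconds of the firewall while fs01 is about 250 seconds ahead, so fs01 is the host whose timeline would need an explicit, documented correction before its entries are cited alongside the others.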
Chapter 3 concludes with an interesting look at the cutting edge of time protocols, specifically the Interplanetary Internet. The Interplanetary Internet project is an attempt to synchronize computer time within the realm of deep space. NASA will in due time establish a deep space infrastructure whose purpose is to support the communication needs of multiple missions. Such an infrastructure would require time synchronization, but within a radically different framework from what exists today. The Interplanetary Internet and its underlying time synchronization are intended to solve that.
Chapter 4 brings the reader back to earth and provides vital information about how to design an effective NTP architecture. The key to designing the most appropriate NTP architecture for a given infrastructure is to first understand the different modes that NTP devices can operate in. The chapter details the five different NTP modes, the mode categories, and gives configuration information about each mode.
The chapter also provides information about NTP security. While NTP versions 3 and 4 provide added security (including symmetric private key cryptography and support for the Autokey protocol), it is ultimately up to the organization to determine what level of NTP security it needs. Organizations that don't require accurate time won't need much NTP security. But for those whose business requires synchronized and accurate time, such issues will drive how they deploy NTP and its security functionality.
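What the symmetric-key authentication mentioned above actually protects, as an added example modelled on RFC 5905 section 7.3 (not the book's code and not ntpd's). In the protocol, the MAC appended to the 48-byte header is a 32-bit key identifier followed by a digest computed over the header with the shared key prepended (H(key || header)), with MD5 as the historical default. This example substitutes SHA-1 and a fixed 20-byte digest, and the key table and trusted-key set are constructed sample values; both are assumptions made here.

```python
"""Symmetric-key MAC on an NTP packet, modelled on RFC 5905 section 7.3.
Added example; SHA-1 in place of the MD5 default and the key values are
assumptions, not anything from the book or from ntpd."""
import hashlib
import hmac
import struct

HEADER_LEN = 48
DIGEST_LEN = 20  # SHA-1 (assumption; RFC 5905 names MD5)

# Constructed key table, in the spirit of a keys file: key id -> shared secret.
KEYS = {
    1: b"constructed-secret-one",
    2: b"constructed-secret-two",
}
# Only these key ids may authenticate a peer (the "trusted key" idea).
TRUSTED_KEY_IDS = {1}


def build_header(mode=3, stratum=0, xmt_seconds=0):
    """Minimal 48-byte NTP v4 header; fields other than version, mode and the
    transmit timestamp are zero for brevity (assumption)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    # li/vn/mode, stratum, poll, precision, root delay, root dispersion,
    # reference id; then reference, origin, receive, transmit timestamps.
    fixed = struct.pack("!BBbbIII", li_vn_mode, stratum, 6, -20, 0, 0, 0)
    stamps = struct.pack("!QQQQ", 0, 0, 0, xmt_seconds << 32)
    return fixed + stamps


def mac_for(header, key_id):
    """MAC = key id (4 bytes, big-endian) || SHA1(key || header)."""
    return struct.pack("!I", key_id) + hashlib.sha1(KEYS[key_id] + header).digest()


def sign_packet(header, key_id):
    return header + mac_for(header, key_id)


def verify_packet(packet, require_auth=True):
    """Return (ok, reason). Rejects a packet with no MAC when authentication
    is required, an unknown or untrusted key id, and any digest mismatch
    (so a header modified in transit fails)."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not mac:
        if require_auth:
            return False, "unauthenticated"
        return True, "no auth required"
    if len(mac) != 4 + DIGEST_LEN:
        return False, "bad MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return False, "unknown key id"
    if key_id not in TRUSTED_KEY_IDS:
        return False, "key id not trusted"
    expected = hashlib.sha1(KEYS[key_id] + header).digest()
    # Constant-time comparison so verification time does not leak digest bytes.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    header = build_header(mode=4, stratum=2, xmt_seconds=3_900_000_000)
    good = sign_packet(header, 1)
    print("signed with trusted key:", verify_packet(good))
    print("signed with untrusted key:", verify_packet(sign_packet(header, 2)))
    tampered = bytearray(good)
    tampered[1] ^= 0x01  # flip a stratum bit after signing
    print("tampered header:", verify_packet(bytes(tampered)))
    print("no MAC, auth required:", verify_packet(header))
```

The point for the organization deciding its "level of NTP security" is visible in the verifier: with authentication required, an unsigned reply is refused outright and a reply from a host that does not hold a trusted key, or whose header was altered in transit, fails the digest check, so the clock only follows sources that were provisioned with a shared secret. Whether that is worth the key management is exactly the business judgement the chapter describes.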
Chapter 5 details how organizational motivations (again, from a business perspective) will affect how you design your NTP architecture, and then describes several use scenarios. The book notes that designing an effective NTP deployment is a process that embodies four key steps: choosing a time source, deciding upon the NTP topology, determining the NTP features to configure, and then monitoring and managing the NTP operations. The chapter then goes on to describe various ways these steps can be carried out. It provides a comprehensive overview of how to deploy NTP, be it on a dedicated time server, via already deployed products such as Cisco or Juniper routers, or on Unix/Linux/Windows file servers.
It is important to note that NTP is just the protocol. The actual implementation of NTP requires separate software client and server applications. The book focuses on the protocol and does not get into any specific vendors, other than a few screen shots from the configuration menu of a Symmetricom time server.
The author notes that on the surface, NTP is simple and almost inconspicuous, and overshadowed by better-known protocols such as HTTP, FTP and DNS. But once you start digging into NTP, you are dealing with one of the most pervasive elements of existence, namely time. Within NTP's scope, one could be dealing with atomic clocks, GPS satellites, clock selection, encryption algorithms and much more. So while at its heart, NTP may be a simple protocol, there is a complex infrastructure beneath it.
NTP is one of the most fundamental, yet overlooked services in the TCP/IP suite, and time synchronization is one of the most overlooked areas in networking. Hopefully, a book such as this can spark a renaissance. For far too long, time synchronization has not been afforded due diligence, and the effects have at times been disastrous. A view of the archives of the Risk Forum digest attests to this fact.
After a somewhat murky start in part one, Expert Network Time Protocol: An Experience in Time with NTP provides the reader with a superb synopsis of nearly everything he needs to know about NTP and effective time synchronization on his network, from an experienced implementer in the field. It is a fascinating look at one of the most humble, yet fundamental protocols on the Internet. For those who care about the correct time on their network, this book is required reading.
Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at ben@rothke.com. You can purchase Expert Network Time Protocol: An Experience in Time with NTP from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.