Domain: slashdotmedia.com
Stories and comments across the archive that link to slashdotmedia.com.
Stories · 33
Book Review: Security Operations Center
benrothke writes: Large enterprises have numerous information security challenges. Aside from the external threats, there's the onslaught of security data from disparate systems, platforms and applications. Getting a handle on the security output from numerous point solutions (anti-virus, routers/switches, firewalls, IDS/IPS, ERP, access control, identity management, single sign-on and others), often generating tens of millions of messages and alerts daily, is not a trivial endeavor. As attacks become more frequent and sophisticated, and with regulatory compliance issues placing an increasing burden, there needs to be a better way to manage all of this. Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it's a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively. In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic. The authors have significant SOC development experience, and provide the reader with a detailed plan on all the steps involved in creating a SOC. Keep reading for the rest of Ben's review.
Title: Security Operations Center: Building, Operating, and Maintaining your SOC
Author: Joseph Muniz, Gary McIntyre, Nadhem AlFardan
Pages: 448
Publisher: Cisco Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0134052014
Summary: Indispensable guide for those designing and deploying a SOC
As Mike Rothman noted about managed services providers, and something that is relevant to a SOC, you should have no illusions about the amount of effort required to get a SOC up and running, or what it takes to keep one current and useful.
Many organizations have neither the time nor the resources to implement a SOC, but do, and are then trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats that the SOC had the potential to provide them with, had they done it right. Those considering deploying a SOC and not wanting to be in the hamster wheel of pain will need this book.
The authors have done a great job in covering every phase and many details required to build out a SOC. After going through the book, some readers will likely reconsider deploying an internal SOC given the difficulties and challenges involved. This is especially true since SOC design and deployment is something not many people have experience with.
The book is written for an organization that is serious about building an enterprise SOC. The authors spend much of the book focusing on the myriad requirements for creation of a SOC. They constantly reiterate the details that need to be determined before moving forward.
Chapter 4 on SOC strategy is important as the way in which a firm determines their strategy will affect every aspect of the outcome. The authors wisely note that an inadequate or inaccurate SOC strategy, and the ensuing capabilities assessment exercises would produce a SOC strategy that does not properly address the actual requirements of the organization.
Ultimately, failing to adequately plan and design is a guarantee for SOC failure. That in turn will affect and impact deployment timelines, budgets and cause frustration, dissatisfaction and friction between the different teams involved in the SOC program.
The authors' expertise is evident in every chapter, and their real-world expertise is quite obvious in chapter 5 on facilities, which is an area often neglected in SOC design. The significant issue is that if the facility in which the SOC team operates does not meet certain baseline requirements, the SOC's effectiveness will be significantly and often detrimentally impacted. The chapter details many overlooked topics such as acoustics, lighting, ergonomics, and more.
Staffing a SOC is another challenge, and the book dedicates chapter 8 to that. The SOC is only as good as the people inside it, and the SOC staff requires a blend of skills. If the organization wants its SOC to operate 24x7, it will obviously require a lot more of these hard-to-find SOC analysts.
Another helpful aspect is found in chapter 10, which has a number of checklists you can use to verify that all the required pieces are in place prior to a go-live date, or to identify areas that may not be completed as expected.
With Muniz and AlFardan being Cisco employees and this being a Cisco Press title, the book has a strong emphasis on Cisco hardware and software. Nonetheless, the book is still quite useful even for those who won't be using Cisco products.
Building a SOC is an arduous process which takes a huge amount of planning and of work. This work must be executed by people from different teams and departments, all working together. Based on these challenges, far too many SOC deployments fail. But for anyone who is serious about building out a SOC, this book should be a part of that effort.
The reason far too many, perhaps most, SOC deployments fail is that firms make the mistake of obsessing over the hardware and software without adequately considering the security operations functions. The authors make it eminently clear that such an approach won't work, and provide you with the expert guidance to obviate that.
For anyone considering building a SOC, or who wants to understand all of the details involved in building one, Security Operations Center: Building, Operating, and Maintaining your SOC is an absolute must read.
Reviewed by Ben Rothke.
You can purchase Security Operations Center: Building, Operating, and Maintaining your SOC from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
Book Review: the Network Security Test Lab: a Step-by-Step Guide
benrothke writes: It wasn't that long ago that building a full network security test lab was an expensive prospect. In The Network Security Test Lab: A Step-by-Step Guide, author Michael Gregg has written a helpful hands-on guide to provide the reader with an economical method to do that. The book is a step-by-step guide on how to create a security network lab, and how to use some of the most popular security and hacking tools. Read below for the rest of Ben's review.
Title: The Network Security Test Lab: A Step-by-Step Guide
Author: Michael Gregg
Pages: 480
Publisher: Wiley
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-1118987056
Summary: Good reference to use to build out a home test lab for information security
The book is a straightforward guide that will help the reader in their quest to master the art of effective use of security and hacking tools. The reader that can put in the time and plow through the 400 pages will certainly come out with a strong understanding of how to run the most common set of popular security tools.
The book is written for the reader on a budget. In the introduction, Gregg writes how one can easily find inexpensive networking equipment at budget prices on eBay. While brand new hardware devices can cost in the thousands, one can find Cisco Catalyst switches, and Nokia IP and Check Point firewalls, for under $50. Combined with his emphasis on open source software and tools, this is a most practical reference for those looking to increase their security skills without breaking the bank.
The Network Security Test Lab is meant for the reader with a strong technical background looking to gain experience with network security and related security tools. Other similar books will often waste paper and the reader's time by devoting the first 50 to 100 pages with unwanted introductory text. This book hits the ground running and by page 100, the reader is already analyzing network packets with Wireshark.
As to Wireshark, the book references it often. The book's online site includes 6 pcap files that can be downloaded and used with the tool in order to analyze various attacks.
The book provides a good balance of coverage between Windows and Linux, and details the use of the many tools for each operating system. Each chapter ends with a series of exercises which can be used to help the reader put the information covered into practice. Those looking to gain experience on a wide variety of tools will enjoy the book. It covers a wide-range of tools and utilities.
The Network Security Test Lab is in the same genre as books such as Hacking Exposed 7: Network Security Secrets and Solutions. The difference is that Hacking Exposed focuses more on the tools, while this book shows the reader how to build a lab to mimic a real world environment. In addition, this book focuses a bit more on using a holistic approach to creating a secure network, as opposed to just hacking in.
In the effort to make the test lab as inexpensive to build as possible, the book places an emphasis on using virtualization. The book focuses on using VMware Player, a free virtualization software toolkit for Linux and Windows.
The book is a straightforward read for the serious reader. Those willing to put in the effort and the time to learn the various tools will find The Network Security Test Lab: A Step-by-Step Guide a great resource with which to build and develop their information security skills.
Reviewed by Ben Rothke.
You can purchase The Network Security Test Lab: A Step-by-Step Guide from amazon.com.
Book Review: Abusing the Internet of Things
New submitter sh0wstOpper writes: The topic of the Internet of Things (IoT) is gaining a lot of attention because we are seeing increasing amounts of "things", such as cars, door locks, baby monitors, etc., that are connected and accessible from the Internet. This increases the chances of someone being able to "attack" these devices remotely. The premise of Abusing the Internet of Things is that the distinction between our "online spaces" and our "physical spaces" will become harder to define since the connected objects supporting the IoT ecosystems will have access to both. Keep reading for the rest of sh0wstOpper's review.
Title: Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
Author: Nitesh Dhanjani
Pages: 296
Publisher: O'Reilly
Rating: 9/10
Reviewer: Dan Smith
ISBN: 1491902337
Summary: Attack & penetration techniques for the Internet of Things
In chapter one the author takes apart the popular Philips hue lighting systems by examining the various types of communication protocols (Zigbee, TCP/IP). Packet captures of communications between various systems are presented in an easy to understand fashion. An actual vulnerability that can be abused to cause a blackout is also described.
This chapter also discusses how the lighting system and other IoT objects are starting to integrate with each other using the If This Then That (IFTTT) platform. As such, cross-platform vulnerabilities are discussed. I appreciated this section in particular because it did a good job of helping me think of how attackers are likely to leverage the fact that various IoT devices will want to integrate with each other and the compromise of one device can give someone access to other devices.
There has been a lot of research in the area of wireless door locks. It is easy to see how a simple vulnerability in such a device can compromise physical safety. Chapter 2 clearly articulates vulnerabilities in popular door locks in hotel rooms and how they have already been abused for theft. This chapter also discusses security issues in the Bluetooth Low Energy protocol and closes with good recommendations for consumers as well as for people responsible for designing locks.
I found chapter 3 interesting because it covers the "saga" of popular audio and video monitors manufactured by a company called Foscam. Many researchers have published multiple vulnerabilities in these monitors and this chapter shows how to actually locate hundreds of thousands of exploitable monitors on the Internet. This chapter shows how discussions on Foscam's own user forums have exploded vulnerabilities.
The Belkin WeMo baby monitor (audio only) is discussed next along with packet captures to show communication details. I like that this book lists such details because it helped me understand how the IoT devices are designed, and that made it easier for me to understand the cause of vulnerabilities.
Real stories of concerned parents as well as incidents of how pranksters have been able to scare parents are also discussed. This really drives home the fact that security issues in these products are being exploited.
The topic of concern of chapter 4 is IoT based devices that can be leveraged to protect physical safety. The popular SmartThings suite of IoT devices is the scope of this chapter. Security issues that include hijacking credentials, abusing SmartThings' own IDE platform, and SSL validation vulnerabilities are described.
I enjoyed chapter 5 in particular because it walks through multiple security vulnerabilities targeting multiple products of one vendor: Samsung. The chapter describes the "TOCTTOU" attack and how it's exploited. I've tried to read the original researcher's white paper on this attack and found it confusing but this chapter described it elegantly and I was then able to go back and read the white paper easily.
Bad encryption is the focus of this chapter and I laughed at the heading "You call that encryption?" followed by the sub-heading "I call that encraption". These sections talk about how bad encryption (using XOR) by Samsung has been used to reverse engineer code. The section ends with the line "The slang term *encraption* (with the emphasis on *crap*) is affectionately used by the cyber-security community to call out badly implemented encryption. As this case shows, the title of this section is entirely justified."
Since the chapter is focused on one company, the author does a good job of equating the situation to other companies in the past (such as Microsoft) and how systemic security issues like these should ultimately be addressed by the leadership so that security is embedded into the DNA of the company. I found this perspective valuable.
The topic of car hacking is one of the reasons I bought this book. I have heard of the author in the past based on his research on the Tesla Model S, since I came across his presentation at the Black Hat conference last year. Chapter 6 includes emphasis on the Tesla along with how the back end API works to support features such as locating the car remotely, unlocking it, and even starting it. The lack of 2 factor authentication is an issue that gives rise to simple techniques like phishing that can be used to steal a Tesla. Developers are insecurely leveraging Tesla's API in a way that is making car owners send over their clear-text credentials to them. I am amazed that this is currently happening and most Tesla owners don't even know that they are basically handing over their keys to people who they don't know.
This chapter also covers popular research by Chris Valasek and Charlie Miller, along with remotely exploitable vulnerabilities in telematics systems which have gained a lot of media attention and concern recently.
I found chapter 7 refreshing because it approaches security from the eyes of someone who wants to design a new IoT product. The chapter walks through a design of a wireless door bell using the littleBits IoT platform, which is primarily focused on prototyping. The main point of this chapter is that it is much more valuable to design security earlier on in the prototyping stage than to deal with security bugs later on in the process. I liked that the chapter uncovered security flaws earlier on in the prototyping of the wireless door bell and tied it back to vulnerabilities found in previous chapters in existing IoT products.
A comprehensive list of threat agents, i.e., the types of entities that may attack an IoT device, is presented. This list includes nation states, terrorists, criminal organizations, disgruntled employees, hacktivists, vandals, cyberbullies, and predators. The author does a good job of demonstrating that it is useful to take the use cases of IoT devices and see how each of these threat agents may want to leverage vulnerabilities to achieve their own goals.
The last topic covered here is the concept of bug bounty programs and why it is important for IoT companies to reward researchers who submit security bugs to them for free. I'm close to implementing such a program in my organization so I felt the content in this section was spot on.
Looking into the future, chapter 8 goes through very interesting methods in ways IoT ecosystems can be exploited, starting with the deployment of drones to track individuals, a group of people, or even take over a city. A 'cross-device' attack scenario (with code) to show how a website on a victim's laptop can verbally instruct the Amazon Echo to turn lights off was fun and thought-provoking, i.e., the fact that IoT devices around us will be able to tell each other what to do and how this can lead to chaos. In addition to other threats in our future, this chapter opens up discussion on the security of interspace communication (with respect to our goals to send manned spacecraft to Mars) and also the importance of treading carefully when it comes to super intelligence.
Chapter 9 includes 2 short stories, i.e., "hypothetical scenarios" of a security executive abusing the "buzz" around IoT and failing to think of how to secure his company because of a lack of strategic thinking. The second short story demonstrates how IoT companies also need to think of human elements, emotions, and public relations in addition to the technical content in this book.
Overall, I enjoyed this book and I would recommend it to others. I do feel that a lot of the content can be absorbed even if the reader isn't technical, but there may be some parts that may be frustrating to someone who doesn't understand basic concepts of HTTP, TCP/IP, and/or some coding. After reading this book, I feel I have a better grasp of what IoT means to us and what security issues we are facing, and will face.
You can purchase Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts from amazon.com.
Book Review: Effective Python: 59 Specific Ways To Write Better Python
MassDosage writes: If you are familiar with the "Effective" style of books then you probably already know how this book is structured. If not, here's a quick primer: the book consists of a number of small sections, each of which focuses on a specific problem, issue or idea, and these are discussed in a "here's the best way to do X" manner. These sections are grouped into related chapters but can be read in pretty much any order and generally don't depend on each other (and when they do, this will be called out in the text). The idea is that you can read the book from cover to cover if you want, but you can also just dip in and out and read only the sections that are of interest to you. This also means that you can use the book as a reference in future when you inevitably forget the details or want to double check something. Read below for the rest of Mass Dosage's review.
Title: Effective Python: 59 Specific Ways To Write Better Python
Author: Brett Slatkin
Pages: 227
Publisher: Addison-Wesley
Rating: 9/10
Reviewer: Mass Dosage
ISBN: 978-0-13-403428-7
Summary: Helps you harness the full power of Python to write exceptionally robust, efficient, maintainable, and well-performing code.
Effective Python stays true to this ethos and delivers 59 (not 60, nope, not 55) but 59 specific ways to write better Python. These are logically grouped into chapters covering broader conceptual topics like "Pythonic thinking", general technical features like "Concurrency and parallelism" as well as nitty gritty language details like "Meta classes and attributes". The range of topics is excellent and covers relevant aspects of the language that I'd imagine pretty much any developer will encounter at some point while developing Python programs. Even though there is no required order to reading the various sections, if you want to read the book from cover to cover it's organized in such a way that you can do this.
It starts off with getting your head around coding in Python before moving on to specifics of the language and then ending with advice on collaboration and setting up and running Python programs in production environments.
I really enjoyed the author's approach to each of the topics covered. He explains each item in a very thorough and considered manner with plenty of detail but manages to do this while still being clear and concise. Where relevant he describes multiple ways of achieving a goal while contrasting the pros and cons of various alternative solutions, ending off with what he considers the preferred approach. The reader can then make up their own mind, based on the various options, which applies best in a given situation instead of just being given one solution. The author clearly understands the internals of the Python language and the philosophy behind some of the design decisions that have resulted in certain features. This means that instead of just offering a solution he also gives you the context and reasoning behind things, which I found made it a lot easier to understand. The discussions and reasoning feel balanced and informed by the experience of a developer who has been doing this "in the trenches" for years as opposed to someone in an ivory tower issuing dictates which sound good in theory but don't actually work in the real world. The vast majority of the topics are illustrated through code samples which are built on and modified at each stage along the way to a final solution. This gives the reader something practical they can take away, use and experiment with, and clearly shows how something is done. The code samples are easily comprehensible with just enough code to demonstrate a point but not so much that you get distracted by unnecessary additions.
While most of the topics are Python specific, plenty of the best practices and advice apply equally well to other programming languages. For example, in one section the author recommends resisting some of the brevity offered by Python where this can lead to unreadable code that is hard to understand, but the same could be said of writing code in many other languages (I'm looking at you, Perl). This also applies to a section related to choosing the best data structure for the problem at hand: if you end up nesting Maps within Maps in your code then you're probably doing something wrong regardless of the language. Still, the main focus here is Python and the author does not shy away from going deep into technical details, so you'll definitely need some knowledge of the language and ideally some experience using it in order to get the most out of it.
Effective Python is not a book for complete newbies to Python and I think it's suited more to intermediate users of the language wanting to take their skills to the next level or advanced programmers who might need some fresh takes on the way they do things. The subjects and opinions in this book could either convince you to do something differently or reassure you of the reasons why you're already doing things a certain way (external affirmation that you're right is also useful at times!). I'm no Python expert but I found the book drew me in and kept my attention, and I certainly learnt a lot which will come in handy the next time I put on my Pythonista hat and do some Python coding. Highly recommended.
You can purchase Effective Python: 59 Specific Ways to Write Better Python from amazon.com.
Book Review: Cloud Computing Design Patterns
benrothke writes: Far too many technology books take a Hamburger Helper approach, where the first quarter or so of the book is an introduction to the topic, with filler at the end in the form of numerous appendices of publicly available information. These books end up being well over 800 pages without a lot of original information, even though they are written for an advanced audience. In software engineering, a design pattern is a general repeatable solution to a commonly occurring problem in software design. A design pattern isn't a finished design that can be transformed directly into code. It is a description or template for how to solve a problem that can be used in many different situations. Using that approach for the cloud, in Cloud Computing Design Patterns, authors Thomas Erl, Robert Cope and Amin Naserpour have written a superb book that has no filler and is fully stocked with excellent and invaluable content. Keep reading for the rest of Ben's review.
Title: Cloud Computing Design Patterns
Author: Thomas Erl, Robert Cope, Amin Naserpour
Pages: 592
Publisher: Prentice Hall
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 0133858561
Summary: Provides well-explained vendor-agnostic patterns to the challenges of providing or using cloud solutions from PaaS to SaaS.
The authors use design patterns to refer to different aspects of cloud architectures and their design requirements. In the cloud, just as in software, design patterns can speed up the development process by providing tested, proven development paradigms. The book contains over 100 different design pattern scenario templates that are common to a standard enterprise cloud roll-out. Each scenario uses a common template which starts with a question or specific requirement. It then details the problem, solution, application and the mechanisms used to solve the problem.
The authors build on the notion that anyone who wants to architect a large cloud solution needs to have a broad understanding of the many factors involved with the real-world usage of cloud services. Because cloud services are so easy to deploy, they are often misconfigured during roll-out and deployment. The authors write that it's crucial to have a strong background in cloud services before doing any sort of a rollout. Because it's often so easy to deploy cloud services, this results in far too many failed cloud projects. And when the project is poorly implemented, it can actually leave the business in a far worse position than it was in before the cloud rollout.
The authors deserve credit for writing a completely vendor agnostic reference, even though there are many times you would appreciate it if they could suggest a vendor for a specific solution. Some of the more interesting patterns detailed in the book are:
- Hypervisor clustering – how can a virtual server survive the failure of its hosting hypervisor or physical server?
- Stateless hypervisor – how can a hypervisor be deployed with a minimal amount of downtime, while allowing for quick updating and upgrading?
- Trusted platform BIOS – how can the BIOS in a cloud-based environment be protected from malicious code?
- Trusted cloud resource pools – how can cloud-based resource pools be secured and become trusted?
- Detecting and mitigating user-installed VMs – how can user-installed VMs from non-authorized templates be detected and secured?
The book is replete with these scenarios, and each scenario includes downloadable figures that effectively illustrate the mechanisms used to solve the problem.
Chapter 3 provides a number of first-rate architectural ideas on how to design a highly resilient cloud solution. Much of the promise of the cloud is built on scalability, elasticity and overall optimization. These chapters show how to take those possibilities from conceptual to a working implementation.
Cloud failures are inevitable and chapter 4 details how to build failover, redundancy and recovery of IT resources for the cloud environment.
Chapter 9 is particularly important, as far too many designers think that since the underlying cloud abstraction layer is highly secure, everything they build on top of that will have the same level of security. The book details a number of design patterns that are crucial to ensuring the cloud design secures data at rest and is resistant against specific cloud attacks.
With a list price of $49.99, the book is a bargain considering the amount of useful information it provides. For anyone involved with cloud computing design and architecture, Cloud Computing Design Patterns is an absolute must read.
Reviewed by Ben Rothke.
You can purchase Cloud Computing Design Patterns from amazon.com.
Book Review: The Terrorists of Iraq
benrothke writes: The infinite monkey theorem states that a monkey hitting random typewriter keys for an infinite amount of time will eventually be able to create the complete works of Shakespeare. Various scientists such as Nobel laureate Arno Penzias have shown how the theorem is mathematically impossible. Using that metaphor, if you took every member of the United States Congress and House of Representatives and wrote down their collected wisdom on Iraq, it's unlikely they could equal the astuteness of even a single chapter by author Malcolm W. Nance in The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014. It's Nance's overwhelming real-world experiential knowledge of the subject, language, culture, tribal affiliations and more which makes this the overwhelmingly definitive book on the subject. Read below for the rest of Ben's review.
Title: The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014, 2nd Edition
Author: Malcolm W. Nance
Pages: 404
Publisher: CRC Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-1498706896
Summary: Definitive text on the Iraq War written by one of the few Americans who truly understand the issue
Nance is a career intelligence officer, combat veteran, author, scholar and media commentator on international terrorism, intelligence, insurgency and torture. In 2014 he became the executive director of the counter-ideology think tank the Terror Asymmetrics Project on Strategy, Tactics and Radical Ideologies (TAPSTRI).
While it's debatable if most members of Congress could elucidate the difference between the Sunnis and Shiites, Nance knows all of the players in depth. He understands and describes who they are, what they are and how their methods work. His unique analysis provides an in-depth understanding of who these groups are and what they are fighting about.
The book details how the many terror groups formed to create the Iraqi insurgency that led to the rise of the Islamic State of Iraq and Syria (ISIS). Nance places the blame on the Bush administration's 2003 invasion of Iraq that led to the destabilization of the country. While the war was based on faulty evidence, the insurgency was created by myriad mistakes, misperceptions and miscalculations by L. Paul Bremer, who led the occupation authority of Iraq during the war.
A common theme Nance makes throughout the book is that the US ignored history and didn't learn the lessons of the Iraqi revolt against the British in 1920 or the events of the Vietnam War. Those lessons being that insurgents and foreign terrorist operations were much more effective despite the enormous manpower and firepower that the U.S. troops brought to bear in Iraq.
Nance details how much of the coalition's strategy was based on wishful thinking. He writes that Washington never had a realistic plan for post-war Iraq. Only Saddam Hussein, Abu Musab al-Zarqawi and the ex-Ba'athists has a definitive strategy for what to do in post-war Iraq. Unlike the Americans, they mobilized the right resources and persons for the job, with devastating and horrifying effects.
The book writes of the utterly depravity and evil nature of Saddam Hussein and his sons Uday and Qusay. Following the first Gulf War. Qusay revealed a brutality to match both his father's and brother's. The Hussein family was responsible for the death and torture of hundreds of thousands of innocent Iraq's and others.
The insurgency was and is made up of countless different groups. Some of these groups number under a hundred members, others in the tens of thousands. Nance details who these groups are, their makeup and leadership structure and what they hope to achieve.
Nance quotes Donald Rumsfeld and General Tommy Franks who described the insurgency as dead-enders; namely small groups dedicated to Hussein, and not large military formations or networks of attackers. Yet the reality was that Hussein started creating the insurgency in the months before the invasion. Rather than being a bunch of dead-enders, the insurgency was a group that was highly organized, heavily armed, with near unlimited funds based on looting hundreds of millions of dollars.
From a reporting perspective, the book details how the U.S. government made the same mistakes in Iraq as it did in Iran: underreporting U.S. casualties, overreporting enemy losses, and obfuscating how terrible the situation on the ground was.
The term IED (improvised explosive device) became part of the vernacular during the Iraq War. The book details how the insurgency used the many different types of IEDs (including human-based IEDs) at specific times and places for their political and propaganda goals.
Nance writes that the biggest gift the U.S. gave to Osama bin Laden was to invade Iraq. The invasion provided him with an opportunity for inspirational jihad. Bin Laden envisioned a holy war with heroic men fighting against desperate odds in the heart of historic Islam, just like the first battles of the Prophet Mohammed.
Nance spends a few chapters dealing with ISIS and how it came to be. There are multiple iterations of the group, which developed as the Iraq mess evolved.
The book closes with a disheartening overview of the current state. Nance writes that the Middle East is in far more danger from destabilizing collapse of states due to the effects of the American invasion today than it has ever been.
As ISIS is currently the dominant force in Iraq, Nance states that he fears ISIS will have no intention of going back to being a small insurgent group. It will attempt to consolidate captured terrain. It will offer the Sunni a chance to rule under it at the technocrat level, but that is when the pogroms will start.
In the end, Nance writes, the Islamic caliphate will attempt and fail at creating a popular Iraqi-Syrian nation out of stolen governorates. But unless confronted quickly and forcefully, it may become an isolated jihadistan from which no end of terror will spawn.
For those that want to truly understand the Iraq conflict, Nance is eminently qualified and this book is uniquely superb. There is no better book than The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014 on the subject.
Reviewed by Ben Rothke.
You can purchase The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014, 2nd Edition from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know. -
Book Review: Networking For System Administrators
Saint Aardvark writes: Michael W. Lucas has been writing technical books for a long time, drawing on his experience as both a system and a network administrator. He has mastered the art of making it both easy and enjoyable to inhale large amounts of information; that's my way of saying he writes books well and he's a funny guy. Networking for System Administrators, available both in DRM-free ebook and dead tree formats, is his latest book, and it's no exception to this trend. Keep reading for the rest of Saint Aardvark's review.

Title: Networking for Systems Administrators
Author: Michael W. Lucas
Pages: 206
Publisher: Tilted Windmill Press
Rating: 9/10
Reviewer: Saint Aardvark
ISBN: 0692376941
Summary: Explains networking to sysadmins - both juniors new to this career, and those who have been around for a while

Like the title suggests, this book explains networking to sysadmins — both juniors new to this career, and those who have been around for a while but don't understand how those network folks live or what they need to do their job. If you're one of the latter, you might think "Oh I've read 'TCP/IP Illustrated' — I don't need another networking book." And it's true that there is overlap between these two books. But Lucas also explains about how to work with network folks: dealing with areas of shared responsibility, how to understand where your side ends, and how to talk to a network admin so that everyone understands each other — and more importantly, is both able and happy to help the other. This is something that is out-of-scope for a network textbook, and it's valuable.
So what's in this book? Lucas takes us through all the network layers, explaining how everything fits together. From physical ("If you can trip over it, snag it, break the stupid tab off the plastic connector at its end, or broadcast static over it, it's the physical layer.") to transport and application, he shows practical examples of how the OSI model maps (or doesn't) to the world of TCP/IP. He shows the happy path and the sad path at each layer, explaining how to understand what's going on and troubleshooting failures. This is the part with the strongest overlap with those other network textbooks. If system administration is a side gig (maybe you're a developer who has to maintain your own server), you'll have enough in this book to deal with just about anything you're likely to trip over. But if you're early in your sysadmin career, or you find yourself making the jump to Ops, you will want to follow it up with TCP/IP Illustrated for the additional depth.
Since you'll be troubleshooting, you'll need to know the tools that let you dump DNS, peer into packets, and list what's listening (or not) on the network. Lucas covers Linux and Unix, of course, but he also covers Windows — particularly handy if, like me, you've stuck to one side over the course of your career. Tcpdump/Windump, arp, netstat, netcat and ifconfig are all covered here, but more importantly you'll also learn how to understand what they tell you, and how to relay that information to network administrators.
That thought leads to the final chapter of this book: a plea for working as a team, even when you're not on the same team. Bad things come from network and systems folks not understanding each other. Good things — happy workplaces, successful careers, thriving companies and new friends — can come from something as simple as saying "Well, I don't know if it is the network's fault...why don't we test and find out?"
After reading this book, you'll have a strong footing in networking. Lucas explains concepts in practical ways; he makes sure to teach tools in both Unix/Linux and Windows; and he gives you the terms you'll use to explain what you're seeing to the network folks. Along the way there's a lot of hard-won knowledge sprinkled throughout (leave autonegotiation on — it's a lot better than it used to be; replace cables if there's any hint of flakiness in a server's network connection) that, for me at least (and be honest, you too) would have saved a lot of time over the years.
Who would I recommend this book to?
- If you're a sysadmin at the beginning of your career, this book is an excellent beginning; take it, read it, and build on it — both with practical experience and further reading.
- If you're coming into system administration the back way (as a developer who has to manage their own server, say, or who shares responsibility for a networked service with other admins), I can't think of a better single source for the practical knowledge you need. You'll gain an understanding of what's going on under the hood, how to diagnose problems you encounter, and how to talk to either system or network administrators about fixing those problems.
- If you're a manager or senior sysadmin, buy this book and read it through before handing it to the juniors on your team, or that dev who keeps asking questions about routing and the firewall; you may learn a few things, and it's always good to read fine technical writing.
You can purchase Networking for Systems Administrators from amazon.com.
-
Book Review: Drush For Developers, 2nd Edition
Michael Ross writes: As with any content management system, building a website using Drupal typically requires extensive use of its administrative interface, as one navigates through its menus, fills out its forms, and reads the admin pages and notifications — or barely skims them, as they have likely been seen by the site builder countless times before. With the aim of avoiding this tedium, speeding up the process, and making it more programmatic, members of the Drupal community created a "shell" program, Drush, which allows one to perform most of these tasks on the command line. At this time, there is only one current print book that covers this tool, Drush for Developers, Second Edition, which is ostensibly an update of its predecessor, Drush User's Guide. Read below for the rest of Michael's review.

Title: Drush For Developers, 2nd Edition
Author: Juampy Novillo Requena
Pages: 180
Publisher: Packt Publishing
Rating: 7/10
Reviewer: Michael Ross
ISBN: 978-1784393786
Summary: Recommendations for improving Drupal development with Drush.

Both editions were written by Juampy Novillo Requena, although in the transition from the first edition to the second, both the author's name and the book title were changed. The most recent edition's title seems redundant, because of course such a book is going to be "for developers"; after all, who but Drupal developers would have an interest in Drush? The edition under review was published on 29 January 2015 by Packt Publishing, under the ISBN 978-1784393786. (My thanks to the publisher for a review copy.) At 180 pages, this edition is longer than its predecessor, but still a manageable size. Its content is divided among half a dozen chapters. Anyone interested in learning more about the book may wish to visit the publisher's website, which provides a brief description of the book, the table of contents, free sample content (Chapter 3), and the source code files.
The first chapter begins by presenting a brief comparison of the steps needed to run database updates on a Drupal website, using the GUI versus using Drush. As expected, the latter requires fewer steps. The author then discusses the prerequisites for installing Drush in a Linux or OS X environment. For Windows, the given download URL, http://www.drush.org/drush_win..., is incorrect and should instead be http://drush.readthedocs.org/e.... The author states that "the installer installs an older version of Drush," but actually the installer has disappeared from its former locations. Fortunately, the current Windows archive file has the latest version as of this writing, 7.0.0-alpha7. This version is more recent than the alpha5 used in the book, but the commands and their options seem identical. On the other hand, it is a large archive file containing the Drush application files, Msys, PHP, and parts of PEAR and Symfony's YAML — but no helpful installer. The chapter continues with explication of Drush command invocation, arguments, options, aliases, and context. The only apparent blemish is that the variable name "site-name" (page 14) should instead read "site_name."
After this introductory material, one would expect the next chapter or so to explain and illustrate the details of Drush commands frequently used by site developers, such as those for installing, enabling, and updating modules and themes. Instead, the author jumps far ahead to much more advanced topics (more on this below). In the case of the second chapter, the goal is to learn how to synchronize code, database configuration, and content among different server environments, including capturing database configuration settings in files so they can be version controlled in Git. This is arguably worthwhile knowledge, but certainly not what the average reader would expect so early in the book.
Readers attempting to follow and replicate the demonstrations in the book may become frustrated with the pitfalls in the second chapter — such as the instances where it does not provide all the needed instructions, or they don't match the example code. When readers starting from scratch encounter the Drush script (page 23), they may be tempted to try it right away on their own test sites, but this would be ill-advised because the first command will fail until the Registry Rebuild command is installed (later in the chapter), and the fourth command will fail if the chosen website does not have the Features module already installed and enabled. When learning about database updates, the reader is instructed to create a new Boolean field, but only later learns that the test website should have contained nodes of the "Basic Page" content type. When readers learn these things the hard way, they must circle back and redo steps or, even worse, try to revert the state of files or the database.
The mymodule custom module found in the downloadable archive does not match what the reader will need on page 30, so she will need to modify mymodule.install to match that listed in the book, and also presumably comment out the last two lines in mymodule.info related to the Features module — but not the first two, because that would result in worse problems later. This initial code should have been included in the downloadable archive. Before running the command drush --verbose updatedb, should she have enabled the mymodule custom module? Apparently so, since the expected output includes "Executing mymodule_update_7100," but when I tried it, the provided module's update hook was not recognized as a database update, using Drush or the admin interface (update.php). On page 32, the reader is told to download and enable the Features module, but that must have been done already because the mymodule module required it earlier. Lastly, the book's preface states that PHP version 5.2 (or higher) would be sufficient, but 5.5 is needed, otherwise a fatal PHP error is generated by the empty() call on line 29 of the "7101" example code.
The third chapter covers the use of Drush for running and monitoring a variety of tasks in a Drupal website, such as updating the database or reindexing the searchable content in Apache Solr. The author begins by briefly describing the uses for the cron utility, and some advantages of executing it from Drush. A technique shown for preventing Drupal from running cron automatically is to set the cron_safe_threshold variable to 0, export it to code (as a Features module), and then deploy it to the target environments. The author also demonstrates how to use Jenkins in conjunction with Drush to periodically run and monitor cron jobs. As an example of running a task without using cron, a Feeds importer is set up to work with Drush, using a custom module and a Drush command to trigger the Feeds importer. It's not mentioned in the book, but for the importer, in the settings for the node processor, be sure to assign the bundle, otherwise there will be EntityMalformedException errors; also, map the essential feed and node elements, otherwise the nodes created will be empty.
The book then explores a number of topics that are somewhat related to one another: how to use Drush and the Drupal Batch API to run time-consuming tasks so as to avoid PHP and database limits of memory and time; how to run PHP code after Drupal has been bootstrapped; how to best log messages using the drush_log() function; how to capture Drush output in a file; how to implement your own logging mechanism by overriding the Drush default logging function; and how to run Drush commands in the background. Despite the complexity of the processing implemented in this chapter, readers should encounter few problems trying it out. For the drush php-eval commands, Windows command line users will need to replace the single quotes with double quotes. In the section titled "The php-script command," two of the three "php-eval" terms should instead read "php-script" (page 65).
Debugging and error handling are addressed in detail in the fourth chapter: how to validate user input values and Drush command line options prior to passing them to a command's callback; how to define custom validation within a command; how to discover all of the available hooks for any given Drush command; utilizing the Devel module, how to discover all of the Drupal modules that use a given hook, and how to find the location of a given function or class method. In the midst of all this, readers get a detailed tour of the steps that Drush executes when bootstrapping Drupal. Readers should note that, as with the second chapter, some of the code in the downloadable archive does not match the initial code presented in the text, but rather its final state. As readers may have seen in earlier chapters, the "--verbose" versions of the Drush commands can produce a lot more informational output than what is presented in the text, including the MySQL commands (that may be a consequence of, in this case, the Windows command line). In the case of drush --debug testhooks, the output is remarkably different, but at least all of the commands are executed.
The penultimate chapter explores techniques for leveraging Drush to better manage Drupal websites on local and remote servers, utilizing site aliases. Developers will undoubtedly be intrigued if not thrilled with the possibilities of being able to execute Drush, Linux, and MySQL commands within remote environments from the local command line. The only questionable aspect is that in the first chapter it is claimed that one "does not even have to open an SSH connection" to perform these feats of digital derring-do, and yet all of them presented in this chapter seem to depend upon an SSH connection — if not explicitly on the command line, then at least established and used in the background by Drush. Nonetheless, the potential power of using Drush in this manner is clearly significant for Drupal site builders and maintainers, and thus the author wisely shows how to avoid inadvertently corrupting the files or database of a target installation.
The final chapter blends and builds upon most if not all of the topics addressed in the earlier chapters, to show how Drush can be used to set up an effective development workflow for teams building Drupal websites. To this end, the author demonstrates how to move Drush commands out of a project's web document root, and how to use Drupal Boilerplate to achieve this and more. The instructions employ wget to download Boilerplate, but other readers as well may encounter an error of wget not being able to verify github.com's certificate. Readers learn how to use Jenkins to synchronize the Drupal files and databases in disparate environments, how to use Drush commands to improve database synchronization and sanitization, and how to prevent inadvertently emailing production addresses.
Like seemingly any Packt Publishing book, this one has plenty of errata relative to its length: "OSX" (page 9; should read "OS X"), "an input data" (page 14; should read "an input datum"), "inform [Drush] where" (page 19), "Dated" (page 21; should read "It is dated"), "sites/all/drush/command[s]" (page 28), "type Page" (page 29; should read "type Basic Page"), "PHP.ini" (page 34; should read "php.ini"), "cover [the] Queue API" (page 58), "context" (page 66; probably should read "content"), "run[ning]" (page 66), "straight brackets" (page 68; just "brackets"), "thanks to [']allow-additional-options'" (page 83), "require [the] minimum" (page 94), "a valid Drupal's root directory" (page 94; no "'s"), "point [to] our local Drupal project" (page 117), "logged as message" (page 120), "our the $HOME path" (page 139), "password;." (page 149), and "offers [a] hook" (ditto). Some of the phrasing is odd, e.g., "output can be logged in to" (page 34), "tasks running at cron" (page 52), and "equals to 1" (page 61). Some of the sentences are incomplete, e.g., "Importing configuration into the database." (page 34). Fortunately, none of the narrative is incomprehensible, and it is generally smoother in this edition than in the first.
The structure of this book is more logical than that of its predecessor. As Drupal expert Mike Anello correctly pointed out in his review of the first edition, "the book could have easily been improved by splitting out various sections of chapters into their own stand-alone chapters." The same criticism still holds true for this second edition, particularly the third chapter, though to a much lesser extent overall.
As with most if not all titles offered by Packt Publishing, this book's chapters are lengthened with summaries, none of which serve any useful purpose, since they repeat what was presented just pages earlier, but do not include enough detail to be of any value.
One major problem with the book is that it is billed as a second edition to the earlier user guide, which covered introductory and intermediate topics; yet this second edition does not, and instead is almost entirely devoted to advanced topics. In fact, much of the material is preparatory for the final chapter, on utilizing Drush to improve a team's project workflow. This is not made clear to the prospective buyer. This is truly a new book, and not an update of the first edition. Furthermore, it is more focused on specific uses of Drush.
Whether this book could be recommended to any potential reader depends upon what that individual is hoping to learn. For anyone who wishes full coverage of the beginner and intermediate topics of Drush, this book would be completely inappropriate, and the individual would be best pointed to the Drush documentation. On the other hand, the book would be much better suited for a Drupal developer looking to improve his or her understanding of using Drush for managing database configuration settings and other topics related to project workflow, particularly in team settings — in which case it could be extremely valuable.
Michael Ross is a freelance web developer and writer.
You can purchase Drush For Developers, 2nd Edition from amazon.com.
-
Book Review: Future Crimes
benrothke writes: Technology is neutral and amoral. It's the implementers and users who define its use. In Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It, author Marc Goodman spends nearly 400 pages describing the dark side of technology, and those who use it for nefarious purposes. He provides a fascinating overview of how every major technology can be used to benefit society, and how it can also be exploited by those on the other side. Keep reading for the rest of Ben's review.

Title: Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
Author: Marc Goodman
Pages: 400
Publisher: Doubleday
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-0385539005
Summary: In the rush to get everyone wired, they forget to secure it

Technology breeds crime and in the book, Goodman uses Crime, Inc. as a metaphor for the many entities and organizations that exist in the dark web and fringes of the Internet. Towards the end of the book, after describing all of the evils that the Internet creates, he suggests creation of a modern day Manhattan Project for cyber security. He writes that a major initiative such as that is what is required to secure the Internet and emerging technologies.
As to Crime, Inc., Goodman shows how they use technologies such as distributed computing, satellite communications, crowdsourcing, encrypted channels and other sophisticated mechanisms to carry out their actions. The premise of the book, and it's a compelling one, is that in the rush to wire every classroom, person and organization, we have failed to secure it appropriately.
The book's 18 chapters are an easy and fascinating read. Goodman writes in detail about many major technology trends and how their benefits can be subverted. The book is written for the non-technical reader and Goodman does an admirable job of minimizing tech-talk and gibberish.
While the book obsesses on the dark side, it's important to note that Goodman is not an anti-technologist. The goal of the book is to make people aware of what they are clicking on, and how they often give away their personal life when using free mobile applications.
Chapter 6 on the surveillance economy is particularly interesting. While Snowden brought attention to the NSA's wholesale spying, what has gone under the radar is the lucrative surveillance economy that has developed. Goodman writes how firms like Acxiom, Epsilon and others are part of the over $150 billion data brokerage industry. Their power is that they correlate information from myriad disparate sources, to create a powerful dossier that marketers are willing to pay for.
The chapter articulately details the unprecedented amounts of data people have shared with third-parties; that once shared, is almost impossible to control. The privacy implications are huge and the problem is only getting worse. Data brokers have no privacy incentives as they make money when they sell data, not when they protect it.
The book is a fascinating read, albeit a bit wordy at times. The book contains so many horror stories and examples of software and hardware gone badly, that the reader can be overwhelmed. Goodman on occasion makes some errors, such as when he writes that a six-terabyte hard drive could hold all of the music ever recorded anywhere in the world throughout history. At times, he overemphasizes things, such as when he writes that one billion users have posted their most intimate details on Facebook. While Facebook recently passed the 1 billion user mark, not every user posts intimate details of their lives.
The book provides a superb overview of the security implications of the Internet of Things (IoT). Goodman details how the IoT can be used to create intelligent systems and networks that can detect and shutdown adversaries. But to secure the IoT will require an effort akin to the Manhattan Project. With that, Goodman advocates that the government fund a digital Manhattan Project, getting the best and brightest minds in the information security space together, to create a framework to better secure the Internet.
The problem, as he notes, is that Washington simply does not see the need, nor can it comprehend the urgency of the situation. It's only the government that can ostensibly get the private and public sectors together to work in concert, but that is unlikely to happen anytime soon, which only serves to exacerbate an already tenuous information security problem.
An additional issue the book grapples with is that while the government wants its citizens to be secure and touts the importance of personal privacy, it simultaneously spies on them. Also, providers such as Google and Facebook provide free services, at the cost of turning the user into a data customer. It's not just the criminals and terrorists the book warns about, but rather government and free data collection services.
While the book paints an overly depressing picture of what the future holds for personal privacy, Goodman closes the book with his UPDATE protocol. He writes that while the worst is yet to come and that it's getting more and more difficult to gain control of your personal data and metadata, there are six steps you can take. Goodman claims that these six steps can prevent 85% of digital attacks. The UPDATE steps are: Update frequently, Passwords, Download from safe sites only, Administrator accounts used with care, Turn off computers and Encrypt data.
Much of the problem is that people are clueless about what is going on. They use free services not knowing their data and personal privacy is what they are giving away. Finally, users don't know what good security looks like. The book is a valiant attempt to show users that while they think they are using the Internet in a pristine environment, it is simply a cesspool of malware, scammers and miscreants. Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It is a great wake-up call. Let's just hope everyone wakes up and reads it.
Reviewed by Ben Rothke.
You can purchase Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It from amazon.com.
-
Modern PHP: New Features and Good Practices
Michael Ross writes: In recent years, JavaScript has enjoyed a dramatic renaissance as it has been transformed from a browser scripting tool primarily used for special effects and form validation on web pages, to a substantial client-side programming language. Similarly, on the server side, after years as the target of criticism, the PHP computer programming language is seeing a revival, partly due to the addition of new capabilities, such as namespaces, traits, generators, closures, and components, among other improvements. PHP enthusiasts and detractors alike can learn more about these changes from the book Modern PHP: New Features and Good Practices, authored by Josh Lockhart. Keep reading for the rest of Michael's review.

Title: Modern PHP: New Features and Good Practices
Author: Josh Lockhart
Pages: 268
Publisher: O'Reilly Media
Rating: 8/10
Reviewer: Michael Ross
ISBN: 978-1491905012
Summary: Solid advice on some state-of-the-art PHP tools and techniques.

Programmers familiar with the language and its community may recognize the author's name, because he is the creator of PHP The Right Way, a website which he describes as "an easy-to-read, quick reference for PHP popular coding standards, links to authoritative tutorials around the Web and what the contributors consider to be best practices at the present time," in 21 different languages.
Yet rest assured that the book under review is not merely a dead-tree version of the website. Instead, the book covers the more recent advancements within the language, while the website covers best practices and standards. This should be borne in mind, otherwise the reader may be baffled by the absence from the book of certain topics on the website essential to the language, such as SPL, PEAR, and PHPDoc. Moreover, of the topics shared between the book and the website, the information is generally organized quite differently, with more example code in the book.
This title was published on 1 March 2015, under the ISBN 978-1491905012, by O'Reilly Media, who kindly provided me with a review copy. Its material is presented in 268 pages, organized into 13 chapters (The New PHP; Features; Standards; Components; Good Practices; Posting; Provisioning; Tuning; Deployment; Testing; Profiling; HHVM and Hack; Community), which are grouped into three parts (Language Features; Good Practices; Deployment, Testing, and Tuning) — as well as two appendices (Installing PHP; Local Development Environments) and an index. The publisher's page does not offer much of interest. However, all of the example code is available from the book's GitHub repository. There are differences between the GitHub code and what is printed in the book, e.g., a baffling require 'vendor/autoload.php'; in the first example code file. The author claims that the reader does not need to know PHP, but at least "a basic understanding of [] fundamental programming concepts" (page xiv). However, anyone without at least intermediate skills and experience with PHP could conceivably struggle with these more advanced subjects.
The first chapter is only a brief overview of the history of PHP, its current state, and some possible future changes to the language's engine. The real content starts in the second chapter, in which the author gives the reader a fast-paced introduction to his seven favorite major new features in PHP: namespaces, class interfaces, traits, generators, closures, Zend OPcache, and the built-in HTTP server. In some regards, the coverage is a bit too fast-paced, as some topics and questions likely in the reader's mind are not addressed — for instance, namespace case-sensitivity and techniques for ensuring that a chosen namespace is globally unique (page 9). For each topic, its purpose and advantages are explained, and sometimes illustrated with code examples, although none are extensive.
The second part of the book opens with a chapter on some of the new standards in the PHP ecosystem that are intended to move the common development process from a reliance upon one isolated framework, with an idiosyncratic coding style, to distributed components that can interoperate through the use of interfaces, industry-wide coding standards, and the use of autoloaders for finding and loading classes, interfaces, and traits at runtime. Components are covered in more detail in the subsequent chapter, as is Composer, for installing components and managing dependencies. The fifth chapter is a lengthy but information-packed exposition of numerous best practices regarding input data sanitization, password handling, dates and times, and safe database queries, among other topics. Some of the advice can be found in other PHP books and online, but all of this is neatly explained, updated with the newer PHP versions, and worthwhile as a refresher.
Deployment, testing, and tuning are the broad subject areas of the third and final part of the book. The author discusses the options for hosting your PHP applications, as well as provisioning any self-managed web server and tuning a server for optimal performance. All of the instructions assume you are using Linux and nginx, and thus would be of less value to those using Windows or Apache, for instance. The material on application deployment is relatively brief, and focuses on use of the Capistrano tool. Testing is often neglected in real-world projects, but certainly not in this book, as the author explains unit and functional testing, illustrated through the use of PHPUnit. This is followed by information on how to use a development or production profiler to analyze the performance of your application, with detailed coverage of Xdebug and XHProf, among other tools. The next two chapters dive into topics related to the (possible) future of PHP — specifically, Facebook's HHVM PHP interpreter and their Hack derivative language. The final chapter briefly discusses the PHP community. The two appendices explain how to install PHP on Linux or OS X for command-line use, and how to set up a local development environment. The author mentions a free edition of Zend Server, but the vendor page mentions no such pricing.
Despite its technical subject matter, this book is not a difficult read. The author's writing style is usually light and friendly, especially in the preface. In a few places, the phrasing is a bit too terse, which might prove momentarily confusing to some readers, e.g., "Function and constant aliases work the same as [those of] classes" (page 11). The text has some errata (aside from the two, as of this writing, already reported): "curl" (pages 15, 220, and 222; should read "cURL"), "a an argument" (page 33), "Prepared statement [to] fetch" (pages 99 and 100), "with [the] php://filter strategy" (page 110), "2 Gb" (page 129; should read "2 GB"), "the the" (page 154), "path to a the code" (page 176), and "Wordpress" (page 190; should read "WordPress").
One weakness with the book is that for several of the topics — including some critical ones — there is not enough detailed information provided that would allow one to begin immediately applying that technique or resource to one's own coding, but instead just enough information to whet one's appetite to learn more (presumably from another book or a website). Secondly, some of the narrative — particularly near the end of the book, when discussing various tools — would be of less value to anyone not developing an analytics environment. Beware that some of the tools require numerous dependencies. For instance, do you have Composer, Git, MongoDB, and its PHP extension installed? If not, then you won't be using XHGUI. Also, some of the installation and configuration steps are quite lengthy, with no details provided for troubleshooting issues that might arise. Lastly, despite the promise that any reader with only basic programming knowledge will be able to fully understand the book, such a reader would likely find much of its contents mystifying without further preparation from other sources.
Nonetheless, the book has much to offer, despite its slender size. Numerous resources are recommended — most if not all apparently vetted by the author, who clearly has considerable experience in this arena. Some valuable techniques are presented, such as those instances in the text where the author shows how to use iteration on large data sets to minimize memory usage. In addition, the example code demonstrates that the author has made the effort to produce quality code that can serve as a model to others. Modern PHP does a fine job overall of explaining and advocating the newer capabilities of PHP that would attract developers to choose the language for building state-of-the-art websites and web applications.
Michael Ross is a freelance web developer and writer.
You can purchase Modern PHP: New Features and Good Practices from amazon.com.
Book Review: Data and Goliath
benrothke writes: In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, author Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama and the NSA for their wholesale spying on innocent Americans and violations of myriad laws. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers facing everyone. A comment like "what's the big deal?" often indicates a naiveté about a serious and significant underlying issue. The idea that if you have nothing to hide you have nothing to fear is a dangerously narrow concept of the value of privacy. For many people the notion that the NSA was spying on Americans was perceived as not being a big deal, since if a person is innocent, then what do they have to worry about? In the book, Schneier debunks that myth and many others, and defends the importance of privacy. Keep reading for the rest of Ben's review.
Title: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
Author: Bruce Schneier
Pages: 400
Publisher: W. W. Norton and Company
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0393244816
Summary: Important defense of privacy and exposé on the dangers of NSA domestic mass surveillance
Schneier writes that privacy is an essential human need and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by an undercover police officer following us around or by a computer algorithm tracking our every move.
The book notes that much of the data sharing is done voluntarily by users via social media and other voluntary sharing methods. But the real danger is that the NSA has unlawfully been conducting mass surveillance on Americans, in violation of the Constitution and other Federal laws. And with all of that, the book observes that after spending billions doing it, the NSA has very little to show for its efforts.
While the NSA has often said they were just collecting metadata, Schneier writes that metadata can often be more revealing than the data itself, especially when it's collected in the aggregate, and even more so when you have an entire population under surveillance. How big of a deal is metadata? Schneier quotes former NSA and CIA director Michael Hayden that "we kill people based on metadata".
The book spends chapters detailing the dangers of mass data collection and surveillance. It notes that the situation is exacerbated by the fact that we are now generating so much data and storing it indefinitely. People can now search 20 years back and find details that were long thought to have been forgotten. Today's adults were able to move beyond their youthful indiscretions, while today's young people will not have that freedom. Their entire life histories will be on the permanent record.
Another harm of mass government surveillance is the way it leads to people being categorized and discriminated against. Since much of the data is gathered in secret, citizens don't have the right to see or refute it. Schneier notes that this will intensify as systems start using surveillance data to make decisions automatically.
Schneier makes numerous references to Edward Snowden and views him as a hero. He views Snowden's act as being courageous since it resulted in the global conversation about surveillance being made available. Had it not been for Snowden, this book would never have been written.
Schneier does a good job of showing how many of the methods used by the NSA were highly questionable, and based on extremely broad readings of the PATRIOT Act, Presidential directives and other laws.
The book notes that not only has mass surveillance on US citizens provided extremely little return on the tens of billions of dollars spent; the very strategy of basing security on irrational fears is dangerous. The book notes that many US agencies were faulted after 9/11 and the Boston Marathon bombing for not connecting the dots. But connecting the dots against terrorist plots is extraordinarily difficult, if not impossible. Given the rarity of these events, the book notes that the current systems produce so many false positives as to render them useless.
Schneier straight-out says that ubiquitous surveillance and data mining are not suited for finding dedicated criminals or terrorists. The US is wasting billions on these programs and not getting the security it has been promised. Schneier suggests using the money on investigations, intelligence and emergency response: programs whose tactics have been proven to work.
Schneier makes many suggestions on how to stop the mass surveillance by the NSA. His biggest suggestion is to separate the espionage agencies from the surveillance agencies. He suggests that government surveillance of private citizens should only be done as part of a criminal investigation. These surveillance activities should move outside of the NSA and the military and should instead come under the auspices of the FBI and Justice Department, which will apply rules of probable cause, due process and oversight to surveillance activities in regular open courtrooms, as opposed to the secret United States Foreign Intelligence Surveillance Court.
Schneier notes that breaking up the NSA is a long-range plan, but it's the right one. He also suggests reducing the NSA's budget to pre-9/11 levels, which would do an enormous amount of good.
While Schneier comes down hard on mass surveillance, he is also rational enough to know that there are legitimate needs for government surveillance; both law enforcement and intelligence need to do this, and we must recognize that. He writes that we must support legitimate surveillance and work on ways for these groups to do what they need without violating privacy, subverting security and infringing on citizens' rights to be free of unreasonable suspicion and observation.
The book concludes with a number of things that can be done. At the personal level there is a lot people can legitimately do to stop sharing so much personal information. But most people would rather reap the short-term benefits of sharing information on social media, with retailers and more, than the long-term privacy benefits.
The book also notes that much of the problem stems from federal agencies, since keeping the fear stoked is big business. For those in the intelligence agencies, that is the basis of their influence and power. Schneier also lays some of the blame on the media, who stoke the irrational fears in the daily news. By fixating on rare and spectacular events, the media conditions us to behave as if terrorism were much more common than it is and to fear it far out of proportion to its actual incidence.
This is an incredibly important book. Schneier is passionate about the subject, but provides an extremely reasonable set of arguments. The book is superbly researched, and Schneier lays out the facts in a clear, concise and extremely readable manner. The book is at times disturbing, given the scope and breadth of the NSA surveillance program.
This is the perfect book to take with you on a long flight. It's a compelling and engrossing read, an important book and a major wake-up call. The NSA knows all about you via its many total information awareness programs. In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, Bruce Schneier provides the total information awareness about what the NSA is doing, how your personal data is being mined, and what you can do about it.
While the NSA was never able to connect the dots of terrorists, Schneier has managed to connect the dots of the NSA. This is a book that must be read, for your freedom.
Reviewed by Ben Rothke.
You can purchase Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World from amazon.com.
Lauren Ipsum: A Story About Computer Science and Other Improbable Things
MassDosage writes: As the full title to Lauren Ipsum: A Story About Computer Science and Other Improbable Things indicates, this is a book about Computer Science, but what's surprising about it is that it manages to be about Computer Science without ever directly referring to the subject or even to computers at all. It is in fact a fictional story about a young girl called Lauren who gets lost after wandering into a forest near her house after an argument with her mother. She stumbles into a world populated with all kinds of strange creatures and colorful characters, some of whom she befriends in order to figure out how to get back to her home. The "figuring out" part of the plot is where things get interesting, as she has many attempts at solving this problem, with different characters giving her often contradictory advice, and Lauren then has to decide what exactly she's trying to do and which of the various possible solutions is the best. This involves a fair amount of trial and error, learning from certain mistakes and trying different approaches. If this is starting to sound familiar to those who have written software, then that's the whole point. Lauren Ipsum is cunningly littered with references to Computer Science and in particular to things like algorithms, logic puzzles and many other of the theoretical underpinnings of the subject. Read below to see what MassDosage has to say about the book.
Title: Lauren Ipsum: A Story About Computer Science and Other Improbable Things
Author: Carlos Bueno
Pages: 182
Publisher: No Starch Press
Rating: 8/10
Reviewer: Mass Dosage
ISBN: 978-1-59327-574-7
Summary: A whimsical journey through a land where logic and computer science come to life.
In the course of her adventures Lauren encounters characters like Xor the chameleon, Hugh Rustic the shop owner, a flock of round Robins and a Wandering Salesman. Anyone who knows a bit about computer science will be aware of the topics that are being alluded to here.
This is also evident in some of the places she visits — a forest made up of red and black trees, the Island of Byzantium and a Garden of Forking Paths. All these insider references are obviously more enjoyable if you know the subject, but it doesn't really matter if you don't get them, as the story itself is separate from all the in-jokes. It's also almost certainly the intention of the authors to stimulate people to look up some of the things they refer to and thus learn more about computer science. Lauren Ipsum can thus be read on two levels — one as a straightforward adventure story and the other as a "find and research the hidden references" book. The title of the book is itself a play on words on "Lorem Ipsum", which I'll leave you to read up on your own.
The chapter I enjoyed the most was one that covered building up a solution to a problem by breaking it down into smaller pieces and then combining these to come up with the final answer. In the book Lauren first learns how to draw a line, and then that she can draw and connect four of these to make a square. Even better is the discussion of the seemingly simple task of how to draw a circle, which demonstrates that there are different ways of doing this, each having their own pros and cons. The solutions can be easily described as a set of steps, and the question of how to control the size of the circle can be specified separately from the steps themselves. This is done without referring to any of the technical terms directly (one of the first chapters in the book is all about avoiding jargon); however, what is actually being described will be instantly recognizable to anyone who has written some code — namely algorithms, algorithmic complexity, variables and parameter passing. This is quite a different way of illustrating programming concepts from the usual manner, which involves lots of theory and code examples. Lauren Ipsum's approach offers a much lower learning curve with simple story-driven metaphors that can then be applied practically later.
The target audience of the book is probably children from around the age of 8 and up, with the intention being to spark an interest in computers without the intimidation and possible connotations of boredom that a textbook might evoke. The story is entertaining but relatively simple, and most of the more serious subject matter is just touched on in passing. There is an appendix at the end which covers a few of the topics in more technical and mathematical detail, but there is plenty that isn't covered, and it is up to the reader whether they want to find out more in their own way.
I found Lauren Ipsum an entertaining read, even though some of the computer science references are a bit forced. I ended up looking up a few things I wasn't entirely sure about and learnt something new in the process and I can imagine this being even more the case for someone new to the subject. Even if the reader isn't an aspiring geek-to-be there should be enough in the story here for them to enjoy and maybe help convince them that Computer Science can actually be fun or at the very least give them a taste for why problem solving is interesting and useful.
You can purchase Lauren Ipsum: A Story About Computer Science and Other Improbable Things from amazon.com.
Book Review: Core HTML5 2D Game Programming
eldavojohn writes: Core HTML5 2D Game Programming details a journey through creating Snail Bait in well-defined steps. This simple two-dimensional platform game works as a great starting point for anyone interested in making their very first game targeting many desktop and mobile platforms. This incremental process is expertly segmented into logical lessons, with the only prerequisite being fluency in JavaScript. One of the most attractive aspects of this book is that its core concepts don't rely on some flavor-of-the-week JavaScript library or framework. Read below for the rest of eldavojohn's review.
Title: Core HTML5 2D Game Programming
Author: David Geary
Pages: 615
Publisher: Prentice Hall
Rating: 9/10
Reviewer: eldavojohn
ISBN: 9780133564242
Summary: An exercise in 2D game development and mechanics in HTML5 and JavaScript.
First, this book isn't for people who do not recognize HTML5 and JavaScript as a valid development platform for games. I know you're out there; you can stop reading here and move on to the next article. This book isn't for you. If you have no programming experience, this book is likely not for you either. This book dives into concepts faster than Geary's last book on game development in Canvas. You should also be familiar with JavaScript if you want to effortlessly start on this book. Throughout the book, Geary utilizes objects' JavaScript prototypes to add functions, uses anonymous functions and refers to common programming patterns.
It is worth repeating that the implementation in this book does not rely on a framework or library that could change or go defunct. The game runs entirely on code covered in the book accessing W3C standard specifications like requestAnimationFrame(). As long as JavaScript interpreters don't change core things like timing control, this book should be relevant to developers for years to come.
The reason this book gets a nine is that it accomplishes everything it sets out to do, and Geary does a great job dividing up task after incremental task of setting sprite sheets and backgrounds into motion. The reason it doesn't get a ten is that I was personally disappointed with the author devoting little time to physics and its simulation.
The book is laid out to enable its use as two kinds of resources: cover to cover and chapter specific topics. Reading this straight through, there were only a few times where it felt like I was needlessly being reminded of where I had already read about tangential topics. On the plus side if you ever want to see how Snail Bait implemented something like sound, you need only spend time on the chapter devoted to sound sprites. One mild annoyance I had with the text was that the author seems to always refer to Snail Bait as "Snail Bait" which leads to a Ralph Wiggum-like aversion to pronouns or saying "the game" instead occasionally. It might only be me but it can become tiresome to read "Snail Bait" five or six times on the same page.
You can read a sample chapter here that shows how to implement sprite behaviors.
The first two chapters of the book focus on a set of basic guidelines to follow when doing game development in HTML5 and JavaScript — like keeping certain UI display elements in CSS instead of rendering them as paths or objects in the Canvas. Geary also covers the very simplest concepts of how graphics are going to be displayed and how the background is going to move. He also spends time in Chapter Two showing how to best set up the development environment. It is demonstrated how shortening your cycle of deployment saves you tons of time, and the author does a great job of letting you know what tools to use to debug throughout the whole text.
The third chapter delves into drawing and rendering graphics in the canvas, as well as introducing the reader to the game loop. It spends a good amount of time explaining the use of animation frame control in a browser to keep animations running smoothly. It also begins the auditing of frame rates so that the game can respond to and display things normalized at the rate the user is experiencing them. It also touches on how parallax can be employed to show things closer up moving faster than those further back in the background. This illusion of depth has long been popular and is even finding its way into scrolling on blogs, and I wish that Geary had spent more time on this, perhaps in a later chapter, and offered the reader more on how to do multiple levels of depth.
The next chapter tackles the core infrastructure of Snail Bait and discusses at length encapsulation of certain functionalities (instead of globals) in the source code, as well as Snail Bait's 2300-line prototype. It bothers me that one file is 2300 lines, and I wish there was a better way to do this, but as a learning tool it works, even if it is daunting to scroll through. The book adds some helpful pointers about how utterly confusing the "this" keyword can be in JavaScript. Chapter Four really sets the pace for the rest of the book by introducing the use of event listeners and illustrating how the game loop is going to continually be extrapolated.
The next three chapters cover the use of loading screens, sprites and their behaviors. Snail Bait takes all its graphics from an open-source game (Replica Island). But if you were to design your own graphics for your game, these chapters do a great job of showing how to construct sprite sheets and how to use tools to construct metadata in the code so that the sprites are usable by the sprite artists. Using the flyweight pattern, Geary sets the stage for more complex behaviors and actions to come in the following chapters.
The next three chapters cover time, stopwatches and their effects on motions and behaviors within the game. The author starts from linear motion and works up to non-linear motion, and then uses transducer functions to affect the time system. The game now has bouncing coins and a jumping player, and Geary does a good job of showing the reader how to emulate behaviors in the code.
Naturally, what follows next is collision detection and gravity. The collision detection strategies were adequate, but I wish that there was more depth, at least referenced in the text. This isn't a simple problem, and I did like how Geary referenced back to chapter two's profiler and showed how collision detection performance changes as you implement, refine and optimize your algorithm. The nice thing about this book is that it often tackles problems with a general solution in the code (runner/sprite collision) and then provides the edge case solutions.
In the fourteenth chapter, the author tackles something that has long been a plague in HTML5 games: sound and music. The author doesn't sugarcoat this, citing the long history of problems the vendors have had trying to support this in browsers. There's a great explanation of how to create and handle "sound sprites" (similar to sprite sheets) so that there is only one download for background music and one download for audio sprites.
Next Geary covers the problem of multiple viewport sizes with a focus on mobile devices. Of course this is one of the biggest issues with mobile gaming today. The chapter is lengthy and deals with the many intricacies of scaling, sizing and touch events. This chapter is long but the highly detailed support of multiple platforms and resolutions is a justified discussion point.
In chapter sixteen, the reader gets a treatment of utilizing sprites and their artists to simulate sparks and smoking holes. The book calls this chapter "particle systems", but I don't think that's a very good title, as the code isn't actually dealing with things at the particle level. Instead this chapter focuses on using sprites to simulate those behaviors via animation. This is completely necessary on a computationally inexpensive platform, but it is misleading to call these particle systems.
Now that the game looks and functions appropriately, the book covers UI elements like player scores and player lives. The auditing of these metrics is covered in the code, as well as warnings when the game begins to run too slowly. It also covers the 'edge' condition of winning in the game and the routine that is followed when the user wins the game.
The next chapter introduces the concept of a developer backdoor so that the reader can manually speed up or slow down the game while playing it or even test special cases of the runner sprite interacting with other elements. It's a useful trick for debugging and playing around but does devote a lot of time to the specialized UI like the speed slider and other things that won't (or rather shouldn't) be seen by a common player.
Chapter nineteen really felt out of place and very inadequate on important details. It's a blind rush through using node.js and socket.io to implement server-side high scores. The way it's implemented would make it trivial for someone to submit a high score of MAX_INT or whatever to the server. The metrics reporting is done in a manner that (in my opinion) breaks from the long-established logging structure one would be familiar with. While it covers important things to record from your users in order to tweak your game, the inadequacy of discussions about shortcomings makes it feel out of place in this text. It's a topic of great depth, and I have no problem with an author touching on something briefly in one chapter — this chapter does lack the warnings and caveats found in other chapters, though.
Contrary to the previous chapter, the final chapter is a fast application of the entire book's principles to a new game (Bodega's Revenge). Geary gives a final run-through showing how the lengthy prior discussions quickly translate to a new set of sprite sheets and game rules. If this book is ever expanded, I think it would be great to include additional chapters like this, although I would pick a more distinct and popular two-dimensional game format like a tower defense game or a Bejeweled knockoff.
Overall, Core HTML5 2D Game Programming is a great book for a JavaScript developer looking to dabble in game development. You can purchase Core HTML5 2D Game Programming from amazon.com.
Book Review: Designing and Building a Security Operations Center
benrothke writes: Many organizations are overwhelmed by the onslaught of security data from disparate systems, platforms and applications. They have numerous point solutions (anti-virus, firewalls, IDS/IPS, ERP, access control, IdM, single sign-on, etc.) that can create millions of daily log messages. In addition to directed attacks becoming more frequent and sophisticated, there are regulatory compliance issues that place an increasing burden on security, systems and network administrators. This creates a large amount of information and log data without a formal mechanism to deal with it. This has led to many organizations creating a security operations center (SOC). A SOC in its most basic form is the centralized team that deals with information security incidents and related issues. In Designing and Building a Security Operations Center, author David Nathans provides the basics on how that can be done. Keep reading for the rest of Ben's review.
Title: Designing and Building a Security Operations Center
Author: David Nathans
Pages: 276
Publisher: Syngress
Rating: 8/10
Reviewer: Ben Rothke
ISBN: 978-0128008997
Summary: Good introduction for those looking to build their own security operations center
An effective SOC provides the benefit of speed of response time to a security incident. Be it a DDoS attack or malware that can spread throughout a corporate network in minutes and potentially knock out the network, every second counts in identifying these attacks and negating them before they can cause additional damage. Having a responsive SOC can make all the difference in how a firm deals with these security issues.
The book notes that the SOC is akin to an enterprise nervous system that can gather and normalize vast amounts of log and related data. This can provide continuous prevention, protection and detection by providing response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on the monitored network.
The 11 chapters provide a start for anyone considering building out their own SOC. Topics range from required infrastructure, organizational structure, staffing and daily operations to training, metrics, outsourcing and more.
When building a SOC, the choices are for the most part doing it yourself (DIY) or using an outsourced managed security service provider (MSSP). The book focuses primarily on the DIY approach, while chapter 10 briefly details the issues and benefits of using an MSSP. The book provides the pros and cons of each approach. Some firms have a hybrid approach where they perform some SOC activities and outsource others. But the book doesn't detail that approach.
The book provides a large amount of detail on the many tasks needed to create an internal SOC. The truth is that many firms simply don't have the staff and budget needed to support an internal SOC. They also don't have the budget for an MSSP. With that, Mike Rothman of Securosis noted that these firms are "trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files".
One important topic the book does not cover is SIM/SIEM/SEM software. SIEM software can provide a firm with real-time analysis of security alerts generated by network and security hardware, software and other applications.
Many benefits come from an effective SIEM tool being the backbone of the SOC. A SIEM tool consolidates all data and analyzes it intelligently and provides visualization into the environment. But selecting the appropriate SIEM and correctly deploying it is not a trivial endeavor.
Those looking for a good reference on SIEM should read Security Information and Event Management (SIEM) Implementation, which I reviewed on Slashdot. That book does provide an excellent overview of the topic and will be of value to those readers looking for answers around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy.
The book notes that the most important part of a SOC, and often the most overlooked, is the SOC analyst. With that, the book notes how important it is to be cognizant of SOC analyst burnout. SOC analysts can burn out, and it's important for an organization to have a plan to address this, including aspects of training, management opportunities and job rotation.
Building an in-house SOC takes significant planning and attention to detail, and the book details a lot of the particulars that are required for an effective SOC design.
The implementation of a SOC will cost a significant amount of money, and management will often want to have metrics to let them know what the SOC is doing. The book spends a brief amount of time on SOC metrics, which is a topic that warrants a book in its own right. There are many metrics that can be created to measure SOC efficacy. Effective SOC metrics will measure how quickly incidents are handled by the SOC, and how incidents are identified, addressed and handled.
The downside to metrics is that they must be used judiciously. It's important not to measure the base performance of a SOC analyst simply on the number of events analyzed or recommendations written. Metrics used in that manner are akin to a help desk where analysts are only concerned about getting calls finished in order to meet their calls-completed metrics.
As important as a SOC is, this is surprisingly the first book written on the topic. At under 250 pages, the book provides an introduction to the topic, but is not a comprehensive work on the topic. There are areas in SOC management that the book doesn't cover, such as SOC documentation, creating and using SOC operation run books, and more.
But even with those missing areas, Designing and Building a Security Operations Center is a good reference to start with. A SOC is a security component most organizations are in dire need of, and the book is a good way to get them started on that effort.
Reviewed by Ben Rothke.
You can purchase Designing and Building a Security Operations Center from amazon.com.
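The timing metrics the review mentions (how quickly incidents are detected and handled) can be computed directly from incident records. The following is an added example in Python, not code from the review or from Nathans' book. The incident records and their field names (started_at, detected_at, contained_at, severity) are constructed for illustration and are not any product's schema. It reports medians and 90th percentiles rather than means, so one slow incident is visible instead of being averaged away, and it deliberately has no events-per-analyst figure, in line with the caveat about help-desk style metrics.

```python
"""SOC timing metrics over constructed incident records.

Added example, not code from the review or from the book it covers.
The records and their field names (started_at, detected_at, contained_at,
severity) are constructed assumptions, not any product's schema.
"""
import math
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample. started_at is when the malicious activity began
# (established by forensics), detected_at when the SOC noticed it, and
# contained_at when it was contained; None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "started_at": "2014-11-03T08:00:00",
     "detected_at": "2014-11-03T08:12:00", "contained_at": "2014-11-03T09:40:00"},
    {"id": "INC-2", "severity": "medium", "started_at": "2014-11-03T10:00:00",
     "detected_at": "2014-11-03T22:00:00", "contained_at": "2014-11-04T02:00:00"},
    {"id": "INC-3", "severity": "high", "started_at": "2014-11-04T01:00:00",
     "detected_at": "2014-11-04T01:05:00", "contained_at": "2014-11-04T01:35:00"},
    {"id": "INC-4", "severity": "low", "started_at": "2014-11-01T00:00:00",
     "detected_at": "2014-11-05T00:00:00", "contained_at": "2014-11-05T03:00:00"},
    {"id": "INC-5", "severity": "medium", "started_at": "2014-11-05T14:00:00",
     "detected_at": "2014-11-05T14:30:00", "contained_at": "2014-11-05T16:30:00"},
    {"id": "INC-6", "severity": "high", "started_at": "2014-11-06T09:00:00",
     "detected_at": "2014-11-06T09:03:00", "contained_at": None},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def time_to_detect(inc):
    """Minutes from the start of malicious activity to SOC detection."""
    return _minutes(inc["started_at"], inc["detected_at"])


def time_to_contain(inc):
    """Minutes from detection to containment, or None if still open."""
    if inc["contained_at"] is None:
        return None
    return _minutes(inc["detected_at"], inc["contained_at"])


def percentile(values, p):
    """Nearest-rank percentile; the p90 exposes the slow tail a mean would hide."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def _stats(group):
    ttd = [time_to_detect(i) for i in group]
    ttc = [t for t in (time_to_contain(i) for i in group) if t is not None]
    out = {"count": len(group), "open": len(group) - len(ttc),
           "ttd_median": median(ttd), "ttd_p90": percentile(ttd, 90)}
    if ttc:  # only closed incidents contribute to containment timing
        out["ttc_median"] = median(ttc)
        out["ttc_p90"] = percentile(ttc, 90)
    return out


def summarize(incidents):
    """Timing metrics overall and per severity. Intentionally no
    events-per-analyst figure: that rewards closing tickets, not handling them."""
    by_severity = defaultdict(list)
    for inc in incidents:
        by_severity[inc["severity"]].append(inc)
    return {"overall": _stats(incidents),
            "by_severity": {sev: _stats(g) for sev, g in by_severity.items()}}


if __name__ == "__main__":
    report = summarize(INCIDENTS)
    for scope, stats in [("overall", report["overall"])] + sorted(report["by_severity"].items()):
        print(f"{scope:8s} " + " ".join(f"{k}={v}" for k, v in stats.items()))
```

On the constructed records the overall median time to detect is 21 minutes but the 90th percentile is four days (INC-4), which is exactly the kind of gap a single average would conceal; the still-open INC-6 counts toward detection timing but is excluded from containment timing rather than being silently treated as contained.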
Book Review: FreeBSD Mastery: Storage Essentials
Saint Aardvark writes: If, like me, you administer FreeBSD systems, you know that (like Linux) there is an embarrassment of riches when it comes to filesystems. GEOM, UFS, soft updates, encryption, disklabels — there is a *lot* going on here. And if, like me, you're coming from the Linux world your experience won't be directly applicable, and you'll be scaling Mount Learning Curve. Even if you *are* familiar with the BSDs, there is a lot to take in. Where do you start? You start here, with Michael W. Lucas' latest book, FreeBSD Mastery: Storage Essentials. You've heard his name before; he's written Sudo Mastery (which I reviewed previously), along with books on PGP/GnuPG, Cisco Routers and OpenBSD. This book clocks in at 204 pages of goodness, and it's an excellent introduction to managing storage on FreeBSD. From filesystem choice to partition layout to disk encryption, with sidelong glances at ZFS along the way, he does his usual excellent job of laying out the details you need to know without ever veering into dry or boring.

FreeBSD Mastery: Storage Essentials
author: Michael W. Lucas
pages: 240
publisher: Tilted Windmill Press
rating: 9/10
reviewer: Saint Aardvark
ISBN: 0692343202
summary: FreeBSD Mastery: Storage Essentials takes you on a deep dive into FreeBSD's disk management systems.

Do you need to know about GEOM? It's in here: Lucas takes you from "What *is* GEOM, anyway?" (answer: FreeBSD's system of layers for filesystem management) through "How do I set up RAID 10?" through "Here's how to configure things to solve that weird edge-case." Still trying to figure out GUID partitions? I sure was...and then I read Chapter Two. Do you remember disklabels fondly, and wonder whatever happened to them? They're still around, but mainly on embedded systems that still use MBR partitions — so grab this book if you need to deal with them.
The discussion of SMART disk monitoring is one of the best introductions to this subject I've ever read, and should serve *any* sysadmin well, no matter what OS they're dealing with; I plan on keeping it around for reference until we no longer use hard drives. RAID is covered, of course, but so are more complex setups — as well as UFS recovery and repair for when you run into trouble.
Disk encryption gets three chapters (!) full of details on the two methods in FreeBSD, GBDE and GELI. But just as important, Lucas outlines why disk encryption might *not* be the right choice: recovering data can be difficult or impossible, it might get you unwanted attention from adversaries, and it will *not* protect you against, say, an adversary who can put a keylogger on your laptop. If it still makes sense to encrypt your hard drive, you'll have the knowledge you need to do the job right.
I said that this covers *almost* everything you need to know, and the big omission here is ZFS. It shows up, but only occasionally and mostly in contrast to other filesystem choices. For example, there's an excellent discussion of why you might want to use FreeBSD's plain UFS filesystem instead of all-singing, all-dancing ZFS. (Answer: modest CPU or RAM, or a need to do things in ways that don't fit in with ZFS, make UFS an excellent choice.) I would have loved to see ZFS covered here — but honestly, that would be a book of its own, and I look forward to seeing one from Lucas someday; when that day comes, it will be a great companion to this book, and I'll have Christmas gifts for all my fellow sysadmins.
One big part of the appeal of this book (and Lucas' writing in general) is that he is clear about the tradeoffs that come with picking one solution over another. He shows you where the sharp edges are, and leaves you well-placed to make the final decision yourself. Whether it's GBDE versus GELI for disk encryption, or what might bite you when enabling soft updates journaling, he makes sure you know what you're getting into. He makes recommendations, but always tells you their limits.
There's also Lucas' usual mastery of writing; well-written explanations with liberal dollops of geek humor that don't distract from the knowledge he's dropping. He's clear, he's thorough, and he's interesting — and that's an amazing thing to say about a book on filesystems.
Finally, the technical review was done by Poul-Henning Kamp; he's a FreeBSD developer who wrote huge parts of the GEOM and GBDE systems mentioned above. That gives me a lot of warm fuzzies about the accuracy of this book.
If you're a FreeBSD (or Linux, or Unix) sysadmin, then you need this book; it has a *lot* of hard-won knowledge, and will save your butt more than you'll be comfortable admitting.
You can purchase FreeBSD Mastery: Storage Essentials from amazon.com.
Book Review: Build Your Own Website: A Comic Guide to HTML, CSS, and WordPress
MassDosage writes: At the risk of exposing my age, I remember building my first website using a rudimentary Unix text editor (Joe) and carefully handcrafting the Hypertext Markup Language (HTML) while directly logged on to the web server it was being served from. Back then Cascading Style Sheets (CSS) weren't even a glint in the eyes of their creators. A lot has changed and there's now a world of fancy WYSIWYG web page editors to choose from as well as Content Management Systems that allow you to create websites without looking at the underlying code at all. While this is all very useful and allows less technical people to create websites I still feel that having at least some knowledge of how everything works under the hood is empowering — especially in situations where you want to go beyond the limits placed on you by a certain tool. This is where Build Your Own Website: A comic guide to HTML, CSS and Wordpress comes into the picture. Its aim is to enable people new to web development to learn the subject by teaching the fundamentals of HTML and CSS first and only then describing how to use a Content Management System (CMS) — in this case Wordpress. While Wordpress might not be everyone's kettle of fish it's a good choice as an example of a modern CMS that is easily accessible and very popular. The concepts presented are simple enough that it should be easy enough for a reader to apply them to a different CMS should they want to.

Build Your Own Website: A Comic Guide to HTML, CSS, and WordPress
author: Nate Cooper and Kim Gee
pages: 264
publisher: No Starch Press
rating: 7.5/10
reviewer: MassDosage
ISBN: 1593275226
summary: An illustrated introduction to the basics of creating a website

To be clear, this book is intended for people who have little to no experience building websites and it is appropriately written in a non-formal, fun and non-threatening manner.
Each chapter has the same format where a topic is initially covered at a high level in the form of a cartoon that is really easy to grasp. This is then followed by a more in-depth repetition of the same content using more "traditional" text and diagrams. Most chapters then end with a summary of the key points which can be used as a simple reference. This layout means that if you're a quick learner or are familiar with some of the concepts you can just read the comic section and then try implementing the material covered on your own. On the other hand if you want more information and depth you can read the text that follows. The material is presented in such a way that it should be easy for the reader to "learn by doing" as they copy or modify what the main character in the cartoon does (in this case building a website for her photography portfolio). All that's needed to get started is a browser, a text editor and some knowledge of how to organize files on a file system. This coverage of raw HTML and CSS may sound off-putting to non-technical people but it's presented in such a simple manner that pretty much anyone should be able to follow along. The benefit of this "back to the basics" approach is that one is not limited to using only a certain piece of software and instead the fundamentals can be applied to other tools later.
The book provides a good introduction to HTML and describes some useful tags that can be used to start creating a simple website. CSS is explained in a similar manner and the reader is shown how it can be used to easily change the look of a website. These two technologies are the bedrock on top of which pretty much all web development rests and thus understanding them is a prerequisite for anyone wanting to create their own websites. The book also does a good job of showing how a content management system like Wordpress builds on top of these foundations and how you can still get to the underlying HTML and CSS should you want to (as well as why this might be useful if you want to modify something that Wordpress does or doesn't do). On the Wordpress front the basics are covered — from creating pages and page hierarchies to how these can be categorized and grouped. Unfortunately when going into more detail on this topic things lose a bit of coherence. Wordpress is obviously a big beast which has entire books devoted to it and cramming in a summary of it means having to leave out a lot. It seems as if the author might have had to trim these sections down and this has resulted in the text feeling a bit rushed and confusing which is in contrast with the rest of the book where the topics are covered in a slower and more detailed manner. Any book that describes using a piece of software like Wordpress to the level of explaining how to point and click one's way through certain steps risks becoming outdated as the software changes in future. For the most part this shouldn't be too much of an issue as Wordpress isn't covered in too much detail but it does mean that this book probably won't be a reference you still use in five years' time.
On the whole Build Your Own Website: A Comic Guide to HTML, CSS, and WordPress succeeds in its goal of presenting a gentle learning curve and guiding people through what is needed to create a website from scratch. It is just technical enough that readers should be able to understand the fundamentals of what they are doing while being non-intimidating and introducing concepts at a relaxed and fun pace via the comic format. By the end of this book readers should have a solid grasp of the basics of website creation and be able to set up a simple site themselves, either by coding this up in HTML and CSS directly or by using Wordpress. For anything more advanced one would need to move on to other books or self-teaching but this book is a great starting point if you're new to the subject.
You can purchase Build Your Own Website: A Comic Guide to HTML, CSS, and WordPress from amazon.com.
Book Review: Spam Nation
benrothke writes: There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is, the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming Americans with countless emails for pharmaceuticals which led to a global spam problem.

Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
author: Brian Krebs
pages: 256
publisher: Sourcebooks
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-1402295614
summary: Excellent expose on why cybercrime pays and what you can do about it

Much of the story details the doings of two of the major Russian pharmacy spammer factions, Rx-Promotion and GlavMed. In uncovering the story, Krebs had the good fortune that there was significant animosity between Rx-Promotion and GlavMed, which led to an internal employee leaking a huge amount of emails and documents. Krebs obtained this treasure trove which he used to get a deep look at every significant aspect of these spam organizations.
Hackers loyal to the heads of Rx-Promotion and GlavMed leaked this information to law enforcement officials and Krebs in an attempt to sabotage each other.
Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.
Like many, I had thought that much of the pharmaceutical spam was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.
Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are making rational, if potentially risky, choices based on a number of legitimate motivations. Krebs lists 4 primary motivations: price and affordability; confidentiality; convenience; and recreation or dependence.
Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.
Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it? Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.
The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.
As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast number of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.
As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks, which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company, or may find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to issue a basic refund rather than suffer a chargeback. This was yet another economic incentive that motivated the spammers.
As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.
Krebs writes how spammers have now moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number so they can redeem it for cash.
The book concludes with Krebs's 3 Rules for Online Safety, namely: if you didn't go looking for it, don't install it; if you installed it, update it; and if you no longer need it, remove it.
The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nation does a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nation is a quick read and an important one at that.
Reviewed by Ben Rothke.
You can purchase Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door from amazon.com.
Book Review: Bulletproof SSL and TLS
benrothke writes: If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = security myth is dispelled. For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL/TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security.

Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications
author: Ivan Ristic
pages: 530
publisher: Feisty Duck
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-1907117046
summary: Tremendous guide on how to correctly deploy TLS by one of the top experts in the field

Ristic is the author of the SSL Labs web site, a site dedicated to everything SSL, including extensive documents and tools.
One would think that it's impossible to write an interesting book about a security protocol. But for those who use SSL or just want to understand what it's all about, the book is not only quite practical, but a very interesting read.
The book provides a good balance of overview, protocol details, summary of vulnerabilities and weaknesses, and a large chunk of practical deployment guidance.
The first three chapters provide an excellent overview to SSL, TLS, PKI and cryptography. While chapter 2 may be a bit dry, the introduction is thorough and comprehensive.
Chapter 4 is particularly interesting in that the author notes that while the cryptography behind SSL and PKI is fundamentally secure, there is an inherent flaw in how PKI operates, in that any CA (certificate authority) is able to issue a certificate for any name without having to seek approval from the domain name owner. This trust dependency creates numerous attack vectors that can be exploited.
The chapter details a number of significant incidents that arose from this flaw, from the 2001 code signing certificate mistake, where Verisign mistakenly issued Class 3 code signing certificates to someone claiming to be a Microsoft employee, to the Flame malware, which was signed with a bogus certificate that was seemingly signed by Microsoft, to a number of other issues.
In chapter 5, the book details a number of HTTP and browser issues, and related TLS threats. Attacks such as sidejacking, cookie stealing, cookie manipulation and more are detailed.
The author wisely notes that cookies suffer from two main problems: that they were poorly designed to begin with, allowing behavior that encourages security weaknesses, and that they are not in sync with the main security mechanism browsers use today, namely same-origin policy (SOP).
The chapter also details a significant TLS weakness: the certificate warnings generated often leave the clueless user to make the correct decision on how to proceed.
Ristic writes that if you receive an alert about an invalid TLS certificate, the right thing to do is immediately abandon the connection attempt. But the browser won't do that. Browser vendors decided not to enforce TLS connection security; rather they push the problem down to the user in the form of a certificate warning.
The problem is that when a user gets a certificate warning error, they simply don't know what to do to determine how big of an issue it really is, and will invariably choose to override the warning, and proceed to the website.
The challenge users face is that these certificate warning errors are pervasive. In 2010, Ristic scanned about 119 million domain names (.com, .net and .org) searching for TLS-enabled sites. He found that over 22 million, or 19%, of the sites were hosted on roughly 2 million IP addresses. But only about 720,000 had certificates whose names matched the intended hostname.
The chapter also details that the biggest problem with security indicators, similar to the certificate warnings, is that most users don't pay attention to them and possibly don't even notice them.
As valuable as the first half of the book is, its significance really comes alive starting in chapter 8 on deployment issues. The level of security TLS offers only works when it is deployed correctly, and the book details how to do that. Given that OpenSSL, which is the most widely used SSL/TLS library, is notorious for being poorly documented and difficult to use, the deployment challenges are a significant endeavor.
Another issue with TLS is that it can create performance issues, and chapter 9 provides a lot of insight on performance optimization. The author quotes research from Google that SSL/TLS on their email systems accounts for less than 1% of the CPU load, less than 10 KB of memory per connection, and less than 2% of the network overhead. The author writes that his goal is to enable the reader to get as close as possible to Google's performance numbers.
SSL/TLS has a reputation for being slow, but that is more a remnant of years ago when CPUs were much slower. With better CPUs and the optimization techniques the book shows, there is no reason not to use TLS.
For those that want an initial look, the table of contents, preface, and chapter 1 are available here. Once you get a taste of what this book has to offer, you will want to read the entire book.
As noted earlier, OpenSSL is poorly documented. In Bulletproof SSL and TLS, Ivan Ristic has done the opposite: he has written the most readable and insightful book about SSL/TLS to date. TLS is not so difficult to deploy, but incredibly easy to deploy incorrectly. Anyone who is serious about ensuring that their SSL/TLS deployment is effective should certainly read this book.
Reviewed by Ben Rothke.
You can purchase Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications from amazon.com.
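Two of the points in the review above, that an invalid certificate should end the connection attempt rather than become a warning the user clicks through, and that a certificate is only useful when its names match the intended hostname, can be shown in a client. The following is an added example in Python, not code from Ristic's book or from SSL Labs. It builds a strict ssl.SSLContext beside the usual "make the warning go away" context, audits both, and re-implements the subjectAltName hostname rule so that it is visible; Python's ssl module performs an equivalent check itself when check_hostname is on. The certificate dictionary is constructed in the shape ssl.SSLSocket.getpeercert() returns, and the matching rule follows RFC 6125 conventions as an assumption: a wildcard must be the whole leftmost label, it matches exactly one label, and the Common Name is not consulted.

```python
"""Strict TLS client context, an audit of it, and an explicit hostname check.

Added example, not code from Ristic's book or from SSL Labs. The
certificate dictionary below is constructed in the shape that
ssl.SSLSocket.getpeercert() returns; match_hostname() re-implements the
subjectAltName rule so it is visible, following RFC 6125 conventions
(assumption: a wildcard must be the whole leftmost label, matches exactly
one label, and the Common Name is not consulted).
"""
import socket
import ssl

# Constructed cert dict (getpeercert() shape) for the hostname-matching demo.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def make_strict_context():
    """Verify the chain against the system CA store, check the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context():
    """The usual 'make the warning go away' configuration, shown for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate from anyone
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context is strict."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def _name_matches(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, with at least two labels
    # after it (so "*.com" never matches), and no other wildcards.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def match_hostname(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry of cert."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(n, hostname) for n in dns_names)


def connect_strict(host, port=443):
    """Open a verified connection and return (protocol, cipher). Any chain or
    name failure raises ssl.SSLCertVerificationError: the connection is
    abandoned rather than turned into a warning for the user to click through.
    Needs network access; not exercised by the offline checks."""
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("strict findings:", audit_context(make_strict_context()))
    print("weak findings:  ", audit_context(make_weak_context()))
    for name in ("www.example.com", "example.com", "a.b.example.com", "evil.com"):
        print(f"{name:18s} -> {match_hostname(SAMPLE_CERT, name)}")
```

The weak context is the one that turns up in code bases after someone hit a certificate warning in a script: it makes the error disappear and, with it, every guarantee TLS was supposed to provide. The hostname check is deliberately strict in the direction that matters: a wildcard in the leftmost label covers www.example.com but not a.b.example.com, and a certificate that carries the name only in its Common Name does not match at all.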
Book Review: Countdown To Zero Day
benrothke writes: A word to describe the book Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction. Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon has certainly upped the ante for accurate computer security journalism. The book is a fascinating read and author Kim Zetter's attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book.

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
author: Kim Zetter
pages: 448
publisher: Crown
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-0770436179
summary: Outstanding narrative about Stuxnet and how it was developed, quarantined and debugged

For those that want to know the basics about Stuxnet, its Wikipedia entry will suffice. The book takes a detailed look at how the Stuxnet worm of 2010 came to be, how it was written, discovered and deciphered, and what it means for the future, and provides nearly everything known to date about Stuxnet.
The need to create Stuxnet was the understanding that a nuclear Iran was dangerous to the world. The book notes that it just wasn't the US and Israel that wanted a nuclear free Iran; Egypt and Saudi Arabia were highly concerned about the dangers a nuclear Iran would bring to the region.
What is eminently clear is that Iran chronically lied about their nuclear intentions and actions (chapter 17 notes that former United Kingdom Prime Minister Gordon Brown told the international community that they had to do something over Iran's serial deception of many years) and that the United Nations International Atomic Energy Agency (IAEA) is powerless to do anything, save for monitoring and writing reports.
Just last week, President Obama said a big gap remains in international nuclear negotiations with Iran and he questioned whether talks would succeed. He further said "are we going to be able to close this final gap so that (Iran) can reenter the international community, sanctions can be slowly reduced and we have verifiable, lock tight assurances that they can't develop a nuclear weapon, there's still a big gap. We may not be able to get there". It's against that backdrop that Stuxnet was written.
While some may debate if Stuxnet was indeed the world's first digital weapon, it's undeniable that it is the first piece of known malware that could be considered a cyber-weapon. Stuxnet was unlike any other previous malware. Rather than just hijacking targeted computers or stealing information from them, it created physical destruction on centrifuges the software controlled.
At just over 400 pages, the book is a bit wordy at times, but Zetter does a wonderful job of keeping the book extremely readable and the narrative enthralling. Writing about debugging virus code, Siemens industrial programmable logic controllers (PLC) and Step7 software (which was what Stuxnet was attacking) could easily be mind-numbingly boring, save for Zetter's ability to make it a compelling read.
While a good part of the book details the research Symantec, Kaspersky Lab and others did to debug Stuxnet, the book doesn't have any software code, which makes it readable for the non-programmer. The book is technical and Zetter gets into the elementary details of how Stuxnet operated: from reverse engineering, digital certificates and certificate authorities, cryptographic hashing and much more. The non-technical reader certainly won't be overwhelmed, but at the same time might not be able to appreciate what went into designing and making Stuxnet work.
As noted earlier, the book is extremely well researched and all significant claims are referenced. The book is heavily footnoted, which makes the book much more readable than the use of endnotes. Aside from the minor error of mistakenly calling Kurt Gödel a cryptographer on page 295 (he was a logician), Zetter's painstaking attention to detail is to be commended.
Whoever wrote Stuxnet counted on the Iranians not having the skills to uncover or decipher the malicious attacks on their own. But as Zetter writes, they also didn't anticipate the crowdsourced wisdom of the hive — courtesy of the global cybersecurity community that would handle the detection and analysis for them. That detection and analysis spanned continents and numerous countries.
The book concludes with chapter 19 — Digital Pandora — which departs from the details of Stuxnet and gets into the bigger picture of what cyber-warfare means and its intended and unintended consequences. There are no simple answers here and the stakes are huge.
The chapter quotes Marcus Ranum who is outspoken on the topic of cyber-warfare. At the 2014 MISTI Infosec World Conference, Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Be it the topic or Marcus just being Marcus, a third of the participants left within the first 15 minutes. But they should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.
The book leaves two unresolved questions: who did it, and how did it get into the Natanz enrichment facility. It is thought the US with some assistance from Israel created Stuxnet; but Zetter also writes that Germany and Great Britain may have done the work or at least provided assistance.
It's also unknown how Stuxnet got into the air-gapped facility. It was designed to spread via an infected USB flash drive. It's thought that since they couldn't get into the facility, what needed to be done was to infect computers belonging to a few outside firms that sold devices that would in turn be connected to the facility. The book identified a few of these companies, but it's still unclear if they were the ones, or the perpetrators somehow had someone on the inside.
As to zero day in the title, what was unique about Stuxnet is that it contained 5 zero-day exploits. Zero day is also relevant in that Zetter describes the black and gray markets of firms that discover zero-day vulnerabilities who in turn sell them to law enforcement and intelligence agencies.
Creating Stuxnet was a huge challenge that took scores of programmers from a nation state many months to create. Writing a highly readable and engrossing book about the obscure software vulnerabilities that it exploited was also a challenge, albeit one that few authors could do efficaciously. In Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter has written one of the best computer security narratives; a book you will likely find quite hard to put down.
Reviewed by Ben Rothke.
You can purchase Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
Book Review: Measuring and Managing Information Risk: a FAIR Approach
benrothke writes: It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner is accepted without question; even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it's not that much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an underabundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. Keep reading for the rest of Ben's review.
Measuring and Managing Information Risk: A FAIR Approach
Author: Jack Freund and Jack Jones
Pages: 408
Publisher: Butterworth-Heinemann
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0124202313
Summary: Superb overview to the powerful FAIR risk management methodology
The book details the factor analysis of information risk (FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool.
The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.
FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.
FAIR takes the risk professional out of the realm of dealing with risk via the checklist, which only serves to produce meaningless measurements, and into the world of quantitative, defendable results.
For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those that are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.
The book is an incredibly good reference that will force you to look again at how you view risk management. Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking. The authors note that information security and operational risk has operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.
The authors write that risk decision making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.
A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess with Ebola-like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.
The book spends a few chapters going through the FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk-related communications within an organization.
The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.
The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lies its power. Setting up a common framework for risk management becomes an invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.
In chapter 5, the authors address the biggest objections to quantitative risk management: that it can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it can be effectively measured to the degree needed to reduce management's uncertainty about risk. They also importantly note that risk is a forward-looking statement about what may or may not come to pass in the future. With that, perfect accuracy is impossible; but effective quantitative risk management is very possible.
The power of FAIR is that it helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.
Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.
In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.
FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.
But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.
The book is flawless in its execution and description of the subject. The only critique is that the authors should have been a bit more transparent in the text when (especially in chapter 8) mentioning the FAIR software, in that it is their firm that makes the software.
For those that are willing to put in the time to understanding FAIR, this book will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.
Reviewed by Ben Rothke.
You can purchase Measuring and Managing Information Risk: A FAIR Approach from amazon.com.
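The quantitative, probability-based analysis the review describes can be made concrete with a small Monte Carlo model. The following is an added example written for this page; it is not code from the book or from the authors' FAIR software. It uses the FAIR factor structure (Loss Event Frequency = Threat Event Frequency × Vulnerability; annualized loss = Loss Event Frequency × Loss Magnitude), samples each calibrated range with a triangular distribution as a simplification of the PERT distributions practitioners usually use, and the phishing scenario and its ranges are constructed for illustration.

```python
"""Monte Carlo sketch of a FAIR-style risk estimate (constructed example).

FAIR factors risk into two branches:
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Loss Magnitude (LM)        = loss per loss event
    Annualized loss            = LEF x LM
Each input is a calibrated range (minimum, most likely, maximum), so the
result is a distribution of annual loss rather than a single point guess.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw; when low == high the draw collapses to that value.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability (0..1) a threat event becomes a loss event
    loss_magnitude: Estimate  # currency lost per loss event


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """One annualized-loss sample per trial: LEF x LM, with LEF = TEF x Vulnerability."""
    rng = random.Random(seed)
    out = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        out.append(lef * scenario.loss_magnitude.sample(rng))
    return out


def summarize(samples: list[float]) -> dict[str, float]:
    """Percentiles and mean: the figures a decision maker can actually weigh."""
    s = sorted(samples)

    def pct(p: float) -> float:
        return s[min(len(s) - 1, int(p / 100 * len(s)))]

    return {"p10": pct(10), "p50": pct(50), "p90": pct(90), "mean": statistics.fmean(s)}


# Constructed scenario (not from the book): phishing leading to credential misuse.
PHISHING = Scenario(
    name="Phishing -> credential misuse",
    tef=Estimate(low=12, mode=50, high=200),             # attempts per year
    vulnerability=Estimate(low=0.02, mode=0.10, high=0.30),
    loss_magnitude=Estimate(low=5_000, mode=40_000, high=500_000),
)

if __name__ == "__main__":
    for key, value in summarize(simulate(PHISHING)).items():
        print(f"{key}: {value:,.0f}")
```

The output is a range (10th, 50th and 90th percentile of annual loss) rather than a colour on a heat map, which is the kind of statement the review says boards and executives can act on; narrowing any one input range is what reduces management's uncertainty.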
Book Review: Scaling Apache Solr
First time accepted submitter sobczakt writes: We live in a world flooded by data and information and we all realize that if we can't find what we're looking for (e.g. a specific document), there's no benefit from all these data stores. When your data sets become enormous or your systems need to process thousands of messages a second, you need an environment that is efficient, tunable and ready for scaling. We all need well-designed search technology. A few days ago, a book called Scaling Apache Solr landed on my desk. The author, Hrishikesh Vijay Karambelkar, has written an extremely useful guide to one of the most popular open-source search platforms, Apache Solr. Solr is a full-text, standalone, Java search engine based on Lucene, another successful Apache project. For people working with Solr, like myself, this book should be on their Christmas shopping list. It's one of the best on this subject. Read below for the rest of sobczakt's review.
Scaling Apache Solr
Author: Hrishikesh Vijay Karambelkar
Pages: 215
Publisher: Packt
Rating: 9/10
Reviewer: sobczakt
ISBN: 978-1783981748
Summary: Get an introduction to the basics of Apache Solr in a step-by-step manner with lots of examples
Karambelkar is an enterprise architect with a long history in both commercial products and open source technology. As he says, he currently spends most of his time solving problems for the software industry and developing the next generation of products.
The book is divided into 10 chapters. Basically, the first three are an introduction to Apache Solr and cover its architecture, features, configuration and setting up. Chapter One contains many practical cases of Apache Solr, to help beginners understand the topic.
Chapter Four is very interesting and describes a common pattern for enterprise search solutions. These patterns focus on data processing/integration and how to meet the requirements of users (interface, relevancy, general experience).
The rest of the book mainly refers to the central topic, that is distributing search queries and how to scale/optimize a system. The book discusses all Apache Solr concepts like replication, fault tolerance, sharding and illustrates them with helpful examples. The book precisely explains SolrCloud — a bundle of built-in distributed capabilities available from version 4.0.
Chapter 8, dedicated to optimization, drew my attention. It is full of useful tips concerning JVM parameters and manipulating data structures or caching layers as well.
Scaling Apache Solr covers both basic and advanced subjects. The information is well organized, clear and concise. Lots of examples and cases in this book can be absorbed by beginners. I was nicely surprised by the chapter describing integration possibilities. There's some great information about using Solr with Cassandra, MapReduce paradigm or R (programming language for computational statistics) although I would have preferred this subject to be covered in more detail. The book has two more advantages: first, it discusses designing an enterprise search system in general terms and second, it can be treated as an introduction to large volume data processing.
I believe I need to emphasize that many sections related to defining a schema, importing data, running SolrCloud or searching in near real time (NRT) are not just raw documentation; they also have the author's well-judged advice and comments.
Unfortunately, I felt some of the more advanced topics were not described in enough detail; for example, index merging, document relevance or using dynamic fields in the data structure. Moreover, reading the book, I had a feeling that some parts do not fit the title, such as the section about clustering with Carrot2 or integration with a PHP web portal.
I can say that I have read this book with pleasure and satisfaction, which in fact is rare regarding technology publications. For me, as a person who has been working with Solr since version 1.3, it was a great way to review and sort out some of its aspects. On the other hand, I'm pretty sure that people starting their experience with Apache Solr will take a lot from this book. Although it is mainly focused on advanced problems, it starts with the basics.
Despite some small imperfections, I recommend this book, especially because it describes the concrete technology in an easy-to-read way and also refers to some general architectural patterns.
You can purchase Scaling Apache Solr from amazon.com.
Book Review: Architecting the Cloud
benrothke writes: Most books about cloud computing are either extremely high-level quasi-marketing tomes about the myriad benefits of the cloud without any understanding of how to practically implement the technology under discussion. The other type of cloud book is the highly technical reference guide, which provides technical details, but for a limited audience. In Architecting the Cloud: Design Decisions for Cloud Computing Service Models, author Michael Kavis has written perhaps the most honest book about the cloud. Make no doubt about it; Kavis is a huge fan of the cloud. But more importantly, he knows what the limits of the cloud are, and how cloud computing is not a panacea. That type of candor makes this book an invaluable guide to anyone looking to understand how to effectively deploy cloud technologies. Keep reading below for the rest of Ben's review.
Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS)
Author: Michael Kavis
Pages: 224
Publisher: Wiley
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-1118617618
Summary: Extremely honest and enlightening book on how to effectively use the cloud
The book is an excellent balance of the almost boundless potential of cloud computing, mixed with a high amount of caution that the potential of the cloud can only be manifest with effective requirements and formal security architecture.
The full title of the book is: Architecting the Cloud: Design Decisions for Cloud Computing Service Models: SaaS, PaaS, and IaaS. One of the mistakes of using the cloud is that far too many decision makers rush in, without understanding the significant differences (and they are significant) between the 3 main cloud service models.
In chapter 1, he provides a number of enthusiastic cloud success stories to set the stage. He shows how a firm was able to build a solution entirely on the public cloud with a limited budget. He also showcases Netflix, whose infrastructure is built on Amazon Web Services (AWS).
Chapter 3 is titled cloud computing worst practices and the book would be worth purchasing for this chapter alone. The author has a number of cloud horror stories and shows the reader how they can avoid failure when moving to the cloud. While many cloud success stories showcase applications developed specifically for the cloud, the chapter details the significant challenges of migrating existing and legacy applications to the cloud. Such migrations are not easy endeavors, which he makes very clear.
In the chapter, Kavis details one of the biggest misguided perceptions of cloud computing, in that it will greatly reduce the cost of doing business. That is true for some cloud initiatives, but definitely not all, as some cloud marketing people may have you believe.
Perhaps the most important message of the chapter is that not every problem is one that needs to be solved by cloud computing. He cites a few examples where not going with a cloud solution was actually cheaper in the long run.
The book does a very good job of delineating the differences between the various types of cloud architectures and service models. He notes that one reason for leveraging IaaS over PaaS is that when a PaaS provider has an outage, the customer can only wait for the provider to fix the issue and get the services back online. With IaaS, the customer can architect for failure and build redundant services across multiple physical or virtual data centers.
For many CIOs, the security fears of the cloud mean that they will immediately write off any consideration of cloud computing. In chapter 9, the author notes that almost any security regulation or standard can be met in the cloud, as none of the regulations and standards dictate where the data must specifically reside.
The book notes that for security to work in the cloud, firms need to apply 3 key strategies for managing security in cloud-based applications, namely centralization, standardization and automation.
In chapter 10, the book deals with creating a centralized logging strategy. Logging is a critical component of any cloud-based application, yet it is one of the areas that many firms don't adequately address in their move to the cloud. The book provides a number of approaches to use to create an effective logging strategy.
The only issue I have with the book is that while the author is a big fan of Representational state transfer (REST), many firms have struggled to obtain the benefits he describes. RESTful is an abstraction of the architecture of the web; namely an architectural style consisting of a coordinated set of architectural constraints applied to components, connectors and data elements, within a distributed hypermedia system. REST ignores the details of component implementation and protocol syntax in order to focus on the roles of components, the constraints upon their interaction with other components, and their interpretation of significant data elements.
I think the author places too much reliance on RESTful web services and doesn't detail the challenges in making it work properly. RESTful is not always the right choice even though it is all the rage in some cloud design circles.
While the book is part of the Wiley CIO Series, cloud architects, software and security engineers, technical managers and anyone with an interest in the cloud will find this an extremely valuable resource.
Ironically, for those that are looking for ammunition why the cloud is a terrible idea, they will find plenty of evidence for it in the book. But the reasons are predominantly that those that have failed in the cloud, didn't know why they were there in the first place, or were clueless on how to use the cloud.
For those that want to do the cloud right, the book provides a vendor neutral approach and gives the reader an extremely strong foundation on which to build their cloud architecture.
The book lists the key challenges that you will face in the migration to the cloud, and details how most of those challenges can be overcome. The author is sincere when he notes areas where the cloud won't work.
For those that want an effective roadmap to get to the cloud, and one that provides essential information on the topic, Architecting the Cloud: Design Decisions for Cloud Computing Service Models is a book that will certainly meet their needs.
Reviewed by Ben Rothke.
You can purchase Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS) from amazon.com.
Book Review: Introduction To Cyber-Warfare: A Multidisciplinary Approach
benrothke writes: Cyberwarfare is a controversial topic. At the 2014 Infosec World Conference, Marcus Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Whether it was the topic or just Marcus being Marcus, about a third of the participants left within the first 15 minutes. They should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic. In Introduction to Cyber-Warfare: A Multidisciplinary Approach, authors Paulo Shakarian, Jana Shakarian and Andrew Ruef provide an excellent overview of the topic. The book takes a holistic, or as they call it multidisciplinary, approach. It looks at the information security aspect of cyberwarfare, as well as the military, sociological and other aspects. Keep reading for the rest of Ben's review.
Introduction to Cyber-Warfare: A Multidisciplinary Approach
Author: Paulo Shakarian, Jana Shakarian and Andrew Ruef
Pages: 336
Publisher: Syngress
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-0124078147
Summary: Outstanding overview and guide to cyberwarfare
The book is divided into 3 parts and 13 densely packed and extremely well-researched and footnoted chapters. The book provides numerous case studies of the largest cyberwarfare events to date. Issues around China and their use of cyberwarfare constitute a part of the book. Chapter 7 details the Chinese cyber strategy and shows how the Chinese cyber doctrine and mindset is radically different from that of those in the west.
The book compares the board games of chess (a Western game) and Go (a Chinese game) and how the outcomes and strategies of the games are manifest in each doctrine.
The chapter also shows how the Chinese government outlawed hacking, while at the same time the military identified the best and most talented hackers in China, and integrated them into Chinese security firms, consulting organizations, academia and the military.
One of the more fascinating case studies details the cyber war against the corporate world from China. The book provides a number of examples and details the methodologies they used, in addition to providing evidence of how the Chinese were involved.
For an adversary, one of the means of getting information is via social networks. This is often used in parallel by those launching some sort of cyberwarfare attack. LinkedIn is one of the favorite tools for such an effort. The authors write of the dangers of transitive trust; where user A trusts user B, and user B trusts user C. Via a transitive trust, user A will then trust user C based simply on the fact that user B does. This was most manifest in the Robin Sage exercise. This was where Thomas Ryan created a fictitious information security professional named Robin Sage. He used her fake identity and profile to make friends with others in the information security world, commercial, federal and military, and he was able to fool even seasoned security professionals. Joan Goodchild wrote a good overview of the experiment here.
In chapter 10, the book details how Iraqi insurgents viewed Predator drone video feeds. Woody Allen said that eighty percent of success is just showing up. In this case, all the insurgents had to do was download the feed, as it was being transmitted unencrypted. Very little cyberwarfare required.
When the drone was being designed, the designers used security by obscurity in their decision not to encrypt the video feed. They felt that since the Predator video feeds were being transmitted on frequencies that were not publicly known, no access control, encryption or other security mechanisms would be needed.
The downside is that once the precise frequency was determined by the insurgency, in the case of the Predator drone, the Ku-band, the use of the SkyGrabber satellite internet downloader made it possible for them to effortlessly view the video feeds.
The only negative about the book is a minor one. It has over 100 pictures and illustrations. Each one states: for the color version of this figure, the reader is referred to the online version of the book. Having that after every picture is a bit annoying. Also, the book never says where you can find the online version.
How good is this book? The reality is that this book should indeed be read by everyone in Washington, as they are making decisions on the topic, without truly understanding it.
For most readers, this will be the book that tells them everything they need to know, and that their congressman should know. Most people will never be involved with any sort of warfare, and most corporate information security professionals will not get involved with cyberwarfare. Nonetheless, Introduction to Cyber-Warfare: A Multidisciplinary Approach is a fascinating read about a most important subject.
Reviewed by Ben Rothke.
You can purchase Introduction to Cyber-Warfare: A Multidisciplinary Approach from amazon.com.
Book Review: Data-Driven Security: Analysis, Visualization and Dashboards
benrothke writes: There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information, and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboards is all about the latter. In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from it to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security. Keep reading for the rest of Ben's review.
Data-Driven Security: Analysis, Visualization and Dashboards
Author: Jay Jacobs and Bob Rudis
Pages: 352
Publisher: Wiley
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-1118793725
Summary: Superb book for effective use of data for information security
The book is meant for a serious reader who is willing to put in the time and effort to learn the programming necessary (mainly in Python and R) to truly understand what information exists deep in the recesses of their logs. As to R, it is a GNU project and a free software programming language and software environment for statistical computing and graphics. The R language is widely used among statisticians and data miners for developing statistical software and data analysis. For analysis at the level Jacobs and Rudis prescribe, R is a godsend.
After completing the book, the reader will have the ability to know which questions to ask to gain security insights, and use that data to ensure the overall security of their data and networks. Getting to that level is not at all a trivial task; even if there are vendors who can promise to do that.
For many people performing data analysis, the dependable Excel spreadsheet is their basic choice for data manipulation. The book calls the spreadsheet a gateway tool between a text editor and programming. The book notes that spreadsheets work as long as the data is not too large or complex. The book quotes a 2013 report to shareholders from J.P. Morgan in which part of their 2012 $6 billion in losses was due to problems with their Excel spreadsheets.
The authors suggest using Excel as a temporary solution for quick one-shot tasks. For those that have repeating analytical tasks or models that are used repeatedly, it's best to move to some type of structured programming language, specifically those that the book suggests and for which it provides significant amounts of code examples; all of which are available on the companion website here.
The goal of all data extraction is to use data analysis to answer real questions. A large part of the book focuses on how to ask the right question. In chapter 1, the authors write that every good data analysis project begins with setting a goal and creating one or more research questions. Without a well-formed question guiding the analysis, you may be wasting time and energy seeking convenient answers in the data, or worse, you may end up answering a question that nobody was asking in the first place.
The value of the book is that it shows the reader how to focus on context and purpose of the data analysis by setting the research question appropriately; rather than simply parsing large amounts of data. It's ultimately irrelevant if you can use Hadoop to process petabytes of data if you don't know what you are looking for.
Visualization is a large part of what this book is about, and in chapter 6, Visualizing Security Data, the book notes that the most efficient path to human understanding is via the visual sense. It goes on to detail the many advantages data visualization has, and the key to making it work.
As important as visualization is, describing the data is equally important. In chapter 7, the book introduces the VERIS (Vocabulary for Event Recording and Incident Sharing) framework. VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS helps organizations collect useful incident-related information and share that information anonymously and responsibly with others.
The book shows how you can use dashboards for effective data visualization. But the authors warn that a dashboard is not an art show. They caution that given the graphical nature of dashboards, it's easy to fall into the trap of making them look like pieces of modern or fringe art; when they are far more akin to architectural and industrial diagrams that require more controlled, deliberate and constrained design.
As to dashboards the authors do not like, they consider the Cyber Security Situational Awareness dashboard to be glitzy but not informative. Personally, I thought the dashboard has a lot of good information.
The book uses the definition of dashboard according to Stephen Few, in that it's a "visual display of the most important information needed to achieve one or more objectives that has been consolidated in a single computer screen so it can be monitored at a glance". The book enables the reader to create dashboards like that.
Data-Driven Security: Analysis, Visualization and Dashboards is a superb book written by two experts who provide significant amounts of valuable information in every chapter. Those who are willing to put the time and effort into the serious amount of work that the book requires will find it a vital resource that will certainly help them achieve much higher levels of security.
Reviewed by Ben Rothke.
You can purchase Data-Driven Security: Analysis, Visualization and Dashboards from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know. -
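As an added illustration of the review's point that analysis starts from a research question rather than from the data, the following is example code written for this page; it is not from the book, its authors, or the companion website. It parses a handful of constructed OpenSSH-style log lines, answers one concrete question (which source addresses fail logins against many distinct accounts, and did any of them then succeed?), and summarises each finding under the four VERIS headings (actor, action, asset, attribute). The log lines, the host name "bastion", the thresholds and the summary field values are all assumptions made for the illustration; the summary borrows only VERIS's four-heading structure and does not use the schema's actual enumerations.

```python
"""Answer one research question from constructed SSH auth log lines.

Question: which source addresses fail logins against many distinct accounts
(password spraying / credential stuffing), and did any then succeed?
"""
import re
from collections import defaultdict

# Constructed sample log lines (OpenSSH-style); not from any real system.
SAMPLE_LOG = """\
Mar 10 08:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:04 bastion sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51123 ssh2
Mar 10 08:01:06 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:09 bastion sshd[2101]: Failed password for deploy from 203.0.113.7 port 51125 ssh2
Mar 10 08:01:12 bastion sshd[2101]: Accepted password for deploy from 203.0.113.7 port 51126 ssh2
Mar 10 08:03:30 bastion sshd[2150]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 08:03:41 bastion sshd[2150]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Mar 10 08:05:00 bastion sshd[2188]: Accepted publickey for bob from 192.0.2.44 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (outcome, method, user, src) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("method"), m.group("user"), m.group("src")


def per_source_stats(log_text):
    """Aggregate failed/accepted counts and the set of accounts tried, per source IP."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for outcome, _method, user, src in parse(log_text):
        s = stats[src]
        s["users"].add(user)
        s["failed" if outcome == "Failed" else "accepted"] += 1
    return stats


def spraying_sources(log_text, min_users=3, min_failed=3):
    """The answer to the research question: sources that failed against at
    least min_users distinct accounts, with whether a success followed.
    Thresholds are assumptions for this illustration."""
    findings = []
    for src, s in per_source_stats(log_text).items():
        if len(s["users"]) >= min_users and s["failed"] >= min_failed:
            findings.append({
                "src": src,
                "distinct_users": len(s["users"]),
                "failed": s["failed"],
                "accepted": s["accepted"],
                "followed_by_success": s["accepted"] > 0,
            })
    return sorted(findings, key=lambda f: (-f["failed"], f["src"]))


def a4_summary(finding):
    """Summarise a finding under VERIS's four headings (actor, action, asset,
    attribute). Field values are illustrative, not the VERIS enumerations."""
    return {
        "actor": {"type": "external", "ip": finding["src"]},
        "action": {"type": "hacking", "variety": "brute force",
                   "distinct_accounts_tried": finding["distinct_users"]},
        "asset": {"host": "bastion", "service": "ssh"},  # constructed host name
        "attribute": {"unauthorized_access": finding["followed_by_success"]},
    }


if __name__ == "__main__":
    for finding in spraying_sources(SAMPLE_LOG):
        print(finding)
        print(a4_summary(finding))
```

On the constructed input only 203.0.113.7 qualifies: four distinct accounts tried, four failures, and then a successful password login for "deploy", which is the detail that turns a noisy statistic into something actionable. Tightening or loosening the thresholds, or swapping in real log lines, is the point at which the question, not the chart, drives the work.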
Book Review: Security Without Obscurity
benrothke (2577567) writes: Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows the world how broad his security knowledge is. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standards bodies across the globe. Keep reading for the rest of Ben's review. Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity; author: J.J. Stapleton; pages: 355; publisher: Auerbach Publications; rating: 8/10; reviewer: Ben Rothke; ISBN: 978-1466592148; summary: Great guide to enterprise authentication from an expert. The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to a situation where authentication has, to a large extent, gotten short shrift. This is a significant issue since much of information security is built around the need for strong and effective authentication. Without effective authentication, networks and data are at direct risk of compromise.
The topic itself is not exactly compelling (that is, unless you like to read standards such as ANSI X9.42-2003: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, ISO/IEC 9798-1:2010: Information technology — Security techniques — Entity authentication,etc.), so the book is more of a detailed technical reference. Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding.
For those who don't have a general background on the topic, it may be too deep and technical a book; they may be looking for something more along the lines of a CISSP preparation guide.
For those who want to know the deep underpinnings of how encryption algorithms work, they can simply read the RFCs and standards themselves. What the book brings to the table are details about how to effectively implement the standards and algorithms in the enterprise, be it in applications, policies, or the specific procedures to meet compliance and standards requirements. And that is where Stapleton's many decades of experience provide significant and inestimable value.
There are many reasons why authentication systems fail, and many times it is due to interoperability issues. Stapleton details how to minimize those faults in order to achieve seamless authentication across multiple technologies and operating systems.
The 7 chapters cover a dense amount of information around the 3 core topics. The book is for the reader with a solid technical background. While it may be listed as an exploratory text, it is not like a For Dummies title.
As per its title, it covers confidentiality, authentication and integrity; in addition to other fundamental topics of non-repudiation, privacy and key management.
One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms. This enables the reader to understand which type of authentication is most appropriate for the specific requirement.
For example, in chapter 7, the book provides a really good comparison and summary of different cryptographic modules, including how they are linked to various standards from NIST, NSA, ANSI and ISO. It does the same for a comparison of cryptographic key strengths against various algorithms.
An interesting observation the book makes when discussing the DES encryption algorithm is that all of the talk of the NSA placing backdoors in it is essentially false. To date, no known flaws have been found in DES, and after it has been around for over 30 years, the only attack against DES is an exhaustive key attack. This type of attack is where an adversary has to try each of the possible 72 quadrillion keys (2^56 permutations, as the key is 56 bits long) until the right key is discovered.
That means that the NSA's shortening of the length of the substitution ciphers (AKA S-boxes), the source of the backdoor rumors, was not necessarily meant to weaken DES. Rather, it was meant to protect DES against specific types of cryptanalytic attacks.
While the book is tactical, the author does bring in one bit of trivia when he writes that ISO, often known as the International Organization for Standardization, does not in truth really stand for that. He notes that the organization clearly states on its web page that because International Organization for Standardization would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalisation, etc.), its founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal. Whatever the country, whatever the language, the short form of the name is always ISO.
While that is indeed ultimately a trivial issue, I have seen certification exams that ask what that acronym stands for. Perhaps a lot of CISSPs need to have their credentials revoked.
While Stapleton modifies the CIA triad, the book is not one of a security curmudgeon, rather of a security doyen. For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.
Reviewed by Ben Rothke
You can purchase Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity from amazon.com. -
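The review's emphasis on entity authentication (the ISO/IEC 9798 family it mentions is about exactly this) can be made concrete with a small added example. This is code written for this page, not code from the book or its author: a two-pass unilateral challenge-response in which the verifier B issues a random nonce and the claimant A answers with an HMAC over the nonce and both identities under a shared key, so that a captured response cannot be replayed and a reflected response from the wrong party does not verify. It is simplified and is not a conformant ISO/IEC 9798-4 implementation; the party names, the key, the length-prefixed message layout and the choice to bind both identities into the MAC are assumptions made here.

```python
"""Simplified two-pass unilateral entity authentication with a keyed MAC.

Added example, not a conformant ISO/IEC 9798-4 implementation; identities,
key and message layout are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets


def mac(key: bytes, r_b: bytes, verifier_id: bytes, claimant_id: bytes) -> bytes:
    """HMAC-SHA256 over the challenge and both identities.
    Each field is length-prefixed so the concatenation is unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (r_b, verifier_id, claimant_id))
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Party B: issues fresh challenges and accepts each one at most once."""

    def __init__(self, key: bytes, own_id: bytes):
        self.key, self.own_id = key, own_id
        self.outstanding = set()  # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        r_b = secrets.token_bytes(16)  # 128-bit random nonce, never reused
        self.outstanding.add(r_b)
        return r_b

    def verify(self, claimant_id: bytes, r_b: bytes, token: bytes) -> bool:
        if r_b not in self.outstanding:
            return False  # replayed, forged or stale challenge
        self.outstanding.discard(r_b)  # one-shot, regardless of outcome
        expected = mac(self.key, r_b, self.own_id, claimant_id)
        return hmac.compare_digest(expected, token)  # constant-time compare


class Claimant:
    """Party A: proves possession of the shared key by MACing B's challenge."""

    def __init__(self, key: bytes, own_id: bytes):
        self.key, self.own_id = key, own_id

    def respond(self, r_b: bytes, verifier_id: bytes) -> bytes:
        return mac(self.key, r_b, verifier_id, self.own_id)


def run_exchange(claimant_key: bytes, verifier_key: bytes) -> dict:
    """Run one exchange, then try what an attacker who captured it would try:
    replay the same token, and present a stale token against a new challenge."""
    b = Verifier(verifier_key, b"B")
    a = Claimant(claimant_key, b"A")
    r_b = b.challenge()                    # B -> A: R_B
    token = a.respond(r_b, b"B")           # A -> B: MAC_K(R_B || B || A)
    first = b.verify(b"A", r_b, token)     # genuine response
    replay = b.verify(b"A", r_b, token)    # same challenge again: rejected
    r_b2 = b.challenge()
    stale = b.verify(b"A", r_b2, token)    # old token, new challenge: rejected
    return {"first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print(run_exchange(key, key))              # {'first': True, 'replay': False, 'stale': False}
    print(run_exchange(key, b"\x00" * 32))     # wrong key: {'first': False, ...}
```

The two properties worth noticing are that the verifier, not the claimant, controls freshness (a claimant-chosen nonce would let an attacker replay), and that the verifier's identity is inside the MAC, so a token obtained by posing as B to A cannot be turned around and presented to B.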
Radio Shack TRS-80 Vs. Commodore 64: Battle of the Titans
Nerval's Lobster writes "The one and only Jeff Cogswell is back with a new article comparing the two biggest competitors in the home-computing business: the Commodore 64 and the Radio Shack TRS-80. What does he have to say about these absolutely cutting-edge machines? The TRS-80 simply can't stand up to the awe-inspiring Commodore 64, which features the latest processor from MOS Technology, the 6510. Best of all, the C-64's graphics processor can display up to 16 colors simultaneously, and it can create a full screen made up of 320 x 200 'dots.' But the TRS-80 has some good points, as well, including a whopping 512 K of memory (not that you'll ever use that much, anyway). As Cogswell writes: 'Let's cover these two bad boys and provide a totally unbiased review unencumbered by any alleged kickbacks (including a brand new daisy wheel printer and a case of Schiltz Beer) from Commodore, the maker of the awesome machine known as the Commodore 64.'" -
Ask Slashdot: Should Bitcoin Be Regulated?
Nerval's Lobster writes "Federal regulators are starting to make noise about Bitcoin, the digital currency that's gained in recognition and value over the past few years: the Treasury Department's Financial Crimes Enforcement Network (FinCEN) is offering up 'guidance' for digital currency and those who use it as part of commerce. But the Bitcoin Foundation, which is devoted to standardizing and promoting the currency, doesn't like that idea; as Patric Murck, the organization's general counsel, wrote in a March 19 blog posting: 'If FinCEN would like to expand its statutory authority over "money transmitters" to include brand new categories such as "administrators" and "exchangers" of digital currency it must do so through proper rulemaking proceedings and not by fiat.' If Bitcoin continues to gain in value, it could spark a rise in virtual currencies—and force some very interesting discussions over regulation. But here's the question: would regulation actually be good for Bitcoin, if it made organizations and businesses more comfortable with using it as a currency?" -
Microsoft Mulling Smaller Windows 8 Tablets
Nerval's Lobster writes "Microsoft might want a piece of the mini-tablet market. The company has lowered the minimum screen resolution for Windows 8 tablets, from 1,366 x 768 pixels to 1024 x 768 pixels. "This doesn't imply that we're encouraging partners to regularly use a lower screen resolution," it wrote in an accompanying newsletter. "We understand that partners exploring designs for certain markets could find greater design flexibility helpful." As pointed out by ZDNet's Ed Bott—cited by other publications as the journalist who first noticed the altered guidelines—that lowered resolution "would allow manufacturers to introduce devices that are in line with the resolutions of the iPad Mini (1024 x 768) and the Kindle Fire and Google Nexus 7 (both 1280 x 800)." Whatever the contours of the smaller-tablet market, it's certainly popular enough to tantalize any potential competitor. But if Microsoft plunges in, it will face the same challenges that confronted it in the larger-tablet arena: lots of solid competitors, and not a whole lot of time to make a winning impression. There are also not-inconsiderable hardware challenges to overcome, including processor selection and engineering for optimal battery life." -
Ship Anchor, Not Sabotaging Divers, Possibly Responsible For Outage
Nerval's Lobster writes "This week, Egypt caught three men in the process of severing an undersea fiber-optic cable. But Telecom Egypt executive manager Mohammed el-Nawawi told the private TV network CBC that the reason for the region's slowdowns was not the alleged saboteurs — it was damage previously caused by a ship. On March 22, cable provider Seacom reported a cut in its Mediterranean cable connecting Southern and Eastern Africa, the Middle East and Asia to Europe; it later suggested that the most likely cause of the incident was a ship anchor, and that traffic was being routed around the cut, through other providers. But repairs to the cable took longer than expected, with the Seacom CEO announcing March 23 that the physical capability to connect additional capacity to services in Europe was "neither adequate nor stable enough," and that it was competing with other providers. The repairs continued through March 27, after faults were found on the restoration system; that same day, Seacom denied that the outage could have been the work of the Egyptian divers, but said that the true cause won't be known for weeks. 'We think it is unlikely that the damage to our system was caused by sabotage,' the CEO wrote in a statement. 'The reasons for this are the specific location, distance from shore, much greater depth, the presence of a large anchored vessel on the fault site which appears to be the cause of the damage and other characteristics of the event.'" -
'Blue Waters' Supercomputer Lucky To Exist
Nerval's Lobster writes "One could argue that the University of Illinois' "Blue Waters" supercomputer, scheduled to officially open for business March 28, is lucky to be alive. The 11.6 petaflop supercomputer, commissioned by the University and the National Science Foundation (NSF), will rank in the upper echelon of the world's fastest machines—its compute power would place it third on the current list, just above Japan's K Computer. However, the system will not be submitted to the TOP500 list because of concerns with the way the list is calculated, officials said. University officials and the NSF are lucky to have a machine at all. That's due in part to IBM, which reportedly backed out of the contract when the company determined that it couldn't make a profit. The university then turned to Cray, which would have had to replace what was presumably a POWER or Xeon installation with the current mix of AMD CPUs and Nvidia GPU coprocessors. Allen Blatecky, director of NSF's Division of Advanced Cyberinfrastructure, told Fox that pulling the plug was a 'real possibility.' And Cray itself had to work to find the parts necessary for the supercomputer to begin at least trial operations in the fall of 2012." -
Has Kickstarter Peaked?
Nerval's Lobster writes "Kickstarter has taken off in the past year, raising big money for a wide variety of projects. Look at some of their stats: in June 2012, only seven projects raised more than a million dollars apiece; in the past nine months, another 16 projects have passed that threshold. Since the site began operations in 2009, several of the 38,000 funded projects have broken out as superstars, including the Pebble Watch and a new gaming console. With all this competition, has crowdfunding gotten, well, too crowded? Is Kickstarter peaking? As the dollar amounts have grown, so has the potential for abuse. Hidden amidst all these success stories and multi-million dollar payouts are some sadder tales. The majority of the nearly 50,000 unfunded Kickstarter projects received less than 20 percent of their funding goals, with 11 percent never even getting a single pledge." -
World's Most Powerful Private Supercomputer Will Hunt Oil and Gas
Nerval's Lobster writes "French oil conglomerate Total has inaugurated the world's ninth-most-powerful supercomputer, Pangea. Its purpose: seek out new reservoirs of oil and gas. The supercomputer's total output is 2.3 petaflops, which should place it about ninth on today's TOP500 list, last updated in November. The announcement came as Dell and others prepare to inaugurate a new supercomputer, Stampede, in Texas on March 27. What's noteworthy about Pangea, however, is that it will be the most powerful supercomputer owned and used by private industry; the vast majority of such systems are in use by government agencies and academic institutions. Right now, the most powerful private supercomputer for commercial use is the Hermit supercomputer in Stuttgart; ranked 27th in the world, the 831.4 Tflop machine is a public-private partnership between the University of Stuttgart and hww GmbH. Pangea, which will cost 60 million Euro ($77.8 million) over four years, will assist decision-making in the exploration of complex geological areas and increase the efficiency of hydrocarbon production in compliance with safety standards and with respect for the environment, Total said. Pangea will be housed at Total's research center in the southwestern French city of Pau." -
IBM Dipping Chips In 'Ionic Liquid' To Save Power
Nerval's Lobster writes "IBM announced this week that it has developed a way to manufacture both logic and memory that relies on a small drop of 'ionic liquid' to flip oxides back and forth between an insulating and conductive state without the need to constantly draw power. In theory, that means both memory and logic built using those techniques could dramatically save power. IBM described the advance in the journal Science, and also published a summary of its results to its Website. The central idea is to eliminate as much power as possible as it moves through a semiconductor. IBM's solution is to use a bit of 'ionic liquid' to flip the state. IBM researchers applied a positively charged ionic liquid electrolyte to an insulating oxide material — vanadium dioxide — and successfully converted the material to a metallic state. The material held its metallic state until a negatively charged ionic liquid electrolyte was applied in order to convert it back to its original, insulating state. A loose analogy would be to compare IBM's technology to the sort of electronic ink used in the black-and-white versions of the Kindle and other e-readers. There, an electrical charge can be applied to the tiny microcapsules that contain the 'ink,' hiding or displaying them to render a page of text. Like IBM's solution, the e-ink doesn't require a constant charge; power only needs to be applied to re-render or 'flip' the page. In any event, IBM's technique could conceivably be applied to both mobile devices as well as power-hungry data centers."