Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Security, Privacy and Commerce

Posted by timothy on from the prying-eyes-need-removal-and-squashing dept.

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it. Web Security, Privacy and Commerce author Simson Garfinkel, Gene Spafford (Contributor), Debby Russell pages 800 publisher O'Reillly & Associates rating 10 reviewer rw2 ISBN 0596000456 summary A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!

This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!

You can purchase Web Security, Privacy and Commerce at Fatbrain.

68 comments

  1. Web security? by brand+bendy · · Score: 0, Offtopic

    I can't believe they didn't use the obviously superior title: WEBCURITY!

    --
    I use phrases like "darn good" and "rootin' tootin'", but only when there's a darn good, rootin tootin' reason!
  2. the problem i've noticed.. by MoceanWorker · · Score: 2, Troll

    as amazing and helpful as these books are, and other great online resources not to mention, a majority of sys admins don't apply what they've learned on their servers... at the last company I worked for... our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000 :-P but that's another thing... the thing is, the guy knew squat.. in the time we hired this guy, till the company i worked for went out of business... 2 servers in the company got hacked (NT boxes.. nothing special).. he did nothing about it... maybe it was just where i worked.. but it's just sad how anyone can just get some sort of a certificate and automatically classify them as a "sys admin" or something ridiculous like that

    *sigh* just my 2 cents as always ;-)

    MCSE = Microsoft Certified Solitaire Expert

    --


    "The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
    1. Re:the problem i've noticed.. by HMC+CS+Major · · Score: 3, Interesting

      Maybe instead of flaming an obviously standardized course known to produce a lot of windows admins, most of who know only what the book says and nothing more, you should flame those in charge of hiring at your company, for choosing someone from that course rather than someone with proven experience?

      I'm all up for microsoft bashing in some situations. Bitching about security caused by poor admins is not one of them. Fix the admins, by not hiring the bad ones, and maybe they'll realize that if none of the brand new MCSE's can get a job, there's something wrong with the course.

      --
      Video for Online Dating Profiles
    2. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000

      I know this sounds like a joke or a flame or something, but it really isn't. I am dead serious: the MCSE certification should have set off warning sirens in people's heads that this guy was likely to be "challenged." While there are exceptions, generally a clueful person is not going to get a MCSE.

    3. Re:the problem i've noticed.. by chrismcc@netus.com · · Score: 1

      I like this better:

      MCSE = Must Call Someone Experienced

      --
      Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
    4. Re:the problem i've noticed.. by BigBir3d · · Score: 2, Interesting

      There are a few good reasons people do get an MCSE:

      1. Pay is generally increased
      2. Easy to do, if you know your stuff.
      3. Resume fluff.
      4. In a crappy economy, if you don't have one, the person who does, gets the job :-(

    5. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      Yeah, it's sort of a "negative" certification, in the same way "convicted felon" is. (Note: I'm not calling MCSEs criminals! I'm just saying that MSCE is to clueless, as convicted felon is to untrustworthy.) It's not that MSCE indoctrination can really harm the competence of someone who already knows what they're doing. It's just that the desire to obtain MCSE certification is an indicator of having warped values. And warped values lead to bad judgement. So the relationship is indirect and not completely reliable, but there is a correlation.

    6. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      There are a few good reasons people do get an MCSE:

      1. Pay is generally increased

      Well, the original poster wasn't a MSCE, he was a guy at a company that hired one. What I'm saying is that, by now, everyone should know the trend: MSCEs are worth less than non-MSCEs. So, looking at it from the employer's viewpoint, he should have paid less.

      And then, by extension, in a "crappy economy", computer experts should hide or not draw attention to their being a MSCE. In a buyer's market, employers can afford to hire clueful people, instead of settling for MSCEs.

    7. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      Not all MCSE's are clueless.

      Most? Maybe.

      Just cuz you think you are the shit, and that you are too cheap too pay to take the courses/tests, you dont have an MCSE. this somehow, I AM SURE, makes you better than people who might have a lot more book knowlegde than you...

      it all boils down to one thing: EXPERIENCE

      at least the MCSE's of the world are trying, or tried in the past.

    8. Re:the problem i've noticed.. by gustar · · Score: 1

      Why would anyone with even basic intelligence automatically assume that a candidate with an MCSE certification (or any other cert for that matter) is worth less then a candidate without such a certificate?

      This has to be one of the most backwards lines of thought I've heard in a while.

      First off, in a correctly conducted job search a candidate's worth would be based on their actual experience as determined by a hopefully extensive interview process and not judged on the alphabet soup of buzzwords they have on their resume.

      There are many extremely experienced technical folks out there that are smart enough to realize that certifications (MSCE or other) can be very helpful in securing employment, which is why they get them!

      In addition, many companies are able to maintain reseller agreements, and other business partnerships with vendors based on having a certain number of certified staff on board, thus making the hire of a person who is already certified even more attractive.

      So I would say the implicit assumption that someone with an MCSE is inherently less "cluefull" then someone without is just another line of clap-trap from the cro-mags that expound other useless philosophies such as "real men don't read manuals."

      Blah to the lot of ya.

  3. Web-security by tomcio.s · · Score: 0, Offtopic

    Magic 8-ball says:
    "Outlook not so good"

  4. dynamic-ness by kresmoi · · Score: 4, Insightful

    problem is, how often are you going to have to buy the update to the book to stay on top of things, and how far behind 'the scene' is the book already by the time it's published? I would think the dynamic nature of these things would make books on web security a trifle behind the times and impractical, kind of like a dictionary of street slang: It'll get the general stuff right, but the details and inflection are always changing, and the world's in the details.

    However, this ringing review would indicate otherwise. please enlighten?

  5. Interesting review, but... by CatherineCornelius · · Score: 4, Insightful
    What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code. The above review tells me it's that kind of book I might take a look at, but I'm left wondering if perhaps the book that would give me an insight into how to produce more secure system configurations and help my team to write more secure code has not yet been written.

    As a senior web and database developer, I'm probably more likely to check into security mailing lists and watch out for advisories about the core products of my service delivery systems (whether PHP, JSP, Vignette, Apache, IAS, or whatever). Still, any book that raises awareness of security issues and introduces key concepts in an easy to understand manner is to be applauded.

    1. Re:Interesting review, but... by rw2 · · Score: 3, Informative

      What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code.

      This book is not a programmers manual, so you will have to keep looking if that's what you want.

      I understand what you are looking for, but I wonder if it isn't too language specific to be a practical seller.

    2. Re:Interesting review, but... by Crispin+Cowan · · Score: 2, Informative
      For a good book on security and programming, try "Building Secure Software" by John Viega and Gary McGraw. I am going to use this book as the course text in the next offering of my graduate security course.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, WireX Communications, Inc.
      Immunix: Security Hardened Linux Distribution
      Available for purchase

  6. Eyes Glazing Over by Alien54 · · Score: 2
    While this obviously is important, still we can see plenty of people with their eyes glazing over, even as we type.

    Of course, that is likely why most folks will need this, and why many sites are deficient on security. You need to be fairly expert to run a secure site, and this is an area where alot of folks sorta fall down.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Eyes Glazing Over by 4of12 · · Score: 3, Funny

      still we can see plenty of people with their eyes glazing over, even as we type.

      There are a lot of analogies between doing proper computer security and life in the Army.

      Mind numbing bureaucracy, paperwork, jargon, 98% of the time you are bored stiff, and, then, 2% of the time is pure terror.

      --
      "Provided by the management for your protection."
  7. Knowing multiple platforms is a good thing by Junks+Jerzey · · Score: 3, Insightful

    You definitely get the feeling these guys know there stuff from more than one perspective.

    Grammar aside, that's a good recommendation for the book. I'm getting tired of all the dismissals of anything Windows with flippant, often incorrect, remarks. (For example, it seems that many Slashdotters don't realize that Windows XP is based on Windows NT, not Windows 95.) When you expand your horizons, you expand your knowledge. And as a bonus it makes you less bitter.

    1. Re:Knowing multiple platforms is a good thing by haus · · Score: 1

      Although I know what XP is based off of, I am still capable to being very bitter.

    2. Re:Knowing multiple platforms is a good thing by HMC+CS+Major · · Score: 1
      perhaps you should hire a therapist to look into it .....

      1. Are you jealous because microsoft makes more money than you do?
      2. Are you mad that the microsoft code is more functional than anything you'll ever write?
      3. Are you upset because microsoft wouldnt hire you?
      4. Are you still mad because win95 crashed once and lost your homework and you'll forever curse the windows of the past rather than looking at the current incarnation, forever insisting that microsoft sux0rs?


      I've seen it said, a few times, that linux is for those who hate microsoft, while bsd is for those who love unix. The more anti-microsoft posts I see on this site, the more I'm convinced that this saying is absolutely true.
      --
      Video for Online Dating Profiles
    3. Re:Knowing multiple platforms is a good thing by haus · · Score: 1

      Perhaps you should get out more often. The point was simply that people, including myself, can find plenty of things to be bitter about that origins of some silly program. Maybe you can discuss your need to jump to conclusions in your next therapy session.

  8. Makes it sense... by Krapangor · · Score: 1

    ...to buy such a book at all ?
    The information in there would be outdated in a couple of months, and the new version would be aviable in some years.
    You can get decent security information on the net why even brother to buy a book ?
    (Ha, you can even get the tools to test your security on the net...just ask some script kiddie)

    --
    Owner of a Mensa membership card.
  9. Another good resource by the_rev_matt · · Score: 2

    I'm definitely going to check this one out, as I'm something of a security freak. I'm currently reading "Security Engineering" by Ross Anderson (Wiley) and while the author has an obvious bias in favor of Windows, it is a great look at designing security for distributed systems.

    --
    this is getting old and so are you

    blog

  10. You made two statements ... by TheViffer · · Score: 3, Insightful

    Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need.

    One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix

    I believe there is only so much that this book (which I have not seen yet) can cover. If there were "levels" of detail regarding a book, this sounds like it covers the first three, and leave the bottom two to that of the reader to explore furthor.

    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise).

    The book covers "web" issues and not OS issues.

    --
    -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
  11. only certain security issues date by K7001 · · Score: 1

    when discussing hacking what's important is the target resource. This is the data / resources that you intend to acquire.
    methods change of protecting data common exploits
    change.
    The data to go after is always research data as it's most valuable. prime targets are small players researching 'edge' technology that will get to market b 4 the big boys.
    the big boys will pay a lotta dosh for that kind of info.
    remember as well that all fortune 500 companies are always monitoring each other some ways legal
    i.e what colour is the smoke coming out of your factory what trucks are delivering where are the company execs travelling to etc. seems like small things but i promise you it's done all the time.

    --
    perl -MIO::Socket -e 'IO::Socket::INET-new(PeerAddr="some.windoze.box:1
  12. Simson Garfinkel? by bigginal · · Score: 1

    I took one quick look at the first author's name and thought it said:

    "Simon & Garfunkel"

    -bigginal

  13. Open source "at least as secure as proprietary" by CatherineCornelius · · Score: 1
    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise.

    It's not just Microsoft's own sites that have locked out non-Microsoft browsers--the UK government's Microsoft-commissioned site for electronic filing of tax returns was in the news earlier this year when non-MSIE users found themselves locked out. Fortunately, the British have shown some sense, and a recent report acknowledged that "Properly configured open source software can be at least as secure as proprietary systems, and open source software is currently subject to fewer Internet attacks."

    The government is set to conform to an EU strategy to make more use of open source software.

  14. Simpson Garfinkel by gentlewizard · · Score: 1

    I like Garfinkel's writing style. His
    O'Reilly manual on PGP was very approachable and useful. I'm looking forward to this book.

    1. Re:Simpson Garfinkel by Brummund · · Score: 3, Informative
      Also, the slightly (ahem) outdated Practical Unix & Internet Security is also recommended. A good walk-through of all things related to security, from social hacking to securing NFS. It's a bit outdated, but it will give you a good start on security basics.

      (And as always with books from Garfinkel, a good and fun read)

  15. To Improve Security 100%...... by tagplazen · · Score: 5, Interesting

    ..remove the words "Well, it's okay because that box is sitting behind our firewall" from everybodys lexicon.

    The point was raised above about how out of date this book would be by the time it was released. I honestly don't believe that's as big of an issue as people seem to think, 99% of the battle with keeping our networks secure is just getting people to consider the issue in the first place. Any book I can throw at our apps developers that gets them even thinking about the broad issues is a good thing, because once the seed is planted, then they come over and ask us what we would reccomend as they're working on their apps. Over the past six months we've seen the 'Ooops, you mean that travel site with the form for people to put their CC number in should be SSL'd?' to almost daily informal meetings about what they're doing and how we can support them.

    Our biggest nightmare has been the sysadmins. The NT sysadmin refuses to apply any patches, 'because then things break', and won't close a single port, 'if you want features, you have to leave things open'. Lots of guerilla midnight work going on behind that boy. ;-)

    Our solaris sysadmin is no better, if you could take the words 'Well, back at Siemans..' out of his vocabulary, he wouldn't have anything to say. Yet, he's very good at the above mentioned meetings for arguing that we're too paranoid, 'Only a very skilled attacker could sniff passwords of our switched network,' and this after multiple times of showing him dsniff and ettercap in action, complete with grabbing his passwords several times. Once again, lots of midnight cowboy fixes behind the back.

    There's a really good book out, Building Secure Software where he brings out some very good points. The best one being that security is put on networkings shoulders, when the real problem is that the developers don't build their applications with security in mind. Therefore, the strategy is to deny attackers access to the errors in the code, when the best practice would be to remove those errors in the first place. That and the quote about ecrypting information in transit is like a guy living on the sidewalk using an armored car to send his credit card information to a man living on the beach in a cardboard box is simply priceless.

  16. Want a free car?!? by Anonymous Coward · · Score: 1, Funny

    Our car-manufacturing company has developed a new revolutionary business model for making cars.

    We give away the cars for free and then we sell services for those cars! If you want to we can clean your car, wax it or you can use some of our other services.

    We get cash from a couple of VC's, the rest of them simple don't "get it". If we need more we just call "the suits".

  17. dynamic-ness yes out of date no by BobBoring · · Score: 1

    If you are not a security guru and know some things about security, you need to know a good primary source for information. The book's data may get dated very quickly but the data sources you derive from the book will be current. Some books are good for the data others are good for directing you to a current reference. Having an author do 90% of the leg work and sorting of trash sources from golden ones is important.

  18. Big deal... by Joe+the+Lesser · · Score: 0, Flamebait

    The book is nice and all, but in 3 years it will be as obsolete as a Macintosh Classic. You're better off spending your time doing well...anything else...than reading it.

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  19. yoda? by MemeRot · · Score: 2

    talking weird grammar you are, yes.
    ancient wizard, you?
    Jedi mind tricking your way past security, yes.

  20. One subject that was left out. by mencik · · Score: 4, Informative

    I received an advance copy of this book from Simson. I agree that it is a very good book. However there is one topic that was not discussed. I've emailed Simson about this and if another revision is done, they will include more info on it.

    The topic left out is the issue of third-party servers. Many companies, particularly small business, use third party hosting. As such, the SSL provided for their form submission process only protects the information from the client computer (the consumer) to the web server (at the third party location). It does nothing to protect how that information gets from that third-party server back to the company. You would be surprised how many companies simply take that sensitive information (credit card numbers, etc.) and package it into an email message and send it to the company via plaintext email. Not very secure.

    I wrote a paper on this subject in 1999 which is still posted at http://jsweb.net/paper.htm entitled "Are Secure Internet Transactions Really Secure?" I encourage you to take a look at it to learn more about how many companies are only providing a false sense of security, and not really protecting your information as it transits the Internet.

    1. Re:One subject that was left out. by look · · Score: 1

      This definately needs to be covered. I did some (unrelated) work for a small local business who was assuring their internet customers that credit card transactions with their site were "100% secure". Which, basically, they were...until the transaction with the web server was over, and a script -- provided by the ISP, no less -- fired off an email to their POP3 account with all the credit card details.

      And don't even get me started about their pathetic passwords.

    2. Re:One subject that was left out. by Untrusted · · Score: 1

      Kind of related to this is overall security for those remote servers. If you have a site that you depend on (say a service provider hosting a shopping cart because you lack the infrastructure to do it yourself) and it's security sucks then you expose yourself to all kinds of heartache. I'm aware of a site with an outsourced e-commerce section (thankfully no account information, simply an online store) that had that e-commerce section go away when the service provider's server got Nimda.

  21. in 3 years? by MemeRot · · Score: 2

    What's your point? In 10 years everything anyone does in computers today will be obsolete. Does that mean nobody should bother? If nobody bothered then nobody would make the advances...

    There is no perfect security. That doesn't mean you should just be happy with no security.

  22. Spafford & Garfinkel !! by ReidMaynard · · Score: 0, Offtopic

    Man I love their music, esp "The Sound of Science".

    --
    -- www.globaltics.net

    Political discussion for a new world

  23. The real security hole... by MemeRot · · Score: 2

    Social hacking. "Hey yeah, this is uh, Joe from finance. What's the password to log into the database again? Thanks." No use building million dollar impregnable walls if the gatekeeper waves the invading hordes right on through....

    I agree that SSL does give a false sense of security, especially with credit card numbers. Truly private info like credit card numbers should always be stored in ecrypted form, not just transmitted in encrypted form. I'm amazed especially at stories of dot-coms where a hacker managed to penetrate a database and then have access to a million credit cards. Ridiculous. You can keep 9 out of 10 hackers out with good external security. Out of the ones that get thru, the 1 in 100 who could deal with and decrypt the card numbers in the database will probably decide it's not worthwhile and go steal them from someone less cautious.

  24. The book will be outdated? Think again. by gordguide · · Score: 3, Insightful

    "The book will be outdated in (insert your favorite timetable here)" should all be moderated as obvious. I mean, really, there are people out there trying to make sex itself outdated sometime in the future, but I live in the here and now. What this or any well-written book does is it gives us an understanding of the issues and a foundation for future learning. Read it and forget it is no more a stragegy than not reading it at all.

    If it is a good read that makes the complicated less intimidating, I would consider it an excellent foundation for those who aren't up on the issues but want to get started.

  25. Enough already! It was a typo damn it! by breillysf · · Score: 1
    I don't know how it happened, but that was a typo on the question I posed to Slashdot. It was NOT a very lame attempt to coin a bogus new term! I still don't know how the word "Network Security" got truncated to "Webcurity."



    I HATE that term as much as anyone - so let's kill it once and for all and chalk it up to a very BAD typo.