Slashdot Mirror


Web Security, Privacy and Commerce

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it.

Web Security, Privacy and Commerce
author: Simson Garfinkel, Gene Spafford (Contributor), Debby Russell
pages: 800
publisher: O'Reilly & Associates
rating: 10
reviewer: rw2
ISBN: 0596000456
summary: A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical, I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. The authors take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!
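The backup story carries a concrete engineering lesson: a job whose errors only ever reach a screen that is gone by the time anyone looks has no verifiable result. As an added example (not code from the book or from the review; the paths are hypothetical and the sample data is constructed inline), the following POSIX shell wrapper sends the job's errors to a persistent log, verifies the archive by reading it back, and records a single OK/FAIL line that a monitor can check, so a failed run cannot pass for a normal termination:

```shell
#!/bin/sh
# Added example, not code from the book or the review: a backup wrapper that
# writes its own persistent log and verifies the archive it produced, so a run
# that threw errors is recorded as FAIL instead of looking like a normal
# termination after the session is gone. All paths are hypothetical and the
# sample data is constructed inline.

# run_backup SRC_DIR ARCHIVE LOGFILE
# Archives SRC_DIR into ARCHIVE, reads the archive back as a verification
# step, and appends one "<timestamp> OK|FAIL <detail>" line to LOGFILE.
# Returns 0 only when both creation and verification succeeded.
run_backup() {
    src="$1"; archive="$2"; logfile="$3"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Errors go to the log file, not the terminal, so they survive a logout.
    if ! tar -C "$src" -cf "$archive" . 2>>"$logfile"; then
        echo "$stamp FAIL create $archive" >>"$logfile"
        return 1
    fi
    # An archive that cannot be read back is not a backup.
    if ! tar -tf "$archive" >/dev/null 2>>"$logfile"; then
        echo "$stamp FAIL verify $archive" >>"$logfile"
        return 1
    fi
    echo "$stamp OK $archive" >>"$logfile"
    return 0
}

# last_backup_status LOGFILE
# Prints OK or FAIL for the most recent recorded run, or NONE if no run was
# ever recorded. A monitoring job that alerts on anything but OK closes the
# gap in the story: nobody has to be sitting at the screen.
last_backup_status() {
    logfile="$1"
    status=""
    [ -f "$logfile" ] && status=$(grep -E '^[^ ]+ (OK|FAIL) ' "$logfile" | tail -n 1 | awk '{print $2}')
    if [ -n "$status" ]; then echo "$status"; else echo NONE; fi
}

# Constructed demonstration: one good run, then one against a missing
# directory that stands in for the job erroring out.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data"
    echo "sample record" >"$work/data/file1.txt"
    run_backup "$work/data" "$work/good.tar" "$work/backup.log"
    run_backup "$work/missing" "$work/bad.tar" "$work/backup.log" || true
    last_backup_status "$work/backup.log"   # prints FAIL: the error was kept
    rm -rf "$work"
}

demo
```

Run the wrapper from cron and have a separate check alert on anything but OK from last_backup_status; the constructed demo performs one good backup and one against a missing directory, and the second one is what shows up as FAIL in the log.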

This section also has an interesting chapter on email privacy and a couple of different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know their stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!

You can purchase Web Security, Privacy and Commerce at Fatbrain.

68 comments

  1. PANDA by Anonymous Coward · · Score: -1, Offtopic

    First Panda.

    1. Re:PANDA by The+WIPO+Troll · · Score: -1

      My crotch smells of cheese. Old cheese. I wonder why. I don't remember rubbing any cheese down there.

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

    2. Re:PANDA by Fecal+Troll+Matter · · Score: -1

      Time for Timothy to stop reading shitty books.

  2. Porkin' my little sister all day! by The+WIPO+Troll · · Score: -1

    1. Re:Porkin' my little sister all day! by Anonymous Coward · · Score: -1, Offtopic

      In Canada you'd be thrown in jail for that shit, and regardless of my feelings on civil rights I'd full support that. Trolling is one thing, but flat out depravity is the work of immature little kids, or fucking sickos, both of whom should be barred from the net.

    2. Re:Porkin' my little sister all day! by The+WIPO+Troll · · Score: -1

      Hahahahahah so civil rights are basically all good except for the people in your opinion are "too" sick.

      Fuck you. And die. Hipocrite.

      (Oh, and I didn't even write those, ass-munch, I stole them all from another board called Fark. It's some kind of pedophile hangout. Why don't you send your cops-on-a-horse after them instead of poor little old WIPO?)

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

    3. Re:Porkin' my little sister all day! by l33t+j03 · · Score: -1

      Son-of-a-bitch. That was a $5 post.

    4. Re:Porkin' my little sister all day! by The+WIPO+Troll · · Score: -1

      Sorry, sis will cost you at least $6.50 for oral, $6.75 for anal and $7 even for real sex. You can chain her up too for an additional $2.50.

      [Disclaimer for you Socialist 51st-staters that some AC-wad was so kind to whine to me about: This is a joke! Like your country. No, seriously... I do not actually rape my sister. Only animals, and then only if they consent.]

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  3. I would like by Megafucker.com · · Score: -1
    to kill a panda. I think it might make a nice stew. Or casserole.

    --
    Are you experienced?

    1. Re:I would like by The+WIPO+Troll · · Score: -1

      I got a few in my freezer. Want 'em?

      I slaughtered them by beating them to death with my ponderously large penis. I hope you don't mind panda meat marinate in WIPO cum.

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  4. Oh, this is sweet! by The+WIPO+Troll · · Score: -1

    -1: 6 comments.
    0: 0 comments.
    1: 0 comments.
    2: 0 comments.
    3: 0 comments.
    4: 0 comments.
    5: 0 comments.

    --

    J. Wipo Troll, Esq.
    Crapflooder Associates
    Slashdot.org

  5. name=ActionURL by Anonymous Coward · · Score: -1, Offtopic

    !(!)

  6. I think I will pass on your generous offer by Megafucker.com · · Score: -1
    I'm more into the whole quim thing. If you had some panda meat cooked in a nice warm pussy, though, I would gladly take the panda carcass.

    --
    Are you experienced?

    1. Re:I think I will pass on your generous offer by The+WIPO+Troll · · Score: -1

      I could stuff the meat in my sister's pussy and roast it up for you. (Her too.)

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  7. this article by Megafucker.com · · Score: -1
    has the most insightful posts I've ever read on /.

    really!

    --
    Are you experienced?

    1. Re:this article by The+WIPO+Troll · · Score: -1

      -1: 10 comments.
      0: 0 comments.
      ...

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  8. Web security? by brand+bendy · · Score: 0, Offtopic

    I can't believe they didn't use the obviously superior title: WEBCURITY!

    --
    I use phrases like "darn good" and "rootin' tootin'", but only when there's a darn good, rootin tootin' reason!
    1. Re:Web security? by The+WIPO+Troll · · Score: -1

      Ass-slurper. Us trolls were doing good filling this thread with a stream of -1 gizz-snot, until you came alone. Ass-munching cheese-monkey.

      Hopefully you'll get modded down, twice, at least.

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  9. the problem i've noticed.. by MoceanWorker · · Score: 2, Troll

    as amazing and helpful as these books are, and other great online resources not to mention, a majority of sys admins don't apply what they've learned on their servers... at the last company I worked for... our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000 :-P but that's another thing... the thing is, the guy knew squat.. in the time we hired this guy, till the company i worked for went out of business... 2 servers in the company got hacked (NT boxes.. nothing special).. he did nothing about it... maybe it was just where i worked.. but it's just sad how anyone can just get some sort of a certificate and automatically classify them as a "sys admin" or something ridiculous like that

    *sigh* just my 2 cents as always ;-)

    MCSE = Microsoft Certified Solitaire Expert

    --


    "The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
    1. Re:the problem i've noticed.. by HMC+CS+Major · · Score: 3, Interesting

      Maybe instead of flaming an obviously standardized course known to produce a lot of windows admins, most of whom know only what the book says and nothing more, you should flame those in charge of hiring at your company, for choosing someone from that course rather than someone with proven experience?

      I'm all up for microsoft bashing in some situations. Bitching about security caused by poor admins is not one of them. Fix the admins, by not hiring the bad ones, and maybe they'll realize that if none of the brand new MCSE's can get a job, there's something wrong with the course.

    2. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000

      I know this sounds like a joke or a flame or something, but it really isn't. I am dead serious: the MCSE certification should have set off warning sirens in people's heads that this guy was likely to be "challenged." While there are exceptions, generally a clueful person is not going to get a MCSE.

    3. Re:the problem i've noticed.. by chrismcc@netus.com · · Score: 1

      I like this better:

      MCSE = Must Call Someone Experienced

      --
      Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
    4. Re:the problem i've noticed.. by BigBir3d · · Score: 2, Interesting

      There are a few good reasons people do get an MCSE:

      1. Pay is generally increased
      2. Easy to do, if you know your stuff.
      3. Resume fluff.
      4. In a crappy economy, if you don't have one, the person who does, gets the job :-(

    5. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      Yeah, it's sort of a "negative" certification, in the same way "convicted felon" is. (Note: I'm not calling MCSEs criminals! I'm just saying that MCSE is to clueless, as convicted felon is to untrustworthy.) It's not that MCSE indoctrination can really harm the competence of someone who already knows what they're doing. It's just that the desire to obtain MCSE certification is an indicator of having warped values. And warped values lead to bad judgement. So the relationship is indirect and not completely reliable, but there is a correlation.

    6. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      There are a few good reasons people do get an MCSE:

      1. Pay is generally increased

      Well, the original poster wasn't an MCSE, he was a guy at a company that hired one. What I'm saying is that, by now, everyone should know the trend: MCSEs are worth less than non-MCSEs. So, looking at it from the employer's viewpoint, he should have paid less.

      And then, by extension, in a "crappy economy", computer experts should hide or not draw attention to their being an MCSE. In a buyer's market, employers can afford to hire clueful people, instead of settling for MCSEs.

    7. Re:the problem i've noticed.. by Anonymous Coward · · Score: 0

      Not all MCSE's are clueless.

      Most? Maybe.

      Just 'cuz you think you are the shit, and that you are too cheap to pay to take the courses/tests, you don't have an MCSE. This somehow, I AM SURE, makes you better than people who might have a lot more book knowledge than you...

      it all boils down to one thing: EXPERIENCE

      at least the MCSE's of the world are trying, or tried in the past.

    8. Re:the problem i've noticed.. by gustar · · Score: 1

      Why would anyone with even basic intelligence automatically assume that a candidate with an MCSE certification (or any other cert for that matter) is worth less than a candidate without such a certificate?

      This has to be one of the most backwards lines of thought I've heard in a while.

      First off, in a correctly conducted job search a candidate's worth would be based on their actual experience as determined by a hopefully extensive interview process and not judged on the alphabet soup of buzzwords they have on their resume.

      There are many extremely experienced technical folks out there that are smart enough to realize that certifications (MCSE or other) can be very helpful in securing employment, which is why they get them!

      In addition, many companies are able to maintain reseller agreements, and other business partnerships with vendors based on having a certain number of certified staff on board, thus making the hire of a person who is already certified even more attractive.

      So I would say the implicit assumption that someone with an MCSE is inherently less "clueful" than someone without is just another line of clap-trap from the cro-mags that expound other useless philosophies such as "real men don't read manuals."

      Blah to the lot of ya.

  10. Web-security by tomcio.s · · Score: 0, Offtopic

    Magic 8-ball says:
    "Outlook not so good"

  11. tijd voor by Anonymous Coward · · Score: -1, Offtopic

    koffie !

  12. dynamic-ness by kresmoi · · Score: 4, Insightful

    problem is, how often are you going to have to buy the update to the book to stay on top of things, and how far behind 'the scene' is the book already by the time it's published? I would think the dynamic nature of these things would make books on web security a trifle behind the times and impractical, kind of like a dictionary of street slang: It'll get the general stuff right, but the details and inflection are always changing, and the world's in the details.

    However, this ringing review would indicate otherwise. please enlighten?

  13. Interesting review, but... by CatherineCornelius · · Score: 4, Insightful
    What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code. The above review tells me it's that kind of book I might take a look at, but I'm left wondering if perhaps the book that would give me an insight into how to produce more secure system configurations and help my team to write more secure code has not yet been written.

    As a senior web and database developer, I'm probably more likely to check into security mailing lists and watch out for advisories about the core products of my service delivery systems (whether PHP, JSP, Vignette, Apache, IAS, or whatever). Still, any book that raises awareness of security issues and introduces key concepts in an easy to understand manner is to be applauded.

    1. Re:Interesting review, but... by rw2 · · Score: 3, Informative

      What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code.

      This book is not a programmers manual, so you will have to keep looking if that's what you want.

      I understand what you are looking for, but I wonder if it isn't too language specific to be a practical seller.

    2. Re:Interesting review, but... by Crispin+Cowan · · Score: 2, Informative
      For a good book on security and programming, try "Building Secure Software" by John Viega and Gary McGraw. I am going to use this book as the course text in the next offering of my graduate security course.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, WireX Communications, Inc.
      Immunix: Security Hardened Linux Distribution
      Available for purchase

  14. Eyes Glazing Over by Alien54 · · Score: 2
    While this obviously is important, still we can see plenty of people with their eyes glazing over, even as we type.

    Of course, that is likely why most folks will need this, and why many sites are deficient on security. You need to be fairly expert to run a secure site, and this is an area where a lot of folks sorta fall down.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Eyes Glazing Over by 4of12 · · Score: 3, Funny

      still we can see plenty of people with their eyes glazing over, even as we type.

      There are a lot of analogies between doing proper computer security and life in the Army.

      Mind numbing bureaucracy, paperwork, jargon, 98% of the time you are bored stiff, and, then, 2% of the time is pure terror.

      --
      "Provided by the management for your protection."
  15. Knowing multiple platforms is a good thing by Junks+Jerzey · · Score: 3, Insightful

    You definitely get the feeling these guys know there stuff from more than one perspective.

    Grammar aside, that's a good recommendation for the book. I'm getting tired of all the dismissals of anything Windows with flippant, often incorrect, remarks. (For example, it seems that many Slashdotters don't realize that Windows XP is based on Windows NT, not Windows 95.) When you expand your horizons, you expand your knowledge. And as a bonus it makes you less bitter.

    1. Re:Knowing multiple platforms is a good thing by haus · · Score: 1

      Although I know what XP is based off of, I am still capable of being very bitter.

    2. Re:Knowing multiple platforms is a good thing by HMC+CS+Major · · Score: 1
      perhaps you should hire a therapist to look into it .....

      1. Are you jealous because microsoft makes more money than you do?
      2. Are you mad that the microsoft code is more functional than anything you'll ever write?
      3. Are you upset because microsoft wouldn't hire you?
      4. Are you still mad because win95 crashed once and lost your homework and you'll forever curse the windows of the past rather than looking at the current incarnation, forever insisting that microsoft sux0rs?


      I've seen it said, a few times, that linux is for those who hate microsoft, while bsd is for those who love unix. The more anti-microsoft posts I see on this site, the more I'm convinced that this saying is absolutely true.
    3. Re:Knowing multiple platforms is a good thing by haus · · Score: 1

      Perhaps you should get out more often. The point was simply that people, including myself, can find plenty of things to be bitter about other than the origins of some silly program. Maybe you can discuss your need to jump to conclusions in your next therapy session.

  16. Makes it sense... by Krapangor · · Score: 1

    ...to buy such a book at all ?
    The information in there would be outdated in a couple of months, and the new version would be available in some years.
    You can get decent security information on the net, so why even bother to buy a book?
    (Ha, you can even get the tools to test your security on the net...just ask some script kiddie)

    --
    Owner of a Mensa membership card.
  17. what has become of slashdot by Anonymous Coward · · Score: -1, Troll

    you have spam in the ads! I just saw an ad on slashdot that said rent all the dvds you want for 20 bucks! ITS FUCKING SPAM! Malda is a hypocrite

    1. Re:what has become of slashdot by The+WIPO+Troll · · Score: -1

      The term is not hypocrite, it's "stinking greedy capitalist corporate sell-out and whore."

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  18. Another good resource by the_rev_matt · · Score: 2

    I'm definitely going to check this one out, as I'm something of a security freak. I'm currently reading "Security Engineering" by Ross Anderson (Wiley) and while the author has an obvious bias in favor of Windows, it is a great look at designing security for distributed systems.

    --
    this is getting old and so are you

    blog

  19. You made two statements ... by TheViffer · · Score: 3, Insightful

    Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need.

    One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix

    I believe there is only so much that this book (which I have not seen yet) can cover. If there were "levels" of detail regarding a book, this sounds like it covers the first three, and leaves the bottom two for the reader to explore further.

    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise).

    The book covers "web" issues and not OS issues.

    --
    -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
  20. Where's Egg Troll when you need him? by Ronco+Pocket+TrollMa · · Score: -1

    I just wanted to quickly say that I'm not wearing any pants.

    --
    Ronco Pocket TrollMan - Leave off the last N for Savings!
    1. Re:Where's Egg Troll when you need him? by The+WIPO+Troll · · Score: -1

      I rolled Egg Troll up in a little ball and enveloped him with my massive ass cheeks. He tried to escape, but I shoved him back into my ass, and then plugged it with a dildo to make sure he couldn't get out. I hope he enjoys it up there. All wet and pink and puffy and stinky. I think there's some jizz-snot up there too if he gets hungry.

      And I am wearing pants. On my head.

      --

      J. Wipo Troll, Esq.
      Crapflooder Associates
      Slashdot.org

  21. only certain security issues date by K7001 · · Score: 1

    When discussing hacking, what's important is the target resource. This is the data / resources that you intend to acquire.
    Methods of protecting data change; common exploits change.
    The data to go after is always research data, as it's most valuable. Prime targets are small players researching 'edge' technology that will get to market before the big boys.
    The big boys will pay a lotta dosh for that kind of info.
    Remember as well that all Fortune 500 companies are always monitoring each other, some ways legal,
    i.e. what colour is the smoke coming out of your factory, what trucks are delivering, where are the company execs travelling to, etc. Seems like small things, but I promise you it's done all the time.

    --
    perl -MIO::Socket -e 'IO::Socket::INET-new(PeerAddr="some.windoze.box:1

  23. When are you people going to learn? by Tasty+Beef+Jerky · · Score: -1, Flamebait

    There is no expectation of privacy on the Internet. Just as I don't expect privacy when I walk down the street, order a burger from McDonalds, etc, nor do I expect privacy when I surf to the GE website, Slashdot, etc. (And if you don't think Slashdot collects information from you, you are sadly mistaken.)

    No matter how hard you try to remain anonymous, you will not be able to. In fact, it's easier to remain anonymous in real life than it is online. Even if you're transmitting information through proxies, traffic analysis can yield a great amount of information about your doings. There is nothing to prevent Sprint, Verizon, or any other backbone provider from monitoring the flow of information from your system to another system. Hell, your ISP does it all the time.

    The Internet is not like a super-secret technocracy where everyone minds their own business. It is a big huge conference room where anyone has the ability to see what anyone else is doing. (Yes, if you work hard enough, you can figure out my surfing habits from my apartment.) Just remember that your computer is built to give away as much information as it can, and it will do so any chance it gets.

    So if you want "Webcurity," do what I do. If you wouldn't do it on a stage in front of millions of people, don't do it on the Internet!

    --

    I'm the tasty treat nobody can resist!
    IM Me! AOL IM:Tasty Beef Jerky

  24. Simson Garfinkel? by bigginal · · Score: 1

    I took one quick look at the first author's name and thought it said:

    "Simon & Garfunkel"

    -bigginal

  25. Open source "at least as secure as proprietary" by CatherineCornelius · · Score: 1

    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise).

    It's not just Microsoft's own sites that have locked out non-Microsoft browsers--the UK government's Microsoft-commissioned site for electronic filing of tax returns was in the news earlier this year when non-MSIE users found themselves locked out. Fortunately, the British have shown some sense, and a recent report acknowledged that "Properly configured open source software can be at least as secure as proprietary systems, and open source software is currently subject to fewer Internet attacks."

    The government is set to conform to an EU strategy to make more use of open source software.

  26. Re: crackhead mods by Anonymous Coward · · Score: -1, Redundant

    note: parent post should be modded UP, not down, it's true, not a troll

  27. Simpson Garfinkel by gentlewizard · · Score: 1

    I like Garfinkel's writing style. His O'Reilly manual on PGP was very approachable and useful. I'm looking forward to this book.

    1. Re:Simpson Garfinkel by Brummund · · Score: 3, Informative
      Also, the slightly (ahem) outdated Practical Unix & Internet Security is also recommended. A good walk-through of all things related to security, from social hacking to securing NFS. It's a bit outdated, but it will give you a good start on security basics.

      (And as always with books from Garfinkel, a good and fun read)

  28. To Improve Security 100%...... by tagplazen · · Score: 5, Interesting

    ..remove the words "Well, it's okay because that box is sitting behind our firewall" from everybody's lexicon.

    The point was raised above about how out of date this book would be by the time it was released. I honestly don't believe that's as big of an issue as people seem to think, 99% of the battle with keeping our networks secure is just getting people to consider the issue in the first place. Any book I can throw at our apps developers that gets them even thinking about the broad issues is a good thing, because once the seed is planted, then they come over and ask us what we would recommend as they're working on their apps. Over the past six months we've seen the 'Ooops, you mean that travel site with the form for people to put their CC number in should be SSL'd?' to almost daily informal meetings about what they're doing and how we can support them.

    Our biggest nightmare has been the sysadmins. The NT sysadmin refuses to apply any patches, 'because then things break', and won't close a single port, 'if you want features, you have to leave things open'. Lots of guerrilla midnight work going on behind that boy. ;-)

    Our Solaris sysadmin is no better, if you could take the words 'Well, back at Siemens..' out of his vocabulary, he wouldn't have anything to say. Yet, he's very good at the above mentioned meetings for arguing that we're too paranoid, 'Only a very skilled attacker could sniff passwords off our switched network,' and this after multiple times of showing him dsniff and ettercap in action, complete with grabbing his passwords several times. Once again, lots of midnight cowboy fixes behind the back.

    There's a really good book out, Building Secure Software where he brings out some very good points. The best one being that security is put on networking's shoulders, when the real problem is that the developers don't build their applications with security in mind. Therefore, the strategy is to deny attackers access to the errors in the code, when the best practice would be to remove those errors in the first place. That and the quote about encrypting information in transit is like a guy living on the sidewalk using an armored car to send his credit card information to a man living on the beach in a cardboard box is simply priceless.

  29. Want a free car?!? by Anonymous Coward · · Score: 1, Funny

    Our car-manufacturing company has developed a new revolutionary business model for making cars.

    We give away the cars for free and then we sell services for those cars! If you want to we can clean your car, wax it or you can use some of our other services.

    We get cash from a couple of VC's, the rest of them simply don't "get it". If we need more we just call "the suits".

  30. dynamic-ness yes out of date no by BobBoring · · Score: 1

    If you are not a security guru and know some things about security, you need to know a good primary source for information. The book's data may get dated very quickly but the data sources you derive from the book will be current. Some books are good for the data others are good for directing you to a current reference. Having an author do 90% of the leg work and sorting of trash sources from golden ones is important.

  31. Big deal... by Joe+the+Lesser · · Score: 0, Flamebait

    The book is nice and all, but in 3 years it will be as obsolete as a Macintosh Classic. You're better off spending your time doing well...anything else...than reading it.

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)

  32. yoda? by MemeRot · · Score: 2

    talking weird grammar you are, yes.
    ancient wizard, you?
    Jedi mind tricking your way past security, yes.

  33. One subject that was left out. by mencik · · Score: 4, Informative

    I received an advance copy of this book from Simson. I agree that it is a very good book. However there is one topic that was not discussed. I've emailed Simson about this and if another revision is done, they will include more info on it.

    The topic left out is the issue of third-party servers. Many companies, particularly small businesses, use third party hosting. As such, the SSL provided for their form submission process only protects the information from the client computer (the consumer) to the web server (at the third party location). It does nothing to protect how that information gets from that third-party server back to the company. You would be surprised how many companies simply take that sensitive information (credit card numbers, etc.) and package it into an email message and send it to the company via plaintext email. Not very secure.

    I wrote a paper on this subject in 1999 which is still posted at http://jsweb.net/paper.htm entitled "Are Secure Internet Transactions Really Secure?" I encourage you to take a look at it to learn more about how many companies are only providing a false sense of security, and not really protecting your information as it transits the Internet.

    1. Re:One subject that was left out. by look · · Score: 1

      This definitely needs to be covered. I did some (unrelated) work for a small local business who was assuring their internet customers that credit card transactions with their site were "100% secure". Which, basically, they were...until the transaction with the web server was over, and a script -- provided by the ISP, no less -- fired off an email to their POP3 account with all the credit card details.

      And don't even get me started about their pathetic passwords.
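    A defender's check for the relay pattern mencik and look describe (a hosting-side form script mailing card numbers to the merchant in the clear): this is an added example, not code from the page, the book, or any ISP, that scans an outbound message for Luhn-valid card numbers so a mail relay or log review can flag the leak before it leaves the hosting network. The message, addresses and card numbers below are constructed test data.

```python
import re
from email import message_from_string
from typing import List

# Constructed sample of the notification mail the comments describe: a
# form-to-email script forwarding an order, card number and all, in plaintext.
# 4111 1111 1111 1111 is a well-known test number; the order id is not a PAN.
SAMPLE_MAIL = """From: webform@hosting.example
To: orders@merchant.example
Subject: New order #1042

Name: A. Customer
Card: 4111 1111 1111 1111
Exp: 12/03
Order id: 1234567890123456
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which filters most random digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number-like digit strings found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four only, so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound_mail(raw: str) -> List[str]:
    """Parse an RFC 822 message and return masked PANs found in its body."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return [mask(p) for p in find_pans(body)]


if __name__ == "__main__":
    print("PANs leaked in clear:", scan_outbound_mail(SAMPLE_MAIL))
```

    A non-empty result from scan_outbound_mail is the signal that the provider's script, not the customer's SSL session, is where the card data goes unprotected.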

    2. Re:One subject that was left out. by Untrusted · · Score: 1

      Kind of related to this is overall security for those remote servers. If you have a site that you depend on (say a service provider hosting a shopping cart because you lack the infrastructure to do it yourself) and its security sucks then you expose yourself to all kinds of heartache. I'm aware of a site with an outsourced e-commerce section (thankfully no account information, simply an online store) that had that e-commerce section go away when the service provider's server got Nimda.

  34. in 3 years? by MemeRot · · Score: 2

    What's your point? In 10 years everything anyone does in computers today will be obsolete. Does that mean nobody should bother? If nobody bothered then nobody would make the advances...

    There is no perfect security. That doesn't mean you should just be happy with no security.

  35. Spafford & Garfinkel !! by ReidMaynard · · Score: 0, Offtopic

    Man I love their music, esp "The Sound of Science".

    --
    -- www.globaltics.net

    Political discussion for a new world

  36. The real security hole... by MemeRot · · Score: 2

    Social hacking. "Hey yeah, this is uh, Joe from finance. What's the password to log into the database again? Thanks." No use building million dollar impregnable walls if the gatekeeper waves the invading hordes right on through....

    I agree that SSL does give a false sense of security, especially with credit card numbers. Truly private info like credit card numbers should always be stored in encrypted form, not just transmitted in encrypted form. I'm amazed especially at stories of dot-coms where a hacker managed to penetrate a database and then have access to a million credit cards. Ridiculous. You can keep 9 out of 10 hackers out with good external security. Out of the ones that get thru, the 1 in 100 who could deal with and decrypt the card numbers in the database will probably decide it's not worthwhile and go steal them from someone less cautious.

  37. here's another article by Anonymous Coward · · Score: -1, Offtopic

    this is a more detailed article.

  38. The book will be outdated? Think again. by gordguide · · Score: 3, Insightful

    "The book will be outdated in (insert your favorite timetable here)" should all be moderated as obvious. I mean, really, there are people out there trying to make sex itself outdated sometime in the future, but I live in the here and now. What this or any well-written book does is it gives us an understanding of the issues and a foundation for future learning. Read it and forget it is no more a strategy than not reading it at all.

    If it is a good read that makes the complicated less intimidating, I would consider it an excellent foundation for those who aren't up on the issues but want to get started.

  39. Enough already! It was a typo damn it! by breillysf · · Score: 1

    I don't know how it happened, but that was a typo on the question I posed to Slashdot. It was NOT a very lame attempt to coin a bogus new term! I still don't know how the word "Network Security" got truncated to "Webcurity."

    I HATE that term as much as anyone - so let's kill it once and for all and chalk it up to a very BAD typo.