Slashdot Mirror


Firewalls and Internet Security, 2nd Ed.

Eater writes "Over the last decade, we've seen an explosion in the area of books dealing with the subject of Internet security. Few have defined the genre as well as Firewalls and Internet Security: Repelling the Wily Hacker by Bill Cheswick and Steve Bellovin. Security gurus rejoice... the 2nd edition is finally here!" Eater compares this new version to the original in his review below.

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Ed.
Authors: William Cheswick, Steven Bellovin, Aviel Rubin
Pages: 455
Publisher: Addison-Wesley
Rating: 9
Reviewer: Eater
ISBN: 020163466X
Summary: Long-awaited second edition of the security administrator's favorite classic.

Those familiar with this classic have undoubtedly recommended it to other hackers seeking a definitive text. Firewalls and Internet Security has provided a roadmap for security-conscious sysadmins since its publication in 1994. It mixed sound policy recommendations with examples of UNIX-based implementations, all rooted in experience from working in AT&T corporate security.

Although many of the ideas laid out in the original edition are just as relevant in today's Internet, much has changed technically since 1994. Alas, this month Addison-Wesley has released a new second edition ... nearly complete rewrite (and 135 page expansion) of the original classic.

A glance at the new edition indeed reveals significant changes. Avi Rubin has been added as an author. The preface revisits some of the predictions made in the first edition, some of which came true and others that didn't. Most sections have been vastly expanded, if not completely restructured.

Denial-of-service (DoS) attacks, infamous in the previous decade, are explored in greater depth. Replacements for deprecated tools have been given new sections (ssh is detailed following the chapter on the "r" commands, for example). The myriad enumeration tools available today are discussed (e.g., Nessus, hping, nmap).

Intrusion-detection tools, almost completely absent from the first edition, are given space in the new book, although not nearly as much as I would have liked. Much has been added on the subject of cryptography and authentication. Forthcoming standards such as IPv6 and DNSSEC are discussed.

Those who've read the original will recall the "Evening with Berferd" chapter, which details a break-in the authors were able to watch and analyze in real time. This inspired more than a few honeypot-oriented projects. The second edition introduces a second real-world scenario, the "Taking of Clark," which illustrates forensic measures to be taken after a host is compromised. Fans of Foundstone's Hacker's Challenge will find it familiar.

The defining thread across all of these topics is what makes this book a classic: the emphasis on the "why," not just the "how." Although the examples are mostly geared towards UNIX users, the guidance and policy suggestions apply directly to any platform where the reader is responsible for making security decisions.

Perhaps the greatest aspect of this book is its availability: it's on the web here. Those who are working in the security field, or those interested in it, will benefit from owning the hard-copy available from Addison-Wesley.


84 comments

  1. A must read? by Anonymous Coward · · Score: 0

    Does the reviewer ever state that this is a must read?

    Sounds like I will have to read it to find out, hopefully it's not too expensive.

    Hey anyone want to go in together and buy a copy? After I read it I will pass it on to someone else (who of course helped pay for the book)

    -out-
    www.jamesmcmurry.com

  2. How does it stack up against... by ratbag · · Score: 4, Interesting

    O'Reilly's Building Internet Firewalls (Zwicky, Cooper & Chapman)?

    Rob. (In the spirit of complete disclosure, I used to work with Simon Cooper's mum)

    1. Re:How does it stack up against... by gmuslera · · Score: 4, Informative
      Or with Practical Unix and Internet Security, whose 3rd edition was released this month.

      I know, this one may talk less about firewalls and Windows and more about Unix, but anyway, it is good to see where each is better and where not.

    2. Re:How does it stack up against... by REBloomfield · · Score: 5, Informative

      Different league. This is about security from the ground up, such as choosing passwords, where holes lie, even how they traced a real live hacker ("berferd"). How services are installed, AT&T Research's real-life setup etc etc... Read this one first, then get the O'Reilly one.

    3. Re:How does it stack up against... by SuiteSisterMary · · Score: 1

      Oooh, a third edition of the Big Yellow Safe book? I'm there.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:How does it stack up against... by ThirdEdition · · Score: 2, Insightful
      I don't think any one book is a good way to have an overall picture of security. Just like you need defense in depth, you need investigation/learning in depth.

      This second edition does a super job of updating the original, and it's about time. For Unix security people I'd suggest you also read Hacking Linux Exposed because it has very in-depth coverage of everything from a Linux standpoint. (Unix really, but they focus on Linux for their answers about how you fix things. Pathnames may differ for other Unix systems, like BSD.)

      O'Reilly's BIF is good, but I'd suggest a Linux-specific firewall book too, like Linux Firewalls, Second Edition.

      For those people not familiar with Hacker's Challenge (1st and 2nd editions) it's a book chock full of real-world (presumably sanitized) cracking examples where they tell you what happened, copies of log data, and you try to figure out what happened. Very good book.

      I'd also like to note that Hacker's Challenge (and Hacking Linux Exposed, for that matter) are not Foundstone books. Hacker's Challenge's lead author is Mike Schiffman, director of security at @stake, which is definitely not Foundstone. Foundstone is doing poorly, going so far as to patent port scanning.

  3. Correction by arvindn · · Score: 4, Interesting

    The first edition is available online. Of the second edition, a couple of chapters are available (in PDF, one in HTML). It does not say if the remaining chapters will become available. Does anyone have information on this?

    1. Re:Correction by ches · · Score: 4, Informative

      It took us about 8 years to put the full text of the first edition on line. It's a marketing call, which we mostly leave up to our publishers. I don't think we will be putting the full text of the second edition up for quite some time.

      ches

    2. Re:Correction by freeweed · · Score: 1

      Just wanted to say thanks a ton for putting up the first edition (if it was even partly your decision). I've kept a hard copy around for what seems like ever now, and it's been perused many a time by friends/co-workers (is this even legal these days?). Both for people just starting out, and historical interest, it's really quite cool to have your book available anywhere, anytime, for free.

      The new edition is rather nice, too :)

      Kudos for at least some content owners having some brains in their heads.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  4. It's on the web . . . by patch-rustem · · Score: 0, Informative

    "Perhaps the greatest aspect of this book is its availability: it's on the web here." That should be put in the article.

    --
    Karma: Bad due to google bombing - Robert Watkins woz 'ere.
    1. Re:It's on the web . . . by Anonymous Coward · · Score: 0

      It is on the web - as you pointed out - BUT not the whole book (although the complete text of the original is in fact online)

      -out-
      www.jamesmcmurry.com

  5. well.. by REBloomfield · · Score: 5, Informative

    This is, without a doubt *the* bible for the subject. Got mine 2nd hand from a car boot years ago, and it lives on my desk permanently. I'd love to see how it's been updated, and whether there are any new additions similar to the Berferd tracing story. The short scripts for scanning subnets etc were great too. Well, well, worth reading.

  6. One of the reference books for tcpip today... by DeHar · · Score: 3, Interesting

    Edition one of this book has a permanent place on the reference shelf of my tcpip classroom. Anytime you're talking about tcpip connectivity these days, you are also talking about securing that connectivity.

    The content may be beyond a lot of beginners, but folks need to look at what is possible.

    1. Re:One of the reference books for tcpip today... by jez_f · · Score: 1
      The content may be beyond a lot of beginners, but folks need to look at what is possible
      Does anyone have suggestions on what would be a good newbie firewall and security book (or site)? This is tempting but if it is too deep then I may not get time to read it. Would prefer something accessible, but if this is the best by far I will go for it.
    2. Re:One of the reference books for tcpip today... by REBloomfield · · Score: 5, Informative

      Personally, I think it's one of those books that grows with you. I got it when I was just starting network administration, and things like the Berferd story, and what DMZs were, etc, though just out of my grasp, interested me enough to find out what terms meant, and it's certainly easy enough to skip sections as you go along. The shell script examples are easy enough to follow, and should be fairly simple to modify for a beginner. Take the plunge, I promise you won't regret it. (It also has one of the clearest explanations of public key cryptography too...)

  7. Cartoons? by YellowSnow · · Score: 1

    Have they put in any new cartoons since the first edition, some were very memorable and very appropriate. With the intervening years of IT tomfoolery there must be a few candidates.

    1. Re:Cartoons? by REBloomfield · · Score: 2, Interesting
      I think the quotes were the best bits, things like :

      Sed quis custodiet ipsos custodes (but who will guard the guards themselves?)

      have been recited by me to many colleagues over the past few years.....

    2. Re:Cartoons? by sigsegv · · Score: 2, Informative

      Yes. Well, at least the cover cartoon is new.

      http://www-fp.aw.com/bigcovers/020163466X.jpg

      -sig

    3. Re:Cartoons? by ches · · Score: 1

      I saw the new cover cartoon a couple of years ago, and _had to have it._ Fortunately, Wiley was amenable. We gotta send him a signed copy.

      There are lots of new epigrams. Ever done a bibliographic entry for a Bugs Bunny cartoon? 8-)

      ches

  8. only 1st Ed available in full by rakerman · · Score: 4, Informative

    Only the first edition of the book is available on the web in full at http://www.wilyhacker.com/1e/

    The second edition appears to be only available in hard copy, for the full purchase price, although there are some chapter excerpts available for download.

    1. Re:only 1st Ed available in full by ksw2 · · Score: 1
      Ah, yes. Unfortunately I missed this fact until after the story was posted. Perhaps a human wave of Slashdotters can convince Addison-Wesley to make the 2nd edition available online as well?

  9. What about patched for human security holes? by Limburgher · · Score: 2, Insightful

    Specifically, the one which makes lusers write their UserIDs and passwords on Post-It(c) notes on their monitors? You'd be amazed how many times I had to send people emails from themselves before they got the message. . .

    --

    You are not the customer.

    1. Re:What about patched for human security holes? by Bazzargh · · Score: 2, Funny

      The surest patching technique is, counterintuitively, to introduce another hole. Using your own choice of weapon.

    2. Re:What about patched for human security holes? by Zathrus · · Score: 4, Insightful

      That patch will be issued immediately after the patch that causes asshole sysadmins to stop requiring a new password every 30 days that doesn't match any of the previous 11 passwords, is at least 8 characters long containing mixed case, a number, and a non-alphanumeric character.

      I've had to deal with such systems before and my passwords rapidly degraded from secure, non-dictionary crackable "phrases" to stupid crap like "Abcdef1", "aBcdef1", or "FuckYou2".

      Of course, I've also known people that did just write their passwords down on a piece of paper, even if you didn't have to change them. The best one was a Unix sysadmin at a place I used to work. He was incompetent, so we would just get stuff done ourselves by going over to his cube and reading the appropriate root password off the bottom of his wrist rest.

    3. Re:What about patched for human security holes? by Anonymous Coward · · Score: 0

      There are some MCSE guys where I work, and they always use these lame passwords where the format is like: "syspassYY" where YY is the year the system went live. It's ridiculous.

    4. Re:What about patched for human security holes? by koreth · · Score: 1
      Tell me about it. At work there's a Windows fileserver I use once a month or so. The password expiration time is set to less than the average amount of time between my uses of the server -- so every single time I want to access the thing, I have to not only choose a new password (which I'll only ever use twice) but also remember the previous password (which I've only used once before.)

      The irony is that this has caused me to use much less secure passwords on that host than I use elsewhere -- my usual passwords are based on made-up phrases and would be pretty tough to crack even if you knew other passwords of mine (an old one was wh2EaTB for "we hate to eat at Taco Bell") but on this server I use a more predictable scheme that lets me figure out what I most likely chose as the password last month.

      The bigger irony is that I'm told the sysadmin of this particular server has his password set to never expire! Apparently he can pick a good one but nobody else can.

    5. Re:What about patched for human security holes? by Wee · · Score: 4, Interesting
      That patch will be issued immediately after the patch that causes asshole sysadmins to stop requiring a new password every 30 days that doesn't match any of the previous 11 passwords, is at least 8 characters long containing mixed case, a number, and a non-alphanumeric character.

      I just did a web-based auth system at work. We have a new web site structure, and we wanted to protect an area for faculty and staff only (I work at a university, in the CS department). I had to come up with a scheme to "force" good passwords for use with the web site (since there will be stuff in that private area that students should never be able to see). It's harder to do than you might think. There's a very fine line between pissing people off with strong passwords and letting them slide by using things like "qwerty".

      In the end, I came up with this:

      • >=6 characters
      • At least one non-alphanumeric character
      • Cannot be based on username (forward or backward)

      That's it. Pretty easy going, right? Not really. I've had a couple people complain already (it's been two days since we went live). I even removed the "Cannot be based on a dictionary word" requirement. We also removed the "Cannot be the same as your Unix system password" requirement (over my loud protestations).

      I actually had a professor (a computer science professor, mind you) ask that I make it more lenient. He lamented to me that because he had to choose a "strange" password (since his "normal" password didn't pass my tests), he had already forgotten what he had chosen. He then asked me to email him and let him know what his password is. After I got done laughing, I prepared a carefully-worded LARTish email explaining to him what a one-way hash is and why I wasn't able to tell him what his word was, even if I wanted to send it to him in email. I also threw in a little bit of "weak passwords are the #1 security hole" boilerplate and explained that I was glad that his normal system password wasn't able to be used on the web site.

      I haven't sent the email yet; I thought it might be too harsh so I decided to sit on it overnight. I think on one hand that anyone clueless enough to use a password that can't pass even my lame scheme deserves to be cut down a notch or two. Then I think that he's a tenured professor, and I should be more respectful. Then I think that he's a tenured professor, and yet is a complete idiot, and I go back to #1. I've always wanted to give a prof what-for.

      -B

      --

      Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
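
The three rules in the comment above, plus the one-way hash the author mentions, as an added example in Python that is not the poster's own code. "Based on the username" is interpreted here as an assumption: the username, forwards or reversed, appears inside the password once case and punctuation are ignored. The storage half uses salted PBKDF2-HMAC-SHA256 (my choice; the comment only says "one-way hash") so that nothing in the stored record lets an administrator recover the plaintext, which is exactly why the professor's request cannot be honoured.

```python
import hashlib
import hmac
import os
import re

MIN_LEN = 6  # the comment's first rule


def password_policy_violations(password, username):
    """Return the rules the candidate password breaks; an empty list means accepted.

    Rules are the three from the comment.  "Based on the username" is an
    assumption here: the username, forwards or reversed, appears inside the
    password once case and punctuation are ignored (so "J.Smith!" still
    counts as based on "jsmith").
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    user = re.sub(r"[^a-z0-9]", "", username.lower())
    norm = re.sub(r"[^a-z0-9]", "", password.lower())
    if user and (user in norm or user[::-1] in norm):
        problems.append("based on the username")
    return problems


def hash_password(password, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself.

    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per user means two users with the same password
    get different records, and a leaked table cannot be attacked in bulk.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ["qwerty", "ecila!23", "Tr0ub4dor&3"]:
        print(candidate, password_policy_violations(candidate, "alice") or "ok")
    record = hash_password("Tr0ub4dor&3")
    print(record)  # nothing in this record lets an admin recover the plaintext
    print(verify_password("Tr0ub4dor&3", record), verify_password("Tr0ub4dor&4", record))
```

The policy check returns every broken rule rather than stopping at the first, so the user sees all the reasons at once instead of fixing them one round-trip at a time. The reset path that follows from the hashing design is to issue a new temporary password, not to look the old one up.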

    6. Re:What about patched for human security holes? by Anonymous Coward · · Score: 0

      Tenured, or not, if he's a prof of C/S, he KNOWS THIS ALREADY. Absolutely no excuse. Give him the gears! He needs a serious memory adjustment!

      Where's my gun? I wanna go hunting!

      I hear idiot C/S profs taste damn good. mmm porkchops...

    7. Re:What about patched for human security holes? by andrewski · · Score: 1

      I don't know, is your current IasomAar5aw ( I am sitting on my ass and reading 5lashdot at work) ?

  10. Fawlty Towers Flashback.. by Anonymous Coward · · Score: 0, Funny

    A guy called "O'Reilly" and he's building walls??

    It gets me laughing every time I think of the ending to that episode.. Basil walking out of the hotel with the garden gnome under his arm..
    "Where are you going Basil??!?"
    "I'm just going to see Mr O'Reilly dear. Then I think I might go to Canada.."

    (sick, just sick.. maybe even worse mental imagery than the goatse trolls can think up..)

  11. Intelligent IDS by MarauderJr · · Score: 5, Informative

    For anyone looking for more information on IDS's or Intelligent IDS's than is covered in the new book, take a look at the white paper on Intelligent IDS's at SecurityProfiling.

    1. Re:Intelligent IDS by Mothra+the+III · · Score: 1

      Have you implemented this? It looks like a nice improvement for Snort, but I am wary of the automatic patching capabilities.

      --
      Worst. Sig. Ever.
    2. Re:Intelligent IDS by MarauderJr · · Score: 4, Interesting
      I have had the chance to play with it some over the past month. I am planning on putting in an Intelligent IDS on a new networking project that I am currently working on. Mainly for these reasons:

      • I will not be onsite. I do not want to drive for a couple of hours every time there is a potential problem such as, "I think someone has hacked our network!"
      • SecurityProfiling's Intelligent IDS and SysUpdate work on most major OS's (Windows, Linux variants, Irix, Apple's OS's).
      • The intelligent IDS solution will be able to watch all incoming traffic on the network for me and e-mail me if it catches any potentially malicious activity.
      • The Intelligent IDS will be able to check all the systems on the network if an attack is occurring against a known security flaw and check to see if all systems have the proper patches in place to make the attack unsuccessful against that known security flaw.
      • If a system is not patched against a known security flaw, the Intelligent IDS will go out and get the security patch and install it on all systems that are not already patched.
      • The Intelligent IDS will report fewer false positives and fewer false negatives than current IDS's.

      Overall, I believe that the Intelligent IDS can be a wonderful solution for almost any type of network. I'm setting up one for my office and my apt.

      Alexander Harrison
      Nocturn Designs

    3. Re:Intelligent IDS by gid-goo · · Score: 2, Insightful

      It seems like an interesting product. Doesn't seem overly useful for environments where folks are installing lots of new stuff. But for a production server environment where stuff doesn't change without multiple levels of approval it seems like a cool product. I don't believe the "virtually eliminates false positives" stuff, but I haven't used the product. Just a lot of other IDS' and they all claim to reduce false positives.

      It appears to still have the fundamental problem with all IDS' (see this). In summary, without the IDS being aware of minutae of the protocol stack of the target machine, it can't actually detect intrusions, not to mention IDS' can easily be overwhelmed. IMHO IDS' are dangerous, IT folks develop a sense of invulnerability. While they're useful for the run of the mill crap that most kids spew, someone who's committed can open a can and the IDS will just stand around and look dumb. If you're the IT guy who told everyone that they could sleep at night because the IDS was taking care of business, then you look dumb.

  12. Re:Review? by REBloomfield · · Score: 2, Informative

    To be fair, I think the fact that you can go and read it for free means that very little has to be said, other than "go see". And it's well worth it too :)

  13. Web security documents by Anonymous Coward · · Score: 1, Interesting
  14. Alas? by sulli · · Score: 4, Funny
    Alas, this month Addison-Wesley has released a new second edition ... nearly complete rewrite (and 135 page expansion) of the original classic.

    Is the author really lamenting the release of the new book? (Perhaps Eater is actually a Wily Hacker?)

    --

    sulli
    RTFJ.
    1. Re:Alas? by ksw2 · · Score: 1
      Amazing how one can misuse a word without correction for years, until of course the word is misused on Slashdot in front of millions of people :-)

      Eater

  15. Did you even read the review? by Anonymous Coward · · Score: 0

    It got a "9." Therefore, it is an average book.

    1. Re:Did you even read the review? by Anonymous Coward · · Score: 0

      Yes I read the review - and the rating number - but didn't see the obligatory "This is a MUST read"

      (sorry - I was trying to be funny in the original post - bad idea, I am not very funny)

      -out-
      www.jamesmcmurry.com

    2. Re:Did you even read the review? by Anonymous Coward · · Score: 0

      sorry - I was trying to be funny in the original post - bad idea, I am not very funny

      That's OK. So was I, as I was going for the "every book is a 9" angle. I guess I'm not so funny either.

  16. Security by RedWolves2 · · Score: 0, Redundant

    Man what is with the rash of security books out lately? It's like as if there is a new sendmail bug out or something...what?....Oh.

    Well then go here to get the book and secure up your networks! Entertainment News anyone?

  17. Sure! by Anonymous Coward · · Score: 0

    Slashdot readers got Microsoft to GPL Windows, for example. Very effective sort we are!

  18. Social eng beats firewall, you need log analysis by GringoGoiano · · Score: 3, Insightful

    Firewalls are great when you can trust all your insiders. That's rarely the case. Real-time intrusion detection systems also help out, but fail when:

    • attacks are diffuse, slow and patient, and seemingly random -- there's no way a real-time detection system will connect the activity
    • insiders do the job -- they're not "intruding"

    To really address security of corporate data you need to:

    • log all activity on all servers and hardware surrounding your vital data
    • store that log data in a centralized location
    • periodically analyze that data for abnormal patterns of activity within or across logged systems
    • some analysis will be boilerplate, other analysis will be highly customized to a specific site's data architecture

    This log analysis approach complements the others, and will catch more insidious, long term, and more damaging violations of critical data. Most corporations have the firewall angle covered well, but can't address social engineering or misbehaving insiders.

    Of course, the big problem here is storing all that log data. Security analysis companies have been around but either can't perform analysis at the detail required, or charge too much (that log data is huge and Oracle isn't cheap).

    Addamark Technologies has a security event logging and analysis tool that seems to address this problem though. They sell a product that uses a cluster of cheap Linux PCs to store all that data, and a SQL/Perl query interface (for those that want to query data directly without web-UI tools), some good web-UI tools. Data loading performance and query performance is out of this world. They've got a great customer list, too.
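
The procedure the comment above lays out (log everything, centralise it, look periodically for patterns within and across systems) as an added example in Python, not the poster's code and unrelated to any vendor product. The log format, host names, addresses and the sample lines are all constructed for the example. It contrasts the per-host threshold that a real-time sensor applies with two queries that only work once the logs from every host sit in one place: a low-and-slow source that never trips any single host's threshold, and an insider whose successful login is to a host they have never used before.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line format for every host feeding the central store (an assumption for
# the example; real syslog would need a per-source parser).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+)$"
)


def parse(lines):
    """Turn raw lines from the central store into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def per_host_alerts(events, min_failures=5):
    """What a threshold on a single host sees: (src, host, failures) with failures >= min_failures."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            counts[(ev["src"], ev["host"])] += 1
    return sorted((src, host, n) for (src, host), n in counts.items() if n >= min_failures)


def slow_scanners(events, min_failures=5, min_hosts=3):
    """Cross-host view: (src, total failures, distinct hosts) for sources whose failures,
    summed over every host in the store, reach min_failures while spread over min_hosts hosts."""
    fails = defaultdict(int)
    hosts = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            fails[ev["src"]] += 1
            hosts[ev["src"]].add(ev["host"])
    return sorted(
        (src, n, len(hosts[src]))
        for src, n in fails.items()
        if n >= min_failures and len(hosts[src]) >= min_hosts
    )


def new_access_pairs(events, baseline_end):
    """Insider check: successful logins at or after baseline_end for a (user, host) pair
    that never appeared in the baseline window.  Returns sorted (user, host, src)."""
    baseline = {
        (ev["user"], ev["host"])
        for ev in events
        if ev["result"] == "Accepted" and ev["ts"] < baseline_end
    }
    novel = {
        (ev["user"], ev["host"], ev["src"])
        for ev in events
        if ev["result"] == "Accepted" and ev["ts"] >= baseline_end
        and (ev["user"], ev["host"]) not in baseline
    }
    return sorted(novel)


def constructed_log():
    """Constructed sample data, not real logs: one week of sshd lines from four hosts."""
    hosts = ["web1", "web2", "mail1", "db1"]
    lines = []
    for day in range(7):
        d = f"2003-03-{10 + day:02d}"
        # Low-and-slow: 203.0.113.7 makes two attempts a day, each on a different host,
        # so no host ever sees more than four failures from it all week.
        lines.append(f"{d}T02:15:00 {hosts[day % 4]} sshd: Failed password for root from 203.0.113.7")
        lines.append(f"{d}T14:40:00 {hosts[(day + 2) % 4]} sshd: Failed password for admin from 203.0.113.7")
        # Normal use: alice on web1 and bob on mail1 every morning.
        lines.append(f"{d}T08:30:00 web1 sshd: Accepted password for alice from 10.0.0.4")
        lines.append(f"{d}T08:35:00 mail1 sshd: Accepted password for bob from 10.0.0.5")
    # Noisy: 198.51.100.9 hammers web1 six times in a minute.
    for sec in range(6):
        lines.append(f"2003-03-12T09:00:{sec * 10:02d} web1 sshd: Failed password for root from 198.51.100.9")
    # Insider: bob, who has only ever used mail1, logs into db1 late on the last night.
    lines.append("2003-03-16T23:50:00 db1 sshd: Accepted password for bob from 10.0.0.5")
    return lines


if __name__ == "__main__":
    events = parse(constructed_log())
    print("per-host view catches:", per_host_alerts(events))
    print("cross-host view adds:", slow_scanners(events))
    print("new (user, host) pairs:", new_access_pairs(events, datetime(2003, 3, 16)))
```

On the sample data the per-host threshold catches only the noisy source; the patient one (14 failures, never more than four on any host) appears only in the cross-host sum, and the insider appears only because a week of accepted logins was kept and compared against. The thresholds and the baseline cut-off are the site-specific part the comment refers to.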

  19. What my parents thought by MichaelCrawford · · Score: 2, Funny
    I bought the first edition just before going to visit my parents for Christmas. I read the book at their house.

    At the time I was thinking of going into security consulting. I thought it would be best to really study up.

    They live near Portland, Oregon, which is the home of the famous Powells bookstore, and Powells Technical Books, probably the best technical bookstore in the world. It's worth visiting Portland just to go to Powell's technical books.

    So on a visit to the bookstore I bought a copy of 2600 just to see what the bad guys were up to. You know, so I'd be a better security expert.

    Well, this got my parents really worried. They thought I was going to start cracking people's boxes. My mother, in a very frightened tone of voice, asked me to promise never to do that. I don't think they really believed that I was trying to learn about it so I could do a better job as a consultant.

    Considering that the government can now force bookstores to reveal book purchases without either a search warrant or your knowledge, I would suggest purchasing the book (and any security books) from a brick & mortar bookstore, and paying cash.

    If my mother thought I was studying it so I could become 31337, imagine what John Ashcroft might think.

    --
    Request your free CD of my piano music.
    1. Re:What my parents thought by alienmole · · Score: 2, Insightful
      If my mother thought I was studying it so I could become 31337, imagine what John Ashcroft might think.

      You have a good point. I'd like to add to that, that you're doing 2600 a bit of a disservice by characterizing it or its contributors so glibly as "bad guys". There's plenty of questionable stuff in 2600, but the point of it all is to encourage curiosity about, and understanding of, actual systems in the world - things you won't necessarily ever learn about in school etc. Since it's targeted mainly towards a young audience (afaict), this naturally gets bound up in a certain amount of rebelliousness and so on. But a thinking adult can see past this.

      There's a really fundamental point here, which is that if you're surrounded by black boxes that you don't understand, you become a helpless consumer, unable to understand or effectively deal with the world around you except in a second-class citizen sort of way. That's what many corporations would like to be the case, of course, and it's the direction that consumer culture naturally gravitates towards - but not everybody buys into that, and wanting to find out more about the world around you, and the technology on which so much depends, is not a crime.

    2. Re:What my parents thought by Anonymous Coward · · Score: 0

      "...but not everybody buys into that, and wanting to find out more about the world around you, and the technology on which so much depends, is not a crime."

      Some days its seems like your last sentence should end like so "is not a crime... yet."

      With the "Total Information Awareness" program that Mr. Bush is both promoting and funding the ability for the government to track the purchasing history of Joe citizen would reach an invasive level.

      With increased capabilities to track the activities of individuals who knows what steps certain overzealous factions of our government would be emboldened to take.

    3. Re:What my parents thought by andrewski · · Score: 1

      I'll second that. Powell's is my Mecca. Luckily for me I live a short (and free) streetcar ride or walk (depending on laziness) away. What a sweet place. They also have a cat named "FUP" and a good collection of ancient computers there.

      Of particular interest is the huge collection of used, and hard-to-find books interspersed with the new books. There are no 'used' and 'new' sections at Powell's tech books.

  20. Everything old is new again by NearlyHeadless · · Score: 2, Funny
    From Chapter 10 of the first edition:
    But he attempted to fetch it using the old sendmail DEBUG hole. (This is not to be confused with new sendmail holes, which are legion.)

    ...
    He knew obscure sendmail parameters and used them well. (Yes, some sendmails have security holes for logged-in users, too. Why is such a large and complex program allowed to run as root?)

    Sendmail bugs, anyone?

    Say, have I ever told you about the time I hacked Steve Bellovin? I did? Oh, well, never mind.

  21. I smell a shill by Anonymous Coward · · Score: 0

    You did not just "try this yourself"... you're obviously either a home-town "beta" or a buddy (or even developer) for the product....

    a simple whois tells me:

    $>whois nocturndesign.com
    Registrant:
    *******
    #### Soldiers Home Rd. ### ###
    West Lafayette, IN 47906
    US

    $>whois securityprofiling.com
    Registrant:
    Security Profiling (SECURITYPROFILING-DOM)
    #### Kenwood Dr.
    Lafayette
    IN,47905
    US

    Directions to work?

    1. Re:I smell a shill by Anonymous Coward · · Score: 0

      more than a shill! this is the "new marketing" at its best! lol

  22. IPv6 has been around since 1996 by d2k297 · · Score: 1

    IPv6 isn't a forthcoming standard as the review would have you believe. I have the 1996 edition of a book by Christian Huitema, a former chairperson of the IAB, detailing IPv6. Anyhow, the review seems useful...

    1. Re:IPv6 has been around since 1996 by ksw2 · · Score: 1
      By forthcoming, I mean "to be widely adopted", not "to be standardized". Hope that clarifies a bit.

      Eater

  23. A Zen story (Re:Security Gurus?) by slouie · · Score: 4, Funny

    After ten years of apprenticeship, Tenno achieved the rank of Zen teacher. One rainy day, he went to visit the famous master Nan-in. When he walked in, the master greeted him with a question, "Did you leave your wooden clogs and umbrella on the porch?"

    "Yes," Tenno replied.

    "Tell me," the master continued, "did you place your umbrella to the left of your shoes, or to the right?"

    Tenno did not know the answer, and realized that he had not yet attained full awareness. So he became Nan-in's apprentice and studied under him for ten more years.

    That is why gurus rejoice at a good security book.

    --

    "I may be Love's bitch, but at least I'm man enough to admit it."
    1. Re:A Zen story (Re:Security Gurus?) by jaunty · · Score: 1

      During that time, Nan-in and Tenno went out occasionally for lunch, usually to a street food vendor who was along their route.

      One day, Tenno ordered a hamburger with the works, then stood back, and waited for Nan-in to place his order. Nan-in looked at the menu of choices available, then pointed at what he wanted, and said, "Make me one with everything".

      After that, Tenno decided to extend his apprenticeship under the master for the next 25 years, as he realized he was just a dumb shit who still had a lot to learn.

      --
      Why did I post this? Ask me now!
  24. "internet security" by josepha48 · · Score: 3, Funny

    isn't that an oxymoron like "army intelligence"?

    --

    Only 'flamers' flame!

  25. Silly by grub · · Score: 0, Insightful

    "Security gurus rejoice... the 2nd edition is finally here!"

    If the readers were "security gurus" they'd already know this stuff, silly!

    --
    Trolling is a art,
  26. Re:Social eng beats firewall, you need log analysi by fanatic · · Score: 2, Informative

    Firewalls are great when you can trust all your insiders. That's rarely the case.

    Not exactly. Firewalls are great when you can't trust all your outsiders, which is always the case. It's just that you need more, besides the firewall, to deal with the internal problems.

    Real-time intrusion detection systems also help out, but fail when:

    * insiders do the job -- they're not "intruding"

    The IDS belongs on the same network with the resources (servers) so that they see all activity, internal as well as external.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  27. Cheswick latest talk by XenoBOFH · · Score: 4, Informative

    I had the pleasure of attending LinuxForum 2003 (in Danish) this weekend, where Cheswick talked about internet security. His slides can be found here and his entire talk is here. I must say that he is a very funny and interesting person.

    1. Re:Cheswick latest talk by svindler · · Score: 1

      I was there as well, bought a copy of the new book and told Cheswick about how often I had lent the old book to sysadmins who wanted to learn about security.
      He wrote a dedication in my new book: "Do not lend this book!"

    2. Re:Cheswick latest talk by XenoBOFH · · Score: 1

      Nice! Mine has his wet-thumbprint with a square around it and a text saying "Authors DNS. Do not duplicate"

  28. Well duh! by Blackneto · · Score: 1

    Get some revenue out of it!
    If you respond to this troll and say it's a great book to buy, I'll buy it!
    well i'm planning on it anyway...

    --
    Ursula Andress, Catherine Deneuve, and Charo, twice...
  29. Secure Programming for Linux and Unix HOWTO by dwheeler · · Score: 1

    If you're interested in writing secure programs (instead of installing / configuring existing programs to be secure), take a look at my freely-available book: Secure Programming for Linux and Unix HOWTO.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  30. mighty by Anonymous Coward · · Score: 0

    god

  31. suspicious things... by zogger · · Score: 1

    --I go to a public library occasionally to use their computers. It's fun to be on high speed. Sometimes I use their printers when I am there, they have a modest fee on a per printed page deal. All the networked computers had their own printers until a couple of weeks ago, it was handy as you could set your own preferences and margins and copy count, etc, and not interfere with anyone else, check if you liked the results, etc. Swell. So now they switched to a print server thing, a big laser printer, but dig this! It's not out on the floor where you as a patron can just go grab your printouts, nope, it's kept inside the office, you have to go to the desk and ask the librarian to please bring your printouts.

    I find this rather disturbing. The only reason I can see for this is so they can scan what you are printing. I even asked them about it, the person I asked literally flushed, then stammered, then said "well, it's uhh easier this way." Uh huh. If it was just to use a better printer, swell, but they have plenty of space out on the floor for it, in fact they have a few photocopiers etc aligned on the wall for public use, but NOT what you go find on the web and decide to print out, nope, that has to be done back out of view in the office.

    Same library. Last summer I went in there, wires hanging from the ceiling, I traced them, saw (what I knew to be but are designed to not look like) obvious cams being installed that are aimed at the computers. I asked the same librarian then "what electronic stuff are you installing?". She said, "oh, that's just some electronic stuff". I asked again, "Exactly what kind of electronic stuff?" "Just stuff".

    uh huh

  32. 1st edition was pretty good by danny · · Score: 1

    My review of the first edition might be of interest, though a lot has changed since then! The first edition was one of the first ever books on firewalls - also the first review copy I got from a publisher, so I have fond memories of it.

    I've just asked for a review copy of the new edition.

    Danny.

    --
    I have written over 900 book reviews
  33. Wow, mine aren't the only ones..... by jayrtfm · · Score: 1

    .....who think that way.

    In the 80's I partnered with some friends to start a multi-media/DTP company, while still keeping my day job at a photo lab.
    Since everyone at the lab knew about my company, someone gave me a xeroxed Forbes article on how laser printers were being used to make bogus checks. It laid out step by step how to do it, obviously so companies could make changes to prevent this type of scam.

    When my parents came across it in my home, they were convinced that this was what I was really doing with the computer equipment, and warned me that they wouldn't give me bail money when I was arrested for it.