
Comments


Book Review: Architecting the Cloud

benrothke Re:Real world example .. (75 comments)

If you start a dialogue with a sales rep at AWS, they have a lot of diagrams and detailed technical material they will share.

You can also look around at http://aws.amazon.com/document..., as there is a lot of good technical material there.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:The cloud (75 comments)

> First and foremost, the cloud is not in any way, shape or form secure. Anything you put there is there to share.

It’s as secure as you want to make it.

Many firms that take security seriously use the cloud.

> Second, it is a buzzword that is used to get gullible suits to think that they can get rid of their IT departments.

You do have a good point there.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:Either (75 comments)

You are correct about my not getting the first sentence right.

With that, don't let a defective sentence stop you from reading a very good book.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:More details please... (75 comments)

> Will an experienced admin (20+ years *NIX) that's currently using RackSpace (dedicated and cloud) learn anything from this book? It's so hard to tell from this review.

I think so.

> I've been using RackSpace for a few months now and I find that it's not much different than hosting the servers myself, except I don't have to deal with things like router/switch configuration and hardware replacements.

From a hosting and sys admin perspective, it is not a radical difference.

But from a cloud application perspective, there is a lot to learn.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:Standards Standards Standards (75 comments)

Excellent point.

Lack of standardization is one of the biggest problems facing cloud computing.

It’s inevitable a few standards will eventually emerge. But until then, there’s a lot of uncertainty.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:a solution in search of a problem (75 comments)

> entrust their data to some unknown and unmonitored external entity such as the 'cloud'.

Do you really consider Amazon Web Services unknown and unmonitored?

The granularity of what they can report on shows their monitoring capabilities are quite sophisticated.

> Until that time, safe and productive cloud computing is just a fantasy. It's a solution in search of a problem. Avoid it.

I think the facts speak for themselves. There are thousands of examples of safe and productive instances of cloud computing.

But there are also tens of thousands of examples of insecure and unproductive instances of cloud computing.

about a week ago

Book Review: Architecting the Cloud

benrothke Re:Sounds like a good read (75 comments)

The book doesn’t deal with acceptable use per se, as much of acceptable use is determined by the specific user of the cloud.

As I wrote, “almost any security regulation or standard can be met in the cloud, as none of the regulations and standards dictate where the data must specifically reside”.

So if you define what acceptable use is and build that into your cloud policy and contract, that would be acceptable.

about a week ago

Book Review: Social Engineering In IT Security Tools, Tactics, and Techniques

benrothke Re:Edit check (45 comments)

I stand corrected.

Thanks.

about a month ago

Book Review: Introduction To Cyber-Warfare: A Multidisciplinary Approach

benrothke Re:Just one correction (27 comments)

Thanks. Good point worth reiterating. It was a management decision to design it like that.

Bruce Schneier wrote about that issue a few times in reference to the Predator design, noting that security is a cost/benefit equation.

about a month and a half ago

Book Review: Security Without Obscurity

benrothke Re:Meta-review (51 comments)

Thanks for the helpful comments.

about 3 months ago

Book Review: Security Without Obscurity

benrothke Re:Either Ben or Stapleton is missing something (51 comments)

I think everyone outside of the NSA wanted a longer key length than 56 bits.

But the main comment from the book was that the DEA withstood the test of time, aside from hardware catching up to it and making an exhaustive key attack quite practical.

about 3 months ago

Book Review: Security Without Obscurity

benrothke Re:Either Ben or Stapleton is missing something (51 comments)

> Why do you think we created Triple-DES?

Because 56-bit DES was indeed weak. But aside from an exhaustive key attack as noted, do you know of any DES flaws? It seems like there are none.

> Supposedly the NSA made it more difficult to use differential calculus against DES by changing the S-Box permutations but it is still possible.

Let me check that out and see if that is indeed the case.

about 3 months ago

Book Review: Hacking Point of Sale

benrothke Re:Very Easy (56 comments)

Excellent points.

When it comes to targeted advertising and big data analytics, it seems like security will always get short shrift.

about 4 months ago

Book Review: Hacking Point of Sale

benrothke Re:Very Easy (56 comments)

I agree with you.

The issue though is that these ‘purpose designed networks’ can, at limited times, be created with a small set of requirements (purposes).

But in large e-commerce settings, with multiple suppliers, inputs, etc., the purpose expands significantly, with complexity that quickly becomes unmanageable, and quickly insecure.

about 4 months ago

Book Review: Hacking Point of Sale

benrothke Re:Torching the house rather than lighting a candl (56 comments)

Interesting point.

But that is the same admonition that was used when the first ‘Hacking Exposed’ book came out, which is similar to the argument that terrorists will use strong encryption.

Ultimately, it simply makes it more of an imperative that the white hats should read these books.

Full list of the series here:

http://www.amazon.com/s/?_enco...

about 4 months ago

Book Review: How I Discovered World War II's Greatest Spy

benrothke Re:WW2's greatest spy? (102 comments)

Ok, thanks.

Who would you suggest is the greatest one?

about 5 months ago

Book Review: The Digital Crown

benrothke Re:Flash...? (69 comments)

> People need to know that some books are not worth buying to save wasting their money.

Agreed.

As to your bike analogy, you mentioned a commercial magazine, where people get paid. I do not get paid to review books.

If I were a professional reviewer, then perhaps I would have more time to review a wider quality range of books.

> So some may ask "what style of writing does

Thanks for the recommendation. Will try to use it for future reviews.

about 8 months ago

Submissions


Book review: Architecting the Cloud

benrothke benrothke writes  |  about two weeks ago

benrothke (2577567) writes "Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS)

Author: Michael Kavis

Pages: 224

Publisher: Wiley

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1118617618

Summary: Extremely honest and enlightening book on how to effectively use the cloud





Most books about cloud computing fall into one of two types. The first is the extremely high-level, quasi-marketing tome about the myriad benefits of the cloud, written without any understanding of how to practically implement the technology under discussion. The other type is the highly technical reference guide that provides technical details, but for a limited audience.



In Architecting the Cloud: Design Decisions for Cloud Computing Service Models, author Michael Kavis has written perhaps the most honest book about the cloud. Make no mistake about it: Kavis is a huge fan of the cloud. But more importantly, he knows what the limits of the cloud are, and how cloud computing is not a panacea. That type of candor makes this book an invaluable guide for anyone looking to understand how to effectively deploy cloud technologies.



The book is an excellent balance of the almost boundless potential of cloud computing, mixed with a high amount of caution that the potential of the cloud can only be manifest with effective requirements and formal security architecture.



The full title of the book is: Architecting the Cloud: Design Decisions for Cloud Computing Service Models: SaaS, PaaS, and IaaS. One of the mistakes of using the cloud is that far too many decision makers rush in, without understanding the significant differences (and they are significant) between the 3 main cloud service models.



The book crams a lot in under 200 pages in the following 16 chapters:

1 Why Cloud, Why Now?

2 Cloud Service Models

3 Cloud Computing Worst Practices

4 It Starts with Architecture

5 Choosing the Right Cloud Service Model

6 The Key to the Cloud: RESTful Services

7 Auditing in the Cloud

8 Data Considerations in the Cloud

9 Security Design in the Cloud

10 Creating a Centralized Logging Strategy

11 SLA Management

12 Monitoring Strategies

13 Disaster Recovery Planning

14 Leveraging a DevOps Culture to Deliver Software Faster and More Reliably

15 Assessing the Organizational Impact of the Cloud Model

16 Final Thoughts



In chapter 1, he provides a number of enthusiastic cloud success stories to set the stage. He shows how a firm was able to build a solution entirely on the public cloud with a limited budget. He also showcases Netflix, whose infrastructure is built on Amazon Web Services (AWS).



Chapter 3 is titled Cloud Computing Worst Practices, and the book would be worth purchasing for this chapter alone. The author has a number of cloud horror stories and shows the reader how they can avoid failure when moving to the cloud. While many cloud success stories showcase applications developed specifically for the cloud, the chapter details the significant challenges of migrating existing and legacy applications to the cloud. Such migrations are not easy endeavors, which he makes very clear.



In the chapter, Kavis details one of the biggest misguided perceptions of cloud computing, in that it will greatly reduce the cost of doing business. That is true for some cloud initiatives, but definitely not all, as some cloud marketing people may have you believe.



Perhaps the most important message of the chapter is that not every problem is one that needs to be solved by cloud computing. He cites a few examples where not going with a cloud solution was actually cheaper in the long run.



The book does a very good job of delineating the differences between the various types of cloud architectures and service models. He notes that one reason for leveraging IaaS over PaaS is that when a PaaS provider has an outage, the customer can only wait for the provider to fix the issue and get the services back online. With IaaS, the customer can architect for failure and build redundant services across multiple physical or virtual data centers.



For many CIOs, security fears about the cloud mean that they will immediately write off any consideration of cloud computing. In chapter 9, the author notes that almost any security regulation or standard can be met in the cloud, as none of the regulations and standards dictate where the data must specifically reside.



The book notes that for security to work in the cloud, firms need to apply three key strategies for managing security in cloud-based applications, namely centralization, standardization and automation.



In chapter 10, the book deals with creating a centralized logging strategy. Even though logging is a critical component of any cloud-based application, it is one of the areas that many firms don't adequately address in their move to the cloud. The book provides a number of approaches to use to create an effective logging strategy.
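
The three strategies from chapter 9 (centralization, standardization, automation) and the centralized logging chapter meet in one concrete step: every source is normalized into a single schema before it leaves the host, so that a query such as "how many errors in the last hour, across all tiers" is even possible. The Go program below is an added example and is not code from the book or its author. The Event schema, the two constructed sample lines (a BSD-style syslog line from sshd and a JSON application line), the severity mapping and the collector-supplied year are all this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Event is the single schema every source is normalized into before shipping.
type Event struct {
	Time     time.Time         `json:"time"`
	Source   string            `json:"source"`
	Host     string            `json:"host"`
	Severity string            `json:"severity"` // one vocabulary: INFO, WARN, ERROR
	Message  string            `json:"message"`
	Fields   map[string]string `json:"fields,omitempty"`
}

// Constructed sample lines, one per format found in a typical deployment.
const (
	SampleSyslog = `Jun  3 14:05:12 web-01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2`
	SampleApp    = `{"ts":"2014-06-03T14:05:13Z","level":"error","svc":"checkout","msg":"payment gateway timeout","order":"A-1001"}`
)

var syslogRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$`)

// NormalizeSyslog maps a BSD-style syslog line to an Event. The format carries
// no year (the collector supplies it) and no severity (derived from a keyword).
func NormalizeSyslog(year int, line string) (Event, error) {
	m := syslogRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("syslog: unparsable line %q", line)
	}
	t, err := time.Parse("2006 "+time.Stamp, fmt.Sprintf("%d %s", year, m[1]))
	if err != nil {
		return Event{}, err
	}
	sev := "INFO"
	if strings.Contains(strings.ToLower(m[4]), "failed") {
		sev = "WARN"
	}
	return Event{Time: t, Source: "syslog", Host: m[2], Severity: sev, Message: m[4],
		Fields: map[string]string{"program": m[3]}}, nil
}

// NormalizeJSONApp maps an application's JSON line to an Event; keys outside the
// core schema are kept under Fields so nothing is silently dropped.
func NormalizeJSONApp(host, line string) (Event, error) {
	var raw map[string]interface{}
	if err := json.Unmarshal([]byte(line), &raw); err != nil {
		return Event{}, err
	}
	ts, _ := raw["ts"].(string)
	t, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return Event{}, fmt.Errorf("app: bad or missing ts: %v", err)
	}
	ev := Event{Time: t.UTC(), Source: "app", Host: host, Fields: map[string]string{}}
	ev.Severity = strings.ToUpper(fmt.Sprint(raw["level"]))
	ev.Message = fmt.Sprint(raw["msg"])
	for k, v := range raw {
		if k != "ts" && k != "level" && k != "msg" {
			ev.Fields[k] = fmt.Sprint(v)
		}
	}
	return ev, nil
}

// CountBySeverity only works once every source shares one severity vocabulary.
func CountBySeverity(events []Event) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		counts[ev.Severity]++
	}
	return counts
}

func main() {
	ev1, _ := NormalizeSyslog(2014, SampleSyslog)
	ev2, _ := NormalizeJSONApp("app-02", SampleApp)
	for _, ev := range []Event{ev1, ev2} {
		b, _ := json.Marshal(ev)
		fmt.Println(string(b)) // one JSON line per event, ready for the collector
	}
	fmt.Println(CountBySeverity([]Event{ev1, ev2}))
}
```

The point of the design is that the per-source parsing (year supplied by the collector, severity derived from a keyword, unknown JSON keys preserved) happens once at the edge, and everything downstream sees one shape with one vocabulary; a line that cannot be normalized is returned as an error rather than being dropped on the floor.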



The only issue I have with the book is that while the author is a big fan of Representational State Transfer (REST), many firms have struggled to obtain the benefits he describes. REST is an abstraction of the architecture of the web, namely an architectural style consisting of a coordinated set of architectural constraints applied to components, connectors and data elements within a distributed hypermedia system. REST ignores the details of component implementation and protocol syntax in order to focus on the roles of components, the constraints upon their interaction with other components, and their interpretation of significant data elements.



I think the author places too much reliance on RESTful web services and doesn't detail the challenges in making them work properly. RESTful is not always the right choice, even though it is all the rage in some cloud design circles.



While the book is part of the Wiley CIO Series, cloud architects, software and security engineers, technical managers and anyone with an interest in the cloud will find this an extremely valuable resource.



Ironically, those that are looking for ammunition for why the cloud is a terrible idea will find plenty of evidence for it in the book. But the reasons are predominantly that those that have failed in the cloud didn't know why they were there in the first place, or were clueless about how to use the cloud.



For those that want to do the cloud right, the book provides a vendor neutral approach and gives the reader an extremely strong foundation on which to build their cloud architecture.



The book lists the key challenges that you will face in the migration to the cloud, and details how most of those challenges can be overcome. The author is sincere when he notes areas where the cloud won't work.



For those that want an effective roadmap to get to the cloud, and one that provides essential information on the topic, Architecting the Cloud: Design Decisions for Cloud Computing Service Models is a book that will certainly meet their needs.





Reviewed by Ben Rothke"

Book review: Social Engineering in IT Security Tools, Tactics, and Techniques

benrothke benrothke writes  |  about a month ago

benrothke (2577567) writes "Title: Social Engineering in IT Security Tools, Tactics, and Techniques

Author: Sharon Conheady

Pages: 272

Publisher: McGraw-Hill Osborne Media

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-0071818469

Summary: Great resource on which to build a social engineering testing program



When I got a copy of Social Engineering in IT Security Tools, Tactics, and Techniques by Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic: Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the foreword to the book, which he found to be a valuable resource.



While there is overlap between the two books, Hadnagy's book takes a somewhat more aggressive, tool-based approach, while Conheady takes a somewhat more passive, purely social approach to the topic. There are many more software tools in Hadnagy, while Conheady doesn't reference software tools until nearly halfway through the book.



This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes that the overall tactics and goals have stayed the same, while the tools and techniques have been modified to suit the times.



The following are the chapters in the book:



1. Social Engineering's Evolution

2. The Ethical and Legal Aspects of Social Engineering

3. Practical Social Engineering and Why it Works

4. Planning Your Social Engineering Test

5. Reconnaissance & Information Gathering

6. Scenario Creation & Testing

7. Executing Your Social Engineering Test

8. Reporting

9. The Social Engineering Arsenal & Tools of the Trade

10. Defense Against Social Engineering Attacks

11. Tomorrow's Social Engineering Attacks



Coming in at about 250 pages, the book finds a good balance between high-level details and actionable tactical things to execute on, without getting bogged down in filler.



Since the social engineering tools and techniques only get better, the advantage Conheady's book has is that it details a lot that has changed in the 4 years since Hadnagy's book came out.



In chapter 1, she writes about mumble attacks, which are telephone-based social engineering attacks that are targeted at call center agents. The social engineer will pose as a speech-impaired customer or as a person calling on behalf of the speech-impaired customer. The goal of this method is to make the victims, in this case call center agents, feel awkward or embarrassed and release the desired information. Given the pressure that most call center agents are under, this is a simple yet highly effective attack.



Like Hadnagy's book, this one also has a detailed social engineering test methodology. Conheady details a methodology with 5 stages: planning and target identification, research and reconnaissance, scenario creation, attack execution and exit, and reporting. She notes that one does not have to be a slave to the methodology, and it can be modified depending on the project.



Social engineering can often operate on the limit of what is legal and ethical. The author goes to great lengths to write what the ethical and legal obligations are for the tester.



The book is filled with lots of practical advice, as Conheady is seasoned and experienced in the topic. From advice on dealing with bathrooms as a holding location, gaining laptop connectivity and more, she writes of the many small details that can make the difference between a successful social engineering test and a failed one.



The book also details many areas where the job of the social engineer is made easy based on poor security practices at the location. Chapter 7 details how the access codes on doors at many locations often don't do much to keep social engineers out. Many doors have 4-character codes, and she writes that she has seen keypads where the combination numbers have been so worn down that you can spot them straightaway.



As noted earlier, the book focuses more on the human techniques of social engineering than on software tools. She does not ignore tools, and in chapter 9 provides a list of some of the more popular tools to use, including Maltego, Cree.py and others. She also has lists of other tools to use such as recording devices, bugging devices, phone tools and more.



With all those, she still notes that the cell phone is the single most useful item you can bring with you on a social engineering test. She writes that some of the many uses a cell phone has are to discourage challengers, fake a call to look busy, use the camera and more.



While most of the book is about how to execute a social engineering test, chapter 10 details how you can defend against social engineering. She notes that it is notoriously difficult to defend against social engineering because it targets the weakest link in the security chain: the end-user. She astutely notes that a firm can't simply roll out a patch and immunize its staff against the latest social engineering attack, even though there are vendors who make it seem like you can.



The chapter also lists a number of indicators that a firm may be experiencing a social engineering attack.



Hadnagy's book is still the gold standard on the topic. But Social Engineering in IT Security Tools, Tactics, and Techniques certainly will give it a run for the money.



Hadnagy's approach to social engineering is quite broad and aggressive. Conheady takes more of a kinder, gentler approach to the topic.



For those that are looking for an effective guide on which to build their social engineering testing program, this certainly provides all of the core areas and nearly everything they need to know about the fundamentals of the topic.







Reviewed by Ben Rothke"

Book review: Introduction to Cyber-Warfare: A Multidisciplinary Approach

benrothke benrothke writes  |  about 1 month ago

benrothke (2577567) writes "Introduction to Cyber-Warfare: A Multidisciplinary Approach

Author: Paulo Shakarian, Jana Shakarian and Andrew Ruef

Pages: 336

Publisher: Syngress

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124078147

Summary: Outstanding overview and guide to cyberwarfare





Cyberwarfare is a controversial topic. At the 2014 Infosec World Conference, Marcus Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again.



Whether it was the topic or just Marcus being Marcus, about a third of the participants left within the first 15 minutes. They should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.



While a somewhat broad term, in Wikipedia cyberwarfare (often called information warfare) is defined as politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.



The authors define cyber war as an extension of policy by actions taken in cyber space by state or nonstate actors that either constitute a serious threat to a nation's security or are conducted in response to a perceived threat against a nation's security.



As to a book on the topic, for most readers, cyberwarfare is something that they may be victims of, but will rarely be an active part of.



In Introduction to Cyber-Warfare: A Multidisciplinary Approach, authors Paulo Shakarian, Jana Shakarian and Andrew Ruef provide an excellent overview of the topic. The book takes a holistic, or as they call it multidisciplinary, approach to the topic. It looks at the information security aspect of cyberwarfare, as well as the military, sociological and other aspects of the topic.



The book is divided into 3 parts and 13 densely packed and extremely well-researched and footnoted chapters, namely:



Part I: Cyber Attack

Chapter 2: Political Cyber Attack Comes of Age in 2007

Chapter 3: How Cyber Attacks Augmented Russian Military Operations

Chapter 4: When Who Tells the Best Story Wins: Cyber and Information Operations in the Middle East

Chapter 5: Limiting Free Speech on the Internet: Cyber Attack Against Internal Dissidents in Iran and Russia

Chapter 6: Cyber Attacks by Nonstate Hacking Groups: The Case of Anonymous and Its Affiliates



Part II: Cyber Espionage and Exploitation

Chapter 7: Enter the Dragon: Why Cyber Espionage Against Militaries, Dissidents, and Nondefense Corporations Is a Key Component of Chinese Cyber Strategy

Chapter 8: Duqu, Flame, Gauss, the Next Generation of Cyber Exploitation

Chapter 9: Losing Trust in Your Friends: Social Network Exploitation

Chapter 10: How Iraqi Insurgents Watched U.S. Predator Video—Information Theft on the Tactical Battlefield



Part III: Cyber Operations for Infrastructure Attack

Chapter 11: Cyber Warfare Against Industry

Chapter 12: Can Cyber Warfare Leave a Nation in the Dark? Cyber Attacks Against Electrical Infrastructure

Chapter 13: Attacking Iranian Nuclear Facilities: Stuxnet





The book provides numerous case studies of the largest cyberwarfare events to date. Issues around China and their use of cyberwarfare constitute a part of the book. Chapter 7 details the Chinese cyber strategy and shows how the Chinese cyber doctrine and mindset is radically different from that of those in the West.



The book compares the board games of chess (a Western game) and Go (a Chinese game) and how the outcomes and strategies of the games are manifest in each doctrine.



The chapter also shows how the Chinese government outlawed hacking, while at the same time the military identified the best and most talented hackers in China, and integrated them into Chinese security firms, consulting organizations, academia and the military.



One of the more fascinating case studies details the cyber war against the corporate world from China. The book provides a number of examples and details the methodologies they used, in addition to providing evidence of how the Chinese were involved.



For an adversary, one of the means of getting information is via social networks. This is often used in parallel by those launching some sort of cyberwarfare attack. LinkedIn is one of the favorite tools for such an effort. The authors write of the dangers of transitive trust, where user A trusts user B, and user B trusts user C. Via a transitive trust, user A will then trust user C based simply on the fact that user B does. This was most manifest in the Robin Sage exercise.



This was where Thomas Ryan created a fictitious information security professional named Robin Sage. He used her fake identity and profile to make friends with others in the information security world, commercial, federal and military, and he was able to fool even seasoned security professionals. Joan Goodchild wrote a good overview of the experiment here.
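
Transitive trust of the A-trusts-B, B-trusts-C kind can be measured rather than just described: walk the connection graph backwards from the unvetted profile and count who ends up trusting it without ever having looked at it. The Go program below is an added example, not code from the book or its authors; the account names and the edges in the graph are constructed, and the split between "accepted it directly" and "inherits the trust" is this example's own way of reporting the exposure.

```go
package main

import (
	"fmt"
	"sort"
)

// TrustGraph maps each account to the accounts it has directly accepted as
// connections (a directed edge "accepter -> accepted").
type TrustGraph map[string][]string

// Sample is a constructed graph: one analyst has accepted an unvetted profile.
var Sample = TrustGraph{
	"analyst_a":  {"robin_sage", "vendor_rep"},
	"analyst_b":  {"analyst_a"},
	"team_lead":  {"analyst_a", "analyst_b"},
	"ciso":       {"team_lead"},
	"contractor": {"ciso", "vendor_rep"},
}

// Reach walks the graph from start and returns every account start ends up
// trusting through chains of connections, with the number of hops to each.
func Reach(g TrustGraph, start string) map[string]int {
	hops := map[string]int{start: 0}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range g[cur] {
			if _, seen := hops[next]; !seen {
				hops[next] = hops[cur] + 1
				queue = append(queue, next)
			}
		}
	}
	delete(hops, start)
	return hops
}

// reverse flips every edge so that the same walk answers "who trusts X?".
func reverse(g TrustGraph) TrustGraph {
	rev := TrustGraph{}
	for from, tos := range g {
		for _, to := range tos {
			rev[to] = append(rev[to], from)
		}
	}
	return rev
}

// Exposure splits the accounts that trust profile into those that accepted it
// themselves (direct, one hop) and those that inherit that trust (implicit,
// two or more hops) without ever having looked at it.
func Exposure(g TrustGraph, profile string) (direct, implicit []string) {
	for acct, h := range Reach(reverse(g), profile) {
		if h == 1 {
			direct = append(direct, acct)
		} else {
			implicit = append(implicit, acct)
		}
	}
	sort.Strings(direct)
	sort.Strings(implicit)
	return direct, implicit
}

func main() {
	direct, implicit := Exposure(Sample, "robin_sage")
	fmt.Println("accepted robin_sage directly:", direct)
	fmt.Println("trust robin_sage only transitively:", implicit)
	fmt.Println("what the contractor ends up trusting:", Reach(Sample, "contractor"))
}
```

On the constructed graph a single acceptance by analyst_a gives the fake profile implicit standing with four other accounts, up to four hops away; removing that one edge removes the entire exposure, which is the argument for vetting connection requests at the edge rather than relying on who else has accepted them.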



In chapter 10, the book details how Iraqi insurgents viewed Predator drones' video feeds. Woody Allen said that eighty percent of success is just showing up. In this case, all the insurgents had to do was download the feed, as it was being transmitted unencrypted. Very little cyberwarfare required.



When the drone was being designed, the designers used security by obscurity in their decision not to encrypt the video feed. They felt that since the Predator video feeds were being transmitted on frequencies that were not publicly known, no access control, encryption or other security mechanisms would be needed.



The downside is that once the precise frequency was determined by the insurgency (in the case of the Predator drone, the Ku-band), the use of the SkyGrabber satellite internet downloader made it possible for them to effortlessly view the video feeds.
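
The control that the obscurity-based design left out is authenticated encryption of each frame, which makes the carrier frequency irrelevant: a receiver that lacks the key sees noise, a modified frame fails its tag check, and a recorded frame cannot be played back later. The Go program below is an added example and is not from the book or its authors. It assumes a pre-shared 32-byte key, AES-256-GCM from Go's standard library, a 96-bit nonce built from a per-link frame counter, and a receiver that only accepts strictly increasing counters; the frame bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 8 // 64-bit frame counter, sent in clear and authenticated

// Link holds one direction of a protected feed: the sender's counter and the
// receiver's replay window. Each side builds its own Link from the shared key.
// The nonce is derived from the counter (never reused under one key), and the
// counter also travels as associated data so the receiver can detect replay.
type Link struct {
	aead    cipher.AEAD
	sendSeq uint64 // last counter used by Protect
	lastSeq uint64 // last counter accepted by Unprotect
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// nonceFor builds the 96-bit GCM nonce as 4 zero bytes || 8-byte counter.
func nonceFor(a cipher.AEAD, hdr []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	copy(nonce[len(nonce)-hdrLen:], hdr)
	return nonce
}

// Protect returns counter || ciphertext || 16-byte tag. Counters start at 1 so a
// fresh receiver (lastSeq 0) accepts the first frame; rekey long before they wrap.
func (l *Link) Protect(frame []byte) []byte {
	l.sendSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint64(hdr, l.sendSeq)
	out := make([]byte, hdrLen, hdrLen+len(frame)+l.aead.Overhead())
	copy(out, hdr)
	return l.aead.Seal(out, nonceFor(l.aead, hdr), frame, hdr)
}

// Unprotect verifies the tag before advancing the replay window, so a forged
// header can never move the receiver's state.
func (l *Link) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+l.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= l.lastSeq {
		return nil, fmt.Errorf("frame %d replayed or out of order (last accepted %d)", seq, l.lastSeq)
	}
	frame, err := l.aead.Open(nil, nonceFor(l.aead, hdr), pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified or wrong key")
	}
	l.lastSeq = seq
	return frame, nil
}

func main() {
	key := make([]byte, 32) // demo key; a real link gets it from key provisioning
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sender, _ := NewLink(key)
	receiver, _ := NewLink(key)
	frame := []byte("constructed frame 0001: JPEG payload bytes")
	pkt := sender.Protect(frame)
	fmt.Println("plaintext visible on the wire:", bytes.Contains(pkt, frame))
	got, err := receiver.Unprotect(pkt)
	fmt.Printf("receiver got %q, err=%v\n", got, err)
	_, err = receiver.Unprotect(pkt) // the same packet a second time
	fmt.Println("replay:", err)
	pkt2 := sender.Protect([]byte("constructed frame 0002"))
	pkt2[len(pkt2)-1] ^= 1 // flip one bit of the tag
	_, err = receiver.Unprotect(pkt2)
	fmt.Println("tamper:", err)
}
```

Two caveats are built into the design: the counter doubles as the nonce, so the same key must never be used by two senders or across a restart without a fresh counter space, and a frame lost in transit is simply skipped (the window only requires the counter to increase), which suits a live feed where retransmission is pointless.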



The only negative about the book is a minor one. It has over 100 pictures and illustrations. Each one states: for the color version of this figure, the reader is referred to the online version of the book. Having that after every picture is a bit annoying. Also, the book never says where you can find the online version of the book.



How good is this book? In his review of it, Krypt3ia said it best when he wrote: I would love to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. The reality is that this book should indeed be read by everyone in Washington, as they are making decisions on the topic, without truly understanding it.



For most readers, this will be the book that tells them everything they need to know, and that their congressman should know. Most people will never be involved with any sort of warfare, and most corporate information security professionals will not get involved with cyberwarfare. Nonetheless, Introduction to Cyber-Warfare: A Multidisciplinary Approach is a fascinating read about a most important subject.







Reviewed by Ben Rothke"

Book review: Data-Driven Security: Analysis, Visualization and Dashboards

benrothke benrothke writes  |  about 2 months ago

benrothke (2577567) writes "Data-Driven Security: Analysis, Visualization and Dashboards

Author: Jay Jacobs and Bob Rudis

Pages: 352

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118793725

Summary: Superb book for effective use of data for information security





There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information, and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboards is all about the latter.



In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from them to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security.



The book is meant for a serious reader who is willing to put in the time and effort to learn the programming necessary (mainly in Python and R) to truly understand what information exists deep in the recesses of their logs. As to R, it is a GNU project and a free software programming language and software environment for statistical computing and graphics. The R language is widely used among statisticians and data miners for developing statistical software and data analysis. For analysis at the level Jacobs and Rudis prescribe, R is a godsend.



The following are the 12 densely packed chapters in the book:



1 : The Journey to Data-Driven Security

2 : Building Your Analytics Toolbox: A Primer on Using R and Python for Security Analysis

3 : Learning the "Hello World" of Security Data Analysis

4 : Performing Exploratory Security Data Analysis

5 : From Maps to Regression

6 : Visualizing Security Data

7 : Learning from Security Breaches

8 : Breaking Up with Your Relational Database

9 : Demystifying Machine Learning

10 : Designing Effective Security Dashboards

11 : Building Interactive Security Visualizations

12 : Moving Toward Data-Driven Security





After completing the book, the reader will have the ability to know which questions to ask to gain security insights, and use that data to ensure the overall security of their data and networks. Getting to that level is not at all a trivial task, even if there are vendors who promise to do that.





For many people performing data analysis, the dependable Excel spreadsheet is their basic choice for data manipulation. The book calls the spreadsheet a gateway tool between a text editor and programming. The book notes that spreadsheets work as long as the data is not too large or complex. The book quotes a 2013 report to shareholders from J.P. Morgan in which their $6 billion in losses in 2012 was due in part to problems with their Excel spreadsheets.





The authors suggest using Excel as a temporary solution for quick one-shot tasks. For those that have repeating analytical tasks or models that are used repeatedly, it's best to move to some type of structured programming language, specifically those that the book suggests and for which it provides significant amounts of code examples, all of which are available on the companion website here.





The goal of all data extraction is to use data analysis to answer real questions. A large part of the book focuses on how to ask the right question. In chapter 1, the authors write that every good data analysis project begins with setting a goal and creating one or more research questions. Without a well-formed question guiding the analysis, you may waste time and energy seeking convenient answers in the data, or worse, you may end up answering a question that nobody was asking in the first place.





The value of the book is that it shows the reader how to focus on the context and purpose of the data analysis by setting the research question appropriately, rather than simply parsing large amounts of data. It's ultimately irrelevant if you can use Hadoop to process petabytes of data if you don't know what you are looking for.





Visualization is a large part of what this book is about, and in chapter 6 — Visualizing Security Data, the book notes that the most efficient path to human understanding is via the visual sense. It goes on to detail the many advantages data visualization has, and the key to making it work.





As important as visualization is, describing the data is equally important. In chapter 7, the book introduces the VERIS (Vocabulary for Event Recording and Incident Sharing) framework. VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS helps organizations collect useful incident-related information and share that information, anonymously and responsibly, with others.





The book shows how you can use dashboards for effective data visualization. But the authors warn that a dashboard is not an art show. They caution that given the graphical nature of dashboards, it's easy to fall into the trap of making them look like pieces of modern or fringe art; when they are far more akin to architectural and industrial diagrams that require more controlled, deliberate and constrained design.





As to dashboards the authors do not like, they consider the Cyber Security Situational Awareness to be glitzy but not informative. Personally, I thought the dashboard has a lot of good information.





The book uses the definition of dashboard according to Stephen Few, in that it's a "visual display of the most important information needed to achieve one or more objectives that has been consolidated in a single computer screen so it can be monitored at a glance". The book enables the reader to create dashboards like that.





Data-Driven Security: Analysis, Visualization and Dashboards is a superb book written by two experts who provide significant amounts of valuable information in every chapter. For those that are willing to put the time and effort into the serious amount of work that the book requires, they will find it a vital resource that will certainly help them achieve much higher levels of security.







Reviewed by Ben Rothke"
top

Book review: Security without Obscurity

benrothke benrothke writes  |  about 3 months ago

benrothke (2577567) writes "Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity

Author: J.J. Stapleton

Pages: 355

Publisher: Auerbach Publications

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-1466592148

Summary: Great guide to enterprise authentication from an expert







Having worked at the same consulting firm and also on a project with author J.J. Stapleton (yes, that was full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows the world how broad his security knowledge is.



When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe.



The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to the situation where authentication has to a large part gotten short shrift. This is a significant issue since much of information security is built around the need for strong and effective authentication. Without effective authentication, networks and data are at direct risk for compromise.



The topic itself is not exactly compelling (that is, unless you like to read standards such as ANSI X9.42-2003: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, ISO/IEC 9798-1:2010: Information technology — Security techniques — Entity authentication, etc.), so the book is more of a detailed technical reference. Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding.



For those who don't have a general background on the topic, it may be too deep and technical a book if they are looking for something more in line with a CISSP preparation guide.



For those that want to know the deep underpinnings of how encryption algorithms work, they can simply read the RFCs and standards themselves. What the book brings to the table are details about how to effectively implement the standards and algorithms in the enterprise, be it in applications, policies, or the specific procedures to meet compliance and standards requirements. And that is where Stapleton's many decades of experience provide significant and inestimable value.



There are many reasons why authentication systems fail, and many times it is due to interoperability issues. Stapleton details how to minimize those faults in order to achieve seamless authentication across multiple technologies and operating systems.



The 7 chapters cover a dense amount of information around the 3 core topics. The book is for the reader with a solid technical background. While it may be listed as an exploratory text, it is not like a For Dummies title.



As per its title, it covers confidentiality, authentication and integrity; in addition to other fundamental topics of non-repudiation, privacy and key management.



One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms. This enables the reader to understand which type of authentication is most beneficial for the specific requirement.



For example, in chapter 7, the book provides a really good comparison and summary of different cryptographic modules, including how they are linked to various standards from NIST, NSA, ANSI and ISO. It does the same for a comparison of cryptographic key strengths against various algorithms.



An interesting observation the book makes when discussing the DES encryption algorithm is that all of the talk of the NSA placing backdoors in it is essentially false. To date, no known flaws have been found against DES, and after being around for over 30 years, the only attack against DES is an exhaustive key attack. This type of attack is where an adversary has to try each of the possible 72 quadrillion keys (2^56 permutations, as the key is 56 bits long) until the right key is discovered.



That means that the backdoor rumors of the NSA shortening the length of the substitution ciphers (AKA s-boxes) were not necessarily about weakening it. Rather, it was meant to protect DES against specific types of cryptanalytic attacks.



While the book is tactical, the author does bring in one bit of trivia when he writes that the ISO, often known as the International Organization for Standardization, does not in truth really stand for that. He notes that the organization clearly states on its web page that because International Organization for Standardization would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalisation, etc.), its founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal. Whatever the country, whatever the language, the short form of the name is always ISO.



While that is indeed ultimately a trivial issue, I have seen certification exams where they ask what that acronym stands for. Perhaps a lot of CISSPs need to have their credentials revoked.



While Stapleton modifies the CIA triad, the book is not one of a security curmudgeon, rather of a security doyen. For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.







Reviewed by Ben Rothke"
top

Book review: Hacking Point of Sale:

benrothke benrothke writes  |  about 4 months ago

benrothke (2577567) writes "Title: Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions

Author: Slava Gomzin

Pages: 312

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118810118

Summary: Superb book on POS, PCI and payment security





The only negative thing to say about Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is its title. A cursory look at it may lead the reader to think that this is a book for a script kiddie, when it is in fact a necessary read for anyone involved with payment systems. The book provides a wealth of information that is completely pragmatic and actionable. The problem is, as the book notes in many places, that one is constantly patching a system that is inherently flawed and broken.



Often after major information security breach incidents, a public official (always in front of cameras and with many serious-looking people standing in the wings) will go on TV and say something akin to "we have to make sure this never happens again".



Last year, Target was the major victim. This month, it's eBay. But after hundreds of millions of records breached, it's not that anyone is saying it won't happen again. Rather, it's inevitable it will happen many more times.



There are a number of good books on PCI, but this is the first one that looks at the entire spectrum of credit card processing. Author Slava Gomzin is a security and payments technologist at HP and as evident in the book, he lives and breathes payment technology and his expert knowledge is manifest in every chapter. His technical expertise is certain to make the reader much better informed and understand the myriad issues involved.



The book provides an excellent overview to the workings of payment systems and Gomzin is not shy about showing how insecure many payment systems are. Its 9 chapters provide a good combination of deep technical and general detail.



The reader comes out with a very good overview of how payment systems work and what the various parts of it are. For many people, this may be the first time they are made aware of entities such as processors, acquirers and gateways.



An interesting point the book raises is that it has been observed there are fewer breaches in Europe since they use EMV (also known as chip and PIN) instead of the insecure magnetic-stripe cards which are used in the US. This leads to a perception that EMV is by default much stronger. But the book notes that EMV was never designed to secure the cardholder data after the point of sale. The recent breaches at Target and Neiman Marcus were such that cardholder data was pilfered after it was in the system.



Another major weakness with EMV is that it doesn't provide added security to web and online transactions. When a customer goes to a site and makes a transaction with an EMV card, it is fundamentally the same as if they had used a magnetic stripe card. What many people also don't realize is that EMV is not some new technology. It's been around for a while. What it did was reduce the amount of fraud for physical use amongst European merchants. But the unintended consequence was that it simply moved the fraud online, where EMV is powerless.



As noted, the book provides the details and vulnerabilities of every aspect of the life of a payment card, including physical security. In chapter 4, he notes that there are numerous features that are supposed to distinguish a genuine payment card from a counterfeited one. These include logo, embossed primary account number (PAN), card verification values and ultraviolet (UV) marks. Each one of them has its own set of limits. As for the supposed security of UV marks, these are relatively easily replicated by a regular inkjet printer with UV ink.



In fact, Gomzin writes that all payment cards as they are in use today are insecure by design, due to the fact that the multiple physical security features don't provide adequate protection from theft, and that the sensitive cardholder data is encoded on a magnetic stripe in clear text.



Gomzin has numerous PCI certifications and, with all that, doesn't see PCI as the boon to payment card security that many do. He astutely observes that PCI takes a somewhat myopic approach in which data at rest is all that matters. Given that PCI doesn't require payment software vendors or users to encrypt application configuration data, which is usually stored in plaintext and open to uncontrolled modification, this can allow a payment application to be compromised through misconfiguration.



Even with PCI, Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.



The Target breach was attributed to memory scraping, and the book notes that as devastating an attack as memory scraping is, there are no existing reliable security mechanisms that would prevent it.



The appendix includes a POS vulnerability rank calculator which can provide a quick and dirty risk assessment of the POS and associated payments application and hardware. The 20 questions in the calculator can't replace a formal assessment. But the initial results would likely mimic what that formal assessment would enumerate.



So what will it take to fix the mess that POS and payment systems are in now? The book notes that the system has to be completely overhauled for POS security to truly work. He notes that point-to-point encryption is one of the best ways to do that. What is stopping that is the huge costs involved in redoing the payment infrastructure. But until then, breaches will be daily news.



Hacking Point of Sale is an invaluable resource that is highly relevant to a wide audience, be it those in compliance, information security, development, research or your payment security group. If you are involved with payment systems, this is a necessary book.



When an expert like Slava Gomzin writes, his words should be listened to. He knows that payment breaches are inevitable. But he also shows you how to potentially avoid that tidal wave of inevitability.







Reviewed by Ben Rothke"
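The small number space the review describes (first six and last four digits shown, six to guess), as an added Python example that is not code from the book or the review: it counts the complete PANs consistent with a PCI-style mask, shows that the Luhn check digit cuts the six unknown digits down to 10^5 candidates, and contrasts an unkeyed hash of a PAN with a keyed HMAC. The masked number and the key are constructed test values (the well-known 4111... test PAN), not real card data.

```python
"""Search space behind a PCI-masked card number (added example)."""
import hashlib
import hmac
from itertools import product
from typing import Iterator, List, Tuple

# Constructed sample: the standard Visa test number, masked PCI-style.
SAMPLE_PAN = "4111111111111111"
SAMPLE_MASK = "411111******1111"


def _luhn_digit(d: int, pos_from_right: int) -> int:
    """Luhn contribution of digit d at pos_from_right (0 is the check digit).

    Every second digit from the right is doubled; two-digit results are
    reduced by 9. Each position's map is a bijection on 0..9 mod 10, which
    is why the check removes exactly nine of every ten candidates below.
    """
    if pos_from_right % 2 == 1:
        d *= 2
        if d > 9:
            d -= 9
    return d


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = sum(_luhn_digit(int(ch), i) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def fill_mask(mask: str, digits: Tuple[int, ...]) -> str:
    """Replace each '*' in mask, left to right, with the next digit given."""
    it = iter(digits)
    return "".join(str(next(it)) if ch == "*" else ch for ch in mask)


def candidate_pans(mask: str) -> Iterator[str]:
    """Yield every Luhn-valid PAN matching mask ('*' = unknown digit)."""
    n = len(mask)
    # Luhn contribution of the digits PCI lets you see in the clear.
    fixed = sum(_luhn_digit(int(ch), n - 1 - i)
                for i, ch in enumerate(mask) if ch != "*")
    stars: List[int] = [i for i, ch in enumerate(mask) if ch == "*"]
    # Per-unknown-position lookup table so the inner loop stays cheap.
    tables = [[_luhn_digit(d, n - 1 - i) for d in range(10)] for i in stars]
    for digits in product(range(10), repeat=len(stars)):
        total = fixed
        for table, d in zip(tables, digits):
            total += table[d]
        if total % 10 == 0:
            yield fill_mask(mask, digits)


def search_space(mask: str) -> Tuple[int, int]:
    """Return (all digit combinations, Luhn-valid combinations) for mask.

    For the 6-unknown mask above this is (1000000, 100000): the check digit
    in the visible suffix fixes one of the six digits, leaving the 10**5
    values that make a precomputed table of PAN hashes practical.
    """
    naive = 10 ** mask.count("*")
    valid = sum(1 for _ in candidate_pans(mask))
    return naive, valid


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: rebuildable by anyone who sees the mask."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key.

    Without the key the 10**5 candidates cannot be hashed offline, so a
    keyed token (or vault-based tokenization) is the form a stored PAN
    reference should take when a one-way value is needed at all.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    naive, valid = search_space(SAMPLE_MASK)
    print(f"mask {SAMPLE_MASK}: {naive} combinations, {valid} pass Luhn")
    print("unkeyed:", unkeyed_hash(SAMPLE_PAN)[:16], "...")
    # Constructed demo key; in practice this lives in an HSM or key vault.
    print("keyed:  ", keyed_token(SAMPLE_PAN, b"constructed-demo-key")[:16], "...")
```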
top

Book review: Designing with the Mind in Mind

benrothke benrothke writes  |  about 5 months ago

benrothke (2577567) writes "Designing with the Mind in Mind, a Simple Guide to Understanding User Interface Design Guidelines

Author: Jeff Johnson

Pages: 240

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124079144

Summary: Excellent reference on the integration of user interface design and the min





Neurologists and brain scientists are in agreement that in truth, we know very little about how the brain works. With that, in the just released second edition of Designing with the Mind in Mind, a Simple Guide to Understanding User Interface Design Guidelines, author Jeff Johnson provides a fascinating introduction to the fundamentals of perceptual and cognitive psychology for effective user interface (UI) design and creation. UI is a facet of human–computer interaction (HCI); HCI involves the study, planning, design and uses of the interaction between people and the computers and devices they are using.



Johnson heads up a consulting firm that specializes in evaluating and designing UI and brings significant experience to every chapter. He writes that following user-interface design guidelines is not as straightforward as something like following a cooking recipe, even though people often compare the two. Design rules often describe goals rather than actions, as they are purposefully very general to make them broadly applicable. The downside to that is that their exact meaning and applicability to specific design situations is open to interpretation.



With that, the book provides an exceptional foundation on how to ensure effective usability is successfully implemented. The book spends a long time detailing how users make decisions and choices.



What's really good about the book is that Johnson provides ample details about the topic, but doesn't reduce it to just a set of rules or mind-numbing (and thusly unreadable) checklists. His synopsis of the topics provides the reader with a broad understanding of the topic and what they need to do in order to ensure effective UI design is executed.



While the focus in the book is heavily on general and cognitive psychology, the book is written for the reader who is a novice in the area, and stays quite practical, without getting into vague theoretical areas.



The book provides scores of examples of how people relate to an interface, and how to design accordingly. One of many fascinating examples is when the author details the notion of attentional blink. After we see or hear something, either in real life or on a monitor, for a very brief amount of time following the recognition, between .15 and .45 of a second, we are nearly deaf and blind to other visual stimuli, even though our eyes and ears stay functional. Researchers call this attentional blink and it is thought to be caused by the brain's perceptual and attentional mechanism being briefly fully occupied with processing the first recognition.



What this means for a UI designer is that attentional blink can cause the user to miss information or events if things appear in rapid succession. The book then goes on to describe techniques in which to create an effective UI to deal with the effects of attentional blink. And he does this for scores of other similar issues.



Another fascinating example is around visual hierarchy, which lets people focus on the relevant information. The book notes that one of the most important goals in arranging information presentations is to provide a visual hierarchy, an arrangement that breaks the information into distinct sections, labels each section prominently, and presents the sections and subsections as a hierarchy.



The book details the myriad areas which are crucial for an effective interface. Chapters 4 and 5 provide significant detail about the importance of color for effective visual representation.



As the title suggests, the book takes a deep approach to the neuroscience and psychology in UI design. Other chapters include topics on human vision, sound, task, cognition, memory and more.



As to memory, the chapter details issues around the working memory of a user. He gives numerous examples of error boxes and help screens that work and that are epic failures, and how to do it right. The classic example he provides is a 4-step Windows XP wireless error message. If the user were to follow the directions, the instructions would close after step 1.



Each chapter provides numerous implications of proper and improper design, and provides the needed recommendations. While the topics may sound dry, Johnson writes in an engaging and often humorous style.



The book clearly and empirically shows how effective UI design makes all the difference on how users interact with an application or web site. The book will certainly be an important reference to software designers, web designers, web application designers and those interested in HCI, and usability.



For the designers that can't understand why their users are frustrated, they can understand why here. For designers that really want to know what is going on in their users' minds, one is hard pressed to find a better reference than this.



As the subtitle of the book is Simple Guide to Understanding User Interface Design Guidelines, the book is an invaluable resource for those serious about effective UI design.





Reviewed by Ben Rothke"
top

Book review

benrothke benrothke writes  |  about 6 months ago

benrothke (2577567) writes "Title: How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code

Author: David Kahn

Pages: 469

Publisher: Auerbach Publications

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-1466561991

Summary: Very good collection of a large number of excellent articles from David Kahn





When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest writers in that domain. For anyone with an interest in the topic, Kahn's works are read in detail and anticipated.



His first book was written almost 50 years ago: The Codebreakers – The Story of Secret Writing, which was a comprehensive overview of the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boat Codes, 1939-1943. The Codebreakers was so good and so groundbreaking that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid-1990s.



With such a pedigree, many, including myself, were looking forward to his latest book "How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code". While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970s. From the book description and cover, one would get the impression that this is an all-new work. But it is not until one reads the preface that it is detailed that the book is simply an assemblage of collected articles.



For those that are long-time fans of Kahn, there is nothing new in the book. For those that want a wide-ranging overview of intelligence, espionage and codebreaking, the book does provide that.



The book gets its title from a 2007 article in which Kahn tracked down whom he felt was the greatest spy of World War 2. That was none other than Hans-Thilo Schmidt, who sold information about the Enigma cipher machine to the French. That information made its way to Marian Rejewski of Poland, which lead to the ability of the Polish military to read many Enigma-enciphered communications.



An interesting question Kahn deals with is the old conspiracy theory that President Franklin Roosevelt and many in his administration knew about the impending attack on Pearl Harbor. He writes that the theory is flawed for numerous reasons. Kahn notes that the attack on Pearl Harbor succeeded because of Japan's total secrecy about the attack. Even the Japanese ambassadors in Washington, D.C., whose messages the US was reading, were never told of the attack.



Chapter 4, from 1984, which deals with how the US viewed Germany and Japan in 1941, is particularly interesting. Kahn writes that part of the reason the US did not anticipate a Japanese attack was due to racist attitudes. The book notes that many Americans viewed the Japanese as a bucktoothed and bespectacled nation.



Chapter 10, Why Germany's Intelligence Failed in World War II, is one of the most interesting chapters in the book. It is from Kahn's 1978 book "Hitler's Spies: German Military Intelligence in World War II".



In the Allies vs. the Axis, the Allies were far from perfect. Battles at Norway, Arnhem and the Bulge were met with huge losses. But overall, the Allies enjoyed significant success in their intelligence, much of it due to their superiority in verbal intelligence because of their far better code-breaking. Kahn writes that the Germans in contrast, were glaringly inferior.



Kahn writes that there were five basic factors that led to the failure of the Germans, namely: unjustified arrogance, which caused them to lose touch with reality; aggression, which led to a neglect of intelligence; a power struggle within the officer corps, which made many generals hostile to intelligence; the authority structure of the Nazi state, which gravely impaired its intelligence, and anti-Semitism, which deprived German intelligence of many brains.



The Germans' negative attitude towards intelligence went all the way back to World War I, when in 1914 the German Army was so certain of success that many units left their intelligence officers behind. Jump to 1941, and Hitler invaded Russia with no real intelligence preparation. This arrogance, which broke Germany's contact with reality, also prevented intelligence from seeking to resume that contact.



Other interesting stories in the book include how the US spied on the Vatican in WW2, the great spy capers between the US and Soviets, and more.



For those that want a broad overview of the recent history of cryptography, spying and military intelligence, How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code is an enjoyable, albeit somewhat disjointed, summary of the topic.



The best part of the book is its broad scope. With topics from Edward Bell and his Zimmermann Telegram memoranda, cryptology and the origins of spread spectrum, to Nothing Sacred: The Allied Solution of Vatican Codes in World War II and a historical theory of intelligence, the book provides a macro view of the subject. The down side is that this comes at the cost of the 30 chapters being from almost as many different books and articles, over the course of almost 40 years.



For those that are avid readers of David Kahn, of which there are many, this title will not be anything new. For those that have read some of Kahn's other works and are looking for more, How I Discovered World War II's Greatest Spy will be an enjoyable read.





Reviewed by Ben Rothke"
top

Book review: Threat Modeling: Designing for Security

benrothke benrothke writes  |  about 6 months ago

benrothke (2577567) writes "Title: Threat Modeling: Designing for Security

Author: Adam Shostack

Pages: 624

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118809990

Summary: Invaluable guide to create a formal threat modeling program







Full disclosure: The author of this book and I are friends.





When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, which was a color-coded terrorism threat advisory scale.



The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented "little practical information" to the public.



While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts.



Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organization faces.



In the introduction, Shostack sums up his approach in four questions:



1. What are you building?

2. What can go wrong with it once it's built?

3. What should you do about those things that can go wrong?

4. Did you do a decent job of analysis?



The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems or services, such as cloud computing.



While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.



An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.



The beauty of the book is that it focuses on gaining empirical data around threats for your organization, rather than simply taking an approach based on Gartner, USA Today or industry best practices.



While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.



For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.



Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.



Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats and that's precisely the point the book is attempting to obviate.



As noted, threat modeling is not overly complex. But even if it was indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and customize things so they deal with their threats.



For those that still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.



Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can be deceptive in thinking they provide protection. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.



Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.



There are only a handful of books on this topic, and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve as to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.



Threat modeling provides compelling benefits in the ability to make better information security decisions, better focus on often limited resources, all while designing a model to protect against current and future threats.



For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.



Reviewed by Ben Rothke."

Book review: The Art of the Data Center

benrothke benrothke writes  |  about 7 months ago

benrothke (2577567) writes "The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments

Author: Douglas Alger

Pages: 368

Publisher: Prentice Hall

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1587142963

Summary: Some of the smartest guys in the data center share their build and design advice


At first glance, The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments appears like a standard coffee table book with some great visuals and photos of various data centers throughout the world. Once you get a few pages into the book, you see it is indeed not a light-read coffee table book, rather an insightful book where some of the brightest minds in the industry share their insights on data center design and construction.



The book takes a holistic view of how world-class data centers are designed and built. Many of the designers were able to start with a greenfield approach without any constraints, while others were limited by physical restrictions.



Some of the firms profiled in the book are Citi, Digital Realty Trust (who run the world's largest data center in Chicago), eBay, Facebook, IBM, Intel and Yahoo!.



One of the interesting things about hearing 18 different viewpoints, from both US- and Europe-based firms, is that it shows there is not just one way to build a data center. Fundamental data center components such as raised floors are reconsidered in some of the data centers in the book. From UPS, to cooling systems and more, Alger details how the nuances of various data centers have influenced their design.



It is an unfortunate reality that many expensive data center builds and expansions fail. The book profiles those that have succeeded, and it is hoped the reader will take the advice to heart in their build and design.



The book is written in an interview style, where Alger asked the designers various questions on how they came to their design, the rationale behind it, what their strategy was, what constraints they ran into, and more.



The book highlights a broad range of data centers; from those built into a century old church in Spain, a former Swedish underground military bunker renovated into a modern data center with artificial daylight, manmade waterfalls and submarine engines providing standby power, to those powered by all solar energy.



Many of the data centers that he showcases are designed in order to be LEED (Leadership in Energy and Environmental Design) and Energy Star certified. LEED is a rating system for the design, construction, operation and maintenance of green buildings, homes and neighborhoods, created by the US Green Building Council (USGBC). It should be noted that as of now, the USGBC hasn't set specific criteria for data center LEED certification.



An important point about LEED made in the book is that for those designers that are thinking about LEED certification, it must be done in the design stage and not as an addendum. Obtaining LEED certification must start at design and end with a formal certification after project completion. It was noted that consulting with a qualified LEED professional or consulting firm at the start of the planning process is a must.



While this is not a coffee table book, it does make good use of photos to highlight the nuances and layouts of the various data centers. There are many pictures that show the various types of equipment in use.



As noted, the book showcases many different aspects and often counterintuitive notions of data center design. One of the most significant is ACT, Inc., a nonprofit that runs the ACT test – a college admissions and placement test taken by more than 1.3 million high school graduates every year – who decided to run their active and backup data centers in Iowa City, Iowa just 5 miles apart. The book details the designer's rationale behind that. Similar case studies are detailed in the book.



One of the major methods in the book used to reduce power consumption and cost is via the use of virtualization, which many of the data centers have used and optimized.



One topic lacking in the book is that Alger did not ask detailed questions around the physical security of the buildings. While power, UPS, flooring and the like are critical to the efficacy of a data center, physical security components such as mantraps, access control systems, bollards, surveillance and the like are necessary to ensure all of the previous design items are not placed at risk.



One of the questions he asked every designer is if they could go back and design the data center all over again, what, if anything, they would do differently. Surprisingly, every one of them said that they put a lot of planning in and there was nothing major they would change. Most of the designers did say, though, that each data center had small items that could have been revisited to make the center better. But most agreed that many of them are so minor in some respects, that it would not be meaningful to go through them.



An interesting point the data center architect at Syracuse University stated is that one of the things they did in constructing their data center was to not necessarily be driven by rules of thumb or best practices. Rather they looked at their own requirements and how they could best optimize everything that they could in the design of the facility.



One common metric used throughout the book is power usage effectiveness (PUE). It is a measure of how efficiently a computer data center uses energy; specifically, how much energy is used by the computing equipment, as opposed to cooling and other data center overhead. The lower the number (the closer to 1.0), the more of its power is used for computing.



Poor data center planning leads to poor use of valuable capital, can significantly increase operational expense and obviate any computation gains. Many organizations get overwhelmed on the design and focus far too much on speed and power, without taking a larger holistic view of their data center needs.



For those looking for guidance on how to design a world-class data center, The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments should be the place you start.

Reviewed by Ben Rothke."

Book review: The Digital Crown

benrothke benrothke writes  |  about 8 months ago

benrothke (2577567) writes "Title: The Digital Crown: Winning at Content on the Web

Author: Ahava Leibtag

Pages: 358

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124076747

Summary: Invaluable resource and reference for building an effective web content strategy


With Adobe Flash, it's possible to quickly get a pretty web site up and running; something that many firms do. But if there is no content behind the flashy web page, it's unlikely anyone will return.



In The Digital Crown: Winning at Content on the Web, author Ahava Leibtag does a fantastic job of showing how to ensure that your web site has what it takes to get visitors to return to the website, namely great content.



Make no mistake, creating good content for a large organization is a massive job. But for those organizations that are serious about doing it right, the book provides extensive details on all of the steps required to create content that will bring customers back to your web site.



Leibtag writes in the introduction that the reason so many websites and other digital strategy projects fail is because the people managing them don't focus on what really matters. They begin changing things for the sake of change and to simply update, without first asking why. They also forget to ask what the updates will accomplish. What this does is create a focus on the wrong priorities. Leibtag notes that the obvious priority is content.



So what is this thing called content? The book defines it as all of the information assets of your company that you want to share with the world.



The book is based around 7 rules, which form the foundation of an effective and comprehensive content strategy, namely:



1. Start with Your Audience

2. Involve Stakeholders Early and Often

3. Keep it Iterative

4. Create Multidisciplinary Content Teams

5. Make Governance Central

6. Workflow that Works

7. Invest in Professionals and Trust Them

Chapter 1 (freely available here) takes a high-level look at where branding and content meet, and details the need for a strategic content initiative.



An interesting point the book makes in chapter 2, which is pervasive throughout the book, is to avoid using the term users. Rather, refer to them as customers. Leibtag feels that the term users, as part of a content strategy, makes them far too removed and abstract. Dealing with them as customers makes them real people and changes the dynamics of the content project. Of course, this transition has to be authentic. Simply performing a find/replace of user/customer in your documentation is not what the author intended; nor will such an approach work.



The book is heavy on understanding requirements and has hundreds of questions that need to be asked before creating content. The book is well worth it for that content alone.



It also stresses the importance of getting all stakeholders involved in the content creation process. As part of the requirements gathering process, the book details 3 roadmap steps which must be done in order to facilitate an effective strategy.



The book notes that content is much more than web pages. Content includes various formats, platforms and channels. An effective strategy must take all of these into account. The book notes that there are hundreds of possible formats for content. While it is impossible to deal with every possible option, an organization must know what they are in order to ensure they are creating content that is appropriate for their customers.



By the time you hit page 100, it becomes quite clear that content is something that Leibtag is both passionate about and has extensive experience with. An important point she makes is that it is crucial not to focus on design right away in the project, as it eats up way too much time. The key is to focus the majority of your efforts on the content.



The dilemma that the book notes is that during the requirements gathering process, far too many organizations are imagining a gorgeous web site with all kinds of bells and whistles, beautiful colors and pictures. That in turn moves them to spend (i.e., waste) a tremendous amount of time on design, which leads them to neglect content creation and migration.



The book details multichannel publishing, which is the ability to publish your content on any device and any channel. This is a significant detail, as customers will be accessing your site from desktops with huge screens and bandwidth to mobile devices with smaller screens and often limited bandwidth. This requires you to adapt and change your content publishing process. This is clearly not a trivial endeavor. But doing it right, which the book shows how to do, will pay off in the long run.



Another mistake firms make is that they often think content can be done by just a few people. The book notes that it is an imperative to create multidisciplinary content teams, since web content will touch every part of the organization, and needs their respective input.



One of the multidisciplinary content teams that must be involved is governance. The book notes that governance standards help you set a consistent customer experience across all channels. By following them, you can avoid replicating content, muddying your main messages and confusing your customers. Governance is also critical in setting internal organizational controls.



Leibtag lays out what needs to be done in extreme detail. She makes it quite clear that there are no quick fixes that can be done to create good content. Creating an effective content marketing strategy and architecture is complex, expensive and challenging. But for most organizations, it is also absolutely necessary for them in order to compete.



The author is the head of a content strategy and content marketing consultancy firm. Like all good consultants, they focus on getting answers to the questions clients often don't even know to ask. With that, the book has myriad questions and requirements that you must answer before you embark on getting your content online.



The book also provides numerous case studies of sites that understand the importance of content and designed their site accordingly. After reading the book, the way you look at web sites will be entirely different. You will likely find the sites you intuitively return to coincidentally happened to be those very sites that have done it right and have the content you want.



My only critique of the book is that the author quotes herself and references other articles she wrote far too often. While these articles have valid content, this can come across as somewhat overly promotional. Aside from that, the book is about as good as anything could get on the topic.



For firms that are serious about content and looking for an authoritative reference on how to build out their content and do it right, The Digital Crown: Winning at Content on the Web is certain to be an invaluable resource.

Reviewed by Ben Rothke."

Book review: Digital Archaeology: The Art and Science of Digital Forensics

benrothke benrothke writes  |  about 9 months ago

benrothke (2577567) writes "Title: Digital Archaeology: The Art and Science of Digital Forensics

Author: Michael Graves

Pages: 600

Publisher: Addison-Wesley Professional

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0321803900

Summary: Excellent introductory text to digital forensics

The book Digital Archaeology: The Art and Science of Digital Forensics starts as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.



Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes.



The author uses archeology and its associated metaphors as a pervasive theme throughout the book. While most archeology projects require shovels and pickaxes, digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, rather on hard drives, SD cards, smartphones and other types of digital media.



In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts (information, when dealing with our topic at hand), the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are to physical mementos.



The book shows you precisely how to extract those artifacts effectively. And in a little over 500 pages, the book's 21 chapters provide a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page and rather than being a dry reference, Graves writes an interesting reference guide for the reader who is serious about becoming proficient in the topic.



Rather than providing a dry overview of the topics and associated hardware and software tools, the book takes a real-world approach and provides a detailed narrative of real-world scenarios.



An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence can be held up in court.



The need for proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help them make sense of what happened.



The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer, the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.



The author notes that Warren Kruse and Jay Heiser wrote in Computer Forensics: Incident Response Essentials that the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular levels that represent processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.



Chapter 2 has a section on the constitutional implications of forensic investigation, a topic which is also pervasive throughout the book.



As noted, a significant portion of the book is dedicated to the legal aspects around digital investigations. Graves spends a lot of time on these needed issues such as search warrants and subpoenas, basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn't apply.



The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics. But it unfortunately does not dig any deeper, and does not provide the same amount of extensive tool listings as do other chapters.



Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.



For those looking for an introductory text on the topics of digital forensics, Digital Archaeology: The Art and Science of Digital Forensics is an excellent read. Its comprehensive overview of the entire topic combined with the author's excellent writing skills and experience make the book a worthwhile reference.

Reviewer: Ben Rothke"

Book review: Digital Outcasts

benrothke benrothke writes  |  about 10 months ago

benrothke (2577567) writes "Title: Digital Outcasts: Moving Technology Forward without Leaving People Behind

Author: Kel Smith

Pages: 288

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124047051

Summary: Manifesto for technology accessibility for all

Many of us have experimented with what it means to be disabled, by sitting in a wheelchair for a few minutes or putting a blindfold over our eyes. In Digital Outcasts: Moving Technology Forward without Leaving People Behind, author Kel Smith details the innumerable obstacles disabled people have to deal with in their attempts to use computers and the Internet.



The book observes that while 1 in 7 people in the world have some sort of disability (including the fact that 1 in every 10 U.S. children has been diagnosed with ADHD), software and hardware product designers, content providers and the companies who support these teams often approach accessibility as an add-on, not as a core component. Adding accessibility functionality to support disabled people is often seen as a lowest common denominator feature, with the companies unaware of the universal benefit their solution could potentially bring to a wider audience.



One of the many examples of this which the book provides is how sidewalk ramps are often an easier access method to streets; not just for those in wheelchairs, but for those simply walking and desiring an easier method.



In the book, Smith details how digital outcasts often rely on technology for everyday things that we take for granted. The problem is that poorly designed products create an abyss for these outcasts, who number in the hundreds of millions.



So just what is this digital outcast? Smith notes that the term was first introduced by Gareth White of the University of Sussex to describe people who are left behind the innovation curve with respect to new advances in technology. The term is also relevant to today's Internet user who can't perform a simple function such as making an e-commerce purchase or checking their financial statement; due to inaccessibility of the content, platform or device. These outcasts represent large swaths of forgotten populations.



In the first chapter, Smith makes the chilling observation that all of us, at some point or another, will find that our capabilities have diminished. Today's disabled users are not outliers of the able-bodied population – they are a prototype of what our future looks like.



The book provides a detailed overview of how people with disabilities use technology. More importantly, it shows that creating effective user interfaces for those with disabilities is beneficial for all users.



It showcases numerous applications and case studies, including how iPad apps have been used for cognitive therapy, video games to help many types of illnesses and more.



An important point the book makes is that there are no easy answers or silver-bullet solutions. There are no quick add-ons which a firm can use to quickly make their user interfaces outcast compliant. Rather it takes a concerted effort from senior management to make accessibility work.



A key point Smith makes many times is that students with disabilities are left behind. There are many students who fail in antiquated educational systems since the administration can't restructure their curricula around a child's individual talents or aptitudes. He writes that students with disabilities get stigmatized into special education programs, some of which are very good, but can be socially ostracizing.



Throughout the book, Smith quotes many studies and significant amounts of data that show the power of how software can make significantly positive impacts on the lives of those with disabilities. In chapter 7, he writes that at the Center for BrainHealth at The University of Texas, they used virtual worlds and avatars to help autistic children. That form of therapy has proven to be successful, and 4 or 5 sessions using that technology is worth 2 or 3 years of real world training.



As detailed in many parts of the book, many doctors say the best high-tech treatments are in fact the ones you can download from an app store.



At the end of the book, Smith writes that for accessibility to work, it has to be an enterprise initiative. He provides 8 strategic steps to doing that, including creating an accessibility task force (and engaging them from the very beginning of the project), knowing the legal landscape (and not to be driven solely by law), to designing mobile applications to be run universally, and more.



Smith sadly writes at the end of the book that while Apple has been at the forefront of accessibility, in 2012, despite having no legal mandate, Apple removed the Speak for Yourself (SFY) application; which was an extremely popular and helpful augmentative and alternative communication app. It seems that SFY is now once again available in the App Store, but with legal maneuvering what it is, that could change at any moment.



While the accessibility of technology is getting better every year, there are still many challenges ahead. Digital Outcasts: Moving Technology Forward without Leaving People Behind articulately and passionately details the groundwork, itemizes what needs to be done, and implores the reader to do something to ensure this trend continues.



This book is an important read for everyone, as there are two types of people: those that are currently digital outcasts, and those that will be sometime in the future.



The book closes with a most accurate observation: digital outcasts are not a biological model for a future we should fear, they are an inspiration for what we can all become.

Reviewer: Ben Rothke"

Book review: Testing Cloud Services: How to Test SaaS, PaaS & IaaS

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Testing Cloud Services: How to Test SaaS, PaaS & IaaS

Authors: Kees Blokland, Jeroen Mengerink, Martin Pol

Pages: 184

Publisher: Rocky Nook

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1-937538-38-5

Summary: Brings to light the imperative of testing cloud services before deployment

David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements.



While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective.



The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.



At 160 pages, the book is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.



The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.



Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists were made available in softcopy to the reader.



In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.



An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.



About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.



An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performance testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to scale effectively. The chapter details various load tests to perform.



In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.



Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.



With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left grasping at a straw, knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors' expertise in the topic, that lacking is significant.



The only other thing lacking in the book is that in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance, specifically the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative (CAI) questionnaire.



With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it relates to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing into the reality of a working solution.



Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimized and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.

Reviewer: Ben Rothke"

Book review: Secret History: The Story of Cryptology

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Secret History: The Story of Cryptology

Author: Craig P. Bauer

Pages: 620

Publisher: CRC Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1466561861

Summary: Excellent comprehensive and decipherable text on the history of cryptography

Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably, attempting to create better anecdotes about the adventures of Alice and Bob. David Kahn probably did the best job of it when he wrote The Codebreakers: The Story of Secret Writing in 1967 and set the gold standard on the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it.



While Secret History: The Story of Cryptology is not as groundbreaking, it also has no government censorship. With that, the book is a fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it.



As a preface, the book has cryptology in its title, which is for the most part synonymous with cryptography. Since cryptography is more commonly used, I'll use it in this review.



Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography including classic ciphers and some of the important historical ones such as Enigma and Purple; but also newer systems such as AES and public-key cryptography.



The book claims that the mathematics detailed in it is accessible, requiring minimal mathematical prerequisites. But the reality is that it does require at least a college-level understanding, including algebra, calculus and more.



As an aside, nearly every book on encryption and cryptography that claims no advanced mathematical knowledge is needed doesn't meet that claim. With that, Bauer does a good job of separating the two narratives in the book (cryptography and history), so one who is not comfortable with the high-level math can easily parse through those sections.



Bauer brings an extensive pedigree to the book, as he is a former scholar-in-residence at the NSA Center for Cryptologic History. While Bauer has a Ph.D. in mathematics, that does not take away from his ability as an excellent storyteller. And let's face it, telling the story of cryptography in a compelling and readable manner is not an easy task.



The 20 chapters in the book follow a chronological development of encryption and cryptography; from Roman times to current times. Each chapter has a set of exercises that can be accessed here. Besides being extremely well-researched, each chapter has numerous items for further reading and research.



Chapters 1-9 are focused on classical cryptology, with topics ranging from the Caesar cipher, Biblical cryptology, to a history of the Vigenère cipher, the ciphers of WW1 and WW2 and more.



In chapter 8, World War II: The Enigma of Germany, Bauer does a great job of detailing how the Enigma machine worked, including details regarding the cryptanalysis of the device, both in its rotor wirings and how recovering its daily keys ultimately led to its being broken. The chapter also asks the question: what if Enigma had never been broken, and provides a provocative answer to that.



Chapter 8 opens with the famous quote from Ben Franklin that "three may keep a secret if two of them are dead". He notes that the best counterexample to that is of the 10,000 people that were involved in the project to break the Enigma. They all were able to maintain their silence about the project for decades; which clearly shows that large groups can indeed keep a secret. Bauer notes that it is often a reaction to conspiracy theories that large groups of people could never keep a secret for so long.



Chapter 9 provides a fascinating account of the Navajo code talkers. These were a group of Navajo Indians who were specially recruited during World War II by the Marines to serve in their communications units. Since the Navajo language was unknown to the Axis powers, it ensured that all communications were kept completely secret.



While part 1 is quite interesting; part 2, chapters 10-20 focuses on modern cryptology and is even more fascinating. Bauer does a fantastic job of encapsulating the last 60 years of cryptography, and covers everything from the origins of the NSA, the development of DES and AES, public key cryptography and much more.



The book was printed in March 2013 just before the NSA PRISM surveillance program became public knowledge. If there is any significant mistake in the book, it is in chapter 11 where Bauer writes that "everything I've seen and heard at the NSA has convinced me that the respect for the Constitution is a key component of the culture there".



Aside from the incorrect observation about how the NSA treats the Constitution, the book does an excellent job of integrating both the history of cryptography and the mathematical element. For those that aren't interested in the mathematics, there is plenty of narrative in the book to keep them reading.



For those looking for a comprehensive and decipherable text on the history of cryptography, this is one of the best on the topic in many years.



Kahn's book laid the groundwork that made a book like this possible and Secret History: The Story of Cryptology is a worthy follow-up to that legendary text.



Reviewed by Ben Rothke

"
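The review above lists the Caesar cipher and the Vigenère cipher among the classical systems covered in the book's first nine chapters. The following Python is an added example, not code from the book or from the reviewer: it implements both ciphers and then walks through the standard way a Vigenère ciphertext is broken without the key, first estimating the period from the index of coincidence of the interleaved columns and then recovering each column's Caesar shift by comparing letter counts against English frequencies. Because a Caesar cipher is a Vigenère cipher with a one-letter key, the same routine recovers a plain Caesar shift as well. The sample plaintext, the key KAHN and the frequency table are constructed for this demonstration.

```python
# Added example (not from the book or the review): the Caesar shift and the
# Vigenere cipher from the "classical cryptology" chapters, with the standard
# cryptanalysis of Vigenere by index-of-coincidence period estimation and
# per-column frequency analysis. The sample text and key below are constructed.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequencies (percent) of letters in English prose.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}

def clean(text):
    """Keep only A-Z, upper-cased, as the classical ciphers expect."""
    return "".join(c for c in text.upper() if c in ALPHABET)

def caesar(text, shift):
    """Caesar cipher: every letter moves `shift` places along the alphabet."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in clean(text))

def vigenere_encrypt(plaintext, key):
    """Vigenere: letter i is Caesar-shifted by key letter i mod len(key)."""
    p, k = clean(plaintext), clean(key)
    return "".join(ALPHABET[(ALPHABET.index(c) + ALPHABET.index(k[i % len(k)])) % 26]
                   for i, c in enumerate(p))

def vigenere_decrypt(ciphertext, key):
    """Undo vigenere_encrypt with the same key."""
    c, k = clean(ciphertext), clean(key)
    return "".join(ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(k[i % len(k)])) % 26]
                   for i, ch in enumerate(c))

def index_of_coincidence(text):
    """Probability that two randomly chosen letters of `text` match: about 0.066
    for English, about 0.038 for uniformly random letters. A Caesar shift does
    not change it, which is what makes it usable for finding the period."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))

def estimate_period(ciphertext, max_period=20, threshold=0.058):
    """Smallest period whose interleaved columns all look monoalphabetic."""
    c = clean(ciphertext)
    scores = {}
    for p in range(1, max_period + 1):
        cols = [c[i::p] for i in range(p)]
        scores[p] = sum(index_of_coincidence(col) for col in cols) / p
        if scores[p] >= threshold:
            return p
    return max(scores, key=scores.get)  # fallback: the best-looking period

def best_shift(column):
    """Shift whose undone text fits English letter frequencies best (chi-squared)."""
    n = len(column)
    best, best_score = 0, float("inf")
    for s in range(26):
        counts = Counter(ALPHABET[(ALPHABET.index(ch) - s) % 26] for ch in column)
        score = 0.0
        for letter, pct in ENGLISH_FREQ.items():
            expected = pct * n / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best, best_score = s, score
    return best

def recover_key(ciphertext, max_period=20):
    """Period estimate plus one Caesar recovery per column gives the key."""
    c = clean(ciphertext)
    p = estimate_period(c, max_period)
    return "".join(ALPHABET[best_shift(c[i::p])] for i in range(p))

# Constructed sample plaintext, long enough for frequency analysis to work.
SAMPLE = (
    "THE CODEBREAKERS BY DAVID KAHN SET THE STANDARD FOR THE HISTORY OF SECRET "
    "WRITING AND EVERY LATER ACCOUNT OF THE SUBJECT STANDS IN ITS SHADOW THE STORY "
    "RUNS FROM THE SIMPLE SHIFT CIPHER OF ROMAN TIMES THROUGH THE POLYALPHABETIC "
    "SYSTEMS OF THE RENAISSANCE TO THE ROTOR MACHINES OF THE TWENTIETH CENTURY AND "
    "ON TO THE PUBLIC KEY METHODS THAT PROTECT TRAFFIC ON THE INTERNET TODAY WHAT "
    "EVERY ONE OF THESE SYSTEMS HAS IN COMMON IS THAT ITS DESIGNERS BELIEVED IT TO "
    "BE UNBREAKABLE AND IN ALMOST EVERY CASE THEY WERE WRONG BECAUSE THE ENEMY WAS "
    "PATIENT CLEVER AND WILLING TO COLLECT A GREAT DEAL OF TRAFFIC BEFORE TRYING TO "
    "READ ANY OF IT THE LESSON FOR THE MODERN ENGINEER IS THAT A CIPHER MUST BE "
    "JUDGED NOT BY THE CONFIDENCE OF ITS INVENTOR BUT BY THE EFFORT THAT A WELL "
    "FUNDED ADVERSARY WOULD NEED IN ORDER TO RECOVER THE KEY"
)

if __name__ == "__main__":
    ct = vigenere_encrypt(SAMPLE, "KAHN")
    key = recover_key(ct)
    print("estimated period:", estimate_period(ct), "recovered key:", key)
    print("decrypts correctly:", vigenere_decrypt(ct, key) == clean(SAMPLE))
```

The attack needs a few hundred letters of ciphertext because it relies on letter statistics; with a key as long as the message and never reused, the same statistics tell the analyst nothing, which is the gap between the Vigenère cipher and the one-time pad that the book's later chapters build on.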

Book review: Two books by Peter Loshin

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Two books by Pete Loshin





Simple Steps to Data Encryption: A Practical Guide to Secure Computing

Pages: 86

Publisher: Syngress

ISBN: 978-0124114838



Practical Anonymity: Hiding in Plain Sight Online

Pages: 128

Publisher: Syngress

ISBN: 978-0124104044



Reviewer: Ben Rothke

Summary: Avoid these books. Use the free and better online documentation references.





Of the books that author Pete Loshin has written in the past, a number of them are completely comprised of public domain information that he gathered. Titles such as Big book of Border Gateway Protocol (BGP) RFCs, Big Book of IPsec RFCs, Big Book of Lightweight Directory Access Protocol (LDAP) RFCs, and others, are simply bound copies of publicly available information.



In two of his latest books, Practical Anonymity: Hiding in Plain Sight Online and Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin doesn't do the wholesale cut and paste like he did for the RFC books, but on the other side, doesn't offer much more information than the reader can get online.



The software tools detailed in the books are open source tools; and the open source community has done a fantastic job of not only making the software free, but creating documentation that is also free and rivals commercial technical guides.



Practical Anonymity is basically an overview of the basics of Tor. The truth is that all that it takes to use Tor is to download it and then click on Start Tor Browser. For those that want to read the manuals, the Tor documentation repository has detailed information that includes everything a user needs to know about using the product. The Tor site has numerous manuals, FAQs and more. There is likely enough information there for about 98% of Tor and potential Tor users.



At 130 pages, the book is useful for those that want a hard copy to read on a bus or plane and for whatever reason, don't want to print out the references from the Tor site. Loshin does a decent job of presenting the topic, including why Tor is important, and who it could most benefit.



Tor was first released in 2002. But since it became known that the NSA was viewing data, Tor usage has doubled, as detailed in a recent Washington Post article.



One of the main drawbacks of Tor, as the book notes in chapter 2 (and also detailed in the Tor FAQ here) is that Tor is slow; really slow. The FAQ notes that there are many reasons why the Tor network is currently slow. It is first off important to know that Tor is never going to be extremely fast. All Tor traffic is bouncing through volunteers' computers in various parts of the world, and bottlenecks and network latency will always be present. The current Tor network is small compared to the number of people trying to use it, and Tor can't always handle file-sharing traffic load.



The book also spends a large amount of space detailing Tails, which is a Linux distro that can be booted from a CD or a USB. The benefit of Tails is that no trace of it will be left on the host it was run off of.



Like Tor, the Tails documentation repository has a large set of documents and FAQs covering all areas of the product. For those on a budget, this site has everything that they need to know about using Tails.



Practical Anonymity: Hiding in Plain Sight Online is a decent start for those who want to be more anonymous. It is far from a comprehensive guide, as using Tor is just the beginning to start being anonymous, but far from the only resource or method.



In Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin attempts to provide an overview of why you need encryption, and how to use it. The book barely succeeds at doing that, but there are certainly other titles that do it either more articulately or at least without charging for it. In addition, the book seems like it was rushed to print, and could have used a better technical editor.



In fact, the book starts with an overview of how to use GnuPG (Gnu Privacy Guard). And like Tor, there are numerous free references at the GnuPG documentation site that provide many useful references.



At $60 for the pair, the books provide little added value to the free online documentation. For those that want a bound hard copy of a book, these two titles may suit them. For others who want to save trees and their money, and get the same and improved information direct from the source, the respective documentation sites are but a click away.



Reviewer: Ben Rothke"

Book review: The Practice of Network Security Monitoring

benrothke benrothke writes  |  1 year,8 days

benrothke (2577567) writes "Title: The Practice of Network Security Monitoring: Understanding Incident Detection & Response

Author: Richard Bejtlich

Pages: 376

Publisher: No Starch Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1593275099

Summary: Definitive guide to the new world of Network Security Monitoring (NSM)





It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure 'my friend') last book Extrusion Detection: Security Monitoring for Internal Intrusions came out. That and his other 2 books were heavy on technical analysis and real-world solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16.



In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached. He observes that a critical part of your security posture must be that of network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions.



In this book, Bejtlich details how to design an NSM program from the initiation state. Being a big open source proponent, the book lists no proprietary tools and myriad open source solutions. The book is designed for system and security administrators, CIRT managers and analysts with a strong background in understanding threats, vulnerabilities and security log interpretation.



The book is about the inevitable, that attackers will get inside your network. While it's foreseeable they will get in, it's not inevitable that you have to be caught off-guard. For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.



The book is a hands-on guide to installing and configuring NSM tools. The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.



This is a book about how not to be surprised, and its 13 chapters detail how to create and manage an NSM program, what to look for, and myriad tools to use in the process.



The focus of the book is not on the planning and defense phases of the security cycle (hopefully, that is already in place in your organization), but rather on the actions to take when handling systems that are already compromised or that are on the verge of being compromised, as detailed in the preface.



In chapter 1, the book details the difference between continuous monitoring (CM) and NSM, since their terms are similar and many people confuse the two. CM is big in the federal computing space and NIST provides an overview and definition of it here. The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions. NSM is threat-centric, meaning adversaries are the discussion of the NSM operation; while CM is vulnerability-centric, focusing on configuration and software weaknesses.



Also in chapter 1, Bejtlich asks the important question: is NSM legal? He writes that there is no easy answer to that question and anyone using or deploying an NSM solution should first consult with their legal counsel, in order not to potentially violate the US Wiretap Act and other laws and regulations. This is especially true for those who are in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic. Something as simple as running Wireshark on a corporate network in the US would require court approval if done on an EU-based network.



One of the main NSM tools the book references and details is Security Onion (SO). SO is a Linux distro for IDS and NSM. It's based on Ubuntu and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.



The book details and explains how to use these tools in an NSM environment. An important point Bejtlich makes in chapter 9 regarding the tools is that analysts need tools to find intruders, but methodology is more important than just software tools. Tools collect and interpret data, but methodology provides the conceptual model. He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative and important to start with a good operational model first, and then select tools to provide data supporting that model.



The book has a short discussion of how cloud computing affects NSM. In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, it is generally not an option for SaaS offerings since customers are limited to the back-end logs.



The book closes with the observation that NSM is not just about all the tools that the author spent over 300 pages discussing; rather it is more about the workflows, metrics and collaboration. Unfortunately, this title does not detail the necessary workflows for an NSM and it is hoped that the follow-up to this book will.



The only negative in the book is that as CSO of Mandiant, Bejtlich references his firm's products, mainly their MIR appliance for a CIRT. In the spirit of objectivity and not trying to have the book come across as marketing PR, if an author is going to mention a product their firm sells, they should also mention alternative solutions.



For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.



Reviewed by Ben Rothke"

Book review: Hacking Exposed Mobile Security Secrets & Solutions

benrothke benrothke writes  |  1 year,22 days

benrothke (2577567) writes "Title: Hacking Exposed Mobile Security Secrets & Solutions.

Authors: Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray

Pages: 320

Publisher: McGraw-Hill Osborne Media

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0071817011

Summary: Excellent resource to understand current mobile security threats





Little did anyone know that when the first Hacking Exposed book came out over 15 years ago, that it would launch a set of sequels on topics from Windows, Linux, web development, to virtualization and cloud computing, and much more.



In 2013, the newest edition is Hacking Exposed Mobile Security Secrets & Solutions. In this edition, authors Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices. The authors have heaps of experience in the topics and bring that to every chapter.



The power of mobile devices can be understood by the fact that this book came out in July 2013, and just last week, Steve Ballmer announced that he will step down as Microsoft CEO. While mobile has spelled doom for Ballmer's career and Microsoft's bottom line, mobile has made the Apple brand relevant again, and extremely dominant. More of a concern is that mobile is the new avenue of security attacks for a new generation of attackers.



The book provides a great overview of the new threats created by mobile devices. Like the other books in the series, it provides an overview of the issues, shows how attackers will use vulnerabilities to compromise and exploit mobile devices, in addition to showing you how to secure your mobile devices and enterprise mobile platforms against these threats.



One difference between this book and other Hacking Exposed titles, especially the Windows editions, is that this one has a dearth of script kiddie tools. This is due to the fact that such tools don't exist so much for the mobile platforms.



The 9 chapters in the book provide a comprehensive and meticulous synopsis of all of the core areas around security and privacy concerns about mobile computing.



The first two chapters provide a thorough analysis of the mobile risk ecosystem and how the cellular networks operate.



One of the major risks detailed in chapter 1 is that of physical risks. When data resides in physical data centers, a company can have some semblance of assurance of security given the data has multiple layers of physical controls in an enterprise data center or colocation. The authors note that physical access to mobile devices is difficult to defend against for very long, and the entire phenomenon of rooting and jailbreaking certainly proves this.



They also write that they have yet to find a mobile application that they could not defeat when given physical access, including defeating the mobile device management software.



The book astutely notes that if your mobile risk model assumes that information can be securely stored indefinitely on a physical mobile device, then you are starting with a false assumption. The entire book is based on the assumption of an attacker gaining control of the mobile device. To compensate for that, the book provides the requisite countermeasures.



Another bit of sagacious advice in the book is ensuring your developers, and those you outsource your development to, understand the specific risks and vulnerabilities around mobile apps. It is crucial that all programmers developing mobile apps be sufficiently trained in how to write secure mobile apps.



Chapter 3 details iOS, the Apple mobile operating system. An interesting part of the chapter is on how to jailbreak Apple devices. But the authors also note that there are pros and cons to jailbreaking. The main negative is that you expose yourself to a variety of attack vectors that could lead to a complete compromise of the device. A non-jailbroken device obviates that in most cases given the security controls in place.



The book also sheds light on the fact that even though iOS is a closed system with fewer threat vectors, it is still far from perfect. The Apple App Store, even with its security controls, is far from impervious to attack. The chapter tells the story of a few malicious apps that slipped past security reviews and found themselves on the Apple App Store. While these malicious apps were later removed, they were there long enough to cause damage.



While the book provides ample evidence of the risk and vulnerabilities around mobile devices, it is rich in appropriate countermeasures and methods to compensate for these. The chapters on iOS and Android provide myriad ways in which to secure the devices. Chapter 8 on mobile development security details a framework in which to secure mobile devices. This framework includes requirements from secure communications, effective authentication, preventing information leakage, to platform controls and more.



Appendix A contains a checklist of options that end-users can use to ensure the security of their private data and sensitive information stored on their mobile devices.



Appendix B is a mobile application penetration testing toolkit for performing security assessment of mobile technologies.



The press is full of stories of how the demise of Microsoft is directly related to their misreading the mobile market. The public has responded by buying mobile devices in the billions, and attackers who not so long ago wrote exploits for Windows are now putting their efforts into iOS and Android. The message is clear: mobile apps need to be written with security in mind and the mobile devices need to be secured.



For those looking for an understanding of current mobile security threats and how to counter them, Hacking Exposed Mobile Security Secrets & Solutions is a uniquely good book.



Reviewed by Ben Rothke"

Book review: The Healthy Programmer

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Title: The Healthy Programmer: Get Fit, Feel Better, and Keep Coding

Pages: 220

Rating: 9/10

Author: Joe Kutner

Publisher: Pragmatic Bookshelf

Language: English

ISBN-13: 978-1937785314

Summary: A diet and lifestyle guide that works for all, not just for programmers.





Diet books are literally a dime a dozen. They generally benefit only the author, publisher and Amazon, leaving the reader frustrated and bloated. With a failure rate of over 99%, diet books are the epitome of a sucker born every minute.



One of the few diet books that can offer change you can believe in is The Healthy Programmer: Get Fit, Feel Better, and Keep Coding. Author Joe Kutner observes that nearly every popular diet fails and the reason is that they are based on the premise of a quick fix without focusing on the long-term core issues. It is inevitable that these diets will fail and the dieters at heart know that. It is simply that they are taking the wrong approach. This book is about the right approach; namely a slow one. With all of the failed diet books, Kutner is one of the few that has gotten it right.



While the title of the book says it's for programmers, it is germane to anyone whose job requires them to be at a desk for extended amounts of time.



Kutner is himself a programmer who builds Ruby and Rails applications, and a former college athlete and Army Reserve physical fitness trainer.



The book focuses on two areas that require change: regular exercise and proper nutrition; and it details the steps necessary to create a balanced lifestyle.



While popular diet books require rapid and major lifestyle changes and promise quick weight-loss, the book notes that small changes to your habits can provide the long-term effects that can improve your health. The book focuses on incremental changes and sustainability, not about losing x pounds in x weeks.



The book is different (read: effective) as opposed to other diet and lifestyle books, in that its goal is to make your healthy lifestyle pragmatic, attainable, and fun. It is only with those aspects that long-term change is possible.



As to programmers, Kutner writes that programming requires intense concentration that often causes them to neglect other aspects of their lives; the most common of which is their health. People's bodies have not evolved to accommodate a lifestyle of sitting and there are many negative health effects from it.



The book takes a start small approach, rather than one of drastic changes. In chapter 2, it notes the myriad benefits of walking. It states that walking is a powerful activity that can stimulate creative thinking (a required trait for a good programmer) and is a great way to bootstrap your health. The chapter details the ways in which a few short walks during the day can have a dramatic positive effect on your life.



Chapter 3 is about the dangers of chairs and sitting for long periods of time. It details a number of ways to counter the dangers of sitting. It also notes that while sometimes you simply can't get away from your chair, and when that happens, you can make sitting less dangerous by forcing your muscles to contract without even getting up. It then details a number of different calisthenics to use to do this.



Chapter 4, Agile Dieting, is perhaps the best part of the book. It details how to fight the real causes of weight gain and details proven solutions that work. That chapter repeatedly uses terms like iterative, sustainable, slow to show what it really takes to lose weight and achieve a healthy lifestyle.



Kutner notes that most of the popular fad diets are idiosyncratic and unbalanced. They will provide short-term benefits, but ultimately fail miserably. The chapter quotes research data on what needs to be in a balanced diet. It then notes that almost every fad diet violates those needs. Nutrition needs to be rounded and well-balanced and the fad diets for that reason will only work in the short term.



This book is everything the fad diet books are not and this is most manifest in chapter 4 where Kutner writes one should cut calories slowly. This is based on research which shows that quick drastic weight loss is counterproductive. While the fad diets talk about drastic caloric changes, Kutner suggests dropping your intake slower, about 100 calories every two weeks until you get to your targeted caloric intake level.



While much of the book is on fitness and nutrition, it takes a complete body approach. Chapter 5 details the importance of eye health. This is an important topic since the average programmer spends much of their week behind a monitor.



Kutner writes about computer vision syndrome (CVS); an eye condition resulting from focusing the eyes on a monitor for extended amounts of time. Symptoms of CVS include headaches, blurred vision, neck pain, redness in the eyes, fatigue, eye strain, dry eyes, irritated eyes, double vision, vertigo/dizziness, polyopia, and difficulty refocusing the eyes. The book also details methods in which to minimize the effects of CVS, and how not to become a victim of it. Kutner writes that CVS is what most programmers refer to as life. But it does not have to be that way.



The rest of the book covers other physical ailments that plague programmers. This runs the gamut from headaches, backaches, wrist problems, carpal tunnel, head strain and much more. Most of these problems can be obviated if one follows proper ergonomics practices and employs some of the physical conditioning detailed in the book.



Another theme of the book is using goals as an impetus for change. The book lists 16 goals which can be used as a progressive framework to improve your health. These goals include buying a pedometer, finding your resting heart rate, getting a negative result on the Reverse Phalen's test and other lifestyle changes.



Given the preponderance of obesity, diabetes and other maladies associated with a sedentary lifestyle, this may be one of the most important non-programming books that every developer should read and take to heart.



The book has hundreds of bits of excellent advice and subtle lifestyle suggestions that over time can make a significant difference to your health.



The author has a web site and an iPhone app that can be referenced for additional help. The book is full of sage and pragmatic advice. It has no celebrity endorsement, no gimmicks or false claims; meaning it has a high chance of working.



The book concludes with the observation that programmers often say the hardest part of software development begins when a product is released. The real work, maintenance, continues on, much like your health. You must sustain a state of wellness for the rest of your life, and you need to continue setting goals, iterating and making small improvements.



Many programmers love their job but not the lifestyle problems that come with it. For the programmer that wants the challenges of the profession and the benefits of a healthy lifestyle, The Healthy Programmer: Get Fit, Feel Better, and Keep Coding may be a life-changing book, and should find its rightful place on every programmer's desk.



Reviewed by Ben Rothke"

Book review: Present Yourself - Using SlideShare to Grow Your Business

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Title: Present Yourself — Using SlideShare to Grow Your Business

Authors: Kit Seeborg and Andrea Meyer

Publisher: O'Reilly Media

Pages: 224

ISBN: 978-1-4493-4236-4

Rating: 9/10

Reviewer: Ben Rothke

Summary: Great resource for maximizing the use of SlideShare and your online presentation presence





SlideShare is a free web 2.0 based slide hosting service where users can upload presentation-based files. Launched in October 2006, it's considered to be similar to YouTube, but for slideshows. It was originally meant to be used for businesses to share slides among employees more easily, but it has since expanded to also become a host of a large number of slides which are uploaded merely to entertain. SlideShare gets an estimated 58 million unique visitors a month and has about 16 million registered users.



With such a strong user base, authors Kit Seeborg and Andrea Meyer write in Present Yourself: Using SlideShare to Grow Your Business how SlideShare users can use the site (including other similar collaborative sites such as Prezi and Scribd) to present their story to a worldwide audience. Given that visual presentations are the new language of business, understanding how to maximize their potential can be a valuable asset for the entrepreneur, job seeker and everyone in between.



The truth is that a book on SlideShare alone would need no more than 15 pages (20 pages if you include the Pro edition). How difficult is it to upload a PowerPoint? As an aside, the truth is that there is a huge market for publishing freely available content. Check out Emereo Publishers on Amazon. They have mastered the art of taking free Wikipedia content and charging for it. Enough digression; in this valuable book, the authors show not only how to use the product, but how to maximize its use.



Throughout the book, the authors quote liberally from science and research on the power of visualization. With that lies the inherent power of SlideShare, as humans like images and think more efficiently when they use them. The authors quote a study which shows that when carrying out routine office tasks, if the data is displayed more visually (such as through visual maps), individuals are 17% more productive and need to use 20% fewer mental resources. As to the saying that a picture is worth a thousand words; the authors show that it has a basis in biological fact.



The book is worth it just for the sage advice in the quote at the beginning of chapter 3 where Nancy Duarte, author of slide:ology: The Art and Science of Creating Great Presentations states about presentations, that "they didn't come to your presentation to see you. They came to find out what you can do for them. Success means giving them a reason for taking their time, providing content that resonates, and ensures it's clear what they are to do". Using Duarte's call to arms with the guidance in the book can hopefully start a meaningful change in how data is presented.



As to the presentation itself, the book notes that the presenter of today has a huge challenge in keeping the audience engaged. Anyone who has presented recently knows that many, often a majority of the audience will be distracted by their smartphones, Twitter, Facebook, Angry Birds and more. With that, presenters must put in extra effort to compete for the mindshare of a distracted audience. The book shows you how to overcome such obstacles and suggests that one way to win more audience attention is to include engaging visual slides with your presentation and show them intermittently instead of in parallel with your talk.



Throughout the book, it is clear that the authors are passionate about the topic, and it lists many resources and uses to make presentations much more effective. The book has numerous real-world examples of such users. One is Adam Tratt of Haiku Deck, a free presentation app for the iPad that makes presentations simple, beautiful, and fun.



Another example is that of Jeremiah Owyang of the Altimeter Group, a research and advisory firm whose reports consistently rank in the top 100 most viewed documents on SlideShare. The amazing thing about their research, which competing firms charge thousands of dollars for, is that it is all free on SlideShare. The example also shows how they use SlideShare Pro for the secure creation of the reports. They view this model of open research as a core asset that has served the firm well, establishing its credibility and reputation as a trusted resource.



While the book has business in its title, it still has significant relevance for end-users, specifically in chapter 7. There it details how you can use SlideShare to further your career and find a job. This is crucial regardless of your profession and industry: while the traditional resume is still alive and well, the ability to place your experience online opens up new horizons. A full professional presence requires both a paper resume and an online presence.



The chapter notes that a comprehensive online presence, especially with a complete profile on LinkedIn, is forty times more likely to receive job opportunities. The authors note that even if a person is not a presenter, there are things they can do on SlideShare to highlight themselves, including a presentation that serves as a visual resume of their career, a portfolio presentation that displays their creative work, and more. Even for those who are not speakers, the authors recommend that the serious job searcher consider public speaking as part of their career strategy.



For those that want to take a look, the first chapter of the book is available here. Not surprisingly, it is on SlideShare.



For those that want to learn everything about SlideShare, from the mundane task of adding a SlideShare widget to your website, to sharing your presentation across social platforms, sharing your content, collaboration, finding a more rewarding job and much more, Present Yourself: Using SlideShare to Grow Your Business is a great resource.



About the review: Ben Rothke