Comments


Book Review: How I Discovered World War II's Greatest Spy

benrothke Re:WW2's greatest spy? (102 comments)

Ok, thanks.

Who would you suggest is the greatest one?

about two weeks ago

Book Review: The Digital Crown

benrothke Re:Flash...? (69 comments)

:::People need to know that some books are not worth buying to save wasting their money.

Agreed.

As to your bike analogy, you mentioned a commercial magazine, where people get paid. I do not get paid to review books.

If I were a professional reviewer, then perhaps I would have more time to review a wider quality range of books. :::So some may ask "what style of writing does

Thanks for the recommendation. Will try to use it for future reviews.

about 3 months ago

Book Review: The Digital Crown

benrothke Re:Flash...? (69 comments)

Your observation that I write anodyne books is accurate. With the exception of this review from September - http://books.slashdot.org/story/13/09/30/1314232/book-review-latest-two-books-by-peter-loshin – I prefer to write reviews of books that I think are exceptionally good. I come across plenty of titles that are rubbish, but prefer not to review them. When I come across a book that I think is a great resource, I will try to share that.

about 3 months ago

Book Review: Present Yourself - Using SlideShare To Grow Your Business

benrothke Re:slashdot book reviews (40 comments)

As a matter of fact, I have a number of books that would be a 2.0 out of 10. I just don't want to waste my time reviewing them.

about 9 months ago

Book Review: Going Clear: Scientology, Hollywood, and the Prison of Belief

benrothke Re:Hey Ben (353 comments)

Thank you for the comments. In my haste to get this review out, I was not as diligent in proofreading as I should have been. With that, you are correct that information is their enemy. I hope my grammatical errors in the review don't get in the way of Mr. Wright's important message. Thanks again.

about a year ago

Submissions


Book review

benrothke benrothke writes  |  about three weeks ago

benrothke (2577567) writes "Title: How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code

Author: David Kahn

Pages: 469

Publisher: Auerbach Publications

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-1466561991

Summary: Very good collection of a large number of excellent articles from David Kahn





When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest, writers in that domain. For anyone with an interest in the topic, Kahn's works are eagerly anticipated and read in detail.



His first book, The Codebreakers – The Story of Secret Writing, was written almost 50 years ago and is a comprehensive overview of the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boat Codes, 1939-1943. The Codebreakers was so good and so groundbreaking that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid-1990s.



With such a pedigree, many, including myself, were looking forward to his latest book "How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code". While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970s. From the book description and cover, one would get the impression that this is an all-new work. But it is not until one reads the preface that it becomes clear the book is simply an assemblage of collected articles.



For those that are long-time fans of Kahn, there is nothing new in the book. For those that want a wide-ranging overview of intelligence, espionage and codebreaking, the book does provide that.



The book gets its title from a 2007 article in which Kahn tracked down who he felt was the greatest spy of World War 2. That was none other than Hans-Thilo Schmidt, who sold information about the Enigma cipher machine to the French. That information made its way to Marian Rejewski of Poland, which led to the ability of the Polish military to read many Enigma-enciphered communications.



An interesting question Kahn deals with is the old conspiracy theory that President Franklin Roosevelt and many in his administration knew about the impending attack on Pearl Harbor. He writes that the theory is flawed for numerous reasons. Kahn notes that the attack on Pearl Harbor succeeded because of Japan's total secrecy about the attack. Even the Japanese ambassadors in Washington, D.C., whose messages the US was reading, were never told of the attack.



Chapter 4, from 1984, is particularly interesting; it deals with how the US viewed Germany and Japan in 1941. Kahn writes that part of the reason the US did not anticipate a Japanese attack was due to racist attitudes. The book notes that many Americans viewed the Japanese as a bucktoothed and bespectacled nation.



Chapter 10, Why Germany's Intelligence Failed in World War II, is one of the most interesting chapters in the book. It is from Kahn's 1978 book "Hitler's Spies: German Military Intelligence in World War II".



In the contest between the Allies and the Axis, the Allies were far from perfect. Battles at Norway, Arnhem and the Bulge were met with huge losses. But overall, the Allies enjoyed significant success in their intelligence, much of it due to their superiority in verbal intelligence because of their far better code-breaking. Kahn writes that the Germans, in contrast, were glaringly inferior.



Kahn writes that there were five basic factors that led to the failure of the Germans, namely: unjustified arrogance, which caused them to lose touch with reality; aggression, which led to a neglect of intelligence; a power struggle within the officer corps, which made many generals hostile to intelligence; the authority structure of the Nazi state, which gravely impaired its intelligence; and anti-Semitism, which deprived German intelligence of many brains.



The Germans' negative attitude towards intelligence went all the way back to World War I, when in 1914 the German Army was so certain of success that many units left their intelligence officers behind. Jump to 1941, and Hitler invaded Russia with no real intelligence preparation. This arrogance, which broke Germany's contact with reality, also prevented intelligence from seeking to resume that contact.



Other interesting stories in the book include how the US spied on the Vatican in WW2, the great spy capers between the US and Soviets, and more.



For those that want a broad overview of the recent history of cryptography, spying and military intelligence, How I Discovered World War II's Greatest Spy and Other Stories of Intelligence and Code is an enjoyable, albeit somewhat disjointed, summary of the topic.



The best part of the book is its broad scope. With topics from Edward Bell and his Zimmermann Telegram memoranda, cryptology and the origins of spread spectrum, to Nothing Sacred: The Allied Solution of Vatican Codes in World War II and a historical theory of intelligence, the book provides a macro view of the subject. The downside is that this comes at the cost of the 30 chapters being drawn from almost as many different books and articles, over the course of almost 40 years.



For those that are avid readers of David Kahn, of which there are many, this title will not be anything new. For those that have read some of Kahn's other works and are looking for more, How I Discovered World War II's Greatest Spy will be an enjoyable read.





Reviewed by Ben Rothke"

Book review: Threat Modeling: Designing for Security

benrothke benrothke writes  |  about a month and a half ago

benrothke (2577567) writes "Title: Threat Modeling: Designing for Security

Author: Adam Shostack

Pages: 624

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118809990

Summary: Invaluable guide to create a formal threat modeling program







Full disclosure: The author of this book and I are friends.





When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, the color-coded terrorism threat advisory scale.



The system was rushed into use, and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented "little practical information" to the public.



While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts.



Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organization faces.



In the introduction, Shostack sums up his approach in four questions:



1. What are you building?

2. What can go wrong with it once it's built?

3. What should you do about those things that can go wrong?

4. Did you do a decent job of analysis?



The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets out a structure in which to model threats, be it in software, applications, systems or services, such as cloud computing.



While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than at the specific item or piece of software code.



An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.



The beauty of the book is that it focuses on gaining empirical data around threats for your organization, rather than simply taking an approach based on Gartner, USA Today or industry best practices.



While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.



For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.



Chapter 18 quotes programmer Henry Spencer, who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on to other approaches which can get in the way of an effective threat modeling program.



Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats, and that is precisely the problem the book aims to address.



As noted, threat modeling is not overly complex. But even if it were indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and customize their approach so that they deal with their own threats.



For those that still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started with threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.



Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can deceive one into thinking they provide protection. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.



Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.



There are only a handful of books on this topic, and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve as to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.



Threat modeling provides compelling benefits: the ability to make better information security decisions and to better focus often limited resources, all while designing a model to protect against current and future threats.



For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.



Reviewed by Ben Rothke."

Book review: The Art of the Data Center

benrothke benrothke writes  |  about 2 months ago

benrothke (2577567) writes "Title: The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments

Author: Douglas Alger

Pages: 368

Publisher: Prentice Hall

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1587142963

Summary: Some of the smartest guys in the data center share their build and design advice





At first glance, The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments appears like a standard coffee table book with some great visuals and photos of various data centers throughout the world. Once you get a few pages into the book, you see it is indeed not a light-read coffee table book, but rather an insightful book where some of the brightest minds in the industry share their insights on data center design and construction.



The book takes a holistic view of how world-class data centers are designed and built. Many of the designers were able to start with a greenfield approach without any constraints, while others were limited by physical restrictions.



Some of the firms profiled in the book are Citi, Digital Realty Trust (who run the world's largest data center in Chicago), eBay, Facebook, IBM, Intel and Yahoo!.



One of the interesting things about hearing 18 different viewpoints, from both US- and Europe-based firms, is that it shows there is not just one way to build a data center. Fundamental data center components such as raised floors are reconsidered in some of the data centers in the book. From UPS to cooling systems and more, Alger details how the nuances of various data centers have influenced their design.



It is an unfortunate reality that many expensive data center builds and expansions fail. The book profiles those that have succeeded, and it is hoped the reader will take the advice to heart in their own build and design.



The book is written in an interview style, where Alger asked the designers various questions on how they came to their design, the rationale behind it, what their strategy was, what constraints they ran into, and more.



The book highlights a broad range of data centers: from those built into a century-old church in Spain, to a former Swedish underground military bunker renovated into a modern data center with artificial daylight, manmade waterfalls and submarine engines providing standby power, to those powered entirely by solar energy.



Many of the data centers that he showcases are designed in order to be LEED (Leadership in Energy and Environmental Design) and Energy Star certified. LEED is a rating system for the design, construction, operation and maintenance of green buildings, homes and neighborhoods, created by the US Green Building Council (USGBC). It should be noted that as of now, the USGBC hasn't set specific criteria for data center LEED certification.



An important point about LEED made in the book is that for those designers that are thinking about LEED certification, it must be done in the design stage and not as an addendum. Obtaining LEED certification must start at design and end with a formal certification after project completion. It was noted that consulting with a qualified LEED professional or consulting firm at the start of the planning process is a must.



While this is not a coffee table book, it does make good use of photos to highlight the nuances and layouts of the various data centers. There are many pictures that show the various types of equipment in use.



As noted, the book showcases many different aspects and often counterintuitive notions of data center design. One of the most significant is ACT, Inc., a nonprofit that runs the ACT test – a college admissions and placement test taken by more than 1.3 million high school graduates every year – which decided to run its active and backup data centers in Iowa City, Iowa, just 5 miles apart. The book details the designer's rationale behind that. Similar case studies are detailed in the book.



One of the major methods in the book used to reduce power consumption and cost is virtualization, which many of the data centers have used and optimized.



One topic lacking in the book is that Alger did not ask detailed questions around the physical security of the buildings. While power, UPS, flooring and the like are critical to the efficacy of a data center, physical security components such as mantraps, access control systems, bollards, surveillance and the like are necessary to ensure all of the previous design items are not placed at risk.



One of the questions he asked every designer is, if they could go back and design the data center all over again, what, if anything, would they do differently. Surprisingly, every one of them said that they had put a lot of planning in and there was nothing major they would change. Most of the designers did say, though, that each data center had small items that could have been revisited to make the center better. But most agreed that many of them are so minor in some respects that it would not be meaningful to go through them.



An interesting point the data center architect at Syracuse University made is that one of the things they did in constructing their data center was to not necessarily be driven by rules of thumb or best practices. Rather, they looked at their own requirements and how they could best optimize everything that they could in the design of the facility.



One common metric used throughout the book is power usage effectiveness (PUE). It is a measure of how efficiently a data center uses energy; specifically, how much energy is used by the computing equipment, as opposed to cooling and other data center overhead. The lower the number (the closer it is to 1.0), the more of the facility's power is used for computing.



Poor data center planning leads to poor use of valuable capital, can significantly increase operational expense, and can negate any computational gains. Many organizations get overwhelmed by the design and focus far too much on speed and power, without taking a larger holistic view of their data center needs.



For those looking for guidance on how to design a world-class data center, The Art of the Data Center: A Look Inside the World's Most Innovative and Compelling Computing Environments should be the place you start.









Reviewed by Ben Rothke."

Book review: The Digital Crown

benrothke benrothke writes  |  about 3 months ago

benrothke (2577567) writes "Title: The Digital Crown: Winning at Content on the Web

Author: Ahava Leibtag

Pages: 358

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124076747

Summary: Invaluable resource and reference for building an effective web content strategy







With Adobe Flash, it's possible to quickly get a pretty web site up and running; something that many firms do. But if there is no content behind the flashy web page, it's unlikely anyone will return.



In The Digital Crown: Winning at Content on the Web, author Ahava Leibtag does a fantastic job of showing how to ensure that your web site has what it takes to get visitors to return, namely great content.



Make no mistake, creating good content for a large organization is a massive job. But for those organizations that are serious about doing it right, the book details all of the steps required to create content that will bring customers back to your web site.



Leibtag writes in the introduction that the reason so many websites and other digital strategy projects fail is because the people managing them don't focus on what really matters. They begin changing things for the sake of change and to simply update, without first asking why. They also forget to ask what the updates will accomplish. What this does is create a focus on the wrong priorities. Leibtag notes that the obvious priority is content.



So what is this thing called content? The book defines it as all of the information assets of your company that you want to share with the world.



The book is based around 7 rules, which form the foundation of an effective and comprehensive content strategy, namely:



1. Start with Your Audience

2. Involve Stakeholders Early and Often

3. Keep it Iterative

4. Create Multidisciplinary Content Teams

5. Make Governance Central

6. Workflow that Works

7. Invest in Professionals and Trust Them





Chapter 1 (freely available here) takes a high-level look at where branding and content meet, and details the need for a strategic content initiative.



An interesting point the book makes in chapter 2, and which is pervasive throughout the book, is to avoid using the term "users" and instead refer to them as customers. Leibtag feels that the term users, as part of a content strategy, makes them far too removed and abstract. Dealing with them as customers makes them real people and changes the dynamics of the content project. Of course, this transition has to be authentic. Simply performing a find/replace of user/customer in your documentation is not what the author intended; nor will such an approach work.



The book is heavy on understanding requirements and has hundreds of questions that need to be asked before creating content. The book is well worth it for that content alone.



It also stresses the importance of getting all stakeholders involved in the content creation process. As part of the requirements gathering process, the book details 3 roadmap steps which must be done in order to facilitate an effective strategy.



The book notes that content is much more than web pages. Content includes various formats, platforms and channels. An effective strategy must take all of these into account. The book notes that there are hundreds of possible formats for content. While it is impossible to deal with every possible option, an organization must know what they are in order to ensure they are creating content that is appropriate for their customers.



By the time you hit page 100, it becomes quite clear that content is something that Leibtag is both passionate about and has extensive experience with. An important point she makes is that it is crucial not to focus on design right away in the project, as it eats up way too much time. The key is to focus the majority of your efforts on the content.



The dilemma that the book notes is that during the requirements gathering process, far too many organizations are imagining a gorgeous web site with all kinds of bells and whistles, beautiful colors and pictures. That in turn moves them to spend (i.e., waste) a tremendous amount of time on design, which leads them to neglect content creation and migration.



The book details multichannel publishing, which is the ability to publish your content on any device and any channel. This is a significant detail, as customers will be accessing your site from everything from desktops with huge screens and bandwidth to mobile devices with smaller screens and often limited bandwidth. This requires you to adapt and change your content publishing process. This is clearly not a trivial endeavor. But doing it right, which the book shows how to do, will pay off in the long run.



Another mistake firms make is that they often think content can be done by just a few people. The book notes that it is imperative to create multidisciplinary content teams, since web content will touch every part of the organization and needs their respective input.



One of the multidisciplinary content teams that must be involved is governance. The book notes that governance standards help you set a consistent customer experience across all channels. By following them, you can avoid replicating content, muddying your main messages and confusing your customers. Governance is also critical in setting internal organizational controls.



Leibtag lays out what needs to be done in extreme detail. She makes it quite clear that there are no quick fixes that can be done to create good content. Creating an effective content marketing strategy and architecture is complex, expensive and challenging. But for most organizations, it is also absolutely necessary for them in order to compete.



The author is the head of a content strategy and content marketing consultancy firm. Like all good consultants, they focus on getting answers to the questions clients often don't even know to ask. With that, the book has myriad questions and requirements that you must answer before you embark on getting your content online.



The book also provides numerous case studies of sites that understand the importance of content and designed their site accordingly. After reading the book, the way you look at web sites will be entirely different. You will likely find that the sites you intuitively return to happen to be those very sites that have done it right and have the content you want.



My only critique of the book is that the author quotes herself and references other articles she wrote far too often. While these articles have valid content, this can come across as somewhat overly promotional. Aside from that, the book is about as good as anything could get on the topic.



For firms that are serious about content and looking for an authoritative reference on how to build out their content and do it right, The Digital Crown: Winning at Content on the Web is certain to be an invaluable resource.







Reviewed by Ben Rothke."

Book review: Digital Archaeology: The Art and Science of Digital Forensics

benrothke benrothke writes  |  about 4 months ago

benrothke (2577567) writes "Title: Digital Archaeology: The Art and Science of Digital Forensics

Author: Michael Graves

Pages: 600

Publisher: Addison-Wesley Professional

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0321803900

Summary: Excellent introductory text to digital forensics





The book Digital Archaeology: The Art and Science of Digital Forensics starts out as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.



Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that people have left behind, which includes artifacts, architecture, biofacts and cultural landscapes.



The author uses archeology and its associated metaphors as a pervasive theme throughout the book. While most archeology projects require shovels and pickaxes, digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, but rather on hard drives, SD cards, smartphones and other types of digital media.



In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts (information, in the case of the topic at hand), the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are to physical mementos.



The book shows you precisely how to extract those artifacts effectively. And in a little over 500 pages, the book's 21 chapters provide a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page, and rather than being a dry reference, Graves writes an interesting guide for the reader who is serious about becoming proficient in the topic.



Rather than providing a dry overview of the topics and associated hardware and software tools, the book takes a real-world approach and provides a detailed narrative of real-world scenarios.



An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence can be held up in court.



The need for proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help them make sense of what happened.



The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer, the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.



The author notes that Warren Kruse and Jay Heiser wrote in Computer Forensics: Incident Response Essentials that the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular levels that represent processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.



Chapter 2 has a section on the constitutional implications of forensic investigation, a topic that is also pervasive throughout the book.



As noted, a significant portion of the book is dedicated to the legal aspects around digital investigations. Graves spends a lot of time on necessary issues such as search warrants and subpoenas, the basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn't apply.



The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics. But it unfortunately does not dig any deeper, and does not provide the same amount of extensive tool listings as do other chapters.



Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.



For those looking for an introductory text on the topic of digital forensics, Digital Archaeology: The Art and Science of Digital Forensics is an excellent read. Its comprehensive overview of the entire topic, combined with the author's excellent writing skills and experience, make the book a worthwhile reference.







Reviewer: Ben Rothke"
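The review above mentions the preservation step of the investigation model and the legal need to keep evidence authentic. The following is an added illustration of what that step looks like in practice; it is not code from Digital Archaeology or its author. It hashes each acquired artifact, records the hashes and a custody log in a manifest, and re-verifies the artifacts before analysis so that any alteration (or a missing item) is caught. The case identifier, examiner names, timestamps and the two byte strings standing in for disk and memory images are all constructed for the example.

```python
"""Evidence preservation: hash each acquired artifact, record a
chain-of-custody manifest, and re-verify the artifacts before analysis.
Added illustration; not code from Digital Archaeology or its author."""
import hashlib
import json


def hash_bytes(data):
    """Hashes conventionally recorded for evidence: MD5 for compatibility
    with older tooling, SHA-256 as the value to rely on."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def log_custody_event(manifest, when, actor, action):
    """Append an entry to the custody log: who did what to the evidence, and when."""
    manifest["custody_log"].append({"at": when, "actor": actor, "action": action})
    return manifest


def build_manifest(case_id, examiner, items, acquired_at):
    """items maps an evidence label to the raw bytes of the acquisition.
    acquired_at is supplied by the caller so the manifest is reproducible."""
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "items": {},
        "custody_log": [],
    }
    for label, data in items.items():
        entry = {"size": len(data)}
        entry.update(hash_bytes(data))
        manifest["items"][label] = entry
    log_custody_event(manifest, acquired_at, examiner, "acquired and hashed")
    return manifest


def manifest_to_json(manifest):
    """Serialize with sorted keys so two manifests of the same evidence compare equal."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def manifest_from_json(text):
    return json.loads(text)


def verify_manifest(manifest, items):
    """Return {label: bool}. An item verifies only if it is present, has the
    recorded size and the recorded SHA-256; anything else is a custody problem."""
    results = {}
    for label, recorded in manifest["items"].items():
        data = items.get(label)
        if data is None:
            results[label] = False
            continue
        current = hash_bytes(data)
        results[label] = (len(data) == recorded["size"]
                          and current["sha256"] == recorded["sha256"])
    return results


# Constructed sample "acquisitions" standing in for a disk image and a memory dump.
SAMPLE_ITEMS = {
    "disk0.dd": b"MBR\x00" * 64 + b"NTFS    " + b"\x00" * 120,
    "memory.raw": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    m = build_manifest("CASE-2014-001", "examiner-a", SAMPLE_ITEMS,
                       "2014-01-15T10:00:00Z")
    log_custody_event(m, "2014-01-15T12:30:00Z", "examiner-b", "received sealed drive")
    stored = manifest_to_json(m)
    print(verify_manifest(manifest_from_json(stored), SAMPLE_ITEMS))
```

The manifest is what gets stored separately from the evidence (and ideally signed or printed into the case file); re-running verify_manifest against the working copy before each examination session is what lets an examiner state under oath that the analyzed data is the data that was acquired.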

Book review: Digital Outcasts

benrothke benrothke writes  |  about 5 months ago

benrothke (2577567) writes "Title: Digital Outcasts: Moving Technology Forward without Leaving People Behind

Author: Kel Smith

Pages: 288

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124047051

Summary: Manifesto for technology accessibility for all





Many of us have experienced what it means to be disabled by sitting in a wheelchair for a few minutes or putting a blindfold over our eyes. In Digital Outcasts: Moving Technology Forward without Leaving People Behind, author Kel Smith details the innumerable obstacles disabled people have to deal with in their attempts to use computers and the Internet.



The book observes that while 1 in 7 people in the world have some sort of disability (including the fact that 1 in every 10 U.S. children has been diagnosed with ADHD), software and hardware product designers, content providers and the companies who support these teams often approach accessibility as an add-on, not as a core component. Adding accessibility functionality to support disabled people is often seen as a lowest common denominator feature, with the companies unaware of the universal benefit their solution could potentially bring to a wider audience.



One of the many examples the book provides is how sidewalk ramps are often an easier way to reach the street, not just for those in wheelchairs, but for those simply walking and wanting an easier route.



In the book, Smith details how digital outcasts often rely on technology for everyday things that we take for granted. The problem is that poorly designed products create an abyss for these outcasts, who number in the hundreds of millions.



So just what is a digital outcast? Smith notes that the term was first introduced by Gareth White of the University of Sussex to describe people who are left behind the innovation curve with respect to new advances in technology. The term is also relevant to today's Internet user who can't perform a simple function such as making an e-commerce purchase or checking their financial statement, due to inaccessibility of the content, platform or device. These outcasts represent large swaths of forgotten populations.



In the first chapter, Smith makes the chilling observation that all of us, at some point or another, will find that our capabilities have diminished. Today's disabled users are not outliers of the able-bodied population – they are a prototype of what our future looks like.



The book provides a detailed overview of how people with disabilities use technology. More importantly, it shows that creating effective user interfaces for those with disabilities is beneficial for all users.



It showcases numerous applications and case studies, including how iPad apps have been used for cognitive therapy, video games used to help with many types of illnesses, and more.



An important point the book makes is that there are no easy answers or silver-bullet solutions. There are no quick add-ons which a firm can use to quickly make their user interfaces outcast compliant. Rather it takes a concerted effort from senior management to make accessibility work.



A key point Smith makes many times is that students with disabilities are left behind. There are many students who fail in antiquated educational systems since the administration can't restructure their curricula around a child's individual talents or aptitudes. He writes that students with disabilities get stigmatized into special education programs, some of which are very good, but which can be socially ostracizing.



Throughout the book, Smith quotes many studies and significant amounts of data that show how software can have a significantly positive impact on the lives of those with disabilities. In chapter 7, he writes that at the Center for BrainHealth at The University of Texas, they used virtual worlds and avatars to help autistic children. That form of therapy has proven to be successful, and 4 or 5 sessions using that technology are worth 2 or 3 years of real-world training.



As detailed in many parts of the book, many doctors say the best high-tech treatments are in fact the ones you can download from an app store.



At the end of the book, Smith writes that for accessibility to work, it has to be an enterprise initiative. He provides 8 strategic steps to doing that, including creating an accessibility task force (and engaging them from the very beginning of the project), knowing the legal landscape (and not being driven solely by law), designing mobile applications to run universally, and more.



Smith sadly writes at the end of the book that while Apple has been at the forefront of accessibility, in 2012, despite having no legal mandate, Apple removed the Speak for Yourself (SFY) application, which was an extremely popular and helpful augmentative and alternative communication app. It seems that SFY is now once again available in the App Store, but with legal maneuvering being what it is, that could change at any moment.



While the accessibility of technology is getting better every year, there are still many challenges ahead. Digital Outcasts: Moving Technology Forward without Leaving People Behind articulately and passionately details the groundwork, itemizes what needs to be done, and implores the reader to do something to ensure this trend continues.



This book is an important read for everyone, as there are two types of people: those who are currently digital outcasts, and those who will be sometime in the future.



The book closes with a most accurate observation: digital outcasts are not a biological model for a future we should fear, they are an inspiration for what we can all become.







Reviewer: Ben Rothke"

Book review: Testing Cloud Services: How to Test SaaS, PaaS & IaaS

benrothke benrothke writes  |  about 6 months ago

benrothke (2577567) writes "

Testing Cloud Services: How to Test SaaS, PaaS & IaaS

Authors: Kees Blokland, Jeroen Mengerink, Martin Pol

Pages: 184

Publisher: Rocky Nook

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1-937538-38-5

Summary: Brings to light the imperative of testing cloud services before deployment







David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype surrounding it ensures that too many firms will adopt it on hype alone, without enough reality and detailed requirements.



While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective.



The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.



At 160 pages, the book is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.



The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.



Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so pervasive is that customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists were made available in softcopy to the reader.



In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.



An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.



About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.



An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performance testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to scale effectively. The chapter details various load tests to perform.



In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.



Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.



With all of the good aspects of this book, a significant deficiency is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left grasping at straws, knowing of the need to perform tests but clueless as to which tools are best to use. Given the authors' expertise in the topic, that omission is significant.



The only other shortcoming of the book is that in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance, specifically the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative (CAI) questionnaire.



With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it relates to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing into the reality of a working solution.



Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimized and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.









Reviewer: Ben Rothke"

Book review: Secret History: The Story of Cryptology

benrothke benrothke writes  |  about 6 months ago

benrothke (2577567) writes "Secret History: The Story of Cryptology

Author: Craig P. Bauer

Pages: 620

Publisher: CRC Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1466561861

Summary: Excellent comprehensive and decipherable text on the history of cryptography







Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably, attempting to create better anecdotes about the adventures of Alice and Bob. David Kahn probably did the best job of it when he wrote The Codebreakers: The Story of Secret Writing in 1967 and set the gold standard for the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it.



While Secret History: The Story of Cryptology is not as groundbreaking, it also has no government censorship. With that, the book is a fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it.



As a preface, the book has cryptology in its title, which is for the most part synonymous with cryptography. Since cryptography is more commonly used, I'll use it in this review.



Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography including classic ciphers and some of the important historical ones such as Enigma and Purple; but also newer systems such as AES and public-key cryptography.



The book claims that the mathematics detailed in it is accessible, requiring minimal mathematical prerequisites. But the reality is that it does require at least a college-level understanding, including algebra, calculus and more.



As an aside, nearly every book on encryption and cryptography that claims no advanced mathematical knowledge is needed doesn't meet that claim. With that, Bauer does a good job of separating the two narratives in the book (cryptography and history), so one who is not comfortable with the high-level math can easily parse through those sections.



Bauer brings an extensive pedigree to the book, as he is a former scholar-in-residence at the NSA Center for Cryptologic History. While Bauer has a Ph.D. in mathematics, that does not take away from his ability as an excellent story teller. And let's face it; telling the story of cryptography in a compelling and readable manner is not an easy task.



The 20 chapters in the book follow a chronological development of encryption and cryptography; from Roman times to current times. Each chapter has a set of exercises that can be accessed here. Besides being extremely well-researched, each chapter has numerous items for further reading and research.



Chapters 1-9 are focused on classical cryptology, with topics ranging from the Caesar cipher, Biblical cryptology, to a history of the Vigenère cipher, the ciphers of WW1 and WW2 and more.



In chapter 8, World War II: The Enigma of Germany, Bauer does a great job of detailing how the Enigma machine worked, including details regarding the cryptanalysis of the device, both in its rotor wirings and how recovering its daily keys ultimately led to its being broken. The chapter also asks the question: what if Enigma had never been broken, and provides a provocative answer to that.



Chapter 8 opens with the famous quote from Ben Franklin that "three may keep a secret if two of them are dead". He notes that the best counterexample to that is the 10,000 people who were involved in the project to break the Enigma. They were all able to maintain their silence about the project for decades, which clearly shows that large groups can indeed keep a secret. Bauer notes that a frequent reaction to conspiracy theories is that large groups of people could never keep a secret for so long.



Chapter 9 provides a fascinating account of the Navajo code talkers. These were a group of Navajo Indians who were specially recruited during World War II by the Marines to serve in their communications units. Since the Navajo language was unknown to the Axis powers, it ensured that all communications were kept completely secret.



While part 1 is quite interesting, part 2 (chapters 10-20) focuses on modern cryptology and is even more fascinating. Bauer does a fantastic job of encapsulating the last 60 years of cryptography, and covers everything from the origins of the NSA, the development of DES and AES, public key cryptography and much more.



The book was printed in March 2013 just before the NSA PRISM surveillance program became public knowledge. If there is any significant mistake in the book, it is in chapter 11 where Bauer writes that "everything I've seen and heard at the NSA has convinced me that the respect for the Constitution is a key component of the culture there".



Aside from the incorrect observation about how the NSA treats the Constitution, the book does an excellent job of integrating both the history of cryptography and the mathematical element. For those who aren't interested in the mathematics, there is plenty of narrative in the book to keep them reading.



For those looking for a comprehensive and decipherable text on the history of cryptography, this is one of the best on the topic in many years.



Kahn's book laid the groundwork that made a book like this possible and Secret History: The Story of Cryptology is a worthy follow-up to that legendary text.





Reviewed by Ben Rothke"

Book review: Two books by Peter Loshin

benrothke benrothke writes  |  about 7 months ago

benrothke (2577567) writes "Two books by Pete Loshin





Simple Steps to Data Encryption: A Practical Guide to Secure Computing

Pages: 86

Publisher: Syngress

ISBN: 978-0124114838



Practical Anonymity: Hiding in Plain Sight Online

Pages: 128

Publisher: Syngress

ISBN: 978-0124104044



Reviewer: Ben Rothke

Summary: Avoid these books. Use the free and better online documentation references.





Of the books that author Pete Loshin has written in the past, a number of them are completely comprised of public domain information that he gathered. Titles such as Big book of Border Gateway Protocol (BGP) RFCs, Big Book of IPsec RFCs, Big Book of Lightweight Directory Access Protocol (LDAP) RFCs, and others, are simply bound copies of publicly available information.



In two of his latest books, Practical Anonymity: Hiding in Plain Sight Online and Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin doesn't do the wholesale cut and paste that he did for the RFC books, but on the other hand, doesn't offer much more information than the reader can get online.



The software tools detailed in the books are open source tools; and the open source community has done a fantastic job of not only making the software free, but creating documentation that is also free and rivals commercial technical guides.



Practical Anonymity is basically an overview of the basics of Tor. The truth is that all it takes to use Tor is to download it and then click on Start Tor Browser. For those who want to read the manuals, the Tor documentation repository has detailed information that includes everything a user needs to know about using the product. The Tor site has numerous manuals, FAQs and more. There is likely enough information there for about 98% of Tor users and potential Tor users.



At 130 pages, the book is useful for those that want a hard copy to read on a bus or plane and for whatever reason, don't want to print out the references from the Tor site. Loshin does a decent job of presenting the topic, including why Tor is important, and who it could most benefit.



Tor was first released in 2002. But since it became known that the NSA was viewing data, Tor usage has doubled, as detailed in a recent Washington Post article.



One of the main drawbacks of Tor, as the book notes in chapter 2 (and as also detailed in the Tor FAQ here), is that Tor is slow; really slow. The FAQ notes that there are many reasons why the Tor network is currently slow. It is first of all important to know that Tor is never going to be extremely fast. All Tor traffic is bouncing through volunteers' computers in various parts of the world, and bottlenecks and network latency will always be present. The current Tor network is small compared to the number of people trying to use it, and Tor can't always handle the file-sharing traffic load.



The book also spends a large amount of space detailing Tails, which is a Linux distro that can be booted from a CD or a USB drive. The benefit of Tails is that no trace of it will be left on the host it was run from.



Like Tor, the Tails documentation repository has a large set of documents and FAQs covering all areas of the product. For those on a budget, this site has everything they need to know about using Tails.



Practical Anonymity: Hiding in Plain Sight Online is a decent start for those who want to be more anonymous. It is far from a comprehensive guide, as using Tor is just the beginning of being anonymous, and far from the only resource or method.



In Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin attempts to provide an overview of why you need encryption, and how to use it. The book barely succeeds at doing that, but there are certainly other titles that do it either more articulately or at least without charging for it. In addition, the book seems like it was rushed to print, and could have used a better technical editor.



In fact, the book starts with an overview of how to use GnuPG (Gnu Privacy Guard). And like Tor, there are numerous free references at the GnuPG documentation site that provide many useful references.



At $60 for the pair, the books provide little added value over the free online documentation. For those who want a bound hard copy of a book, these two titles may suit them. For others who want to save trees and their money, and get the same or better information direct from the source, the respective documentation sites are but a click away.







Reviewer: Ben Rothke"

Book review: The Practice of Network Security Monitoring

benrothke benrothke writes  |  about 7 months ago

benrothke (2577567) writes "Title: The Practice of Network Security Monitoring: Understanding Incident Detection & Response

Author: Richard Bejtlich

Pages: 376

Publisher: No Starch Press

Rating: 9/10

Reviewer:Ben Rothke

ISBN: 978-1593275099

Summary:Definitive guide to the new world of Network Security Monitoring (NSM)





It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure 'my friend') last book, Extrusion Detection: Security Monitoring for Internal Intrusions, came out. That and his other 2 books were heavy on technical analysis and real-world solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16.



In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached. He observes that a critical part of your security posture must be that of network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions.



In this book, Bejtlich details how to design an NSM program from inception. Being a big open source proponent, the book lists no proprietary tools and myriad open source solutions. The book is designed for system and security administrators, CIRT managers and analysts with a strong background in understanding threats, vulnerabilities and security log interpretation.



The book is about the inevitable, that attackers will get inside your network. While it's foreseeable they will get in, it's not inevitable that you have to be caught off-guard. For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.



The book is a hands-on guide to installing and configuring NSM tools. The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.



This is a book about how not to be surprised and its 13 chapters detail how to create and manage a NSM program, what to look for, and details myriad tools to use in the process.



The focus of the book is not on the planning and defense phases of the security cycle (hopefully, that is already in place in your organization), but rather on the actions to take when handling systems that are already compromised or that are on the verge of being compromised, as detailed in the preface.



In chapter 1, the book details the difference between continuous monitoring (CM) and NSM, since the terms are similar and many people confuse the two. CM is big in the federal computing space and NIST provides an overview and definition of it here. The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions. NSM is threat-centric, meaning adversaries are the focus of the NSM operation, while CM is vulnerability-centric, focusing on configuration and software weaknesses.



Also in chapter 1, Bejtlich asks the important question: is NSM legal? He writes that there is no easy answer to that question and anyone using or deploying an NSM solution should first consult with their legal counsel, in order not to potentially violate the US Wiretap Act and other laws and regulations. This is especially true for those who are in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic. Something as simple as running Wireshark on a corporate network in the US would require court approval if done on an EU-based network.



One of the main NSM tools the book references and details is Security Onion (SO). SO is a Linux distro for IDS and NSM. It's based on Ubuntu and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.



The book details and explains how to use these tools in an NSM environment. An important point Bejtlich makes in chapter 9 regarding the tools is that analysts need tools to find intruders, but methodology is more important than just software tools. Tools collect and interpret data, but methodology provides the conceptual model. He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative to start with a good operational model first, and then select tools to provide data supporting that model.



The book has a short discussion of how cloud computing affects NSM. In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, it is generally not an option for SaaS offerings since customers are limited to the back-end logs.



The book closes with the observation that NSM is not just about all the tools that the author spent over 300 pages discussing, rather it is more about the workflows, metrics and collaboration. Unfortunately, this title does not detail the necessary workflows for a NSM and it is hoped that the follow-up to this book will.



The only negative in the book is that as CSO of Mandiant, Bejtlich references his firm's products, mainly their MIR appliance for a CIRT. In the spirit of objectivity and not trying to have the book come across as marketing PR, if an author is going to mention a product their firm sells, they should also mention alternative solutions.



For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.







Reviewed by Ben Rothke"

Book review: Hacking Exposed Mobile Security Secrets & Solutions

benrothke benrothke writes  |  about 8 months ago

benrothke (2577567) writes "Title: Hacking Exposed Mobile Security Secrets & Solutions.

Author: Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray

Page: 320

Publisher: McGraw-Hill Osborne Media

Rating: 9/10

Reviewer:Ben Rothke

ISBN: 978-0071817011

Summary: Excellent resource to understand current mobile security threats





Little did anyone know that when the first Hacking Exposed book came out over 15 years ago, it would launch a set of sequels on topics from Windows, Linux and web development to virtualization, cloud computing and much more.



In 2013, the newest edition is Hacking Exposed Mobile Security Secrets & Solutions. In this edition, authors Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices. The authors have heaps of experience in the topics and bring that to every chapter.



The power of mobile devices can be understood by the fact that this book came out in July 2013, and just last week, Steve Ballmer announced that he will step down as Microsoft CEO. While mobile has spelled doom for Ballmer's career and Microsoft's bottom line, mobile has made the Apple brand relevant again, and extremely dominant. More of a concern is that mobile is the new avenue of security attacks for a new generation of attackers.



The book provides a great overview of the new threats created by mobile devices. Like the other books in the series, it provides an overview of the issues, shows how attackers will use vulnerabilities to compromise and exploit mobile devices, in addition to showing you how to secure your mobile devices and enterprise mobile platforms against these threats.



One difference between this book and other Hacking Exposed titles, especially the Windows editions, is that this one has a dearth of script kiddie tools. This is due to the fact that such tools don't exist so much for the mobile platforms.



The 9 chapters in the book provide a comprehensive and meticulous synopsis of all of the core areas around security and privacy concerns about mobile computing.



The first two chapters provide a thorough analysis of the mobile risk ecosystem and how the cellular networks operate.



One of the major risks detailed in chapter 1 is that of physical risks. When data resides in physical data centers, a company can have some semblance of assurance of security given the data has multiple layers of physical controls in an enterprise data center or colocation. The authors note that physical access to mobile devices is difficult to defend against for very long, and the entire phenomenon of rooting and jailbreaking certainly proves this.



They also write that they have yet to find a mobile application that they could not defeat when given physical access, including defeating the mobile device management software.



The book astutely notes that if your mobile risk model assumes that information can be securely stored indefinitely on a physical mobile device, then you are starting with a false assumption. The entire book is based on the assumption of an attacker gaining control of the mobile device. To compensate for that, the book provides the requisite countermeasures.



Another bit of sagacious advice in the book is ensuring your developers, and those you outsource your development to, understand the specific risks and vulnerabilities around mobile apps. It is crucial that all programmers developing mobile apps be sufficiently trained in how to write secure mobile apps.



Chapter 3 details iOS, the Apple mobile operating system. An interesting part of the chapter is on how to jailbreak Apple devices. But the authors also note that there are pros and cons to jailbreaking. The main negative is that you expose yourself to a variety of attack vectors that could lead to a complete compromise of the device. A non-jailbroken device obviates that in most cases given the security controls in place.



The book also sheds light on the fact that even though iOS is a closed system with fewer threat vectors, it is still far from perfect. The Apple App Store, even with its security controls, is far from impervious to attack. The chapter tells the story of a few malicious apps that slipped past security reviews and found themselves on the Apple App Store. While these malicious apps were later removed, they were there long enough to cause damage.



While the book provides ample evidence of the risk and vulnerabilities around mobile devices, it is rich in appropriate countermeasures and methods to compensate for these. The chapters on iOS and Android provide myriad ways in which to secure the devices. Chapter 8 on mobile development security details a framework in which to secure mobile devices. This framework includes requirements from secure communications, effective authentication, preventing information leakage, to platform controls and more.



Appendix A contains a checklist of options that end-users can use to ensure the security of their private data and sensitive information stored on their mobile devices.



Appendix B is a mobile application penetration testing toolkit for performing security assessment of mobile technologies.



The press is full of stories of how the demise of Microsoft is directly related to their misreading the mobile market. The public has responded to buying mobile devices in the billions, and attackers who not so long ago wrote exploits for Windows, are now putting their efforts into iOS and Android. The message is clear, mobile apps need to be written with security in mind and the mobile devices need to be secured.



For those looking for an understanding of current mobile security threats and how to counter them, Hacking Exposed Mobile Security Secrets & Solutions is a uniquely good book.







Reviewed by Ben Rothke"

Book review: The Healthy Programmer

benrothke benrothke writes  |  about 8 months ago

benrothke (2577567) writes "Title: The Healthy Programmer: Get Fit, Feel Better, and Keep Coding

Pages: 220

Rating: 9/10

Author: Joe Kutner

Publisher: Pragmatic Bookshelf

Language: English

ISBN-13: 978-1937785314

Summary: A diet and lifestyle guide that works for all, not just for programmers.





Diet books are literally a dime a dozen. They generally benefit only the author, publisher and Amazon, leaving the reader frustrated and bloated. With a failure rate of over 99%, diet books are the epitome of a sucker born every minute.



One of the few diet books that can offer change you can believe in is The Healthy Programmer: Get Fit, Feel Better, and Keep Coding. Author Joe Kutner observes that nearly every popular diet fails and the reason is that they are based on the premise of a quick fix without focusing on the long-term core issues. It is inevitable that these diets will fail and the dieters at heart know that. It is simply that they are taking the wrong approach. This book is about the right approach; namely a slow one. With all of the failed diet books, Kutner is one of the few that has gotten it right.



While the title of the book says it's for programmers, it is germane to anyone whose job requires them to be at a desk for extended amounts of time.



Kutner is himself a programmer who builds Ruby and Rails applications, and a former college athlete and Army Reserve physical fitness trainer.



The book focuses on two areas that require change: regular exercise and proper nutrition; and it details the steps necessary to create a balanced lifestyle.



While popular diet books require rapid and major lifestyle changes and promise quick weight-loss, the book notes that small changes to your habits can provide the long-term effects that can improve your health. The book focuses on incremental changes and sustainability, not about losing x pounds in x weeks.



The book is different (read: effective) as opposed to other diet and lifestyle books, in that its goal is to make your healthy lifestyle pragmatic, attainable, and fun. It is only with those aspects that long-term change can be possible.



As to programmers, Kutner writes that programming requires intense concentration that often causes them to neglect other aspects of their lives; the most common of which is their health. People's bodies have not evolved to accommodate a lifestyle of sitting and there are many negative health effects from it.



The book takes a start small approach, rather than one of drastic changes. In chapter 2, it notes the myriad benefits of walking. It states that walking is a powerful activity that can stimulate creative thinking (a required trait for a good programmer) and is a great way to bootstrap your health. The chapter details the ways in which a few short walks during the day can have a dramatic positive effect on your life.



Chapter 3 is about the dangers of chairs and sitting for long periods of time. It details a number of ways to counter the dangers of sitting. It also notes that sometimes you simply can't get away from your chair, and when that happens, you can make sitting less dangerous by forcing your muscles to contract without even getting up. It then details a number of different calisthenics to use to do this.



Chapter 4, Agile Dieting, is perhaps the best part of the book. It details how to fight the real causes of weight gain and details proven solutions that work. That chapter repeatedly uses terms like iterative, sustainable, and slow to show what it really takes to lose weight and achieve a healthy lifestyle.



Kutner notes that most of the popular fad diets are idiosyncratic and unbalanced. They will provide short-term benefits, but ultimately fail miserably. The chapter quotes research data on what needs to be in a balanced diet. It then notes that almost every fad diet violates those needs. Nutrition needs to be rounded and well-balanced and the fad diets for that reason will only work in the short term.



This book is everything the fad diet books are not, and this is most manifest in chapter 4 where Kutner writes one should cut calories slowly. This is based on research which shows that quick, drastic weight loss is counterproductive. While the fad diets talk about drastic caloric changes, Kutner suggests dropping your intake more slowly, about 100 calories every two weeks until you get to your targeted caloric intake level.



While much of the book is on fitness and nutrition, it takes a complete body approach. Chapter 5 details the importance of eye health. This is an important topic since the average programmer spends much of their week behind a monitor.



Kutner writes about computer vision syndrome (CVS); an eye condition resulting from focusing the eyes on a monitor for extended amounts of time. Symptoms of CVS include headaches, blurred vision, neck pain, redness in the eyes, fatigue, eye strain, dry eyes, irritated eyes, double vision, vertigo/dizziness, polyopia, and difficulty refocusing the eyes. The book also details methods in which to minimize the effects of CVS, and how not to become a victim of it. Kutner writes that CVS is what most programmers refer to as life. But it does not have to be that way.



The rest of the book covers other physical ailments that plague programmers. This runs the gamut from headaches, backaches, wrist problems, carpal tunnel, head strain and much more. Most of these problems can be obviated if one follows proper ergonomics practices and employs some of the physical conditioning detailed in the book.



Another theme of the book is using goals as an impetus for change. The book lists 16 goals which can be used as a progressive framework to improve your health. These goals include buying a pedometer, finding your resting heart rate, getting a negative result on the Reverse Phalen's test and other lifestyle changes.



Given the preponderance of obesity, diabetes and other maladies associated with a sedentary lifestyle, this may be one of the most important non-programming books that every developer should read and take to heart.



The book has hundreds of bits of excellent advice and subtle lifestyle suggestions that over time can make a significant difference to your health.



The author has a web site and an iPhone app that can be referenced for additional help. The book is full of sage and pragmatic advice. It has no celebrity endorsement, no gimmicks or false claims; meaning it has a high chance of working.



The book concludes with the observation that programmers often say the hardest part of software development begins when a product is released. The real work, maintenance, continues on, much like your health. You must sustain a state of wellness for the rest of your life, and you need to continue setting goals, iterating and making small improvements.



Many programmers love their job but not the lifestyle problems that come with it. For the programmer that wants the challenges of the profession and the benefits of a healthy lifestyle, The Healthy Programmer: Get Fit, Feel Better, and Keep Coding may be a life changing book, and should find its rightful place on every programmer's desk.





Reviewed by Ben Rothke"

Book review: Present Yourself - Using SlideShare to Grow Your Business

benrothke benrothke writes  |  about 9 months ago

benrothke (2577567) writes "Title: Present Yourself — Using SlideShare to Grow Your Business

Authors: Kit Seeborg and Andrea Meyer

Publisher: O'Reilly Media

Pages: 224

ISBN: 978-1-4493-4236-4

Rating: 9/10

Reviewer: Ben Rothke

Summary: Great resource for maximizing the use of SlideShare and your online presentation presence





SlideShare is a free web 2.0 based slide hosting service where users can upload presentation-based files. Launched in October 2006, it's considered to be similar to YouTube, but for slideshows. It was originally meant to be used by businesses to share slides among employees more easily, but it has since expanded to also become a host of a large number of slides which are uploaded merely to entertain. SlideShare gets an estimated 58 million unique visitors a month and has about 16 million registered users.



With such a strong user base, authors Kit Seeborg and Andrea Meyer write in Present Yourself: Using SlideShare to Grow Your Business how SlideShare users can use the site (including other similar collaborative sites such as Prezi and Scribd) to present their story to a worldwide audience. Given that visual presentations are the new language of business, understanding how to maximize their potential can be a valuable asset for the entrepreneur, job seeker and everyone in between.



The truth is that a book on SlideShare alone would need no more than 15 pages (20 pages if you include the Pro edition). How difficult is it to upload a PowerPoint? As an aside, the truth is that there is a huge market for publishing freely available content. Check out Emereo Publishers on Amazon. They have mastered the art of taking free Wikipedia content and charging for it. Enough digression; in this valuable book, the authors show not only how to use the product, but how to maximize its use.



Throughout the book, the authors quote liberally from science and research on the power of visualization. With that lies the inherent power of SlideShare, as humans like images and think more efficiently when they use them. The authors quote a study which shows that when carrying out routine office tasks, if the data is displayed more visually (such as through visual maps), individuals are 17% more productive and need to use 20% fewer mental resources. As to the saying that a picture is worth a thousand words; the authors show that it has a basis in biological fact.



The book is worth it just for the sage advice in the quote at the beginning of chapter 3 where Nancy Duarte, author of slide:ology: The Art and Science of Creating Great Presentations states about presentations, that "they didn't come to your presentation to see you. They came to find out what you can do for them. Success means giving them a reason for taking their time, providing content that resonates, and ensures it's clear what they are to do". Using Duarte's call to arms with the guidance in the book can hopefully start a meaningful change in how data is presented.



As to the presentation itself, the book notes that the presenter of today has a huge challenge in keeping the audience engaged. Anyone who has presented recently knows that many, often a majority, of the audience will be distracted by their smartphones, Twitter, Facebook, Angry Birds and more. With that, presenters must put in extra effort to compete for the mindshare of a distracted audience. The book shows you how to overcome such obstacles and suggests that one way to win more audience attention is to include engaging visual slides with your presentation and show them intermittently instead of in parallel with your talk.



Throughout the book, it is clear that the authors are passionate about the topic, and it lists many resources and uses to make presentations much more effective. The book has numerous real-world examples of such users. One is Adam Tratt of Haiku Deck; a free presentation app for the iPad that makes presentations simple, beautiful, and fun.



Another example is that of Jeremiah Owyang of the Altimeter Group, a research and advisory firm whose reports consistently rank in the top 100 most viewed documents on SlideShare. The amazing thing about their research, which competing firms charge thousands of dollars for, is that it is all free on SlideShare. The example also shows how they use SlideShare Pro for the secure creation of the reports. They view this model of open research as a core asset that has served the firm well, establishing its credibility and reputation as a trusted resource.



While the book has business in its title, it still has significant relevance for end-users, specifically in chapter 7. There it details how you can use SlideShare to further your career and find a job. This is crucial regardless of your profession and industry, in that while the traditional resume is still alive and well, the ability to place your experience on-line opens up new horizons. A full professional presence requires both a paper resume and an online presence.



The chapter notes that a comprehensive online presence, especially with a complete profile on LinkedIn, is forty times more likely to receive job opportunities. The authors note that even if a person is not a presenter, there are things they can do on SlideShare to highlight themselves; including a presentation that serves as a visual resume of their career, a portfolio presentation that displays their creative work and more. Even for those who are not speakers, the authors recommend that the serious job searcher consider public speaking as part of their career strategy.



For those that want to take a look, the first chapter of the book is available here. Not surprisingly, it is on SlideShare.



For those that want to learn everything about SlideShare, from the mundane of adding a SlideShare widget to your website, sharing your presentation across social platforms, sharing your content, collaboration, finding a more rewarding job and much more, Present Yourself: Using SlideShare to Grow Your Business is a great resource.







About the review: Ben Rothke"

Book review: Assessing Vendors

benrothke benrothke writes  |  about 9 months ago

benrothke (2577567) writes "Title: Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors

Author: Josh More

Publisher: Syngress

ISBN: 978-0124096073

Pages: 94

Reviewer: Ben Rothke

Rating: 8/10

Summary: Good intro to use to start a vendor assessment program





Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical as in the event of a breach, when the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors.



With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a valuable resource for those looking for a basic introduction on how to understand the risks involved when sharing data with 3rd-parties, in addition to selecting the appropriate products for your organization.



Many large organizations have formal programs and processes to evaluate the vendors they interact with, in addition to software and hardware procurement. For those that don't, this 80 page reference is a good place to start.



The book shows you how to find the right balance between performing a superficial assessment and one that is way too deep.



While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that robust information assurance processes and regulations aside, successful vendor management involves a wide range of skills; from technical assessment to business communications, to negotiation and much more.



An effective aspect of the book is that it has many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendor's word, without performing effective due diligence. Rarely will one find a company where too many questions were asked of the vendor.



Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with a goal to select a vendor to solve a specific problem that your organization is experiencing, improving an existing process or adding new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.



The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.



An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your needs first in mind. Far too many organizations let the vendors drive the process, and in turn, the vendor will ensure that their needs are made primary.



One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure; but will often not provide any details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to ensure all of the promised security features do in truth work.



The book provides a lot of common sense advice that may not be intuitive to many people. One bit of invaluable advice is to take the steps to confirm that the vendor you are considering is not selling you gray or black market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.



In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted; you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions on the questionnaire, you will seldom see a vendor higher than the 80-90% range.



A good point the book makes in chapter 5 on testing is that when a vendor requires you to sign an NDA prior to testing, such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.



After you have done all of the dirty work of a vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for a vendor to fudge the information they provide you with, which will skew the results in their favor.



Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.



Selecting a vendor is not a trivial process, and it is not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.



The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.



But for those looking for a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.







Reviewed by Ben Rothke"

Book review: The Chinese Information War

benrothke benrothke writes  |  about 10 months ago

benrothke (2577567) writes "Title: The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests

Author: Dennis Poindexter

Page: 192

Publisher: McFarland

ISBN-13: 978-0786472710

Rating: 9/10

Reviewer: Ben Rothke

Summary: Fascinating overview on the cyberwar with China



It's said that truth is stranger than fiction, as fiction has to make sense. Had The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests been written as a spy thriller, it would have been a fascinating novel of international intrigue.



But the book is far from a novel. It's a dense, but well-researched overview of China's Cold War-like cyberwar tactics against the US to regain its past historical glory and world dominance.



Author Dennis Poindexter shows that Chinese espionage isn't made up of lone wolves. Rather it's under the directive and long-term planning of the Chinese government and military.



Many people growing up in the 1940's expressed the sentiment "we were poor, but didn't know it". Poindexter argues that we are in a cyberwar with China; but most people are oblivious to it.



Rather than being a polemic against China, Poindexter backs it up with extensive factual research. By the end of the book, the sheer number of guilty pleas by Chinese nationals alone should be a staggering wake-up call.



In February, Mandiant released their groundbreaking report APT1: Exposing One of China's Cyber Espionage Units, which focused on APT1, the most prolific Chinese cyber-espionage group that Mandiant tracked. APT1 has conducted a cyber-espionage campaign against a broad range of victims since at least 2006. The report has evidence linking them to China's 2nd Bureau of the People's Liberation Army.



China is using this cyberwar to their supreme advantage and as Poindexter writes on page 1: until we see ourselves in a war, we can't fight it effectively. Part of the challenge is that cyberwar does not fit the definition of what a war generally is because the Chinese have changed the nature of war to carry it out.



Poindexter makes his case in fewer than 200 pages and provides ample references in his detailed research; including many details, court cases and guilty verdicts of how the Chinese government and military work hand in hand to achieve their goals.



The book should be of interest to everyone given the implications of what China is doing. If you are planning to set up shop in China, be it R&D, manufacturing or the like, read this book. If you have intellectual property or confidential data in China, read this book as you need to know the risks before you lose control of your data there.



Huawei Technologies, a Chinese multinational telecommunications equipment and services firm, now the largest telecommunications equipment maker in the world, is detailed in the book. Poindexter details a few cases involving Huawei and writes that if Huawei isn't linked to Chinese intelligence, then it's the most persecuted company in the history of international trade.



The book details in chapter 2 the intersection between cyberwar and economic war. He writes that any foreign business in China is required to share detailed design documents with the Chinese government in order to do business there. For many firms, the short-term economic incentives blind them to the long-term risks of losing control of their data. The book notes that in the Cold War with Russia, the US understood what Russia was trying to do. The US therefore cut back trade with Russia, particularly in areas where there might be some military benefit to them. But the US isn't doing that with China.



Chapter 2 closes with a damning indictment where Poindexter writes that the Chinese steal our technology, rack up sales back to us, counterfeit our goods, take our jobs and own a good deal of our debt. The problem he notes is that too many people focus solely on the economic relations between the US and China, and ignore the underpinnings of large-scale cyber-espionage.



Chapter 6 details that the Chinese have developed a long-term approach. They have deployed numerous sleepers who often wait decades and only then work slowly and stealthily. A point Poindexter makes many times is that the Chinese think big, but move slow.

Chapter 7 is appropriately titled The New Cold War. In order to win this war, Poindexter suggests some radical steps to stop it. He notes that the US needs to limit trade with China to items we can't get anywhere else. He says not to supply China with the rope that will be used to hang the US.



He writes that the Federal Government has to deal with the issue seriously and quickly, to protect its telecommunications interests so that China isn't able to cut it all off one day. He also notes that national security must no longer take a backseat to price and cheap labor.



Poindexter writes that the US Government must take a long view of the solution, and he writes that it will take 10 years to build up the type of forces that would be needed to counter the business and government spying that the Chinese are doing.



Rachel Carson's Silent Spring is the archetypal wake-up call book. Poindexter has written his version of Silent Spring, but it's unlikely that any action will be taken. As the book notes, the Chinese are so blatantly open about their goals via cyber-espionage, and their denials of it so arrogant, that business as usual simply carries on.



The Chinese portray themselves as benevolent benefactors, much like the Kanamits in To Serve Man. Just as the benevolence of the Kanamits was a façade, so too is what is going on with the cold cyberwar with China.



The book is an eye-opening exposé that details the workings of the Chinese government and notes that for most of history, China was the world's dominating force. The Chinese have made it their goal to regain that dominance.



The book states what the Chinese are trying to accomplish and lays out the cold facts. Will there be a response to this fascinating book? Will Washington take action? Will they limit Chinese access to strategic US data? Given Washington is operating in a mode of sequestration, the answer should be obvious.



The message detailed in The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests should be a wake-up call. But given that it is currently ranked #266,881 on Amazon, it seems as if most of America is sleeping through this threat.









Reviewed by Ben Rothke"

Book review: Exploding the Phone

benrothke benrothke writes  |  about 10 months ago

benrothke (2577567) writes "Title: Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell

Author: Phil Lapsley. Foreword by Steve Wozniak

Publisher: Grove Press

Pages: 416

ISBN: 978-0802120618

Reviewer: Ben Rothke

Rating: 9/10

Summary: Fascinating story of the early phone phreaks





In Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell, author Phil Lapsley calls his book "the untold story of the teenagers and outlaws who hacked Ma Bell". The story is an old one, going back to the early 1960's. Lapsley was able to track down many of the original phone phreaks and get their story. Many of them, even though the years have passed, asked Lapsley not to use their real names.



While parts of the story have been told before, Lapsley's far-reaching research brings many of the central characters into a single read, resulting in an extremely interesting and engrossing read.



When Alexander Graham Bell created his harmonic telegraph, which would later turn into the telephone, it was like the Internet, built for functionality, with no inherent security controls. Those security vulnerabilities were begging to be found, and when they were discovered by the phone phreaks, it was a wake-up call to AT&T.



Defining a phone phreak is like defining a hacker; it means different things to different people. Lapsley defines it as "someone who loves exploring the telephone system and experimenting with it to understand how it works."



What the phone phreaks did was to spend endless hours dialing different numbers to understand how the inner-workings of the telephone system operated. Meaningless sounds to most people were music to the phreaks as they could determine how calls were routed via these tones.



Many of the phreaks practiced what is today known as social engineering and would impersonate phone company employees and technicians.



The devices that enabled them to make phone calls were called black boxes, blue boxes, and red boxes. The book notes that Steve Wozniak (who wrote the foreword to the book) and Steve Jobs sold blue boxes before they started Apple. In fact, Jobs is quoted as saying that if they hadn't built blue boxes, there wouldn't have been an Apple.



The book has many layers to it. One part is an interesting history of the telephone and long-distance communications. It then segues into the phone phreaks, who, much like early computer hackers, used the phone network as a portal for exploration and hacking. The vast majority of the phone phreaks did it for the thrill, rather than just to make free phone calls.



One of the things the phone phreaks did was to read as much corporate documentation and manuals (obtained both legally and serendipitously) as they could. Lapsley notes that many of the technical documents that the phone company shared were in truth highly confidential.



As AT&T was a monopoly with zero competition, the notion that someone would use their own technical documentation against them was unheard of. Lapsley writes that for reasons of corporate pride, national service and public relations, AT&T felt an obligation to share its latest and greatest technical feats with the public. For that reason, the Bell System Technical Journal was required reading for every phone phreak.



The web site for the book makes available many of the technical documents detailed in the book that played a role in the development of phone phreaking.



The book details many similarities between the phone phreaks and the early Internet hackers. Just as law enforcement later claimed that Kevin Mitnick could launch missiles by whistling into a phone, it called the phone phreaks a public menace, mentally unstable, a national threat and much more.



Like early hackers, the phone phreaks showed how engineering insiders are often the last to know what is actually possible with the systems they design. Lapsley noted that part of the problem was pride, in that Bell Labs had created the public telephone switching network, and they didn't want to admit how vulnerable it was. Its engineers were spring-loaded to disbelieve reports to the contrary.



Another advantage the phone phreaks, like hackers, had is that the Bell Labs engineers only looked at the system as it was supposed to work. That blinded them to how the system actually did work and how it could be made to do things it was never designed to do.



The result was that they couldn't see the holes in their own network; holes that a blind teenager found. Even when that blind teenager (the book tells the story of Joe Engressia) told them about the problem, they didn't understand it when it was first described to them.



The book describes another major technical security oversight made by AT&T in 1970 with the introduction of the telephone credit card. Lapsley writes that fraud was epidemic, as AT&T's credit card numbering system was a bad joke from a security perspective. The card numbers were easy to guess and highly predictable, resulting in millions of dollars of fraudulent calls.



One of the main recurring characters in the book is John Draper, better known as Captain Crunch. Draper made a lot of money as a legitimate software engineer, but lost it due to his business naiveté and personal demons. Draper had numerous arrests related to phone phreaking and served time in prison.



The book notes that Draper's arrest in 1976 is a textbook case of how not to deal with the FBI when arrested. One of the more astonishing things Draper did when he was read his rights was to waive them. While the FBI didn't have a search warrant, he voluntarily allowed them to search his apartment and Volkswagen van, where incriminating evidence was indeed discovered.



While Draper was later convicted, the book quotes a fascinating observation by a phone company employee that in 90% of the phone phreak and hacker cases, law enforcement in fact had no criminal case. Most of the evidence they had concerned things that couldn't be prosecuted. Either there was no applicable crime on the books, or all they had was the phone phreak's confession, with no tangible evidence.



It wasn't just the phone phreaks who were wreaking havoc on the phone company networks. The book describes others who used black boxes and blue boxes for free calls, from Mafia bookies to the Hare Krishna movement making fraudulent long-distance phone calls.



The book closes in 1982, when the US Dept. of Justice and AT&T came to an agreement to break up Ma Bell into the Baby Bells.



Lapsley has a degree in electrical engineering from UC Berkeley, so he has a deep first-hand understanding of the technology he is writing about. He also has the rare ability to write about bland technical topics and make them both engaging and comprehensible. He understands directly the curiosity the phone phreaks had and their passion to understand the inner workings of the phone system.



For a book that ends over 30 years ago, Phil Lapsley does a superb job of writing the story of the glory days of phone phreaking. In 2013, the notion of a domestic long-distance call is for the most part no longer in anyone's lexicon. But making free long-distance calls was the mantra of the phone phreaks.



Exploding the Phone is the first comprehensive history of the era of phone phreaking, and Lapsley has done a masterful job of making the story fascinating and readable.





Reviewed by Ben Rothke"

Book review: Locked Down: Information Security for Lawyers

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Title: Locked Down: Information Security for Lawyers

Authors: Sharon Nelson, David Ries, John Simek

Publisher: American Bar Association

ISBN-13: 978-1614383642

Reviewer: Ben Rothke

Overview: Required reading for all lawyers

Rating: 9/10









Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA), and had two of its three authors not been attorneys, one would have thought the book was a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security.



With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers.



Such a title is needed, as the legal profession has embraced digital technology for nearly every aspect of its work, has magazines and conferences about legal technology, and much more. Wireless (often insecure) networks are pervasive in law offices throughout legal America.



The underlying problem is that while attorneys often know the intricacies of tort law, court proceedings and the like, they are utterly unaware of the information security and privacy risks surrounding the very technologies they are using. In many firms, the lawyers think that someone is protecting their data, but don't understand their own requirements in those areas of data protection.



Legal IT systems are a treasure trove of personal data. Many small law firms are extremely attractive to identity thieves, given that their systems hold significant amounts of personal information: social security numbers, credit card information, birth dates, financial information and much more. Small law firms are notorious for weak information security controls, and attackers will scan those systems and networks for vulnerabilities.



A pervasive aspect of the book is ABA rule 1.6 regarding the confidentiality of information in client-lawyer relationships. The rule requires that a lawyer not reveal information relating to the representation of a client unless the client gives informed consent. The lawyer may, though, reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary. The myriad details of 1.6 can be left to the bar association to enforce; suffice it to say that a lawyer can find themselves on the wrong side of the law if they are not careful with information security controls.



The authors note that although lawyers are all well aware of rule 1.6, the challenge is how to keep client data secure in the digital age. In a world of paper, things were much easier and cheaper. This is why the authors note that so many otherwise competent lawyers fail so miserably in their duty to maintain the confidentiality of digital client data.



The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they had suffered a security breach. It is figures like those that show that attorneys really need to read this book and take the information to heart.



The book's 17 chapters fit in a readable 150 pages, with an additional 120 pages of appendices. It is written in an easily understandable, non-technical style for the technologically challenged lawyer.



When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don't want to touch with a ten-foot pole. But it has reached a point where attorneys must understand how and when encryption should be used. Just as important, they need to know about key management and what good encryption is. The chapter provides a high-level overview of what needs to be done regarding encryption.



Chapter 13, on secure disposal, is an important topic for everyone, not just lawyers. Digital media needs to be disposed of effectively; many lawyers think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware- and software-based solutions.



Chapter 14, on outsourcing and cloud computing, covers an area where too many attorneys are oblivious to the security and privacy risks. For example, the authors advise attorneys against the use of the free Gmail service, since the terms of service allow Google to do anything it wants with the data. That opens a Pandora's box when it comes to securing client data. The authors advise using the premium Google business versions, so attorneys can stay in control of their data with added security and privacy features.



Two omissions in chapters 13 and 14 are that the authors don't reference NAID (National Association for Information Destruction) or the CSA (Cloud Security Alliance).



Firms that outsource their digital disposal to non-NAID-certified firms run the risk of having a glorified recycler do their work. NAID is an international trade association for companies providing information destruction services. NAID's mission is to promote the information destruction industry and the standards and ethics of its member companies, while the mission of the CSA is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.



The authors include many real-world stories and case law to reinforce their point.



The book closes with a number of appendices on various rules from the FTC, state information protection regulations, the SANS Institute glossary of security terms and more.



For the lawyer looking for an easy-to-read introduction to nearly everything they need to know about information security and privacy, the book is a great resource.



The book closes with the note that since lawyers have an ethical duty to protect their client's data, they have no choice but to keep themselves as well educated as possible.



For the attorney who wants to ensure their knowledge of these requirements remains current and is looking for an easy-to-read introduction to information security and privacy, Locked Down: Information Security for Lawyers should be considered required reading.







About the reviewer: Ben Rothke."

The Plateau Effect: Getting from Stuck to Success

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "

Title: The Plateau Effect: Getting from Stuck to Success

Authors: Bob Sullivan and Hugh Thompson

Publisher: Dutton

ISBN-13: 978-0525952800

Reviewer: Ben Rothke

Overview: Book shows how to learn to identify plateaus and break through any stagnancy in your life.

Rating: 8/10







Full disclosure: I am friends with Hugh Thompson, one of the authors of this book.





One of the challenges in reading The Plateau Effect: Getting from Stuck to Success is figuring out how to classify it. Amazon has it ranked mainly in applied psychology, but also in time management and, inexplicably, personal finance. In some ways it is all of the above and more. In fewer than 300 pages, the authors reference myriad different areas of science, mathematics, psychology and more, in the effort to show readers how they can elevate themselves from the stuff in life that glues them to the status quo.



With that, the premise of the book is that the plateau effect is something that affects everyone. We all have our ups and downs in life, relationships, work and more. The book attempts to help the reader identify plateaus in their life, in order to break through them.



While a plateau is often simply flat terrain, the authors are all over the terrain in the book. They quote and reference liberally from science, statistics, life sciences, psychology, ethics, information technology and much more. From that end, the book is a fascinating and insightful read.



At the start of the book, the authors use the term acclimation to refer to the plateaus that many of us reach. This is the inability to notice changes in the environment around us. To a degree, acclimation is a critical element of our lives. If everything was brand new, life would be overwhelming, both to our senses and our psyche. The downside is that this acclimation often leads us to accept things the way they are, staying on the plateau, getting stuck and being unable to move forward.



The authors note that a real plateau means that you have stopped growing and that your mind and senses are being dulled by sameness; by a routine that sucks the life and soul out of you. Plateaus force you to make bad decisions and feel desperate. By understanding the force and tapping into it, you can get more out of life with less effort, and feel more in tune to your existence. If this scares you that the book sounds like a new-age title, relax, it is far from it, thankfully.



Chapter 3 is one of the many fascinating sections in the book, where the authors detail the greedy algorithm, in which the locally optimal choice is always the one taken. They tie this into the Gekko mantra that greed is good, but note that research has shown that while long-term greed is good, short-term greed, the type that maximizes the here and now, seems to work for a while but almost always leads to a plateau. And as you realize, plateaus are bad.



Chapter 5 details flow mechanisms, step functions and choke points. Author Hugh Thompson is a mathematician, and it's obvious this chapter is his baby. A choke point is a part of a system that breaks first and slows everything else down. The book notes that a common cause of plateaus is not recognizing when and where choke points will occur.



Chapter 6 is another fascinating chapter that details people's inability to effectively deal with risk. The example given is around shark attacks. While the risk of shark attack is extraordinarily low, the media often makes it seem like an epidemic, and the gullible populace overreacts. The authors give many examples of where people don't comprehend risk and statistics. The authors note that people buy lottery tickets, often described as a tax on the mathematically disinclined, despite knowing the odds. They also write that due to various factors, people and society have become overly risk-averse, not realizing how risky that is.



While not new, chapter 7 details the problems with multitasking and its illusions of productivity. The authors quote Jordan Grafman, chief of the cognitive neuroscience section of the National Institute of Neurological Disorders and Stroke, who states that multitasking is actually a misnomer. He terms it rapid toggling between tasks. The downside to this rapid toggling is that people become less effective and productive. The reality they show is that people can't multitask.



While the book is indeed a fascinating and valuable read, some readers may find it somewhat frustrating that the authors at times can seem like they are all over the place, quoting and integrating different facets of science and psychology. While the theme of the book is plateaus, there is not always a discernible sense of unity between all of the examples.



Another shortcoming is the lack of prescriptive actions the reader can take. For the reader who may be indifferent to their need for change, the book may not be of full value to them. It would have been appreciated if the authors had created action items and exercises for each chapter.



But perhaps the best advice is on the third-to-last page of the book. The authors ask: if your company is stuck, has plateaued, and is unable to get past some vexing problems, what should you do? Tell the type A's in the room to be quiet for a while, seek out some frontline introvert and ask for their advice. Giving voice to the quietest person in the room might be the most unique exercise a firm undertakes.



With that, The Plateau Effect: Getting from Stuck to Success is an extremely stimulating read. For the reader who wants to grow and move off their plateau, this will certainly help them. The book promises to help readers unstick themselves from the things in life that weigh them down. It certainly lives up to its promise and makes for a fascinating read.









About the reviewer: Ben Rothke."

The Death of the Internet

benrothke benrothke writes  |  1 year,1 day

benrothke (2577567) writes "Title: The Death of the Internet

Author: Markus Jakobsson

Pages: 392

Publisher: Wiley-IEEE Computer Society Press

ISBN-13: 978-1118062418

Rating: 9/10

Overview: Excellent reference on current Internet security threats









When I first heard about the book The Death of the Internet, it had all the trappings of a second-rate book; a histrionic title and the fact that it had nearly 50 contributors. I have seen far too many books that are pasted together by myriad disparate authors, creating a jerry-rigged book with an ISBN, but little value or substance.



The only negative thing about the book is the over the top title, which I think detracts from the important message that is pervasive in it. Other than that, the book is a fascinating read. Editor Markus Jakobsson (Principal Scientist for Consumer Security at PayPal) was able to take the collected wisdom from a large cross-section of expert researchers and engineers, from different countries and nationalities, academic and corporate environments, and create an invaluable and unique reference.



The premise of the book is that the Internet is a cesspool of inefficient management and vulnerabilities that threaten to undermine its use.



In the preface, Jakobsson asks the obvious question: is the title a joke? He writes that ultimately, if the Internet can't be secured, and that the underlying amount of crime and fraud make the Internet useless and dangerous, then it indeed will lead to the tipping point where the result would be the death of the Internet. Where is that point? Nobody knows.



Chapter 1 observes that if a hostile country or organization wants to hurt us, they may find that the easiest way of doing so is by attacking the Internet, and our very dependence on the Internet invites attacks. We are more vulnerable to these attacks as our dependence on the Internet grows.



Chapter 3 provides an in-depth look at how criminals profit off the Internet and provides an intriguing overview of how click fraud works. While the click fraud rate at one point was as high as 30%, it is still in the range of 20%. The book notes that while the overall click fraud rate has been on the decline, there is the emergence of new schemes and those that focus on display ads. The click fraud schemes are so effective that the fraudsters are operating large scale automated attacks in a way that is difficult for the ad networks to distinguish between fraudulent and real clicks, thus producing high revenue for the fraudsters.



The chapter also provides an interesting look at the malware industry. It notes that malware development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime. The authors detail the interaction between the various components in a typical cybercrime business model, in which individual groups of criminals coordinate their efforts. The outcome is a product known as CaaS – crimeware as a service.



Many have often called the Internet the Wild West. Chapter 4 details the Internet infrastructure and cloud, in which the amorphous cloud images may help fuel the false perception that the Internet is a lawless and unaccountable entity that exists beyond policy. The book notes that what is breaking the Internet is not a lack of policy, but a lack of enforcement and accountability. Internet criminals appear to exist outside the policy structure, when the reality is that they are embedded in it and their livelihood in fact depends on the Internet functioning regularly, quickly and efficiently.



While much of the book is focused on cybercrime and fraud, the book also points fingers at ICANN (Internet Corporation for Assigned Names and Numbers) for in some ways facilitating this Internet crime wave. ICANN is the organization that coordinates the Domain Name System (DNS), Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) top-level domain name system management, and root server system management functions. The authors' premise is that ICANN is more interested in generating revenue and profits than in security.



Due to systemic failures, cybercriminals often hide behind false WHOIS information held by registrars who do not perform adequate due diligence or enforcement. This is primarily because every additional domain name sold creates more revenue for the registrars. Chapter 4 notes that this weak oversight by ICANN is also one of the biggest threats to the stability of the Internet. The chapter quotes a GoDaddy executive who stated that proactive measures to make Internet registries more accurate would not be affordable or useful.



The book provides an analysis of social spam, which has become more pervasive with the emergence of Web 2.0. People are sharing vast amounts of personal data that opens them to these spam attacks. Since the defining characteristic of Web 2.0 is its social nature, it encourages people to share information, collaborate and form social links. These features of social media have the implication that they create a large network of connections between users and content that is controlled almost entirely by the users. This places great power in the hands of well-intentioned users to engage with others and express themselves. But it also provides an opportunity for spammers to exploit the social web for their own interests. As a result, social web applications have become tempting targets for spam and other forms of Internet pollution.



Another fascinating observation around Web 2.0 is that the authors were able to perform usage analysis, in which they identified pieces of information about users that are not necessarily shared directly in their profiles. Items such as sleeping patterns, daily routines, physical locations, and much more can be extracted via metadata and other external analysis.



By the time one gets to chapter 5, one has read 200 pages detailing the problems with security and privacy around the Internet core. Exacerbating this is the role of the end user; the chapter notes that if people are offered the choice of convenience or security, then security will lose. The average Internet user is more lazy than security aware, which is not at all an encouraging observation.



Chapter 7 details one of the banes that has plagued information security: poor user interfaces. It details the four sins of security application user interfaces: popup assault, security by verbosity, walls of checkboxes and all-or-nothing switches. The book is worth purchasing just for this section.



The book ends with some thoughts for the future, but there is no magic wand or quick happy ending that Jakobsson and his band of ultra-smart contributors offer. Throughout the book, the contributors do write that there are ways to secure the Internet, but those require thorough and comprehensive strategies and design. There are countermeasures for most of the threats and vulnerabilities detailed, and the book provides an unparalleled view of the current state of Internet security.



Situational awareness is defined as the perception of environmental elements with respect to time and/or space, the comprehension of their meaning, and the projection of their status after some variable has changed. For those looking for a book to gain situational awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.







About the reviewer: Ben Rothke."

Book review: The Death of the Internet

benrothke benrothke writes  |  1 year,2 days

benrothke (2577567) writes "

When I first heard about the book The Death of the Internet, it had all the trappings of a second-rate book; a histrionic title and the fact that it had nearly 50 contributors. I have seen far too many books that are pasted together by myriad disparate authors, creating a jerry-rigged book with an ISBN, but little value or substance.



The only negative thing about the book is the over the top title, which I think detracts from the important message that is pervasive in it. Other than that, the book is a fascinating read. Editor Markus Jakobsson (Principal Scientist for Consumer Security at PayPal) was able to take the collected wisdom from a large cross-section of expert researchers and engineers, from different countries and nationalities, academic and corporate environments, and create an invaluable and unique reference.



The premise of the book is that the Internet is a cesspool of inefficient management and vulnerabilities that threaten to undermine its use.



In the preface, Jakobsson asks the obvious question: is the title a joke? He writes that ultimately, if the Internet can't be secured, and that the underlying amount of crime and fraud make the Internet useless and dangerous, then it indeed will lead to the tipping point where the result would be the death of the Internet. Where is that point? Nobody knows.



Chapter 1 observes that if a hostile country or organization wants to hurt us, they may find that the easiest way of doing so is by attacking the Internet, and our very dependence on the Internet invites attacks. We are more vulnerable to these attacks as our dependence on the Internet grows.



Chapter 3 provides an in-depth look at how criminals profit off the Internet and provides an intriguing overview of how click fraud works. While the click fraud rate at one point was as high as 30%, it is still in the range of 20%. The book notes that while the overall click fraud rate has been on the decline, there is the emergence of new schemes and those that focus on display ads. The click fraud schemes are so effective that the fraudsters are operating large scale automated attacks in a way that is difficult for the ad networks to distinguish between fraudulent and real clicks, thus producing high revenue for the fraudsters.



The chapter also provides an interesting look at the malware industry. It notes that malware development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime. The authors detail the interaction between the various components in a typical cybercrime business model, in which individual groups of criminals coordinate their efforts. The outcome is a product known as CaaS – crimeware as a service.



Many have often called the Internet the Wild West. Chapter 4 details the Internet infrastructure and cloud, in which the amorphous cloud images may help fuel the false perception that the Internet is a lawless and unaccountable entity that exists beyond policy. The book notes that what is breaking the Internet is not a lack of policy, but a lack of enforcement and accountability. Internet criminals appear to exist outside the policy structure, when the reality is that they are embedded in it and their livelihood in fact depends on the Internet functioning regularly, quickly and efficiently.



While much of the book is focused on cybercrime and fraud, the book also points fingers at ICANN (Internet Corporation for Assigned Names and Numbers) for in some ways facilitating this Internet crime wave. ICANN is the organization that coordinates the Domain Name System (DNS), Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) top-level domain name system management, and root server system management functions. The authors' premise is that ICANN is more interested in generating revenue and profits than in security.



Due to systemic failures, cybercriminals often hide behind false WHOIS information held by registrars who do not perform adequate due diligence or enforcement. This is primarily because every domain name sold generates more revenue for the registrars. Chapter 4 notes that this weak oversight by ICANN is also one of the biggest threats to the stability of the Internet. The chapter quotes a GoDaddy executive who stated that proactive measures to make Internet registries more accurate would not be affordable or useful.



The book provides an analysis of social spam, which has become more pervasive with the emergence of Web 2.0. People are sharing vast amounts of personal data that opens them to these spam attacks. Since the defining characteristic of Web 2.0 is its social nature, it encourages people to share information, collaborate and form social links. These features of social media have the implication that they create a large network of connections between users and content that is controlled almost entirely by the users. This places great power in the hands of well-intentioned users to engage with others and express themselves. But it also provides an opportunity for spammers to exploit the social web for their own interests. As a result, social web applications have become tempting targets for spam and other forms of Internet pollution.



Another fascinating observation around Web 2.0 is that the authors were able to perform user analysis, identifying pieces of information about users that are not necessarily shared directly in their profiles. Items such as sleeping patterns, daily routines, physical locations, and much more can be extracted via metadata and other external analysis.



By the time readers get to chapter 5, they have read 200 pages detailing the problems with security and privacy around the Internet core. Exacerbating this is the role of the end user: the chapter notes that if people are offered the choice of convenience or security, then security will lose. The average Internet user is lazier than security aware; not at all an encouraging observation.



Chapter 7 details one of the banes that have plagued information security: poor user interfaces. It details the four sins of security application user interfaces: popup assault, security by verbosity, walls of checkboxes, and all-or-nothing switches. The book is worth purchasing just for this section.



The book ends with some thoughts for the future, but there is no magic wand or quick happy ending that Jakobsson and his band of ultra-smart contributors offer. Throughout the book, the contributors do, though, write that there are ways to secure the Internet, but those take thorough and comprehensive strategies and design. There are countermeasures for most of the threats and vulnerabilities detailed, and the book provides an unparalleled view of the current state of Internet security.



Situational awareness is defined as the perception of environmental elements with respect to time and/or space, the comprehension of their meaning, and the projection of their status after some variable has changed. For those looking for a book to gain situational awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.

Reviewed by Ben Rothke.