Comment Re:Flash...? (Score 2) 69

Your observation that I write anodyne book reviews is accurate. With the exception of this review from September - http://books.slashdot.org/story/13/09/30/1314232/book-review-latest-two-books-by-peter-loshin - I prefer to write reviews of books that I think are exceptionally good. I come across plenty of titles that are rubbish, but prefer not to review them. When I come across a book that I think is a great resource, I will try to share that.

Submission + - Book review: The Digital Crown

benrothke writes: Title: The Digital Crown: Winning at Content on the Web

Author: Ahava Leibtag

Pages: 358 pages

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124076747

Summary: Invaluable resource and reference for building an effective web content strategy



With Adobe Flash, it's possible to quickly get a pretty web site up and running, something that many firms do. But if there is no content behind the flashy web page, it's unlikely anyone will return.



In The Digital Crown: Winning at Content on the Web, author Ahava Leibtag does a fantastic job of showing how to ensure that your web site has what it takes to get visitors to return to the website, namely great content.



Make no mistake, creating good content for a large organization is a massive job. But for those organizations that are serious about doing it right, the book provides extensive details on all of the steps required to create content that will bring customers back to your web site.



Leibtag writes in the introduction that the reason so many websites and other digital strategy projects fail is because the people managing them don't focus on what really matters. They begin changing things for the sake of change and to simply update, without first asking why. They also forget to ask what the updates will accomplish. What this does is create a focus on the wrong priorities. Leibtag notes that the obvious priority is content.



So what is this thing called content? The book defines it as all of the information assets of your company that you want to share with the world.



The book is based around 7 rules, which form the foundation of an effective and comprehensive content strategy, namely:



1. Start with Your Audience

2. Involve Stakeholders Early and Often

3. Keep it Iterative

4. Create Multidisciplinary Content Teams

5. Make Governance Central

6. Workflow that Works

7. Invest in Professionals and Trust Them




Chapter 1 (freely available here) takes a high-level look at where branding and content meet, and details the need for a strategic content initiative.



An interesting point the book makes in chapter 2, which is pervasive throughout the book, is to avoid using the term users; rather, refer to them as customers. Leibtag feels that the term users, as part of a content strategy, makes them far too removed and abstract. Dealing with them as customers makes them real people and changes the dynamics of the content project. Of course, this transition has to be authentic. Simply performing a find/replace of user/customer in your documentation is not what the author intended; nor will such an approach work.



The book is heavy on understanding requirements and has hundreds of questions that need to be asked before creating content. The book is well worth it for that content alone.



It also stresses the importance of getting all stakeholders involved in the content creation process. As part of the requirements gathering process, the book details 3 roadmap steps which must be done in order to facilitate an effective strategy.



The book notes that content is much more than web pages. Content includes various formats, platforms and channels. An effective strategy must take all of these into account. The book notes that there are hundreds of possible formats for content. While it is impossible to deal with every possible option, an organization must know what they are in order to ensure they are creating content that is appropriate for their customers.



By the time you hit page 100, it becomes quite clear that content is something that Leibtag is both passionate about and has extensive experience with. An important point she makes is that it is crucial not to focus on design right away in the project, as it eats up way too much time. The key is to focus the majority of your efforts on the content.



The dilemma that the book notes is that during the requirements gathering process, far too many organizations are imagining a gorgeous web site with all kinds of bells and whistles, beautiful colors and pictures. That in turn moves them to spend (i.e., waste) a tremendous amount of time on design, which leads them to neglect content creation and migration.



The book details multichannel publishing, which is the ability to publish your content on any device and any channel. This is a significant detail, as customers will be accessing your site from desktops with huge screens and bandwidth to mobile devices with smaller screens and often limited bandwidth. This requires you to adapt and change your content publishing process. This is clearly not a trivial endeavor. But doing it right, which the book shows how to do, will pay off in the long run.



Another mistake firms make is that they often think content can be done by just a few people. The book notes that it is an imperative to create multidisciplinary content teams, since web content will touch every part of the organization, and needs their respective input.



One of the multidisciplinary content teams that must be involved is governance. The book notes that governance standards help you set a consistent customer experience across all channels. By following them, you can avoid replicating content, muddying your main messages and confusing your customers. Governance is also critical in setting internal organizational controls.



Leibtag lays out what needs to be done in extreme detail. She makes it quite clear that there are no quick fixes that can be done to create good content. Creating an effective content marketing strategy and architecture is complex, expensive and challenging. But for most organizations, it is also absolutely necessary in order to compete.



The author is the head of a content strategy and content marketing consultancy firm. Like all good consultants, they focus on getting answers to the questions clients often don't even know to ask. With that, the book has myriad questions and requirements that you must answer before you embark on getting your content online.



The book also provides numerous case studies of sites that understand the importance of content and designed their site accordingly. After reading the book, the way you look at web sites will be entirely different. You will likely find that the sites you intuitively return to happen to be those very sites that have done it right and have the content you want.



My only critique of the book is that the author quotes herself and references other articles she wrote far too often. While these articles have valid content, this can come across as somewhat overly promotional. Aside from that, the book is about as good as anything could get on the topic.



For firms that are serious about content and looking for an authoritative reference on how to build out their content and do it right, The Digital Crown: Winning at Content on the Web is certain to be an invaluable resource.




Reviewed by Ben Rothke.

Submission + - Book review: Digital Archaeology: The Art and Science of Digital Forensics

benrothke writes: Title: Digital Archaeology: The Art and Science of Digital Forensics

Author: Michael Graves

Pages: 600

Publisher: Addison-Wesley Professional

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0321803900

Summary: Excellent introductory text to digital forensics




The book Digital Archaeology: The Art and Science of Digital Forensics starts as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.



Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes.



The author uses archeology and its associated metaphors as a pervasive theme throughout the book. While most archeology projects require shovels and pickaxes, digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, but rather on hard drives, SD cards, smartphones and other types of digital media.



In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts (information, when dealing with our topic at hand), the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are to physical mementos.



The book shows you precisely how to extract those artifacts effectively. And in a little over 500 pages, the book's 21 chapters provide a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page and rather than being a dry reference, Graves writes an interesting reference guide for the reader who is serious about becoming proficient in the topic.



Rather than providing a dry overview of the topics and associated hardware and software tools, the book takes a real-world approach and provides a detailed narrative of real-world scenarios.



An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence can be held up in court.



The need for proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help them make sense of what happened.



The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer, the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.



The author notes that Warren Kruse and Jay Heiser wrote in Computer Forensics: Incident Response Essentials that the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular levels that represent processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.



Chapter 2 has a section on the constitutional implications of forensic investigation, a topic which is also pervasive throughout the book.



As noted, a significant portion of the book is dedicated to the legal aspects around digital investigations. Graves spends a lot of time on these needed issues such as search warrants and subpoenas, basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn't apply.



The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics. But it unfortunately does not dig any deeper, and does not provide the same amount of extensive tool listings as do other chapters.



Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.



For those looking for an introductory text on the topics of digital forensics, Digital Archaeology: The Art and Science of Digital Forensics is an excellent read. Its comprehensive overview of the entire topic combined with the author's excellent writing skills and experience make the book a worthwhile reference.





Reviewer: Ben Rothke

Submission + - Book review: Digital Outcasts

benrothke writes: Title: Digital Outcasts: Moving Technology Forward without Leaving People Behind

Author: Kel Smith

Pages: 288

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124047051

Summary: Manifesto for technology accessibility for all




Many of us have experimented with what it means to be disabled, by sitting in a wheelchair for a few minutes or putting a blindfold over our eyes. In Digital Outcasts: Moving Technology Forward without Leaving People Behind, author Kel Smith details the innumerable obstacles disabled people have to deal with in their attempts to use computers and the Internet.



The book observes that while 1 in 7 people in the world have some sort of disability (including the fact that 1 in every 10 U.S. children has been diagnosed with ADHD), software and hardware product designers, content providers and the companies who support these teams often approach accessibility as an add-on, not as a core component. Adding accessibility functionality to support disabled people is often seen as a lowest common denominator feature, with the companies unaware of the universal benefit their solution could potentially bring to a wider audience.



One of the many examples of this which the book provides is how sidewalk ramps are often an easier access method to streets, not just for those in wheelchairs, but for those simply walking and desiring an easier method.



In the book, Smith details how digital outcasts often rely on technology for everyday things that we take for granted. The problem is that poorly designed products create an abyss for these outcasts, who number in the hundreds of millions.



So just what is this digital outcast? Smith notes that the term was first introduced by Gareth White of the University of Sussex to describe people who are left behind the innovation curve with respect to new advances in technology. The term is also relevant to today's Internet user who can't perform a simple function such as making an e-commerce purchase or checking their financial statement, due to inaccessibility of the content, platform or device. These outcasts represent large swaths of forgotten populations.



In the first chapter, Smith makes the chilling observation that all of us, at some point or another, will find that our capabilities have diminished. Today's disabled users are not outliers of the able-bodied population – they are a prototype of what our future looks like.



The book provides a detailed overview of how people with disabilities use technology. More importantly, it shows that creating effective user interfaces for those with disabilities is beneficial for all users.



It showcases numerous applications and case studies, including how iPad apps have been used for cognitive therapy, video games to help many types of illnesses and more.



An important point the book makes is that there are no easy answers or silver-bullet solutions. There are no quick add-ons which a firm can use to quickly make their user interfaces outcast compliant. Rather it takes a concerted effort from senior management to make accessibility work.



A key point Smith makes many times is that students with disabilities are left behind. There are many students who fail in antiquated educational systems since the administration can't restructure their curricula around a child's individual talents or aptitudes. He writes that students with disabilities get stigmatized into special education programs, some of which are very good, but can be socially ostracizing.



Throughout the book, Smith quotes many studies and significant amounts of data that show the power of how software can make significantly positive impacts on the lives of those with disabilities. In chapter 7, he writes that at the Center for BrainHealth at The University of Texas, they used virtual worlds and avatars to help autistic children. That form of therapy has proven to be successful, and 4 or 5 sessions using that technology are worth 2 or 3 years of real-world training.



As detailed in many parts of the book, many doctors say the best high-tech treatments are in fact the ones you can download from an app store.



At the end of the book, Smith writes that for accessibility to work, it has to be an enterprise initiative. He provides 8 strategic steps to doing that, including creating an accessibility task force (and engaging them from the very beginning of the project), knowing the legal landscape (and not being driven solely by law), designing mobile applications to be run universally, and more.



Smith sadly writes at the end of the book that while Apple has been at the forefront of accessibility, in 2012, despite having no legal mandate, Apple removed the Speak for Yourself (SFY) application, which was an extremely popular and helpful augmentative and alternative communication app. It seems that SFY is now once again available in the App Store, but with legal maneuvering what it is, that could change at any moment.



While the accessibility of technology is getting better every year, there are still many challenges ahead. Digital Outcasts: Moving Technology Forward without Leaving People Behind articulately and passionately details the groundwork, itemizes what needs to be done, and implores the reader to do something to ensure this trend continues.



This book is an important read for everyone, as there are two types of people: those that are currently digital outcasts, and those that will be sometime in the future.



The book closes with a most accurate observation: digital outcasts are not a biological model for a future we should fear, they are an inspiration for what we can all become.






Reviewer: Ben Rothke

Submission + - Book review: Testing Cloud Services: How to Test SaaS, PaaS & IaaS

benrothke writes: Testing Cloud Services: How to Test SaaS, PaaS & IaaS

Authors: Kees Blokland, Jeroen Mengerink, Martin Pol

Pages: 184

Publisher: Rocky Nook

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1-937538-38-5

Summary: Brings to light the imperative of testing cloud services before deployment




David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements.



While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective.



The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.



At 160 pages, the book is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.



The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.



Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists were made available in softcopy to the reader.



In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.



An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.



About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.



An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performance testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to scale effectively. The chapter details various load tests to perform.



In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, whether regular maintenance is considered downtime or not.



Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.



With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left grasping at straws, knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors' expertise in the topic, that lacking is significant.



The only other lacking in the book is in section 5.3 on testing security, where the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance, specifically the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative (CAI) questionnaire.



With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it relates to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing into the reality of a working solution.



Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimized and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.






Reviewer: Ben Rothke

Submission + - Book review: Secret History: The Story of Cryptology

benrothke writes: Secret History: The Story of Cryptology

Author: Craig P. Bauer

Pages: 620

Publisher: CRC Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1466561861

Summary: Excellent comprehensive and decipherable text on the history of cryptography




Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably, attempting to create better anecdotes about the adventures of Alice and Bob. David Kahn probably did the best job of it when he wrote The Codebreakers: The Story of Secret Writing in 1967 and set the gold standard on the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it.



While Secret History: The Story of Cryptology is not as groundbreaking, it also has no government censorship. With that, the book is a fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it.



As a preface, the book has cryptology in its title, which is for the most part synonymous with cryptography. Since cryptography is more commonly used, I'll use it in this review.



Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography, including classic ciphers and some of the important historical ones such as Enigma and Purple, but also newer systems such as AES and public-key cryptography.



The book claims that the mathematics detailed in it are accessible, requiring minimal mathematical prerequisites. But the reality is that it does require at least a college level understanding, including algebra, calculus and more.



As an aside, nearly every book on encryption and cryptography that claims no advanced mathematical knowledge is needed doesn't meet that claim. With that, Bauer does a good job of separating the two narratives in the book (cryptography and history), so one who is not comfortable with the high-level math can easily parse through those sections.



Bauer brings an extensive pedigree to the book, as he is a former scholar-in-residence at the NSA Center for Cryptologic History. While Bauer has a Ph.D. in mathematics, that does not take away from his ability as an excellent storyteller. And let's face it, telling the story of cryptography in a compelling and readable manner is not an easy task.



The 20 chapters in the book follow a chronological development of encryption and cryptography; from Roman times to current times. Each chapter has a set of exercises that can be accessed here. Besides being extremely well-researched, each chapter has numerous items for further reading and research.



Chapters 1-9 are focused on classical cryptology, with topics ranging from the Caesar cipher, Biblical cryptology, to a history of the Vigenère cipher, the ciphers of WW1 and WW2 and more.



In chapter 8, World War II: The Enigma of Germany, Bauer does a great job of detailing how the Enigma machine worked, including details regarding the cryptanalysis of the device, both in its rotor wirings and how recovering its daily keys ultimately led to its being broken. The chapter also asks the question: what if Enigma had never been broken, and provides a provocative answer to that.



Chapter 8 opens with the famous quote from Ben Franklin that "three may keep a secret if two of them are dead". He notes that the best counterexample to that is of the 10,000 people that were involved in the project to break the Enigma. They all were able to maintain their silence about the project for decades; which clearly shows that large groups can indeed keep a secret. Bauer notes that it is often a reaction to conspiracy theories that large groups of people could never keep a secret for so long.



Chapter 9 provides a fascinating account of the Navajo code talkers. These were a group of Navajo Indians who were specially recruited during World War II by the Marines to serve in their communications units. Since the Navajo language was unknown to the Axis powers, it ensured that all communications were kept completely secret.



While part 1 is quite interesting, part 2 (chapters 10-20) focuses on modern cryptology and is even more fascinating. Bauer does a fantastic job of encapsulating the last 60 years of cryptography, and covers everything from the origins of the NSA, the development of DES and AES, public key cryptography and much more.



The book was printed in March 2013 just before the NSA PRISM surveillance program became public knowledge. If there is any significant mistake in the book, it is in chapter 11 where Bauer writes that "everything I've seen and heard at the NSA has convinced me that the respect for the Constitution is a key component of the culture there".



Aside from the incorrect observation about how the NSA treats the Constitution, the book does an excellent job of integrating both the history of cryptography and the mathematical element. For those that aren't interested in the mathematics, there is plenty of narrative in the book to keep them reading.



For those looking for a comprehensive and decipherable text on the history of cryptography, this is one of the best on the topic in many years.



Kahn's book laid the groundwork that made a book like this possible and Secret History: The Story of Cryptology is a worthy follow-up to that legendary text.





Reviewed by Ben Rothke

Submission + - Book review: Two books by Peter Loshin

benrothke writes: Two books by Pete Loshin




Simple Steps to Data Encryption: A Practical Guide to Secure Computing

Pages: 86

Publisher: Syngress

ISBN: 978-0124114838



Practical Anonymity: Hiding in Plain Sight Online

Pages: 128

Publisher: Syngress

ISBN: 978-0124104044



Reviewer: Ben Rothke

Summary: Avoid these books. Use the free and better online documentation references.




Of the books that author Pete Loshin has written in the past, a number of them are completely comprised of public domain information that he gathered. Titles such as Big book of Border Gateway Protocol (BGP) RFCs, Big Book of IPsec RFCs, Big Book of Lightweight Directory Access Protocol (LDAP) RFCs, and others, are simply bound copies of publicly available information.



In two of his latest books, Practical Anonymity: Hiding in Plain Sight Online and Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin doesn't do the wholesale cut and paste like he did for the RFC books, but on the other hand, doesn't offer much more information than the reader can get online.



The software tools detailed in the books are open source tools, and the open source community has done a fantastic job of not only making the software free, but creating documentation that is also free and rivals commercial technical guides.



Practical Anonymity is basically an overview of the basics of Tor. The truth is that all that it takes to use Tor is to download it and then click on Start Tor Browser. For those that want to read the manuals, the Tor documentation repository has detailed information that includes everything a user needs to know about using the product. The Tor site has numerous manuals, FAQs and more. There is likely enough information there for about 98% of Tor users and potential Tor users.



At 130 pages, the book is useful for those that want a hard copy to read on a bus or plane and for whatever reason, don't want to print out the references from the Tor site. Loshin does a decent job of presenting the topic, including why Tor is important, and who it could most benefit.



Tor was first released in 2002. But since it became known that the NSA was viewing data, Tor usage has doubled, as detailed in a recent Washington Post article.



One of the main drawbacks of Tor, as the book notes in chapter 2 (and also detailed in the Tor FAQ here) is that Tor is slow; really slow. The FAQ notes that there are many reasons why the Tor network is currently slow. It is first off important to know that Tor is never going to be extremely fast. All Tor traffic is bouncing through volunteers' computers in various parts of the world, and bottlenecks and network latency will always be present. The current Tor network is small compared to the number of people trying to use it, and Tor can't always handle file-sharing traffic load.



The book also spends a large amount of space detailing Tails, which is a Linux distro that can be booted from a CD or a USB drive. The benefit of Tails is that no trace of it will be left on the host it was run off of.



Like Tor, the Tails documentation repository has a large set of documents and FAQs covering all areas of the product. For those on a budget, this site has everything that they need to know about using Tails.



Practical Anonymity: Hiding in Plain Sight Online is a decent start for those who want to be more anonymous. It is far from a comprehensive guide, as using Tor is just the beginning of being anonymous, and is far from the only resource or method.



In Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin attempts to provide an overview of why you need encryption, and how to use it. The book barely succeeds at doing that, but there are certainly other titles that do it either more articulately or at least without charging for it. In addition, the book seems like it was rushed to print, and could have used a better technical editor.



In fact, the book starts with an overview of how to use GnuPG (Gnu Privacy Guard). And like Tor, there are numerous free references at the GnuPG documentation site that provide many useful references.



At $60 for the pair, the books provide little added value to the free online documentation. For those that want a bound hard copy of a book, these two titles may suit them. For others who want to save trees and their money, and get the same and improved information direct from the source, the respective documentation sites are but a click away.







Reviewer: Ben Rothke

Submission + - Book review: The Practice of Network Security Monitoring

benrothke writes: Title: The Practice of Network Security Monitoring: Understanding Incident Detection & Response

Author: Richard Bejtlich

Pages: 376

Publisher: No Starch Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1593275099

Summary: Definitive guide to the new world of Network Security Monitoring (NSM)





It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure 'my friend') last book Extrusion Detection: Security Monitoring for Internal Intrusions came out. That and his other 2 books were heavy on technical analysis and real-world solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16.



In The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Bejtlich takes the approach that your network will be attacked and breached. He observes that a critical part of your security posture must be that of network security monitoring (NSM), which is the collection and analysis of data to help you detect and respond to intrusions.



In this book, Bejtlich details how to design an NSM program from the initiation state. As Bejtlich is a big open source proponent, the book lists no proprietary tools and myriad open source solutions. The book is designed for system and security administrators, CIRT managers and analysts with a strong background in understanding threats, vulnerabilities and security log interpretation.



The book is about the inevitable, that attackers will get inside your network. While it's foreseeable they will get in, it's not inevitable that you have to be caught off-guard. For those who are serious about securing their network, this is an invaluable book that provides a unique and very workable model to create a fully-functioning NSM infrastructure.



The book is a hands-on guide to installing and configuring NSM tools. The reader who is comfortable using tools such as Wireshark, Nmap and the like will be quite at home here.



This is a book about how not to be surprised, and its 13 chapters detail how to create and manage an NSM program, what to look for, and the myriad tools to use in the process.



The focus of the book is not on the planning and defense phases of the security cycle (hopefully, that is already in place in your organization), but rather on the actions to take when handling systems that are already compromised or that are on the verge of being compromised, as detailed in the preface.



In chapter 1, the book details the difference between continuous monitoring (CM) and NSM, since the terms are similar and many people confuse the two. CM is big in the federal computing space and NIST provides an overview and definition of it here. The book notes that CM has almost nothing to do with NSM or even with trying to detect and respond to intrusions. NSM is threat-centric, meaning adversaries are the focus of the NSM operation; while CM is vulnerability-centric, focusing on configuration and software weaknesses.



Also in chapter 1, Bejtlich asks the important question: is NSM legal? He writes that there is no easy answer to that question, and anyone using or deploying an NSM solution should first consult with their legal counsel, in order not to potentially violate the US Wiretap Act and other laws and regulations. This is especially true for those who are in European Union (EU) countries, as the EU places a high threshold on information security teams who want to monitor network traffic. Something as simple as running Wireshark on a corporate network in the US would require court approval if done on an EU-based network.



One of the main NSM tools the book references and details is Security Onion (SO). SO is a Linux distro for IDS and NSM. It's based on Ubuntu and the distro contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner and many other useful security tools.



The book details and explains how to use these tools in an NSM environment. An important point Bejtlich makes in chapter 9 regarding the tools is that analysts need tools to find intruders, but methodology is more important than just software tools. Tools collect and interpret data, but methodology provides the conceptual model. He explains that CIRT analysts must understand how to use tools to achieve a particular goal, but it is imperative to start with a good operational model first, and then select tools to provide data supporting that model.



The book has a short discussion of how cloud computing affects NSM. In a nutshell, the cloud throws a monkey wrench into an NSM effort. For example, it is generally not an option for SaaS offerings since customers are limited to the back-end logs.



The book closes with the observation that NSM is not just about all the tools that the author spent over 300 pages discussing; rather it is more about the workflows, metrics and collaboration. Unfortunately, this title does not detail the necessary workflows for an NSM program, and it is hoped that the follow-up to this book will.



The only negative in the book is that as CSO of Mandiant, Bejtlich references his firm's products, mainly their MIR appliance for a CIRT. In the spirit of objectivity and not trying to have the book come across as marketing PR, if an author is going to mention a product their firm sells, they should also mention alternative solutions.



For those looking for a comprehensive guide on the topic of NSM, written by one of the experts in the field, The Practice of Network Security Monitoring: Understanding Incident Detection and Response is an excellent reference that is certain to make the reader a better information security practitioner, and their network more secure.







Reviewed by Ben Rothke

Submission + - Book review: Hacking Exposed Mobile Security Secrets & Solutions

benrothke writes: Title: Hacking Exposed Mobile Security Secrets & Solutions.

Author: Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray

Pages: 320

Publisher: McGraw-Hill Osborne Media

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0071817011

Summary: Excellent resource to understand current mobile security threats





Little did anyone know, when the first Hacking Exposed book came out over 15 years ago, that it would launch a set of sequels on topics from Windows, Linux, web development, to virtualization and cloud computing, and much more.



In 2013, the newest edition is Hacking Exposed Mobile Security Secrets & Solutions. In this edition, authors Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices. The authors have heaps of experience in the topics and bring that to every chapter.



The power of mobile devices can be understood by the fact that this book came out in July 2013, and just last week, Steve Ballmer announced that he will step down as Microsoft CEO. While mobile has spelled the doom of Ballmer's career and Microsoft's bottom line, mobile has made the Apple brand relevant again, and extremely dominant. More of a concern is that mobile is the new avenue of security attacks for a new generation of attackers.



The book provides a great overview of the new threats created by mobile devices. Like the other books in the series, it provides an overview of the issues, shows how attackers will use vulnerabilities to compromise and exploit mobile devices, in addition to showing you how to secure your mobile devices and enterprise mobile platforms against these threats.



One difference between this book and other Hacking Exposed titles, especially the Windows editions, is that this one has a dearth of script kiddie tools. This is due to the fact that such tools don't exist so much for the mobile platforms.



The 9 chapters in the book provide a comprehensive and meticulous synopsis of all of the core areas around security and privacy concerns about mobile computing.



The first two chapters provide a thorough analysis of the mobile risk ecosystem and how the cellular networks operate.



One of the major risks detailed in chapter 1 is that of physical risks. When data resides in physical data centers, a company can have some semblance of assurance of security given the data has multiple layers of physical controls in an enterprise data center or colocation. The authors note that physical access to mobile devices is difficult to defend against for very long, and the entire phenomenon of rooting and jailbreaking certainly proves this.



They also write that they have yet to find a mobile application that they could not defeat when given physical access, including defeating the mobile device management software.



The book astutely notes that if your mobile risk model assumes that information can be securely stored indefinitely on a physical mobile device, then you are starting with a false assumption. The entire book is based on the assumption of an attacker gaining control of the mobile device. To compensate for that, the book provides the requisite countermeasures.



Another bit of sagacious advice in the book is ensuring your developers, and those you outsource your development to, understand the specific risks and vulnerabilities around mobile apps. It is crucial that all programmers developing mobile apps be sufficiently trained in how to write secure mobile apps.



Chapter 3 details iOS, the Apple mobile operating system. An interesting part of the chapter is on how to jailbreak Apple devices. But the authors also note that there are pros and cons to jailbreaking. The main negative is that you expose yourself to a variety of attack vectors that could lead to a complete compromise of the device. A non-jailbroken device obviates that in most cases given the security controls in place.



The book also sheds light on the fact that even though iOS is a closed system with fewer threat vectors, it is still far from perfect. The Apple App Store, even with its security controls, is far from impervious to attack. The chapter tells the story of a few malicious apps that slipped past security reviews and found themselves on the Apple App Store. While these malicious apps were later removed, they were there long enough to cause damage.



While the book provides ample evidence of the risk and vulnerabilities around mobile devices, it is rich in appropriate countermeasures and methods to compensate for these. The chapters on iOS and Android provide myriad ways in which to secure the devices. Chapter 8 on mobile development security details a framework in which to secure mobile devices. This framework includes requirements from secure communications, effective authentication, preventing information leakage, to platform controls and more.



Appendix A contains a checklist of options that end-users can use to ensure the security of their private data and sensitive information stored on their mobile devices.



Appendix B is a mobile application penetration testing toolkit for performing security assessment of mobile technologies.



The press is full of stories of how the demise of Microsoft is directly related to their misreading the mobile market. The public has responded by buying mobile devices in the billions, and attackers who not so long ago wrote exploits for Windows are now putting their efforts into iOS and Android. The message is clear: mobile apps need to be written with security in mind and the mobile devices need to be secured.



For those looking for an understanding of current mobile security threats and how to counter them, Hacking Exposed Mobile Security Secrets & Solutions is a uniquely good book.







Reviewed by Ben Rothke

Submission + - Book review: The Healthy Programmer

benrothke writes: Title: The Healthy Programmer: Get Fit, Feel Better, and Keep Coding

Pages: 220

Rating: 9/10

Author: Joe Kutner

Publisher: Pragmatic Bookshelf

Language: English

ISBN-13: 978-1937785314

Summary: A diet and lifestyle guide that works for all, not just for programmers.





Diet books are literally a dime a dozen. They generally benefit only the author, publisher and Amazon, leaving the reader frustrated and bloated. With a failure rate of over 99%, diet books are the epitome of a sucker born every minute.



One of the few diet books that can offer change you can believe in is The Healthy Programmer: Get Fit, Feel Better, and Keep Coding. Author Joe Kutner observes that nearly every popular diet fails and the reason is that they are based on the premise of a quick fix without focusing on the long-term core issues. It is inevitable that these diets will fail and the dieters at heart know that. It is simply that they are taking the wrong approach. This book is about the right approach; namely a slow one. With all of the failed diet books, Kutner is one of the few that has gotten it right.



While the title of the book says it's for programmers, it is germane to anyone whose job requires them to be at a desk for extended amounts of time.



Kutner is himself a programmer who builds Ruby and Rails applications, and a former college athlete and Army Reserve physical fitness trainer.



The book focuses on two areas that require change: regular exercise and proper nutrition; and it details the steps necessary to create a balanced lifestyle.



While popular diet books require rapid and major lifestyle changes and promise quick weight-loss, the book notes that small changes to your habits can provide the long-term effects that can improve your health. The book focuses on incremental changes and sustainability, not about losing x pounds in x weeks.



The book is different (read: effective) as opposed to other diet and lifestyle books, in that its goal is to make your healthy lifestyle pragmatic, attainable, and fun. It is only with those aspects that long-term change can be possible.



As to programmers, Kutner writes that programming requires intense concentration that often causes them to neglect other aspects of their lives; the most common of which is their health. People's bodies have not evolved to accommodate a lifestyle of sitting and there are many negative health effects from it.



The book takes a start small approach, rather than one of drastic changes. In chapter 2, it notes the myriad benefits of walking. It states that walking is a powerful activity that can stimulate creative thinking (a required trait for a good programmer) and is a great way to bootstrap your health. The chapter details the ways in which a few short walks during the day can have a dramatic positive effect on your life.



Chapter 3 is about the dangers of chairs and sitting for long periods of time. It details a number of ways to counter the dangers of sitting. It also notes that sometimes you simply can't get away from your chair, and when that happens, you can make sitting less dangerous by forcing your muscles to contract without even getting up. It then details a number of different calisthenics to use to do this.



Chapter 4, Agile Dieting, is perhaps the best part of the book. It details how to fight the real causes of weight gain and details proven solutions that work. That chapter repeatedly uses terms like iterative, sustainable, and slow to show what it really takes to lose weight and achieve a healthy lifestyle.



Kutner notes that most of the popular fad diets are idiosyncratic and unbalanced. They will provide short-term benefits, but ultimately fail miserably. The chapter quotes research data on what needs to be in a balanced diet. It then notes that almost every fad diet violates those needs. Nutrition needs to be rounded and well-balanced and the fad diets for that reason will only work in the short term.



This book is everything the fad diet books are not, and this is most manifest in chapter 4 where Kutner writes that one should cut calories slowly. This is based on research which shows that quick, drastic weight loss is counterproductive. While the fad diets talk about drastic caloric changes, Kutner suggests dropping your intake more slowly, about 100 calories every two weeks until you get to your targeted caloric intake level.



While much of the book is on fitness and nutrition, it takes a complete body approach. Chapter 5 details the importance of eye health. This is an important topic since the average programmer spends much of their week behind a monitor.



Kutner writes about computer vision syndrome (CVS); an eye condition resulting from focusing the eyes on a monitor for extended amounts of time. Symptoms of CVS include headaches, blurred vision, neck pain, redness in the eyes, fatigue, eye strain, dry eyes, irritated eyes, double vision, vertigo/dizziness, polyopia, and difficulty refocusing the eyes. The book also details methods in which to minimize the effects of CVS, and how not to become a victim of it. Kutner writes that CVS is what most programmers refer to as life. But it does not have to be that way.



The rest of the book covers other physical ailments that plague programmers. This runs the gamut from headaches, backaches, wrist problems, carpal tunnel, head strain and much more. Most of these problems can be obviated if one follows proper ergonomics practices and employs some of the physical conditioning detailed in the book.



Another theme of the book is using goals as an impetus for change. The book lists 16 goals which can be used as a progressive framework to improve your health. These goals include buying a pedometer, finding your resting heart rate, getting a negative result on the Reverse Phalen's test and other lifestyle changes.



Given the preponderance of obesity, diabetes and other maladies associated with a sedentary lifestyle, this may be one of the most important non-programming books that every developer should read and take to heart.



The book has hundreds of bits of excellent advice and subtle lifestyle suggestions that over time can make a significant difference to your health.



The author has a web site and an iPhone app that can be referenced for additional help. The book is full of sage and pragmatic advice. It has no celebrity endorsement, no gimmicks or false claims; meaning it has a high chance of working.



The book concludes with the observation that programmers often say the hardest part of software development begins when a product is released. The real work, maintenance, continues on, much like your health. You must sustain a state of wellness for the rest of your life, and you need to continue setting goals, iterating and making small improvements.



Many programmers love their job but not the lifestyle problems that come with it. For the programmer that wants the challenges of the profession and the benefits of a healthy lifestyle, The Healthy Programmer: Get Fit, Feel Better, and Keep Coding may be a life-changing book, and should find its rightful place on every programmer's desk.





Reviewed by Ben Rothke

Submission + - Book review: Present Yourself - Using SlideShare to Grow Your Business

benrothke writes: Title: Present Yourself — Using SlideShare to Grow Your Business

Authors: Kit Seeborg and Andrea Meyer

Publisher: O'Reilly Media

Pages: 224

ISBN: 978-1-4493-4236-4

Rating: 9/10

Reviewer: Ben Rothke

Summary: Great resource for maximizing the use of SlideShare and your online presentation presence





SlideShare is a free web 2.0 based slide hosting service where users can upload presentation-based files. Launched in October 2006, it's considered to be similar to YouTube, but for slideshows. It was originally meant to be used for businesses to share slides among employees more easily, but it has since expanded to also become a host of a large number of slides which are uploaded merely to entertain. SlideShare gets an estimated 58 million unique visitors a month and has about 16 million registered users.



With such a strong user base, authors Kit Seeborg and Andrea Meyer write in Present Yourself: Using SlideShare to Grow Your Business how SlideShare users can use the site (including other similar collaborative sites such as Prezi and Scribd) to present their story to a worldwide audience. Given that visual presentations are the new language of business, understanding how to maximize their potential can be a valuable asset for the entrepreneur, job seeker and everyone in between.



The truth is that a book on SlideShare alone would need no more than 15 pages (20 pages if you include the Pro edition). How difficult is it to upload a PowerPoint? As an aside, the truth is that there is a huge market for publishing freely available content. Check out Emereo Publishers on Amazon. They have mastered the art of taking free Wikipedia content and charging for it. Enough digression; in this valuable book, the authors show not only how to use the product, but how to maximize its use.



Throughout the book, the authors quote liberally from science and research on the power of visualization. With that lies the inherent power of SlideShare, as humans like images and think more efficiently when they use them. The authors quote a study which shows that when carrying out routine office tasks, if the data is displayed more visually (such as through visual maps), individuals are 17% more productive and need to use 20% fewer mental resources. As to the saying that a picture is worth a thousand words; the authors show that it has a basis in biological fact.



The book is worth it just for the sage advice in the quote at the beginning of chapter 3 where Nancy Duarte, author of slide:ology: The Art and Science of Creating Great Presentations states about presentations, that "they didn't come to your presentation to see you. They came to find out what you can do for them. Success means giving them a reason for taking their time, providing content that resonates, and ensures it's clear what they are to do". Using Duarte's call to arms with the guidance in the book can hopefully start a meaningful change in how data is presented.



As to the presentation itself, the book notes that the presenter of today has a huge challenge in keeping the audience engaged. Anyone who has presented recently knows that many, often a majority, of the audience will be distracted by their smartphones, Twitter, Facebook, Angry Birds and more. With that, presenters must put in extra effort to compete for the mindshare of a distracted audience. The book shows you how to overcome such obstacles and suggests that one way to win more audience attention is to include engaging visual slides with your presentation and show them intermittently instead of in parallel with your talk.



Throughout the book, it is clear that the authors are passionate about the topic, and it lists many resources and uses to make presentations much more effective. The book has numerous real-world examples of such users. One is Adam Tratt of Haiku Deck; a free presentation app for the iPad that makes presentations simple, beautiful, and fun.



Another example is that of Jeremiah Owyang of the Altimeter Group, a research and advisory firm whose reports consistently rank in the top 100 most viewed documents on SlideShare. The amazing thing about their research, which competing firms charge thousands of dollars for, is that it is all free on SlideShare. The example also shows how they use SlideShare Pro for the secure creation of the reports. They view this model of open research as a core asset that has served the firm well, establishing its credibility and reputation as a trusted resource.



While the book has business in its title, it still has significant relevance for end-users, specifically in chapter 7. There it details how you can use SlideShare to further your career and find a job. This is crucial regardless of your profession and industry, in that while the traditional resume is still alive and well, the ability to place your experience on-line opens up new horizons. A full professional presence requires both a paper resume and an online presence.



The chapter notes that a person with a comprehensive online presence, especially with a complete profile on LinkedIn, is forty times more likely to receive job opportunities. The authors note that even if a person is not a presenter, there are things they can do on SlideShare to highlight themselves; including a presentation that serves as a visual resume of their career, a portfolio presentation that displays their creative work and more. Even for those who are not speakers, the authors recommend that the serious job searcher consider public speaking as part of their career strategy.



For those that want to take a look, the first chapter of the book is available here. Not surprisingly, it is on SlideShare.



For those that want to learn everything about SlideShare, from the mundane of adding a SlideShare widget to your website, sharing your presentation across social platforms, sharing your content, collaboration, finding a more rewarding job and much more, Present Yourself: Using SlideShare to Grow Your Business is a great resource.







About the review: Ben Rothke

Submission + - Book review: Assessing Vendors

benrothke writes: Title: Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors

Author: Josh More

Publisher: Syngress

ISBN: 978-0124096073

Pages: 94

Reviewer: Ben Rothke

Rating: 8/10

Summary: Good intro to use to start a vendor assessment program





Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical as in the event of a breach, when the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors.



With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a valuable resource for those looking for a basic introduction to how to understand the risks involved when sharing data with 3rd-parties, in addition to selecting the appropriate products for your organization.



Many large organizations have formal programs and processes to evaluate the vendors they interact with, in addition to software and hardware procurement. For those that don't, this 80 page reference is a good place to start.



The book shows you how to find the right balance between performing a superficial assessment and one that is way too deep.



While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that robust information assurance processes and regulations aside, successful vendor management involves a wide range of skills; from technical assessment to business communications, to negotiation and much more.



An effective aspect of the book is that it has many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendor's word, without performing effective due diligence. Rarely will one find a company where too many questions were asked of the vendor.



Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with a goal to select a vendor to solve a specific problem that your organization is experiencing, improving an existing process or adding new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.



The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.



An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your needs first in mind. Far too many organizations let the vendors drive the process, and in turn, the vendor will ensure that their needs are made primary.



One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure, but will often not provide any details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to ensure all of the promised security features do in truth work.



The book provides a lot of common sense advice that may not be intuitive to many people. One bit of invaluable advice is to take the steps to confirm that the vendor you are considering is not selling you gray or black market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.



In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted, you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions on the questionnaire, you will seldom see a vendor higher than the 80-90% range.



A good point the book makes in chapter 5 on testing is that when a vendor requires you to sign an NDA prior to testing, such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.



After you have done all of the dirty work of a vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for a vendor to fudge the information they provide you with, which will skew the results in their favor.



Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.



Selecting a vendor is not a trivial process, and it is not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.



The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.



But for those looking for a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.







Reviewed by Ben Rothke
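The review above describes chapter 4's process of scoring questionnaire answers, weighting them and sorting the vendors by a normalized score. The following is an added example of that kind of calculation; it is not code from the book or from the reviewer, and every criterion, weight and vendor answer in it is constructed for illustration. It also makes two choices the review does not spell out: an unanswered question earns the vendor zero credit, and an out-of-range score is rejected rather than silently counted.

```python
# Added example (not from the book or the reviewer): a weighted vendor
# questionnaire scorer of the kind chapter 4's scoring process implies.
# All criteria, weights and vendor answers below are constructed.
from typing import Dict, List, Mapping, Tuple

# Each answer is scored by the assessor on a 0..MAX_SCORE scale.
MAX_SCORE = 5

# Weights encode how much each question matters to YOUR requirements,
# so that the buyer, not the vendor, drives the evaluation.
WEIGHTS: Dict[str, int] = {
    "encrypts customer data at rest": 5,
    "supports SSO (SAML/OIDC)": 3,
    "shares recent third-party pentest results": 4,
    "contractual breach-notification SLA": 4,
    "hardware sourced through authorized channel (no gray market)": 2,
}


def normalized_score(answers: Mapping[str, int],
                     weights: Mapping[str, int] = WEIGHTS,
                     max_score: int = MAX_SCORE) -> float:
    """Weighted score as a percentage of the maximum possible.

    A question the vendor did not answer scores 0: no credit for silence.
    A score outside 0..max_score raises, so a typo cannot inflate a result.
    """
    total = 0
    for question, weight in weights.items():
        score = answers.get(question, 0)
        if not 0 <= score <= max_score:
            raise ValueError(f"score for {question!r} out of range: {score}")
        total += weight * score
    possible = max_score * sum(weights.values())
    return 100.0 * total / possible


def rank_vendors(vendors: Mapping[str, Mapping[str, int]]) -> List[Tuple[str, float]]:
    """Return (vendor, score%) pairs sorted highest first, rounded to 0.1."""
    scored = [(name, round(normalized_score(answers), 1))
              for name, answers in vendors.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed responses for three hypothetical vendors.
SAMPLE_VENDORS: Dict[str, Dict[str, int]] = {
    "Vendor A": {
        "encrypts customer data at rest": 5,
        "supports SSO (SAML/OIDC)": 5,
        "shares recent third-party pentest results": 3,
        "contractual breach-notification SLA": 4,
        "hardware sourced through authorized channel (no gray market)": 5,
    },
    "Vendor B": {
        "encrypts customer data at rest": 4,
        "supports SSO (SAML/OIDC)": 3,
        "shares recent third-party pentest results": 2,
        "contractual breach-notification SLA": 5,
        "hardware sourced through authorized channel (no gray market)": 4,
    },
    # Vendor C left three questions unanswered; they count as 0.
    "Vendor C": {
        "encrypts customer data at rest": 5,
        "supports SSO (SAML/OIDC)": 4,
    },
}

if __name__ == "__main__":
    for name, pct in rank_vendors(SAMPLE_VENDORS):
        print(f"{name}: {pct}%")
```

With these constructed inputs the best vendor lands at 86.7%, below the 100% the review says you should not expect; the point of the weights is that a vendor strong on a low-weight item (hardware sourcing) cannot buy its way past a weak answer on a high-weight one (encryption at rest).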

Submission + - Book review: The Chinese Information War 1

benrothke writes: Title: The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests

Author: Dennis Poindexter

Pages: 192

Publisher: McFarland

ISBN-13: 978-0786472710

Rating: 9/10

Reviewer: Ben Rothke

Summary: Fascinating overview on the cyberwar with China



It's said that truth is stranger than fiction, as fiction has to make sense. Had The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests been written as a spy thriller, it would have been a fascinating novel of international intrigue.



But the book is far from a novel. It's a dense, but well-researched overview of China's Cold War-like cyberwar tactics against the US to regain its past historical glory and world dominance.



Author Dennis Poindexter shows that Chinese espionage isn't made up of lone wolves. Rather it's under the directive and long-term planning of the Chinese government and military.



Many people growing up in the 1940s expressed the sentiment "we were poor, but didn't know it". Poindexter argues that we are in a cyberwar with China, but most people are oblivious to it.



Rather than writing a polemic against China, Poindexter backs up his case with extensive factual research. By the end of the book, the sheer number of guilty pleas by Chinese nationals alone should be a staggering wake-up call.



In February, Mandiant released its groundbreaking report APT1: Exposing One of China's Cyber Espionage Units, which focused on APT1, the most prolific Chinese cyber-espionage group that Mandiant tracked. APT1 has conducted a cyber-espionage campaign against a broad range of victims since at least 2006. The report has evidence linking them to China's 2nd Bureau of the People's Liberation Army.



China is using this cyberwar to their supreme advantage and, as Poindexter writes on page 1, "until we see ourselves in a war, we can't fight it effectively." Part of the challenge is that cyberwar does not fit the definition of what a war generally is, because the Chinese have changed the nature of war to carry it out.



Poindexter makes his case in fewer than 200 pages and provides ample references in his detailed research, including many details, court cases and guilty verdicts showing how the Chinese government and military work hand in hand to achieve their goals.



The book should be of interest to everyone given the implications of what China is doing. If you are planning to set up shop in China, be it R&D, manufacturing or the like, read this book. If you have intellectual property or confidential data in China, read this book as you need to know the risks before you lose control of your data there.



Huawei Technologies, a Chinese multinational telecommunications equipment and services firm, now the largest telecommunications equipment maker in the world, is detailed in the book. Poindexter details a few cases involving Huawei and writes that if Huawei isn't linked to Chinese intelligence, then it's the most persecuted company in the history of international trade.



The book details in chapter 2 the intersection between cyberwar and economic war. Poindexter writes that any foreign business in China is required to share detailed design documents with the Chinese government in order to do business there. For many firms, the short-term economic incentives blind them to the long-term risks of losing control of their data. The book notes that in the Cold War with Russia, the US understood what Russia was trying to do. The US therefore cut back trade with Russia, particularly in areas where there might be some military benefit to them. But the US isn't doing that with China.



Chapter 2 closes with a damning indictment where Poindexter writes that the Chinese steal our technology, rack up sales back to us, counterfeit our goods, take our jobs and own a good deal of our debt. The problem, he notes, is that too many people focus solely on the economic relations between the US and China, and ignore the underpinnings of large-scale cyber-espionage.



Chapter 6 details that the Chinese have developed a long-term approach. They have deployed numerous sleepers who often wait decades and only then work slowly and stealthily. A point Poindexter makes many times is that the Chinese think big, but move slow.



Chapter 7 is appropriately titled The New Cold War. In order to win this war, Poindexter suggests some radical steps to stop it. He notes that the US needs to limit trade with China to items we can't get anywhere else. He says not to supply China with the rope that will be used to hang the US with.



He writes that the Federal Government has to deal with the issue seriously and quickly, to protect its telecommunications interests so that China isn't able to cut it all off one day. He also notes that national security must no longer take a backseat to price and cheap labor.



Poindexter writes that the US Government must take a long view of the solution, and that it will take 10 years to build up the type of forces that would be needed to counter the business and government spying that the Chinese are doing.



Rachel Carson's Silent Spring is the archetypal wake-up call book. Poindexter has written his version of Silent Spring, but it's unlikely that any action will be taken. As the book notes, the Chinese are so blatantly open about their goals via cyber-espionage, and their denials of it so arrogant, that business as usual simply carries on.



The Chinese portray themselves as benevolent benefactors, much like the Kanamits in To Serve Man. Just as the benevolence of the Kanamits was a façade, so too is what is going on with the cold cyberwar with China.



The book is an eye-opening exposé that details the workings of the Chinese government and notes that for most of history, China was the world's dominating force. The Chinese have made it their goal to regain that dominance.



The book states what the Chinese are trying to accomplish and lays out the cold facts. Will there be a response to this fascinating book? Will Washington take action? Will they limit Chinese access to strategic US data? Given Washington is operating in a mode of sequestration, the answer should be obvious.



The message detailed in The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests should be a wake-up call. But given that it is currently ranked #266,881 on Amazon, it seems as if most of America is sleeping through this threat.









Reviewed by Ben Rothke
