REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker (was Re: [RISKS] Risks Digest 25.22))
R.A. Hettinga
rah at shipwright.com
Tue Jul 8 14:38:12 EDT 2008
On Jul 8, 2008, at 2:21 PM, RISKS List Owner wrote:
> Date: Thu, 03 Jul 2008 11:06:12 -0800
> From: Rob Slade <rmslade at shaw.ca>
> Subject: REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker
>
> BKDCRMNF.RVW 20080317
>
> "The dotCrime Manifesto", Phillip Hallam-Baker, 2008, 0-321-50358-9,
> U$29.99/C$32.99
> %A Phillip Hallam-Baker dotcrimemanifesto.com hallam at gmail.com
> %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
> %D 2008
> %G 978-0-321-50358-9 0-321-50358-9
> %I Addison-Wesley Publishing Co.
> %O U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339
> %O http://www.amazon.com/exec/obidos/ASIN/0321503589/robsladesinterne
> http://www.amazon.co.uk/exec/obidos/ASIN/0321503589/robsladesinte-21
> %O http://www.amazon.ca/exec/obidos/ASIN/0321503589/robsladesin03-20
> %O Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
> %P 415 p.
> %T "The dotCrime Manifesto: How to Stop Internet Crime"
>
> In the preface, the author notes that network and computer crime is a
> matter of people, not of technology. However, he also notes that
> changes to the network infrastructure, as well as improvements in
> accountability, would assist in reducing user risk on the net.
>
> Section one enlarges on the theme that people are more important than
> machines or protocols. Chapter one looks at the motive for Internet crime
> (money, just like non-computer crime), and repeats the motifs of the
> preface. The text goes on to list various categories and examples of
> network fraud. The content of chapter two is very interesting, but it is
> hard to find a central thread. Overall it appears to be saying that
> computer criminals are not the masterminds implied by media portrayals,
> but that the problem of malfeasance is growing and needs to be seriously
> addressed. What Hallam-Baker seems to mean by "Learning from Mistakes,"
> in chapter three, is that security professionals often rely too much on
> general principles, rather than accepting a functional, if imperfect,
> solution that reduces the severity of the problem. Chapter four presents
> the standard (if you'll pardon the expression) discussion of change and
> the acceptance of new technologies. A process for driving change
> designed to improve the Internet infrastructure is proposed in chapter
> five.
>
> Section two examines ways to address some of the major network crime
> risks. Chapter six notes the problems with many common means of
> handling spam. SenderID and SPF are promoted in chapter seven (without
> expanding the acronym to Sender Policy Framework anywhere in the book
> that I could find). Phishing, and protection against it, is discussed
> in chapter eight. Chapter nine is supposed to deal with botnets, but
> concentrates on trojans and firewalls (although I was glad to see a
> mention of "reverse firewalls," or egress scanning, which is too often
> neglected).
>
> Section three details the security tools of cryptography and trust.
> Chapter ten outlines some history and concepts of cryptography. Trust,
> in chapter eleven, is confined to the need for aspects of public key
> infrastructure (PKI).
>
> Section four presents thoughts on accountability. Secure transport, in
> chapter twelve, starts with thoughts on SSL (Secure Sockets Layer), and
> then moves to more characteristics of certificates and the Extended
> Verification certificates. (The promotion of Verisign, infrequent and
> somewhat amusing in the earlier chapters, is, by this point in the book,
> becoming increasingly annoying. The author is also starting to make more
> subjective assertions, such as boosting the trusted computing platform
> initiative.) Domain Keys Identified Mail (DKIM) is the major technology
> promoted in support of secure messaging, in chapter thirteen. Chapter
> fourteen, about secure identity, has an analysis of a variety of
> technologies. (The recommendations about technologies are supported even
> less than before, and the work now starts to sound rather doctrinaire.)
> It may seem rather odd to talk about secure names as opposed to
> identities, but Hallam-Baker is dealing with identifiers such as email
> addresses and domain names in chapter fifteen. Chapter sixteen looks at
> various considerations in regard to securing networks, mostly in terms
> of authentication. Random thoughts on operating system, hardware, or
> application security make up chapter seventeen. The author stresses, in
> chapter eighteen, that the law, used in conjunction with security
> technologies, can help in reducing overall threat levels. Chapter
> nineteen finishes off the text with a proposed outline of action that
> recaps the major points.
>
> Hallam-Baker uses a dry wit well, and to good effect in the book. The
> humour supports and reinforces the points being made. So does his
> extensive and generally reliable knowledge of computer technology and
> history. In certain areas the author is either less knowledgeable or
> careless in his wording, and, unfortunately, the effect is to lessen
> the reader's confidence in his conclusions. This is a pity, since
> Hallam-Baker is championing a number of positions that would promote
> much greater safety and security on the Internet. Overall this work
> is, for the non-specialist, a much-better-than-average introduction to
> the issue of Internet crime and protection, and is also worth serious
> consideration by security professionals for the thought-provoking
> challenges to standard approaches to the problems examined.
>
> copyright Robert M. Slade, 2008 BKDCRMNF.RVW 2008031
> rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
> http://victoria.tc.ca/techrev/rms.htm
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com