BKDENING.RVW 930209

ACM Press
11 W. 42nd St., 3rd Floor
New York, NY 10036
212-869-7440

Computers Under Attack: intruders, worms and viruses, Peter J. Denning, ed., 0-201-53067-8

This book is a very readable, enjoyable and valuable resource for anyone interested in "the computer world". That said, I must admit that I am still not sure what the central theme of this book is. Denning has brought together a collection of very high quality essays from experts in various fields, and at one point refers to it as a "forum". That it is, and with a very distinguished panel of speakers, but it is difficult to pin down the topic of the forum. Not all of the fields are in data security, nor even closely related to it. (Some of the works, early in the book, relating to what we now generally term "the Internet", do contain background useful in understanding later works regarding "cracking" intrusions and worm programs.) All, however, are interesting and sometimes seminal works. Some are classics, such as Ken Thompson's "Reflections on Trusting Trust" and Shoch and Hupp's "The Worm Programs". Others are less well known but just as good, such as the excellent computer virus primer by Spafford, Heaphy and Ferbrache.

(Please do not consider my confusion over the subject to be a criticism, either. I do want to recommend the book. I just find myself wondering to whom to recommend it. Also, in fairness, I must say that Peter Denning, who has had a chance to respond to the first draft of this review as usual, doesn't consider it a review. Which, I suppose, makes us even :-)

The book is divided into six sections. The first two deal with networks and network intrusions, the next two with worms and viral programs, and the last two with cultural, ethical and legal issues. While all of the topics have connections to data security, there are some significant "absences".
(There is, for example, no discussion of the protection of data against "operational" damage, as in accidental deletions and failure to lock records under multiple access.) In addition to shortages of certain fields of study within data security, the treatment of individual topics shows imbalances as well. The division on worm programs contains seven essays. Six of these deal with the Internet/Morris worm. The seventh is the unquestionably important Shoch and Hupp work, but it is odd that there is so much material on the Internet/Morris worm and nothing on, say, the CHRISTMA EXEC.

Sad to say, the essays are not all of equal calibre. This is only to be expected: not all technical experts have equal facility with language. However, in spite of the noted gaps, and the occasional "bumps" in the articles, most of the articles can be read by the "intelligent innocent" as well as the "power user". At the same time, there is much here that can be of use to the data security expert. At the very least, the book raises a number of ongoing issues that are, as yet, unresolved.

What, then, is the book? It is not a data security manual: the technical details are not sufficient to be of direct help to someone who is responsible for securing a system. At the same time, a number of the essays raise points which would undoubtedly lead the average system administrator to consider security loopholes which could otherwise go unnoticed. Is it a textbook? While it would be a valuable resource for any data security course, the "missing" topics make it unsuitable as the sole reference for a course.

The breadth of scope and the quality of the compositions make it very appealing, as does the inclusion of the large social component. While the book won't have the popular appeal of a "Cuckoo's Egg", it is nevertheless a "good read" even for the non-technical reader.
The section on international networks is particularly appropriate as society is becoming more interested in both email and "cyberspace". The overview it gives on related issues would benefit a great many writers who seem to have a lot of "profile" but little understanding.

My initial reason for reviewing the book was primarily as a resource for those seeking an understanding of computer viral programs. As such, there are definite shortcomings in the coverage, although what is there is of very high quality. The additional topics, far from detracting from the viral field or clouding the issue, contribute to a fuller understanding of the place of viral programs in the scheme of computers and technology as a whole. Therefore, while it would be difficult to recommend this work as a "how to" for keeping a company (or home) safe from viral programs, it should be required reading for anyone seriously interested in studying the field.

One point is raised by the inclusion of the cultural, social and legal essays within the book. It was with a trepidation growing almost to a sense of despair that I read the last two sections. Here we see again the same hackneyed phrases, and the same unmodified positions that have been a part of every discussion of computer ethics for the last twenty years. (Or more.) This is by no means to be held against Denning: on the contrary, it is the fact that he has selected from the best in the business that is so disheartening. Do we really have no more options than are listed here? Can we really come to no better conclusions?

One illustration that is repeatedly used is that of credit reporting agencies. We feel that such entities must be watched. We note that the computer systems which they depend upon must be checked for anomalies, such as bad data or "key fields" which cross link bad data with good people. Still and all, we see them as a necessary evil. Breaking into such systems, however, is an invasion of privacy, and therefore wrong.
Carried to its logical conclusion, this attitude states that "free" access to such semi-private information is wrong, but that it is "right" for companies to make money by "selling" such information. Of course the situation is not quite that simple. (It never is, is it?) After all, a large corporation needs the goodwill of the public for its continued existence. The corporation, therefore, has more of a vested interest in safeguarding confidential information than any random individual with a PC and a modem. This belief in the "enlightened self interest" of corporations, however, would seem to more properly belong to an earlier age: one in which corporations didn't go bankrupt and banks didn't fall like dominos. After all, it used to be that companies kept employees on for forty years before giving them the gold watch. Now even the most stable might lay off forty thousand in one year.

A single thread runs through almost all sixteen articles, four statements and ten letters in the final two sections. It is a call, sometimes clarion, sometimes despairing, for "computer ethics". Not once is there proposed what such an animal might be. Even the NSF (National Science Foundation) and CPSR (Computer Professionals for Social Responsibility) statements only hint at some legalistic definitions, but never try to look at what a foundation for such "ethics" might be. With our society discarding moral bases as fast as possible, the most useful statement might be Dorothy Denning's, when, in conversation with Frank Drake, she states that, "The survival of humanity is going to demand a much greater level of caring for our fellow human beings ... than we have demonstrated so far."

Still, even the disappointments of this final part of the book are important. "Computers Under Attack" is a realistic overview of the current state of thinking in information technology, and the problems facing society as a whole.
Far from the "gee whiz" of the futurist, and equally distanced from the sometimes dangerous "CH3CK 1T 0UT, D00DZ!" of the cyberpunk, Denning's collection of essays is important not only for the concerned computer user, but also for anyone concerned with the future of our increasingly technically driven society.

copyright Robert M. Slade, 1993

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag