BKINBSGD.RVW 971120

"Internet Besieged: Countering Cyberspace Scofflaws", Dorothy E. Denning/Peter J. Denning, 1998, 0-201-30820-7
%A Dorothy E. Denning denning@cs.georgetown.edu
%A Peter J. Denning
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 1998
%G 0-201-30820-7
%I Addison-Wesley Publishing Co.
%O 416-447-5101 fax: 416-443-0948 800-822-6339 617-944-3700
%O Fax: (617) 944-7273 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0201308207/robsladesinterne
%P 547 p.
%T "Internet Besieged: Countering Cyberspace Scofflaws"

As with the earlier "Computers Under Attack" (cf. BKDENING.RVW), this book is a collection of papers related to the titular topic. This text is not just an updating of the earlier work, although some of the same papers appear, having been revised and updated. It is also more narrowly focussed, with sections discussing the worldwide network, Internet security, cryptography, secure electronic commerce, and finally dealing with law, policy, and education. The anthology style is well suited to a constantly changing and still emergent field.

Under the scope of the worldwide network, there is an initial review of the history of the net by Peter Denning. Dorothy Denning follows up with an overview of system security breaking methods over networks. (While it is a fine and readable piece of work, the essay is not quite as riveting as the interview with a system cracker in "Computers Under Attack.") As usual, the most interesting papers deal with real case studies, such as the attack on Rome Labs. Peter Neumann's brief piece on the RISKS-FORUM archives indicates the value the net can have in protecting itself, since RISKS acts as a kind of repository memory of attacks and weaknesses. The even briefer article on securing the information infrastructure is a kind of call to arms to pay attention to security in important control systems.
Part one is finished off with Eugene Spafford's computer virus paper, by now the classic short work in the field.

Part two, specifically looking at Internet security, starts with another case study: that of the Berferd attack on Bell Labs. This is followed by an overview of network security threats and protective tools. Two articles look at specific types of assaults: "sniffing", which works because of the broadcast nature of many means of media access, and "spoofing", which works because of the automatic configuration and repair protocols intended to provide reliability. An overview of password use looks primarily at technologies to make password cracking more difficult. Four security tools are introduced: a GPS (Global Positioning System) based authentication scheme, Tripwire, DIDS (Distributed Intrusion Detection System), and SATAN (Security Administrator Tool for Analyzing Networks). Java security also gets a thorough examination.

The section on cryptography starts with the development of the Data Encryption Standard. (It is indicative of the rate of change in this field that the following article, looking at the breaking of two recent cryptographic systems, doesn't cover the cracking of DES. The book was published just before that happened.) There is a detailed essay on the Internet Privacy Enhanced Mail (PEM) protocol, and a more conceptual paper on authentication for distributed networks. There is also a taxonomy, or method of classifying, for key recovery encryption systems.

Security of electronic commerce covers electronic commerce itself, atomicity in electronic commerce (which determines the general usefulness of a system), another overview of Internet security vulnerabilities, digital forms of money and cash, and identity misuse and fraud.

The final part looks at social issues. The "law enforcement in cyberspace" address, coming as it does from a US federal agency, is unsurprising in its call for key escrow.
Dorothy Denning follows up with a more reasoned review of the market forces. Bruce Sterling gets two cracks at computers and privacy. Eugene Spafford gets the hardest job, looking at computer ethics, and does a decent and practical job. There are two examples of use policies from universities, and a final, very interesting, article on the inclusion of data security topics and activities in the teaching of computer science concepts (rather than the other way around).

Even within this limited frame of reference, the book cannot be exhaustive. When you start to consider the gaps, like the international nature of many activities that makes them essentially immune to legal remedies, you also find that whole fronts of the Internet siege are unmentioned, or only tangentially referred to. Spam, fraudulent scams, and chain letters claim many more victims than do system crackers.

Still, this work is both interesting and valuable. It should be of particular use to the student or teacher of data security, although there is much to hold the attention of any interested individual.

copyright Robert M. Slade, 1997