Computer underground Digest Wed July 22, 1998 Volume 10 : Issue 40

Computer underground Digest Wed July 22, 1998 Volume 10 : Issue 40
ISSN 1004-042X

Editor: Jim Thomas ([email protected])
News Editor: Gordon Meyer ([email protected])
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.40 (Wed, July 22, 1998)

Subject: REVIEW: Protecting Networks w/SATAN
Subject: REVIEW: "Web Security and Commerce", Simson Garfinkel/Gene Spaff
Subject: REVIEW: "3001: The Final Odyssey", Arthur C. Clarke
Subject: REVIEW: "Maximum Security", Anonymous
Subject: REVIEW: "Death Dream", Ben Bova
Subject: REVIEW: "Web Security", Rohit Khare
Subject: REVIEW: "PCWeek Microsoft Windows NT Security", Nevin Lambert/Ma
Subject: REVIEW: "Java Security", Scott Oaks
Subject: Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Mon, 8 Jun 1998 15:45:11 -0700 (PDT)
From: Lisa Mann <[email protected]>
Subject: REVIEW: Protecting Networks w/SATAN

For immediate release
Fore more information contact:
Lisa Mann [email protected]
(707)829-0515 ext. 230

PROTECTING NETWORKS WITH SATAN

Because SATAN (Security Administrator's Tool for Analyzing Networks)
could detect weaknesses on other systems (as well as your own) through
its web interface, it earned notoriety when released in April 1995 as
the tool that would "wreak havoc" on the Internet. The Oakland Tribune
even wrote: "It's like randomly mailing automatic rifles to 5000
addresses. I hope some crazy teen doesn't get ahold of one."

But as more and more "mission critical" applications are accessible
through the web, administrators are turning their attention to the
danger of attempted intrusion from outside the networked host. SATAN
is a powerful aid for system administrators. It performs "security
audits," scanning host computers for security vulnerabilities caused by
erroneous configurations or by known software errors in frequently used
programs. O'Reilly's latest release, "Protecting Networks with SATAN",
is an invaluable tool for network and security administrators working
with SATAN.

Wietse Venema, SATAN co-author, says "In this handy book, Martin Freiss
explains the workings of SATAN and provides a helping hand with
customizing and extending the system to match local conditions." This
concise guide also discusses how you can defend your site against
potential abuse by SATAN.

###
Protecting Networks with SATAN
By Martin Freiss
1st Edition June 1998 (US)
112 pages, 1-56592-425-8, $19.95 (US$)
http://www.oreilly.com

------------------------------

Date: Mon, 22 Jun 1998 14:02:15 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Web Security and Commerce", Simson Garfinkel/Gene Spaff

BKWBSCCM.RVW 980411

"Web Security and Commerce", Simson Garfinkel/Gene Spafford, 1997,
1-56592-269-7, U$32.95/C$46.95
%A Simson Garfinkel [email protected]
%A Gene Spafford [email protected]
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1997
%G 1-56592-269-7
%I O'Reilly & Associates, Inc.
%O U$32.95/C$46.95 800-998-9938 707-829-0515 [email protected]
%P 483 p.
%T "Web Security and Commerce"

Anyone who does not know the names Spafford and Garfinkel simply does
not know the field of data security. The authors, therefore, are well
aware that data security becomes more complex with each passing week.
They note, in the Preface, that the book cannot hope to cover all
aspects of Web security, and therefore they concentrate on those
topics that are absolutely central to the concept, and/or not widely
available elsewhere. Works on related issues are suggested both at
the beginning and end of the book.

Chapter one, which is also part one, introduces the topic, and the
various factors involved in Web security. The topic is examined from
the perspective of the user and vendor, and also looks at
vulnerabilities at the server site, client computer, and the network
in between.

Part two concerns the user. Chapter two looks at the various possible
problems with browsers, not all of which are related to Web page
programming. Java security is only marginally understood by many
"experts," and not at all by users, so the coverage in chapter three
is careful to point out the difference between safety, security, and
the kind of security risks that can occur even if the sandbox *is*
secure. ActiveX and the limitations of authentication certificates
are thoroughly explored in chapter four. Chapter five looks briefly
but analytically at the possible invasions of privacy that can occur
on the Web.

Part three deals more completely with the question of digital
certificates. Chapter six explains the various techniques for
identification confirmation. The use of certification authorities is
reviewed in chapter seven, including the activity this can generate on
Web browsers. Chapter eight covers the steps needed to obtain a
client-side digital certificate from Verisign. Microsoft's
Authenticode code signing system is detailed in chapter nine.

Cryptography must be invoked at some point for any kind of data
security, and particularly for security over insecure networks, so
part four invests some depth in the topic. Chapter ten starts with
cryptographic basics, simply in terms of the various functions
cryptography can provide. Functional limitations of cryptography,
various existing systems, and US and international regulation with
respect to the technology are discussed in chapter eleven. SSL
(Secure Sockets Layer) and TLS (Transport Layer Security) are
described in chapter twelve.

Part five details technical aspects of securing Web servers.
Traditional host security weaknesses are reviewed in chapter thirteen.
Chapter fourteen looks at specific strengthening measures for Web
servers. Rules for secure CGI (Common Gateway Interface) and API
(Application Programmer Interface) programming are promulgated in
chapter fifteen, along with tips for various languages.

Commercial and societal concerns are major areas in Web security, so
part six reviews a number of topics related to commerce, as well as
other social factors. Chapter sixteen looks at current non-cash
payment systems, and the various existing, and proposed, digital
payment systems for online commerce. Censorship and site blocking are
carefully examined in chapter seventeen. A variety of legal issues
are discussed, civil in chapter eighteen, and criminal in nineteen.

In reviewing books I very often find that appendices are often filler.
The most useful tend to be bibliographies or lists of vendor contacts.
Too many seem to be mere self-indulgent filler used by the author to
pad out the book. Although it has almost nothing to do with Web
security as such, I very much enjoyed Appendix A, Garfinkel's
recounting of the lessons learned in setting up a small ISP (Internet
Service Provider). (I suppose that this could be considered valid
coverage of Web commerce.) The other appendices are more directly
related to the topic, including information on the installation of Web
server certificates, the SSL protocol, the PICS (Platform for Internet
Content Selection) specification, and references.

In comparison to Stein's "Web Security" (cf. BKWEBSEC.RVW) I find it
very difficult to choose between the two. Each is readable, and each
is aimed pretty much at the same target audience. There is little to
choose between them for technical depth: each has useful information
that the other does not. Both are excellent: what the heck, buy two,
they're small.

copyright Robert M. Slade, 1998 BKWBSCCM.RVW 980411

------------------------------

Date: Tue, 7 Jul 1998 09:51:16 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "3001: The Final Odyssey", Arthur C. Clarke

BK3001.RVW 980510

"3001: The Final Odyssey", Arthur C. Clarke, 1997, 0-345-42349-6
%A Arthur C. Clarke
%C 101 Fifth Avenue, New York, NY 10003
%D 1997
%G 0-345-42349-6
%I Ballantine/Fawcett/Columbine Books/Del Rey
%O http://www.randomhouse.com/delrey [email protected]
%P 274 p.
%T "3001: The Final Odyssey"

"You know those Rama books? The ones he did with somebody else?" he
asked.

"Yes." I said.

"Well, they were really terrible. Not much of Clarke at all."

"True."

"But he's put out a new one. `3001.' Another in the `2001' series.
It's vintage Clarke. You'll have to get it."

So I looked forward to it with great anticipation. We all enjoy
Clarke a lot. I mean Heinlein is OK for adventure junkies and Ayn
Rand fans, and Niven has a few interesting astrophysics tricks, but
Clarke is the only one for techies when they want to avoid gnashing
their teeth every three pages over some egregious scientific error.

He was right. This is vintage Clarke. And that is not altogether
good.

For one thing, those familiar with the Clarke corpus will know that
Clarke is at his best in the short story. His novels, and
particularly the more recent, tend to have story lines that zig, and
zag, and wander up blind alleys and cul de sacs. At times Clarke
seems to get bored and will fast forward thirty years over a chapter
break. (Of course, some may object that many of the more recent
Clarke books are collaborations, but this tendency is also noticeable
in the 2001 series, the original "Rendezvous with Rama," and others
stretching back a ways.) Therefore, "3001" bears less resemblance to
a novel than to a collection of short stories with a few common
characters.

Another problem is that Clarke is good with technology, but he is not
as good with people, and particularly society. Yes, it is true that
we could not communicate with an English-speaker of a thousand years
ago, but that was because there *was* no English that long ago: it was
basically Saxon, and was about to get an infusion of French. Even
without sound recordings we can still understand English of four
centuries back with little difficulty. (I know: I've been to
Newfoundland.) What would be difficult is not only idiom (and
reasonable marks to Clarke for that) but also concepts. How would you
explain "clockwise motion," "running like clockwork," and "weekend" to
King Harold?

Clarke has a very optimistic view of society. I will agree with
Feynman's assessment, in "The Meaning of it All" (cf. BKMEANNG.RVW),
that psychology is only just starting, and that current theories will
no doubt seem as quaint as phlogiston and a periodic table with four
elements in the several hundred years that it has taken physics to
come up with some reasonably useful laws. However, the world of 3001
seems to have no social problems at all, aside from minor and isolated
aberrations. The poor, or any other social strata, are no longer with
us. I assume that Clarke would dismiss that objection out of hand,
since he is so adamant (and patronizingly so, in the valediction) that
mankind will have finally outgrown religion. (Odd, though, that the
evils of the Inquisition, the Crusades, female genital circumcision,
and the Indian subcontinent have nothing to do with politics or other
sociological pathologies.) I am not sure how the death of "religion"
fits in with a tremendous push for, oh, shall we call it
"spirituality?"

The science is reasonably strong, though spotty. Clarke seems to be
very conservative in many areas, given the vast gulf he has to play
with. If information storage has grown through nine orders of
magnitude in forty years, a mere handful in a millennium seems
pikerish. Nanotechnology is non-existent. Medicine, and particularly
microbiology, seems to have had a very lucky time of it. While there
is a nod to Mad Cow disease (and the obligatory sermon on
vegetarianism), virulent new diseases seem to have stopped happening
and antibiotic (and whatever follows antibiotics) resistance is a non-
issue. I can handle vacuum energy and inertia drives, although I
don't see why an inertia drive can't run a shuttle on earth, as it
does in other places.

However, I would have kept my big keyboard shut, had Clarke not
dropped one heck of a clanger in *my* field: computer viruses. I
don't care whether ID4 or 3001 had the idea first (and did either of
you thank Fred Cohen? No, I didn't think so) but the concepts are
still equally invalid. Turing, and his machines, proved that whatever
algorithm one machine can compute another can compute: he didn't say
that any machine can run another machine's programs. (The creation of
this super virus/trojan reminds one of Monty Python's military use of
The Perfect Joke.) Alright, I can accept that there will be all kinds
of wonderful, and not so wonderful, developments in computing over the
next millennia, but for the same reason that you cannot have a perfect
virus defence, you can't have an undetectable virus. (There's never
an AV that'll always recover: there's never a virus that can't be
discovered.) The tricks that Clarke proposes are all the mathematical
equivalents of asking the super-deluxe-really-smart computer the well-
beloved trick question "why?" (Didn't Clarke use that one once
already?) And I don't care if you do have an agent inside the
machine; the "Firstborn" seem to be just a tad older and smarter than
you, and MonolithOS 3.14159... probably has a thread killing daemon
that will keep the machine from chasing its CPU up its own
multiplicity. (Nice parallelism, mind. Bit hard on the desktop
models, maybe.)

copyright Robert M. Slade, 1998 BK3001.RVW 980510

------------------------------

Date: Tue, 30 Jun 1998 14:51:22 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Maximum Security", Anonymous

BKMAXSEC.RVW 980501

"Maximum Security", Anonymous, 1997, 1-57521-268-4,
U$49.99/C$70.95/UK#46.95
%A Anonymous
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 1997
%E Mark Taber [email protected]
%G 1-57521-268-4
%I Macmillan Computer Publishing (MCP)
%O U$49.99/C$70.95/UK#46.95 800-858-7674 http://www.mcp.com
%P 885 p. + CD-ROM
%T "Maximum Security"

Rather loudly promoted on the net these days, the major selling point
of this book is that it was written "by an experienced hacker."
Supposedly one who spent some time as a guest of Uncle Sam for
fiddling bank machines. (Some of what we are told about the author
does not fit with the contents of the book, but then, as an old
professional paranoid, I may be unduly suspicious.) Leaving aside
questions of morality and definitions of the term "hacker," let us
merely observe that these people are the gnostics. They are the
devotees of the hidden, esoteric, and arcane knowledge. Such
knowledge, of course, is cheapened and weakened by being revealed.
Which may explain a certain reticence on a number of points in the
book. The introduction makes this mindset clear: Anonymous assumes
that if you will not work diligently at his direction you do not
deserve to secure your system. One can almost feel his glee at the
expectation that thousands of sysadmins around the world will be
wracking their brains and flooding Usenet with discussions of the
significance of his clues to the vital encrypted message he has hidden
on the CD-ROM. This does, of course, presume that his direction, and
the contents of the book, warrant the effort to try and guess his
riddle.

Part one might be characterized as a social background to security.
Chapter one is essentially an extension of the introduction,
continuing to try to convince the reader that the book is worthwhile.
But it also states that the author wishes to raise the awareness of
security in the general public. I rather doubt that this will be the
book to do so: the average user will be put off by both the size and
the subtitle's emphasis on Internet sites and networks, neither of
which the average user will run. The (very verbose) sales pitch
continues in chapter two with rather generic promises of the goodies
offered to all manner of readers, and a list of chapters to come. (Of
course, nudge, nudge, wink, wink, some unethical people might use this
information for cracking, nudge, nudge, but none of *us* upstanding
people would do that, right? wink, wink) Having been rather careless
with the term "hacker" up to this point, chapter three belatedly
attempts to distinguish between hackers and crackers. It doesn't
succeed very well, being a pretty faint-hearted try. Chapter four
lists a number of security penetrations in an bid to prove that anyone
can be attacked.

Part two moves into more of a technical background to security.
Chapter five looks at the complexity of current network systems and
other factors militating against safety. A brief introduction to the
TCP/IP protocol suite is given in chapter six. Chapter seven gives
some random material on the Internet, programming, and UNIX. A
variety of Internet problems are briefly mentioned in chapter eight.

Part three looks at a number of the more common security penetration
tools. Chapters nine through fourteen discuss scanners, password
crackers, trojans, password sniffers, identity tools, and malicious
software respectively. Advice on how to deal with these problems
varies in depth, but generally is not extensive. As only one example,
the author does recommend that Web browsers be set to alert the user
when a cookie is being set, but fails to give the slightest indication
of how this is to be accomplished. The section on viruses is the book
in miniature: not necessarily *all* wrong, but overly verbose, lacking
in insight, and missing those points that would really be helpful to
the computer user or manager.

Part four reviews a number of operating system platforms. Chapter
fifteen presents the concept of vulnerabilities (termed as "holes").
In spite of the fact that MS-DOS, Windows 3.x, and Windows 95 have no
appreciable security, chapter sixteen lists a large number of security
penetration programs for them. (It also has a rather odd reference
demonstrating that the author does not actually understand how the
CMOS password functions work.) Chapter seventeen does contain a
collection of the more common suggestions for securing a UNIX box.
Tools for breaking Novell NetWare are displayed in chapter eighteen.
Cracking tools for VMS are listed in chapter nineteen. Chapter twenty
has both cracking and some protection software for the Mac. The
installation of the Plan 9 operating system is discussed in chapter
twenty one.

Part five gives some advice on what to go after when you crack a
system. Chapter twenty two suggests that root access is a suitable
target. Chapter twenty three points out that it is easier to crack a
system with partial access or inside information. Consultants seem to
be the topic of chapter twenty four.

Part six gives information on how to penetrate a system from outside.
Chapter twenty five looks at gathering information about the target.
Rather obvious statements about levels of attack are made in chapter
twenty six. Chapter twenty seven is a simple review of packet
filtering firewalls. IP spoofing is discussed in chapter twenty
eight. Telnet attacks cover a wide range, so it is surprising that
chapter twenty nine is so short. Chapter thirty looks at loopholes in
Web page programming.

Part seven, chapter thirty one, reviews legal aspects, and for once
even mentions laws outside the US.

Basically, there is a whole lot of partial information here. It is a
handy list of security related Web sites, but made less useful by the
bulked out verbiage between the listings. In addition, it is rather
plain to see that there is far greater emphasis on cracking than on
protection. (After all, how vital is it to securing your system to
know the algorithm for generating fake Microsoft software registration
keys?) All you teenage-mutant-cyberscofflaw-wannabes might be
disappointed, though: the information is almost never complete.

copyright Robert M. Slade, 1998 BKMAXSEC.RVW 980501

------------------------------

Date: Thu, 16 Jul 1998 09:54:09 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Death Dream", Ben Bova

BKDTHDRM.RVW 980519

"Death Dream", Ben Bova, 1994, 0-553-57256-3, U$5.99/C$7.99
%A Ben Bova
%C 1540 Broadway, New York, NY 10036
%D 1994
%G 0-553-57256-3
%I Bantam Books/Doubleday/Dell
%O U$5.99/C$7.99 800-323-9872 http://www.bdd.com [email protected]
%P 560 p.
%T "Death Dream"

Viruses, artificial intelligence, and virtual reality are the
mainstays of the thriller world, where it touches on technology at
all. This book uses, and abuses, VR.

I am willing to accept high resolution imagery, and short latency
times. I am willing to accept that vision, sound, and minor physical
sensations can have an impact out of all proportion to reality.
(Wanna know how Disney forces you into your seat when you take off on
a rocket? The base of the seat sinks. You really feel like you are
rising. Maybe more like an elevator than a rocket, but you really
seem to move.) I am less willing to accept that this makes a
simulation so indistinguishable from reality that you have to ask your
wife for a password.

I have a hard time accepting the undefined but non-intrusive means of
generating specific physical sensations. Not only is this well beyond
the technology that we have available now, but even with physical
probes the ability to stimulate a particular tactile response (or any
other, really) is very much a hit and miss affair. (To be strictly
fair, the book does allow that this requires some brain mapping, and
does not transfer accurately from person to person.)

(Oh, and by the way, someone who is aphasic from a stroke probably
would be paralysed on the right side of the body. I have both
professional and personal reasons for knowing this.)

I am much less willing to accept that a team of technicians, looking
for faults in equipment, cannot recognize a transmitter of some sort
where none should be.

I am little short of astounded that a primarily visual simulation
system has no external monitors.

However, I am willing to forgive all of this, given the extremely
important point that is central to this book. Presentation of
information, in our age, has become more important than content.
Control of information shapes, and may cripple, leaders and
governments. The hand that holds the clicker may well rule the world.

copyright Robert M. Slade, 1998 BKDTHDRM.RVW 980519

------------------------------

Date: Thu, 18 Jun 1998 10:21:46 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Web Security", Rohit Khare

BKW3JI23.RVW 980411

"Web Security", Rohit Khare, 1997, 1-56592-329-4 ISSN 1085-2301,
U$29.95/C$42.95
%E Rohit Khare [email protected]
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1997
%G 1-56592-329-4 ISSN 1085-2301
%I O'Reilly & Associates, Inc.
%O U$29.95/C$42.95 800-998-9938 fax: 707-829-0104 [email protected]
%P 272 p.
%S World Wide Web Journal
%T "Web Security: A Matter of Trust"

Many issues of the World Wide Web Journal coincide with major
specification announcements: Web standards that have been in process,
and anticipated, for some time determine the topic. That does not
seem to be the case with this issue, although the first report covers
the use of PICS (Platform for Internet Content Selection) 1.1 labels
for DSig 1.0 signature labels, the second gives more detail on DSig,
and the third reports on the Joint Electronic Payment Initiative
(JEPI).

Still, the "technical" papers in this issue seem to have a decidedly
philosophical bent. This emphasis is not necessarily a bad thing,
since it serves to redirect attention from the minutiae of Web server
"hole patching" and towards a more fundamental question, that of
trust. An interesting reversal of perspective occurs when you turn
from the concept of a closed and opaque system to one where
everything, including identity, is transparent.

Topics included in the papers include a cryptography primer, the
REFEREE system for trust management, SSL (Secure Sockets Layer) and
the free SSLeay implementation, security for the DNS (Domain Name
System), name server security in BIND, security in CGI (Common Gateway
Interface) and API (Application Programmer Interface) programming,
secure electronic business with E2S (End-to-End Security), concerns
and benefits with medical record availability, digital signature
legislation and regulation, and the risks and government promotion of
key escrow and recovery.

copyright Robert M. Slade, 1998 BKW3JI23.RVW 980411

------------------------------

Date: Thu, 9 Jul 1998 12:11:33 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "PCWeek Microsoft Windows NT Security", Nevin Lambert/Ma

BKPWNTSG.RVW 980514

"PCWeek Microsoft Windows NT Security", Nevin Lambert/Manish Patel,
1997, 1-56276-457-8, U$39.99/C$56.95/UK#36.99
%A Nevin Lambert [email protected]
%A Manish Patel [email protected]
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 1997
%G 1-56276-457-8
%I Macmillan Computer Publishing (MCP)
%O U$39.99/C$56.95/UK#36.99 800-858-7674 http://www.mcp.com
%P 388 p.
%T "PCWeek Microsoft Windows NT Security: Security Administrator's
Guide"

I always get a bit worried at a book written by two cofounders of a
consulting startup related to the topic of the book. My alarm level
rises when the sarcasm starts right away in the acknowledgements. I
am not comforted by the fact that the authors are enthralled by the
glories of Microsoft.

Chapter one, however, is a very reasonable look at the different
levels of security that a situation may demand. Physical security,
warnings, accounts, and backups are part of the picture that is
presented. Some of the advice is questionable (the use of NTFS
sometimes involves a tradeoff between access control and recovery) but
the overall scenario has good range and scope. The system history
given in chapter two is rather biased in favour of Microsoft and its
products, but the system overview is useful background. Account and
group concepts and maintenance are covered well in chapter three. The
discussion of filesystems in chapter four still hews closely to the
Microsoft party line, but it does provide information that can be very
helpful for decisions regarding reliability. In the Trusted Computer
System Evaluation Criteria (Orange Book) the term "Trusted Path"
refers to at least B2 level systems, which NT cannot approach.
However, in the review of the NT security subsystem in chapter five,
the authors do a credible job of justifying the use of the phrase
through the level of detail they provide of the logon process, as well
as other operations. Chapter six looks at access to local resources
and gives significant detail and information in such areas as well
known SIDs (Security IDs). However, as is too often the case, the
book fails to furnish a clear explanation of assessment of effective
rights to an object.

The review of basic networking concepts takes up about half of chapter
seven, with the remainder looking at shares and network security
provisions. RAS (Remote Access Service) and the related encryption
schemes are discussed in chapter eight, but the lack of details of the
encryption process make it difficult to assess levels of security and
operational needs. Coverage of printer management in chapter nine is
good, but the implications of options such as spooling and redirection
are not completely addressed. Chapter ten deals with a number of
Registry related topics, including editing, Registry tools, backup,
and security related keys.

Chapter eleven provides a thorough and helpful explanation of
profiles, although, again, extra material on the security implications
of specific choices could be more helpful. The ramifications of
auditing could be discussed forever, of course, but I would have to
say that chapter twelve's coverage is quite appropriate for the target
audience level of the book. Internet security could (and does) fill
other books, so it is acceptable that only concepts and warnings are
raised in chapter thirteen. Chapter fourteen reviews security aspects
of BackOffice but only in a brief and limited manner.

Chapter fifteen provides information on NT's use of cryptography, but
this data is not very helpful since it is not backed up with
conceptual material on cryptographic strengths and key management.
Enterprise policies are reviewed quickly in chapter sixteen. Chapter
seventeen looks to the future delivery of Distributed Security
Services (DSS). The security references and resources listed in the
appendices are not extensive, but they are of reasonably good quality.

The book has both a readable style and useful information. The lack of
formal security concepts means that there are gaps in coverage, but
overall this work can provide both new users and non-specialist
administrators with a measure of protection that would reduce
vulnerability considerably. Security specialists who are not familiar
with Windows NT would likely find the most benefit from using the text
as a tutorial, since they would be able to fill in the blanks from
their own conceptual background.

copyright Robert M. Slade, 1998 BKPWNTSG.RVW 980514

------------------------------

Date: Fri, 10 Jul 1998 11:11:58 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Java Security", Scott Oaks

BKJAVASC.RVW 980520

"Java Security", Scott Oaks, 1998, 1-56592-403-7, U$32.95/C$46.95
%A Scott Oaks [email protected]
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1998
%G 1-56592-403-7
%I O'Reilly & Associates, Inc.
%O U$32.95/C$46.95 707-829-0515 fax: 707-829-0104 [email protected]
%P 456 p.
%T "Java Security"

As the author notes, security means many different things to many
different people. In the general public, Java security tends to mean
browser and applet security, and the default applet "sandbox."
Therefore I feel obliged to point out that this book is primarily
concerned with the programming of security into systems, and the
security APIs (Applications Programming Interfaces) built into the
language to ease that task.

Chapter one looks at the overall security model for Java, and
particularly at the invocations of programs. Basic enforcement and
verification is covered in chapter two. Class loaders, in chapter
three, provide the programmer with a means to specify an almost
arbitrary level of security protection for a program. Chapter four
details the workings of the security manager, again providing the
programmer with the ability to set specific protections. The access
controller is new to Java 1.2, is the mechanism that the security
manager now uses to actually permit or deny use of resources, and the
object calls are discussed in chapter five. Implementation of access
and security policies through the class loader and security manager is
covered in chapter six.

Chapter seven looks at the need for authentication over open networks,
and the security provisions of digital signatures. The discussion of
cryptography itself is essentially non-existent since, as Oaks notes,
it is not necessary to understand it in order to use it. Those who
wish to test or implement strong encryption will need to go elsewhere.
Implementation of standard cryptographic protection is via security
providers, reviewed in chapter eight. Some simple message digest
implementations are described in chapter nine. Key management is an
important part of cryptography so chapter ten deals with keys and
certificates while chapter eleven reviews the handling of them.
Chapter twelve looks at the functions provided for dealing with
digital signatures. Specifics for encryption are listed in chapter
thirteen.

Appendices deal with security tools, identity based key management,
resources, and a quick reference chart.

While the book is well written it is not light, and is probably best
suited to those who are well familiar not only with Java programming,
but also the internals of the language. On the other hand, dealing
with security is a great way to learn the internals of a language.

copyright Robert M. Slade, 1998 BKJAVASC.RVW 980520

------------------------------

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

SUBSCRIBE CU-DIGEST
Send the message to: [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to [email protected]
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:
UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
Web-accessible from: http://www.etext.org/CuD/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.

------------------------------

End of Computer Underground Digest #10.40
************************************