Computer Security: Fact and Fiction
An awful lot of users are beginning to wake up to security, or the lack of it. Apart from viruses, spyware, phishing and identity theft, there are scores of ways for the bad guys to get inside your computer.
Often it is not until someone gets a shock that action becomes imperative. While some books rightly warn and scold, it is often the fictional representations -- art versus life -- that convince us that "we should do something". I think of two movies while writing this: Matthew Broderick in "War Games" and Sandra Bullock in "The Net".
I have on my desk three works on security. I cannot judge which is the most scary: fact or fiction.
Andrew Lockhart's "Network Security Hacks" does not follow the usual line of explaining a problem in detail, such as in "Security Warrior" (O'Reilly). This "Hacks" work takes the same approach as others in this useful O'Reilly series: a one-line problem statement and a full explanation of how to close the gap.
There are suggestions for all of the major operating systems: Windows, Linux, Unix and OSX. It is not just that the computer itself is insecure (although a good number are -- a password alone would prevent much), but that what we connect to (including the web) has inherent weaknesses.
Lockhart shows how to shut the doors firmly and to track the possible entry attempts. There is work at the command line and many suggestions for third-party programs that can check, prevent and hunt.
With plenty of monochrome illustrations, and clear text, systems admins need to get hold of this book. It should be considered as an essential part of computer teaching department libraries. What comes across (and in the works below) is not the "if", but the "when" some form of attack will occur.
It is not often that we review works of fiction here. There are not many worthwhile ones: the movies have the upper hand. The best stories about computers (with exceptions like "Microserfs") are factual, like Clifford Stoll's "The Cuckoo's Egg" (Simon & Schuster).
Syngress have produced several books of computer fiction and this expensive pair work fairly well. They are a little uneven, which was mainly due to the way the works were constructed. Each book is made up of short stories by different writers, all on the same theme. Together they build into a novel. Uneven they may be in terms of writing, but technically they are strong.
As part of the build-up of reality (as in all the best books) there is much unassailable fact included. However, some of this takes the form of logs, printouts or screen dumps. OK if you like that sort of thing, but an excess of such post-modernist forms can be tedious if you are looking for a good read.
Those for whom computers, networks and security are a fascination will be attracted to these works. I must admit to trying some of the legal tricks of a couple of the books' characters. We are far less secure than we would like to believe.
The above works (particularly the first) are really aimed at those whose jobs are to administer systems. There must be a number of times during the course of the working week when questions as to how one should proceed with a matter are asked. Are there not two sides to every problem?
The "IT Ethics Handbook: Right and Wrong for IT Professionals" examines many aspects of computer and network use in the workplace. It attempts to provide answers by stating a problem and then offering two answers: the conservative and the liberal. This is followed by a summary, with Frequently Asked Questions (FAQ) at the end of each section. There are also several panels, marked "Soap", in which outside consultants express their points of view.
How should one deal with an employee selling old hard drives; and what about access for trusted but temporary assistants? In the former situation, making a profit from a company falls between plain wrong and "why not?". In the latter, there is a balance between security and getting the job done.
I put this book forward as a work that should be examined by any office boss who has a large number of computer-using staff, or a systems (or IT) manager who just has to do the job. Whether anyone will, or whether they will continue to err on the side of total control, is another matter.
For further information, e-mail to Graham K. Rogers.