Exploits Books

Now, I only read about forty pages, but I *really* didn't like what I read. The book is obviously rushed, and not very informative.

I have been doing research on securing public instant messaging protocols and thought this would be a great resource. It isn't. At least for AOLIM, it told me much less than I was able to find on the Internet with less than an hour of searching.

Here are some spot examples of problems:

"...as previously discussed, utilities such as dsniff can be used to decrypt these passwords while they are bring transmitted over a network."

But I cannot find a previous discussion. In fact, this is mention pretty much in isolation...there is no explanation of *how* one would use dsniff to decrypt the passwords. And, aside from mentioning that the passwords are encrypted using XOR encryption, there are no further details on what is going on - such as what is being XORed with what.

Later on the same page it says:

"Figure 2.1 shows the main screen for signing into the AIM service, while figure 2.xxx shows dsniff revealing AIM passwords."

What is with that 2.xxx? It looks like that figure never got included, and the 2.xxx was a place-holder that never got filled in! In fact, I cannot find a figure ANYWHERE in the book depicting dsniff uncovering the password.

The discussion of the AIM protocol takes up just under TWO PAGES. WHAT!? AOLIM is incredibly complex, involving either the OSCAR or TOC protocol, both of which are rather complex. Searching Wikipedia (http://en.wikipedia.org/wiki/OSCAR_protocol) provides MUCH more information than is included in the text.

Finally, the discussion of encryption is A PARAGRAPH. It pretty much says that AIM includes encryption. It gives no indication as to how the encryption works other than that it involves certificates. It doesn't even say WHAT KIND of certificates.

I am returning the book post-haste. If the abysmal quality of the coverage of AOLIM is any indication, this book is not definitely not worth acquiring.

Noted security veteran Bruce Schneier has observed that for those organizations that have incorrectly deployed cryptography, it is akin to putting a big flagpole in front of your facility and hoping that it will stop any attackers from breaking in. Of course, any attacker with intelligence will simply go around the flagpole rather than running into it."

Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products.

Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks.

With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications. This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization.

The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium with most organizations today reported that they allow it for business usage. Many marketing and technical support calls are now handled via IM and this translates in to well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that that poses serious security and legal liability risks when done on most corporate networks.

But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger as most IM and P2P threats fly under the radar of many traditional security solutions.

The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3.

Each chapter details the specific architecture of each application, its protocols, security issues, and solutions in which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.

Each chapter also provides significant details about the internals on how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.

Many companies are finding that a significant amount of their bandwidth is being used by P2P applications and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out given that many P2P applications, such as Gnutella are designed to easily bypass many of the security control mechanisms placed against it. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic and the application still will be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.

Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.

Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact the P2P and IM are much more heavily used on enterprise networks, which this book is geared to.

The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher-end of computer security books, with the majority of such titles being in the $25.99 - $39.99 range. The formatting uses a font size that is somewhat larger than other book. This seemingly serves to achieve a high page count.

In addition, the book often references tables of secondary information that spans a few pages (for examples see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font. Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.

Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.

I had high hopes for Securing IM and P2P Applications for the Enterprise (SIAPAFTE), and thankfully this book delivers. SIAPAFTE is a modern, well-written, thorough guide to instant messaging (IM), peer-to-peer (P2P), and Internet Relay Chat (IRC) networks and related security issues. I recommend all network and security administrators read this book.

SIAPAFTE is helpful in many respects. First, the book is up-to-date. It covers events as recent as the fall of 2005. The book also takes a historical approach to describing technologies by describing when and how they were introduced. Readers learn of the evolution of various IM and P2P clients and networks, as IM network owners seek to shut out rival clients and industry groups shut down P2P infrastructure.

Second, SIAPAFTE takes a comprehensive look at IM, P2P, and IRC technologies. I believe the authors picked the right networks and clients to discuss. IM is fairly simple to understand, since the clients are closely tied to the networks. P2P is less clear, since people often refer to clients like KaZaA (or Kazaa) without understanding that FastTrack is the underlying network. I learned of many technologies for the first time reading this book. Distributed Hash Table (DHT) and Kademlia are two examples.

Third, SIAPAFTE is well-written. The text is clear and the authors communicate their points in an organized and coherent manner. This does not mean the book is without flaws. Although Zeveck's one-star review (after reading just 40 pages -- please) is ridiculous, he is correct about a bad figure reference on p 27. The bottom of p 235 features a similar problem, and some pages have large chunks of inexplicable white space. I also thought the large lists of IM threats was not needed, especially when some of them ran several pages.

I liked the protocol analysis of various networks, particularly those for P2P. It seemed some protocols got more attention than others, however. The inclusion of IPTables and Snort rules was a nice touch. I would have liked to see that for the IM and IRC parts too. The IRC section could have used an IRC command reference. Since this is a book about IM and such in the enterprise, it would have been helpful to learn how to set up a secure internal IM system like Jabber or even a local IRC server.

For those keeping track of Syngress' recent tendency to reprint chapters from other books, SIAPAFTE is no exception. The last 20 pages in Ch 7 are Ch 13 from Skype Me! Oddly, no credit is given in SIAPAFTE for that other book's material.

Overall, I think anyone involved with networks or security will find SIAPAFTE a great resource. I found the book to be highly informative, and I recommend you read it. Addressing the issues in this review would merit a five star review for a second edition.

There are not a lot of books that cover IM and P2P security - when I found this I was skepitcal at first, but quickly found it to be a great reference, and the definitive source of information on SEcuring IM and P2P.

The book is very well organized with Chapters dedicated to each major program, making it easy to educate yourself on the common pitfalls of having IM and P2P in your environment.

This book is a great source for information on the dangers of instant messaging and p2p networks. Although this material can apply to personal use, it is geared more towards system administrators and networked environments.

The structure of the book is very well laid out, giving you the ability to jump from product to product or area of interest (such as AIM, eDonkey, or IRC as a whole). This approach makes it easy to locate the information you are looking for quickly, making it an excellent reference. The author has done a great job in being realistic is the approach to these systems. Rather than totally restricting their use, this book helps you to live with these systems, recognizing that they are often used or required for businesses.

If you are running a network, you almost definitely have this type of traffic on it. This book is definitely an excellent resource with large amounts of information on multiple types of systems

The editor of this book has a long and losing track record fighting adequacy cases in court. What he couldn't accomplish in the court of law, he's trying to accomplish in the court of public opinion with this unbalanced collection of essays mostly contributed by fellow travelers at the Hoover Institution. Hanushek is famous for producing research that "proves" that money does not matter in education. When he testified to that effect in an adequacy trial in North Carolina, the judge presiding over the case remarked that "only a fool would find that money does not matter in education." You'll find no mention of that in this book, nor of the repeated failure of these arguments inside the crucible of the courtroom where opinions are subject to cross-examination, transparent and public challenge and democratic testing. If you're really interested in exploring school finance lawsuits, one of the best books to read is Peter Schrag's Final Test. Schrag is a veteran journalist and he gives plenty of space to Hanushek in his pages as he explores all sides of the issues. You get Hanushek and more, not just Hanushek and a politically-motivated and one-sided pseudo-academic treatment of the subject.

Beginning around 1990, a wave of school finance lawsuits swept the nation, based on the "adequacy" theory. Many constitutional and government scholars were critical of the legal theory, due to separation of powers. And many social scientists were highly dubious of the "costing-out" studies churned out by consultants for the teachers' unions and other parties to these cases. However, it proved difficult to convey the findings of social science in court without being misconstrued as saying "money doesn't matter" or, worse yet, as being hard-hearted toward the education of disadvantaged children.

More recently, the skeptics (of which I am one) have proven more successful in explaining to judges why most "costing-out" studies are "junk science," as Dr. Hanushek has put it, and why the remedies sought by plaintiffs have not been generally effective. Similarly, the constitutional arguments for separation of powers have also been more compelling, as earlier court interventions have bogged down. Consequently, the wave of court interventions seems to have peaked, followed by a series of decisions upholding state funding systems in MA, TX, KY and elsewhere.

Readers interested in understanding the intellectual basis for this turn of events should read Dr. Hanushek's volume, "Courting Failure," along with the recent Brookings volume, edited by Martin R. West and Paul E. Peterson, "The School Money Trials," based on conference papers at Harvard. Both volumes feature strong collections of essays and scientific and legal analyses by highly distinguished writers. These volumes should prove compelling to those readers with an open mind, who seek to move the nation forward with true education reform.

Courting Failure should be required reading for any serious student of education finance and policy. Court orders and fear of court orders have dramatically increased spending for public schools despite little evidence that student achievement has improved. As Hanushek points out, this is not because money can not make a difference. It is because the current system is so inefficient that merely adding resources is unlikely to improve student outcomes.

Like so many other debates in education, the field of adequacy litigation has been dominated by protestations of good intentions and glib talk of "the children." The result has been to provide moral sanction to a growing industry of consultants, attorneys, and activists who have sought to improve schooling through new inputs, airy aspirations, and without ever making tough choices. This volume casts a badly needed, skeptical eye on this entire enterprise. In doing so, it is an important contribution and one of only a handful of books that can help policymakers, educators, or reformers understand what the courts can and cannot do when it comes to school reform. In a series of bracing chapters, the authors examine the assumptions and practices that constitute the adequacy movement. Reasonable readers might disagree with the volume's editorial stance (though this reader finds it compelling), but anyone who claims to have thought seriously about education and the courts should take the time to consider the arguments and analyses in this volume.

Let the reader judge for him or herself. The judgment in the North Carolina school finance case is revealing:

"To assist the Court in probing that question defendants called Dr. Eric Hanushek, a distinguished economist and expert on public school finance and school finance policy issues. He testified that based upon his knowledge of educational research literature and his own research, he has found little systematic evidence of a correlation between spending on schools and student achievement. While he does not discount the possibility that there are effective practices that enhance student achievement, he is convinced that merely spending more money on education is unlikely to result in improved student performance. Hanushek, Nov. 30, 1999, at 217-36.
This Court understood Dr. Hanushek quite clearly. Although plaintiff=s counsel described Dr. Hanushek as the witness who was going to testify that "money does not matter," the Court finds Dr. Hanushek to be very credible. His testimony was logical and full of common sense. Put in plain English, the thrust of Dr. Hanushek=s opinion is that throwing money at an educational problem without having goals in place for the spending and a system of accountability to measure the effectiveness of the spending is wasteful and not likely to result in improving student performance. The Court is of the same opinion. Dr. Hanushek believes that money matters provided the money is spent in a way that is logical and the results of the expenditures measured to see if the expected goals are achieved.
Dr. Hanushek's opinions are based on facts."

Judge Manning's full decision can be found at: [...]

One need only ask 'where is the hatchet job?'

Many puzzle books struggle with accuracy issues, either in that there are many possible solutions, or that the posted solution actually has a refutation. This book on the other hand has been throughly error checked, and is of a higher quality then most of the puzzle books that I have used.

If you happen to be an e4 player, you will meet the Sicilian about half the time, and if the Sicilian is your response to e4 you will be playing it about half the time with the black pieces. In this case roughly 50% of your games will be played in this opening, so it is natural to study tactics that occur in these lines.

The only warning that I will add is that these problems are difficult. If you are looking for a puzzle book that you can move through quickly this is not it. I am rated approximately 1800 FIDE, and many of these problems took me 30 minutes or more to solve.

While it is true this book is essentially a book of 500 combinations there are a couple interesting aspects to it that previous reviewers have overlooked.
1) All combinations come from "Sicilian" openings and list ECO in the answers...while for the beginning player this might not matter, it is worthwhile to study patterns and ideas from openings that you play.
2) The problems have been checked to insure there are no ambiguous alternate answers....which is a common problem in chess tactic books...nothing worse than banging your head against a problem where your idea is equally legitimate or better. Lishvits's Test your chess comes to mind....
Aagaard has an enjoyable writing style, and aims to an audience somewhere between Silman and his excellent primers on strategy, and Dvoretsky and his world class books.

The previous reviewer is correct; the book is merely a collection of combinations problems taken from master play. A plethora of such books already exist, and there is nothing in Aagaard's book to distinguish it from the competition.

In addition to the other reviews, it is also important to note that the positions come from actual games (though you probably guessed that since they are all from the Sicilian) and that they are from recent praxis. This may seem a small point, but taking only from recent ECO lines increases the possibility of seeing similar tactics in your own games. There is less chance of the tactic coming from a busted or unfashionable line.

It also seems unfair to trash Aagaard's work simply because it is "another puzzle book." One doesn't throw away a Stephen King novel because it is just another horror story. Rather you should judge the work on its merit within the genre. It is a well researched and useful tactics book and will increase your tactical ability. Feel free to grab other works like Reinfield and Polgar's puzzle books, but don't overlook this collection, especially if you like to play the Sicilian.

I read Extreme Exploits because the content looked intriguing and I am familiar with applications written by lead author Victor Oppleman. The back cover states the book is "packed with never-before-published advanced security techniques," but I disagree with that assessment. While I found all of the content helpful, between 1/3 and 1/2 of it is probably available in older books -- including several by publisher McGraw-Hill/Osborne. Nevertheless, I find the strength of the network infrastructure security sections powerful enough to recommend Extreme Exploits.

I found Extreme Exploit's most innovative material in chapter 1 (Internet Infrastructure), 2 (ISP Security Practices), 4 (Reliable Connectivity), 8 (Email Gateways, Filtering, and Redundancy), 10 (Sinkholes and Backscatter, and 14 (Performing the Assessment, Part 1). These chapters introduced projects like RADB, IRRd, INOC-DBA (a VoIP "hotline" for ISPs), the Distributed Checksum Clearinghouse (an anti-spam system), and Hashcash (to consume CPU cycles and frustrate spammers). Subjects like questions to ask ISPs, ways to multi-home, and using anycast to improve redundancy were also welcome. A comment that spammers are using people who register with porn sites to pass CAPTCHA tests really surprised me! Ch 10's coverage of ISP sinkholes was clear, and I learned about triggered blackhole routing. Advice on checking publicly announced routes was cool, especially the reference to the author's Pwhois system.

Although the vulnerability and patch management information in ch 12 was fairly routine, I also liked the author's mention of recent industry projects like the NIAC vulnerability lifecycle and Common Vulnerability and Scoring System.

Other chapters mainly covered topics found in other books, like Hacking Exposed, Gray Hat Hacking, or Hardening Network Security (all Osborne titles). Most of the book contains sound advice, but I must disagree with several assertions made in ch 7 (Intrusion Detection and Prevention). These include the "rejection" of the value of passive detection (p 116), the "logical transition" where detection and prevention converges into firewalls (p 116), the idea that intrusion prevention systems are "less prone to insertion and evasion attacks" (p 120), and "signature-based IDS normally do not have an understanding of the underlying protocol that they are examining and simply perform byte-by-byte pattern matching" (p 121).

Almost all of the vulnerability assessment material could have been cut, aside from the BGP query and network infrastructure advice in ch 14. The misnamed "exploiting digital forensics" chapter (16) tempts the reader into thinking it will cover anti-forensics, but really it's an overview of network-, host-, and memory forensics in 26 pages. An excerpt from p 332 summarizes the problem with the chapter: "At this point, you might be asking, what do I do with the data?" Still, ch 16 deserves an honorable mention for describing multiple tools with which I was not familiar or had only passing familiarity. These included Foremost by Jesse Kornblum and Kris Kendall, Disktype, and Memdump.

In terms of structure, I liked the fact that every chapter concluded with a "checklist for developing defenses" summarizing important points in an actionable format. The writing is always clear, and the diagrams are excellent. Many of the network infrastructure suggestions are supported by command-line syntax and examples, consistent with Osborne's Hacking Exposed style.

Overall, I think most everyone will learn something by reading Extreme Exploits. Those with a decent amount of experience or who have read books already mentioned might find some of the book repetitive. Despite this, I learned a lot about network infrastructure and I look forward to reading Victor's upcoming book on "Carrier Class Network Security."

The book has two major sections: (a) configuration and maintenance practices, and (b) techniques for vulnerability assessment. The breadth of coverage of many modern techniques and terminology is very good; they go in-depth on a few topics here and there.

The basic assumption of section (a) is that you're trying to defend against unknown/unfixable threats. This is basically the current (2001-2005-) school of thought on security and leads to default-deny policies. This book has lots of good information on how to implement default-deny. The book convinced me that it's much more difficult than a default-deny firewall rule.

The book has many contributing authors; this probably contributes to its strength.
Many books are focused on ISPs, or on enterprises (read: "windows clients and servers with a firewall"), or on software developers, or VoIP carriers. This book has some good material for all of those types.

It's written from a Unix perspective. It does have some coverage of analyzing threats to Windows-based systems, but you'll get the most value from the book as an analyst/administrator if you use some sort of Unix. They have a BSD bias.

The authors also have an bias towards open-source software.

But it's not perfectly integrated, and the organization isn't ideal everywhere. For example, there are two sections of the book that discuss buffer overflows, apparently contributed by two different authors.

The index is only minimal; it only covers one of the sections on stack overflows. Bad indexes are a common problem in technical books from some publishers.

Regardless of how many steps you take to secure your organizational computing environment, there's always some new exploit waiting to nail you. The best you can do is to understand your network and stay on top of the technology. Extreme Exploits - Advanced Defenses Against Hardcore Hacks by Victor Oppleman, Oliver Friedrichs, and Brett Watson can help you in that pursuit, especially in the networking realm...

Contents:
Part 1 - Core Internet Infrastructure for Security Professionals: Internet Infrastructure for Security Professionals; ISP Security Practices - Separating Fact from Fiction; Securing the Domain Name System
Part 2 - Defending Your Perimeter and Critical Internet Infrastructure: Reliable Connectivity; Securing the Perimeter; Redefining the DMZ - Securing Critical Systems; Intrusion Detection and Prevention; E-mail Gateways, Filtering, and Redundancy; Data Leaks - Exploiting Egress; Sinkholes and Backscatter; Securing Wireless Networks
Part 3 - Network Vulnerability Assessments: Vulnerability and Patch Management; A Winning Methodology for Vulnerability Assessments; Performing the Assessment - Part 1, Performing the Assessment - Part 2
Part 4 - Designing Countermeasures for Tomorrow's Threats: Exploiting Digital Forensics; Viruses, Worms, Trojans, and Other Malicious Code; Exploiting Software
Index

The authors of this book are real gurus when it comes to networking technology. I worked with Brett Watson at a prior place of employment, and I can attest to the fact that he really knows his trade. In the first part of this book, they go into networking and security probably deeper than any other book I've had the opportunity to review. To get the most out of the material, it helps to be firmly grounded in networking technology. If you're not a network administrator or if you're just starting out, you'll probably struggle to keep up. Parts 2 and 3 are also valuable sections. Part 2 continues the in-depth analysis of how best to protect your network from attack, along with software recommendations to implement your security plans. And if you aren't already using a formal methodology to continuously review your network security, Part 3 will help you set up the necessary framework to implement a solid security review. Part 4 probably is the weakest part of the book, in that most of the material is available from multiple other sources, and doesn't necessarily fit into the "extreme exploits" flavor of the rest of the book. It's good information, to be sure... Just not all that unique or special if you've read more than one other security book.

One feature at the end of each chapter stood out and works well... It's a "Checklist for Developing Defenses" along with a recommended reading list. Using the checklist allows you to make sure you understood what each chapter was getting at, as well as giving you a roadmap for implementing security in the particular area that was just discussed. And if a particular chapter was really applicable to your organization, the follow-up reading can help you get even deeper into the material. Good practical technique for helping the reader move from theory to application...

If you have the basics of network security down, it's time to pick up a copy of this book. While you may have to work at understanding the material, it will pay off in a system network that is much more secure than most...

Here is the thing - I am giving this book a high score (4) since it contains unique and fun content related to network infrastructure attacks and defenses, which I have not seen anywhere else. In my view, the good stuff justifies such score, although I suspect that some other reviewers will sledgehammer the book for having too much of routine material covered in other previous books, including the venerable Hacking Exposed.

While I had a general idea of how providers mitigate DDoS attacks, I did not know the specifics of unicast reverse-path forwarding method, described in the book. Similarly, I picked up a lot of material of setting up sinkholes for dropping traffic (and, more specifically, how they are better than ACLs in many cases).

From other topics, I liked their coverage on the evolution of DMZ from simple designs of years past to current security zone design.

The book also presents a lot of up-to-date material, such as the coverage of security information management (SIM), vulnerability management and recent security standards, such as CVSS. It doesn't go into details in some places where I'd wanted it to, but still is interesting to read.

On the other hand, some chapters are disappointing and seem to be in the book for it to appear "comprehensive". Forensics chapter is one of those (it is also mistakenly called "Exploiting Forensics", while no exploitation is taking place)

I recommend the book for most people, from beginners to advanced, since the former will enjoy the breadth of coverage while the latter will likely benefit from the network infrastructure protection (and devastation, of course!) tips. In addition, defense checklists in the end of each chapter are useful for those who do not have time to go and study the material in-depth. The book is slightly biased towards the defense side, with good coverage of the attacking side as well.

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and a blog at O'Reilly"

More recent books on web application security are welcomed. The publication date of 2006 suggests it might fall into that category.

The focus on the programmer is also welcomed. Many security books deal with threats, but the actual practice of programming to ameliorate those threats may not be readily apparent. One would like support for a programmer "security mindset" and specific strategies to implement that.

The book is addressed to programmers and written in a fashion that is engaging. And, as a more general work to highlight the importance of security at the development stage, it's OK.

But, there's just not much depth here for it's intended topic. And, the content appears to reflect lectures presented in the 90s. There's some significant reference to C, which is not typically used in contemporary web programming. The focus tends towards the *nix world, but again a fair amount of emphasis, as I recall, on cgi, where again, PHP is more commonly used today. References in the Microsoft world are exclusively to ASP -- a technology which was superseded in 2002 by ASP.NET.

There's some appropriate programming advice here. But, it's soft rather than hard, and diffuse and general rather than focused and specific.

I would rate it 3 stars for that content if it were more appropriately titled.

When I came across this book on the O'Reilly website I was immediately interested, as web applications are becoming more and more prevalent. And other than thinking it covered methods of securing web applications I had no preconceived assumptions. My main aspiration for this book was to give me better awareness of security in the area of web applications and to provide me with some tools. After having read this book I can say that it has done both.

Each of the chapters in this book seem to follow a pattern of first defining the topic, second giving real world examples, and finally providing the reader with solutions. The book begins by providing a history of the hacking methodology and defining the various types of hacking. It was interesting to learn about some of the various hacks and hackers. For example, I had no idea Steve Jobs (Apple Computers) used to be a hacker.

In chapter two the author discusses what he calls a "Code Grinder", and how to not become or produce a code grinder. A code grinder is someone who works in a highly regulated environment where creativity is discouraged. I found it interesting that a code grinder environment typically produces more unsecure code then an environment that is open and promotes creativity.

Chapter three discusses the risks associated with mobile code. Chapter four covers vulnerable CGI scripts and introduces the reader to some tools such as Nikto and Web Hack Control Center to scan your website to find vulnerabilities. The author goes on to discuss the issues faced by the various CGI scripting languages, and then provides an outline of rules to writing secure CGI scripts.

Chapter five covers hacking techniques and tools. This section gets you into the mind of a hacker, what are their goals, how are those goals achieved and what tools do they use. In chapter six the topic is "Code Auditing and Reverse Engineering." This chapter I found exceptionally interesting and helpful. The author takes you through various types of vulnerabilities and with each weakness explains how it affects each of the more popular programming/scripting languages. And to take it a step further the author also provides the reader with the functions/methods for each programming/scripting language that are vulnerable to attack and then explains either how to use those functions securely or gives an alternative function/method that is more secure.

Chapters seven through ten cover securing code in specific languages; Java, XML, ActiveX, and ColdFusion. Chapter eleven discusses developing security enabled applications using such technologies as PGP, SSL, and PKI. Finally in chapter twelve the author wraps up the book by taking the reader through creating and working with a security plan.

CONCLUSION
--
I found this book to be interesting and a good read. I plan to make use of some of the tools it introduced in hardening applications I work with and develop. And as I mentioned before, the chapter on code auditing will be extremely useful to me in cleaning up existing apps and developing new ones. I liked this book and I would recommend it to anyone who is writing code.

With the increasing number of incidents of crime that is occurring on the world wide web it behooves every programmer to become fluent in all aspects of information security. This book provides a great overview of the various methods a hacker uses to penetrate various forms of web architectures. The author's goals it seems was to cover a broad subject by touching on all important aspects of securing a website.

Throughout the book a hacker mindset is presented and how to design your website to overcome the tools and tricks of the hacker. For instance in many of the chapters the manner of attack that a hacker would use to exploit a piece of technology is covered. Overall I believe this book to be a good introduction to the field of securing websites. Since security in of itself is such a broad subject and the Internet is also a broad subject it is unfair to expect one book to cover all aspects of a complex and dynamic environment

Harmon Leon, perhaps the most daring infiltration journalist of this or
any other time. I had to stop reading several times because I was laughing
so hard, though a lot of the places he ventures to (Minutemen, Patriotic Pro-war
skinheads, Promise Keepers) are really disturbing under the surface.

The Infiltrator: My Undercover Exploits In Right Wing America is a good look
at the modern state of our country.

This is not a funny book, though it certainly tries far too hard. The humor is strained, forced and relies mainly on Leon's failure to reconcile his notions of modern politics (which seem mainly gleaned from second-rate political cartoons) with the actions and attitudes of real people.



It's not clever - indeed, it's clear that Leon knows pretty much nothing about the politics he seeks to subvert and explore. His attempts to skewer the hypocrisy of Right-wing America just make him come off like a prejudiced dick. And if you can't hit a target as huge as Right-wing hypocrisy, how bad is your aim anyway?



As a work of journalism it's desperately weak: reportage is mixed with snide parenthetical observations gleaned from Leon's cartoonishly limited worldview, intercut with "this equals this and this is bad so HAH!!!" comparisons that are tenuous at best, just plain made-up at worst.



It's not particularly brave: much of the book takes place in Leon's living room. Most of the (material that passes for) really cutting observations are not actually delivered to their targets, just slipped into snide parentheses that betray Leon's grade-school-level powers of reasoning.



Much of what Leon observes isn't really bad at all, just deemed by him to be "uncool"; so he laces it with ridiculous extremes unconnected to the example at hand. Hey, it's fun to make fun of other peoples' beliefs if those people might know people who disagree with your politics!



The primary thrust of many chapters seems to be nothing so much as Harmon Leon trying to convince us that Harmon Leon is SO COOL!: the literary equivalent of a drunk guy telling you embarrassing, exaggerated stories about what he said this one time to this one guy and it was great, aw man, you shoulda been there!



After all this, it seems churlish to fault the book for having apparently not been edited at all: spelling errors and grammatical flaws are rife, and many quotes and passages make next to no sense. This may be due to their having been chopped and changed to fit into a book, or may just be due to Leon's inability to write or tell a story.



But hey, I'm a strong supporter of left-wing politics and subverting the system and all that good stuff - so, if the Harmon Leon character depicted in this book is any indication, "churlish dick" is my middle name.

Gonzo journalist Harmon Leon infiltrated the right-wing movement and published REPUBLICAN LIKE ME, a hard-hitting yet humor-laden take on Republican sentiments and insider experiences: now THE INFILTRATOR: MY UNDERCOVER EXPLOITS IN RIGHT-WING AMERICA arrives to expose more Republican views draws on Leon's underground experiences with O.J. Simpson, a civilian vigilante group on patrol for illegal aliens, and another group which eventually promotes him president. As an amazing story of 'infiltration journalist' techniques, it's also a top pick for any college-level journalism library.

Diane C. Donovan
California Bookwatch

Both currently available books, `Serious Pig' and `Pot on the Fire', by John Thorne and wife Matt Lewis Thorne, are composed of essays cut from the same culinary journalistic cloth, the authors' food letter `Simple Cooking'. These essays as bodies of work do not quite fit any established form of culinary writing. It is certainly not `The Best Recipe' genre followed by the magazine `Cooks Illustrated' and some writers, although there is some element of this point of view. It is not culinary history, since it is so distinctly done from the authors' point of view. There are some essays that taste like memoir or nostalgia, but these serve more as chapters used to set the scene for text dealing with the food. It is certainly not food science a la Shirley Corriher or Alton Brown, although Alton Brown does credit Thorne as one of his biggest influences. In a nutshell, the Thornes simply provide interesting writing about food.

I love intellectual connections, so I was delighted to discover that one of the wellsprings from which John Thorne draws his inspiration is the writing of Richard Olney. This ties up a string of influence from Elizabeth David to Olney to Thorne to Alton Brown, one of the most influential popular voices in culinary journalism. Olney is one of the most intellectual writers on culinary matters writing in English and available in the United States. And, it is clear not only in Thorne's `Simple Food' motto but also in his intellectual point of view that he owes much to Olney.

The first thing which changed my reading Thorne from simple pleasure to respect was his essay on the Italian Panzanella salad, which he describes in great detail and with great attention to what Italians really mean when they make this salad, a combination of tomato, stale bread, red onion, mozzarella, cucumber, basil, and salt and pepper. The subtle intellectual honesty that caught my attention was when Thorne created an adaptation using fresh bread and remained true to the original nomenclature by calling his invention Panzanetta salad. Contrast this to Alton Brown's borrowing the same Panzanella term and applying it to a twist on the BLT sandwich by adding bacon and forgetting the onion and garlic. Not Panzanella at all, I think. Not much to most people, but to a person schooled in the principle that language was something to be respected, I was impressed.

The second thing that caught my attention was the tale of how Thorne fell into the vocation of cooking and culinary journalism. Like so many things, and like myself, it was by accident and necessity. In Thorne's case, it was because he was a dropout with little money who needed to feed himself with as few dollars as possible. If this was the prime mover in his career path, a strong influence seems to be his Maine roots. More than one essay has the feel of Maine's Stephen King writing about food. Popular subjects are his old residences, Maine crops such as potatoes and blueberries, and Maine cuisine featuring the lobster and other seafood, and Maine restaurants. One of my favorite series of essays deals with the origin of chowder. I will never again respect a chowder recipe that does not include some potato or biscuit as a thickening agent. Maine does not monopolize the story. A long series of essays covers Cajun and Creole culinary topics from New Orleans. This is where he proposes the theory that a great cuisine such as the Cajun or Italian cuisine is based on emulating a memory of greatness. I think there is a germ of truth here, but I believe Paula Wolfert offers a much fuller picture in her Morocco book.

The third and most enduring attraction of Thorne's writing is that it is simply entertaining stuff. A writer could provide the recipes on these pages with no explanation or commentary and they would be good recipes, but the writing would be like the food with the salt and pepper left out. Similarly, the history / memoir / commentary would not be nearly as interesting without the instructions for preparing the dishes on which the essays expound. The very best example of a perfect mix of culinary technique with storytelling is the essay on `Perfect Rice'. It all starts with John Thorne's claiming that he makes a pretty good pot of rice, followed by a derisive response from Madame Thorne, who had studied the issue at some length before Sir John touched on the subject early in their joint lives. Thorne proceeds to relate the story of their mutual investigations into making perfect rice. In the process, we learn much about the world's rice varieties and why rices behave like it does. After seeing how much care one can devote to such a simple subject, I mentally demote people like Sara Moulton for posing as a teacher of culinary matters when they confesses to not being able to properly cook a pot of rice.

Both volumes are available in midpriced trade paperback editions with no pictures. It is a sure test of the fact that pictures are not necessary in works on cooking in that I never miss them. A really important addition to books of this type is a list of recipes in addition to the index and table of contents. Both volumes have this important tool. The most telling endorsement of these books is that I am sure I will read them again, cover to cover, and enjoy every minute of it.

A rare treat for foodie readers.

This most recent compilation of John and Matt Lewis Thorne's Simple Cooking newsletter continues their intelligent, friendly, delicious writing about food and a real life.This book ends with "Last Gleaning," about the final illness of John's father, and the role food and eating played in their sometimes difficult relationship.John Thorne has been compared to MFK Fisher, and there is some validity to the comparison, to an extent. They both write very very good prose, and they both write about hunger other than the visceral. However, there are differences. At times, Fisher's writing seems exclusionary, and Thorne's never does.To clear up a point of potential confusion: "Matt" is a nickname for Martha. They are married. She acts as editor, and does add an occasional essay or aside. Her contributions make a good writer even better.

I really enjoyed John Thorne's other books, but when I read this one I was bored. He has been publishing for a number of years, and you'd think he would grow and change, expand his awareness, try something new. Instead, I get the feeling his life is shrinking and that he is becoming a miserly, curmudgeonly northeastener who is living a narrow and deprived life out of choice rather than necessity. He moved from a small town to a bigger city, but he hasn't changed much, still the narrow anal focus on the details of simple recipes. Living with him must be mind-numbingly boring. I wonder if his wife ever wants to scream and run out of the house? So obviously my advice is, skip this one and reread one of the earlier ones.

Even though John Sweeney is Tech Editor for Technical Analysis of Stocks & Commodities, I had rather low expectations, expectations which most books in this field fulfill nicely. Mssrs. Sweeney have presented an idea book which focuses on what to look for, what to look out for, and, in passing, saves the cost of a piece of software. What this book is not is a set of formulae showing how to make a million trading. Thank Heavens!

The thrust of the book is to look at the phases a market can go through and to develop an approach for trading the phase now in evidence. Sweeneys also present concepts for turning a loss generated by a phase change into a profitable reversal. This concept builds on the authors' other work, Maximum Adverse Excursion. The concepts are fully explained and a methodology is used to illustrate each. The authors are careful to note that the method used may not be what they use and may not be optimum, but rather is presented for illustrative purposes.

At the outset I thought this work appropriate for only intermediate and experienced traders. Now I'm not so sure. Beginning traders, if they go back to this work from time to time, may be able to save themselves some time and grief.

I certainly recommend the book; I am uncertain whether I should post five stars or only four.

ron davis,CMT

This book beats the theories of Max Adverse Excursion (how much a trade moves against you), Min and Max Favor Excursion (how much it moves in your direction) and then applies it to varying trending, non trending and reversal type of situations. The idea is that a winning trade is not likely to move very far against you. A losing trade is likely not to move very far in your favor. Therefore, one can uses these ideas to construct proper risk management and tweak their methods. I did find the book to be a bit wordy, often taking several chapters to explain a few points that could be summarized in two lines. There is also an interesting chapter about using options to hedge your position, rather than relying on stops. I give this book a strong 3 or a weak 4. There are certainly some good ideas, but isn't anything to write home about.

I purchased the book as a gift for my father. Before I saw him, I picked it up, and read it in a very short time. Frankly, I was completely unaware of this aspect of the war. It almost seems as though the Confederate Navy was successfully battling the mighty Union Navy with only chewing gum, shoe strings, and cast-off wood. This was a very interesting book. The chapters are well written and easy to follow, and are written in an exciting and reader engrossing style. No technical language is necessary to understand or follow the descriptions in this book. It includes both interesting background information about key officers, and descriptions of the battles themselves. My father also liked it!

R. Thomas Campbell continues his series of anecdotal accounts of the Confederate Navy. While anecdotal books can be tiresome, Campbell's is well-written and entertaining, and taken with the other three books in the series, approaches epic proportions. Entertaining and informative.

I hate to say this, because I really like the authors in this anthology and I love the vampire genre, but I was really disappointed by the stories in this collection. Maybe my expectations were too high given the above.

Castle Wrath by Karin Kallmaker started off really promising. I was chuckling out loud as the character narrated the start of her adventure and I was really enjoying the humorous writing in a style Ms. Kallmaker doesn't normally use. But I dunno, somewhere things shifted and it almost became an entirely different style of story. I think it either should have started differently to fit the later portion, or the initial tone should have been maintained throughout. In the end, aside from that, the story itself just didn't interest me at all. The idea of inheriting a castle in a vampire story had the potential to go in all sorts of wonderful directions, but the direction that Ms. Kallmaker chose wasn't where I wanted to go. By the end I just wasn't interested in what happened to the characters.

Running with Stone Ponies was another story with a lot of potential, but I feel it fell really flat. This time mostly due to what came across to me as amateurish writing. Which I suppose takes a lot of gall for me to say, since my attempts at writing are quite pathetic, but there it is all the same. I felt the relationship between the two main characters developed ridiculously. More that there wasn't really any development at all, it was just suddenly there. At various points while reading I was actually cringing at parts of the plot, or specific phrasing choices. If I'm cringing at the writing, I'm not being swept away into the fantasy.

Elsewhen by Therese Syzmanski was a solid story and one that I did enjoy. But the writing at times was disjointed in a way difficult for me to describe. I felt like characters were all over the place at various points in what they were thinking or feeling, making it difficult for me to follow along as well as I should. That's not to say that characters shouldn't be muddled or confused about what they think, but it needs to be written in a way so that as a reader I'm empathetic, not irritated and taken out of the story.

We Recruit by Julia Watts was okay. I can't really think of anything negative to say about it. It just didn't really grab me either, at least not the latter part. Maybe because they wimped out as vampires. Heh. While being a vastly morally superior stance to take, drinking bottled blood just ain't sexy!

I gave the anthology 3 stars. To me that means it's average, and if you're strongly interested, probably still worth buying and reading. I didn't feel it was a total waste of my time. But I'm still left with that disappointing feeling of being disappointed by an anthology that I had been anticipating with a great deal of excitment. (For context, I own almost all the published novels and anthologies by Karin Kallmaker, Therese Syzmanski, and Julia Watts, so normally I really am a fan!)

It's surprising that Bella After Dark has come up with three successive good collections of themed novellas using only four authors. In each of the collections, I have had a favorite story. In the first one Karin Kallmaker's re-telling of the Little Mermaid was my favorite; she also topped the list in BELL BOOK AND DYKE. In this collection, Barbara Johnson out did herself. I was afraid that the stories would be unable to find new territory to explore, but Johnson's pre and post atomic disaster tale did it for me. I hope these women can come up with yet another theme and do as well with it.