On Jul 8, 2008, at 2:21 PM, RISKS List Owner wrote:

Date: Thu, 03 Jul 2008 11:06:12 -0800 From: Rob Slade <rmslade@shaw.ca> Subject: REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker

BKDCRMNF.RVW 20080317

"The dotCrime Manifesto", Phillip Hallam-Baker, 2008, 0-321-50358-9, U$29.99/C$32.99 %A Phillip Hallam-Baker dotcrimemanifesto.com hallam@gmail.com %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2008 %G 978-0-321-50358-9 0-321-50358-9 %I Addison-Wesley Publishing Co. %O U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339 %O http://www.amazon.com/exec/obidos/ASIN/0321503589/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321503589/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321503589/robsladesin03-20 %O Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation) %P 415 p. %T "The dotCrime Manifesto: How to Stop Internet Crime"

In the preface, the author notes that network and computer crime is a matter of people, not of technology. However, he also notes that changes to the network infrastructure, as well as improvements in accountability, would assist in reducing user risk on the net.

Section one enlarges on the theme that people are more important than machines or protocols. Chapter one looks at the motive for Internet crime (money, just like non-computer crime), and repeats the motifs of the preface. The text goes on to list various categories and examples of network fraud. The content of chapter two is very interesting, but it is hard to find a central thread. Overall it appears to be saying that computer criminals are not the masterminds implied by media portrayals, but that the problem of malfeasance is growing and needs to be seriously addressed. What Hallam-Baker seems to mean by "Learning from Mistakes," in chapter three, is that security professionals often rely too much on general principles, rather than accepting a functional, if imperfect, solution that reduces the severity of the problem. Chapter four presents the standard (if you'll pardon the expression) discussion of change and the acceptance of new technologies. A process for driving change designed to improve the Internet infrastructure is proposed in chapter five.

Section two examines ways to address some of the major network crime risks. Chapter six notes the problems with many common means of handling spam. SenderID and SPF is promoted in chapter seven (without expanding the acronym to Sender Policy Framework anywhere in the book that I could find). Phishing, and protection against it, is discussed in chapter eight. Chapter nine is supposed to deal with botnets, but concentrates on trojans and firewalls (although I was glad to see a mention of "reverse firewalls," or egress scanning, which is too often neglected).

Section three details the security tools of cryptography and trust. Chapter ten outlines some history and concepts of cryptography. Trust, in chapter eleven, is confined to the need for aspects of public key infrastructure (PKI).

Section four presents thoughts on accountability. Secure transport, in chapter twelve, starts with thoughts on SSL (Secure Sockets Layer), and then moves to more characteristics of certificates and the Extended Verification certificates. (The promotion of Verisign, infrequent and somewhat amusing in the earlier chapters is, by this point in the book, becoming increasingly annoying. The author is also starting to make more subjective assertions, such as boosting the trusted computing platform initiative.) Domain Keys Identified Mail (DKIM) is the major technology promoted in support of secure messaging, in chapter thirteen. Chapter fourteen, about secure identity, has an analysis of a variety of technologies. (The recommendations about technologies are supported even less than before, and the work now starts to sound rather doctrinaire.) It may seem rather odd to talk about secure names as opposed to identities, but Hallam-Baker is dealing with identifiers such as email addresses and domain names in chapter fifteen. Chapter sixteen looks at various considerations in regard to securing networks, mostly in terms of authentication. Random thoughts on operating system, hardware, or application security make up chapter seventeen. The author stresses, in chapter eighteen, that the law, used in conjunction with security technologies, can help in reducing overall threat levels. Chapter nineteen finishes off the text with a proposed outline of action that recaps the major points.

Hallam-Baker uses a dry wit well, and to good effect in the book. The humour supports and reinforces the points being made. So does his extensive and generally reliable knowledge of computer technology and history. In certain areas the author is either less knowledgeable or careless in his wording, and, unfortunately, the effect is to lessen the reader's confidence in his conclusions. This is a pity, since Hallam-Baker is championing a number of positions that would promote much greater safety and security on the Internet. Overall this work is, for the non-specialist, a much-better-than-average introduction to the issue of Internet crime and protection, and is also worth serious consideration by security professionals for the thought-provoking challenges to standard approaches to the problems examined.

copyright Robert M. Slade, 2008 BKDCRMNF.RVW 2008031 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org http://victoria.tc.ca/techrev/rms.htm