[risks] Risks Digest 22.57

From: RISKS List Owner (riskoat_private)
Date: Wed Feb 19 2003 - 16:02:23 PST

  • Next message: RISKS List Owner: "[risks] Risks Digest 22.58"

    RISKS-LIST: Risks-Forum Digest  Weds 19 February 2003  Volume 22 : Issue 57
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.57.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents: [Huge backlog.  Sorry.]
    Playing Russian Roulette with traffic lights (Dan Foster)
    Scuba diving computer recall (Tom Race)
    Gambling on systems accountability (Irena Szrek)
    University software development fiasco (Identity withheld by request)
    Re: Identity theft evidently based on spoofing AOL (Identity withheld)
    REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris (Rob Slade)
    REVIEW: "CISSP Training Guide", Roberta Bragg (Rob Slade)
    REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines (Rob Slade)
    REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines (Rob Slade)
    More-Than-Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Wed, 19 Feb 2003 22:22:53 +0000
    From: Dan Foster <dsfat_private>
    Subject: Playing Russian Roulette with traffic lights
    
    I came across a post by someone I know from previous posts in a travel
    USENET newsgroup -- Bill Mattocks, who mentioned an interesting cause of a
    car accident he was in on 2 Feb 2003 at the College and Nall intersection in
    Overland Park, Kansas.
    
    He was driving towards an intersection that was apparently in a flashing
    four-way red traffic signal so all cars came to a full stop and yielded
    appropriately. He then proceeded to drive through the intersection when it
    was his turn and after having verified the intersection and immediate
    vicinity was clear of any potential hazards, and had the monumental bad luck
    of having entered the intersection just as the lights suddenly started
    working again and it had signalled green in the lane at a 90 degree angle to
    him.
    
    End result? A BMW sped through the intersection, having seen a green, and
    didn't see his car until it was too late. (Both parties seems to be ok, with
    some minor injuries, fortunately.)
    
    The RISKS? The light *didn't* fail safely. Well, it did fail safely by
    reverting to a four way flashing red light which is equivalent to a four way
    stop sign. However, if it was properly designed, it would not have changed
    into any other mode without manual intervention by someone present at the
    control box by the intersection, along with a police officer to temporarily
    handle the traffic at moment the lights were put back into working order,
    manually.
    
    I realize that such an approach would have been burdensome in certain
    situations such as a large scale recovery after a power outage, but it's
    much less of a Russian Roulette-type of situation for drivers ("Is the light
    going to suddenly indicate green or red in my direction if it decides to
    start working again?") when properly handled.
    
    The crux being that there is no safe way to deterministically recover from
    such a failure without onsite manual intervention.
    
    Perhaps something that the Department of Transportation (DOT) and engineers
    at Crouse-Hinds (a major traffic light manufacturer) might take into
    account?
    
    ------------------------------
    
    Date: 17 Feb 2003 05:35:20 -0800
    From: tom.raceat_private (Tom Race)
    Subject: Scuba diving computer recall
    
      [See also Risks in scuba equipment, Carl Page, RISKS-21.41]
    
    In simple terms, a dive computer monitors the amount of nitrogen dissolved
    in the diver's blood.  Typically worn like a wrist watch, it tracks the
    diver's depth and calculates the absorbed nitrogen according to a
    mathematical model of the human body's various tissues.
    
    If a diver surfaces too quickly with too much nitrogen in the body it is
    released as bubbles within the blood or tissues, potentially causing injury
    or death through Decompression Sickness (DCS).  Divers typically rely
    heavily on a computer to tell them when to surface to avoid DCS.
    
    The manufacturer below is being sued over the mathematical model, which has
    a faulty assumption, or more likely a complete oversight.  The model
    embedded in this computer assumes that the diver on the surface continues to
    breath whatever gas mixture they were diving with.  When the diver is using
    nitrox, a gas mixture containing extra oxygen and therefore less nitrogen
    than air, the computer will assume that they are releasing nitrogen at a
    higher rate than reality.  Over several dives and several intervals on the
    surface, the state of the mathematical model and the diver's actual nitrogen
    levels may become seriously different, and in the 'wrong' (more risky)
    direction.
    
    A failure of requirements specification or code inspection?  The lawsuit
    refers to a 'manufacturing defect'.
    
    I have an interest, since I have a nitrox computer from the same
    manufacturer.  Fortunately mine is more recent, and I have not used it for
    gases other than air.
    
    Tom Race
    
     - - - - - - - - - - - -
    
    Uwatec, Scuba Pro and Johnson Outdoors Subject of Class Action Seeking
    Product Recall; 5 Feb 2003
    
    Dive industry leaders Uwatec and Scuba Pro, and their parent company,
    outdoor equipment conglomerate Johnson Outdoors, Inc., have been sued in
    federal court by a former authorized reseller, Robert Raimo, seeking a
    mandatory recall of all Aladin Air X Nitrox dive computers manufactured
    before 1 Feb 1996. The suit seeks certification as a class action on behalf
    of all owners of the dive computers, and all persons who acted as retailers,
    dealers, wholesalers or distributors of the dive computers.
    
    The suit claims that 1995 model Aladin Air X Nitrox dive computers have a
    manufacturing defect that prevents the computer from switching from
    underwater to surface, or air mode when the user returns to the surface. As
    a result, the computer continues to calculate a diver's decompression
    obligations as if the diver were breathing enriched air, or nitrox,
    containing as little as 50% nitrogen, while on the surface, instead of
    properly calculating the diver's decompression obligations and off-gassing
    while the diver is breathing air, which contains 78% nitrogen. This defect
    causes the computer to underestimate residual nitrogen loads, and to
    overestimate the diver's safe repetitive bottom times, thereby significantly
    increasing the diver's risk of contracting decompression sickness (bends).
    
    The suit alleges that the defect is likely to affect experienced divers
    making multiple nitrox dives in a single day to maximize bottom time, such
    as those conducted on increasingly popular "live-aboard" dive vacations in
    exotic locations, far away from the nearest treatment centers capable of
    saving the life of a diver stricken with decompression sickness.
    
    The so-called "air-switching defect" was first described in an internal
    Uwatec memo dated 30 Jan 1996, which warned one of the company's test divers
    about "the faulty Aladin Nitrox".  The memo described how to manually
    override the defect so the diver could safely use his computer until it was
    replaced by Uwatec. After this memo was sent to Uwatec's U.S. management,
    they drafted a product recall notice. However, the suit alleges the managers
    were fired before they could issue the recall notice, and the defendants
    have maintained a "conspiracy of silence" ever since.
    
    Copies of the 1996 memo and recall notice are attached as exhibits to the
    complaint and may be viewed on the News section of the Web site of Raimo's
    attorney, David Concannon, at www.davidconcannon.com.
    
    Raimo was stricken with Type II decompression sickness after using a 1995
    model Aladin Air X Nitrox on four nitrox dives off Bonaire in Apr 2002. He
    is the former owner of two retail dive centers in New York.
    
    According to Concannon, the suit was filed as a class action only after
    Johnson, Scuba Pro and Uwatec rebuffed Raimo's requests that the companies
    issue a voluntary recall. The suit was filed in Oakland, California because
    four other lawsuits filed by divers alleging they were injured by the same
    model computer are currently pending there and are scheduled for trial in
    Nov 2003.
    
    Contact: David Concannon, 610-293-8084
    
    David G. Concannon, Law Offices of David G. Concannon, LLC
    Strafford Building One, Suite 112, 150 Strafford Avenue
    Wayne, Pennsylvania 19087
    Phone: (610) 293-8084  Fax: (610) 293-8086  concannonlawat_private
    
    ------------------------------
    
    Date: Sun, 16 Feb 2003 19:09:46 -0500
    From: Irena Szrek <irena_szrekat_private>
    Subject: Gambling on systems accountability
     
    I read with interest Peter Neumann's article on 'Gambling on Systems
    Accountability' in the 'Inside Risks' section of the February 2003
    *Communications of the ACM* (Volume 46, Number 2).  I can not agree more
    with Peter's observations on current drawback of computer systems security
    and need to focus on system integrity rather then confidentiality.  I feel
    that as long as systems will not be designed with security and integrity as
    part of the system, and will not provide effective and conclusive audit
    capabilities, they will be exposed to insider or outsider fraud and will be
    targets of (at times successful) attacks.  This is especially true in
    industries where ability to gain large sums of money is at stake, as in the
    off-track-betting systems Peter mentions, or in lottery and casino systems.
     
    I want to mention an approach to stop insider fraud in gaming systems that
    use random numbers.  Random-number generators are used in gaming to decide
    outcomes of games, and are used in electronic drawing machines to pick draw
    numbers.  Typically, the only security present is physical security; the
    audit trail, if any, is of the generation process, which can be circumvented
    by a skilled insider.  We have introduced a new notion of 'unpredictable
    auditable random numbers', where audit of outcomes is an element of system
    design.  With the use of digital signature, random numbers can be generated
    in a way providing conclusive audit of the numbers themselves.  This
    guarantees that a proper set of random numbers is used for the plays or the
    draws, and is not tampered with by dishonest insiders.
     
    Irena Szrek, Szrek2Solutions  1-401-398-0395  http://www.szrek.com
    irenaat_private <mailto:walterat_private> 
    
    ------------------------------
    
    Date: Wed, 19 Feb 2003
    From: [Identity withheld by request]
    Subject: University software development fiasco
    
    If you are interested in yet another case of a large software project gone
    horribly wrong, then this is a beauty:
    
    Back in the planning stages, we had a Director of IT who loathed UNIX.  So
    he decreed that the new academic record system would run on Windows back-end
    systems.  Oracle and Peoplesoft said, "You want to do what!?"
    
    The new system was switched on in early November 2001 and the old system was
    simultaneously switched off.  (NOTE, since we are in the Southern hemisphere,
    November is the time of peak demand for student grade processing,
    registration, etc.)
    
    It is now over a year after the system was switched on.  The system still
    does not provide several of the key features that were touted as the reasons
    for its implementation.
    
    Information that has become public in the past year includes the fact that
    several U.S. universities have had significant problems with the system.
    And *their* version was simpler than ours since our university combines both
    a normal U.S. style university and an additional school that is a sort of
    combination VocationalTech and junior college.  So, if it didn't work in the
    simpler U.S. environment, how could it possibly work here?
    
    The problems and risks that are highlighted here include:
    
    1) Choose the best platform for the job.
    
    2) The "big-bang" approach to implementation is always a disaster waiting to
       happen.  Frequently the disaster doesn't wait.  There were three problems
       which compounded the problem.  There had been no real stress testing of
       the new system, it was rolled-out at the time of peak demand, and the old
       system, which would otherwise have provided a backout option, was
       switched off.
    
    3) Non-technical people driving technical decisions.
    
    4) Overly complex and ambitious systems being implemented as a single system
       and all at once rather than being phased in.
       
    Obviously, I'm sort-of on the inside on this, so I'd rather this didn't get
    published with my name.  But, it is cautionary, at least to the extent that
    so many of the above problems keep getting repeated, in one form or another,
    year after year.  I've been reading comp.risks for a long time now and it
    seems like some lessons are never learned.
    
    ------------------------------
    
    Date: Wed, 19 Feb 2003
    From: [Identity withheld by request; same contributor as above]
    Subject: Re: Identity theft evidently based on spoofing AOL (RISKS-22.56)
    
    About a year ago, we had a student who created a page based on the Hotmail
    password change page and then spammed Hotmail users with a poorly written
    e-mail, in fractured English, which instructed them to click on the link and
    change their Hotmail password.  We estimate that it was active for no more
    than an hour.  At the time he was shut down he had more than 120 username/
    password combinations.
    
    Given the dodgy nature of the message from "Hotmail" and the fact that the
    URL was clearly of the form ,,,.edu.,,, it makes me wonder about the extent
    to which people seem to suspend critical judgment when they connect to the
    Net.
    
    I suppose that I shouldn't be so surprised, given the number of hoax virus
    messages that seem to regularly get forwarded.
    
    ------------------------------
    
    Date: Mon, 13 Jan 2003 08:20:51 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris
    
    BKMMCISP.RVW   20021106
    
    "Mike Meyers' Certification Passport CISSP", Shon Harris, 2002,
    0-07-222578-5, U$29.99/C$44.95
    %A   Shon Harris shonharrisat_private www.intenseschool.com
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2002
    %G   0-07-222578-5
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
    %O  http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne
    %P   422 p.
    %T   "Mike Meyers' Certification Passport CISSP"
    
    There is a "Check-In" foreword, which seems to be about the series, and an
    introduction that provides a very terse overview of the CISSP (Certified
    Information Systems Security Professional) exam.
    
    The book consists of ten chapters, one for each of the CBK (Common Body of
    Knowledge) domains.  "Security Management Practices" demonstrates that the
    book is perhaps a bit too thin: illustrations and other materials from
    Harris' "All-in-One" guide (cf. BKCISPA1.RVW) appear, but most of the
    tutorial material is vague and generic.  (When covering "controls," a vital
    concept in this domain, the text provides an "exam tip" that controls should
    be visible enough to deter misdeeds, but not visible enough to be avoided,
    but completely neglects the second axis of the control matrix, which covers
    deterrence, detection, and so forth.)  The review questions at the end of
    the chapter are better than some, but still quite simplistic.  As well as
    being limited, the content is suspect in places: a "cognitive password" is
    very insecure, and why would a retina scanner blow air into your eye?  The
    "Computers 101" part of "Security Architecture and Models" is all right,
    although very brief and with significant gaps, but the formal models are
    simplified to a problematic extent (and the explanation of lattice models is
    flatly wrong).  The "Physical Security" chapter is probably adequate for
    study purposes.  Even after all of the above, I was surprised at how poor
    the material in "Telecommunications and Networking Security" was.  The
    TCP/IP content is definitely insufficient, and specific errors are made in a
    number of areas (such as the ability of PPTP [Point-to-Point Tunneling
    Protocol] to encrypt data).  "Cryptography" is limited to little more than
    the terms involved, and it is odd how much space is wasted on editorial
    comment.  (The text could also use a bit more organization: a number of
    topics appear, in isolation, at a fair distance away from related items.)
    "Disaster Recovery and Business Continuity" is terse, but possibly
    sufficient for study purposes.  The material in "Law, Investigation, and
    Ethics" is problematic: it appears to be somewhat dated and has some
    important gaps, such as corporate liability, interviewing, and the process
    of incident response.  A great deal of the content in "Application
    Development" seems to have been parroted without any understanding: the
    iterative class of systems development models are not collected, the spiral
    model description is incorrectly described, the point of Java as a hybrid of
    compilation and interpretation seems to have been completely lost, and the
    malware text is rife with errors.  "Operations Security" doesn't have as
    many mistakes, but it seems to be pretty much of an unorganized grab bag of
    topics.
    
    Yes, I can see the need (or desire) for a short and quick reference to the
    CISSP CBK.  However, if you are going to take on that task, you have to make
    every single word (and figure) count.  This book doesn't.  Since McGraw-Hill
    also published "CISSP All-in-One Certification Exam Guide" they should
    probably have heeded the old dictum that "if it ain't broke, don't fix it."
    As it is, this work is well back in the CISSP pack, along with "Secured
    Computing" (cf. BKSCDCMP.RVW) and "CISSP for Dummies" (cf. BKCISPDM.RVW).
    
    copyright Robert M. Slade, 2002   BKMMCISP.RVW   20021106
    
    ------------------------------
    
    Date: Tue, 11 Feb 2003 08:10:53 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "CISSP Training Guide", Roberta Bragg
    
    BKCISPTG.RVW   20030127
    
    "CISSP Training Guide", Roberta Bragg, 2003, 0-7897-2801-X,
    U$69.99/C$108.99/UK#50.99
    %A   Roberta Bragg Roberta.Braggat_private
    %C   201 W. 103rd Street, Indianapolis, IN   46290
    %D   2003
    %G   0-7897-2801-X
    %I   Macmillan Computer Publishing (MCP)
    %O   U$69.99/C$108.99/UK#50.99 800-858-7674 infoat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/078972801X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/078972801X/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/078972801X/robsladesinterne
    %P   727 p. + CD-ROM
    %T   "CISSP Training Guide"
    
    The introduction and frontmatter appear to be much more concerned with the
    structure of the book (and this particular series of books) than the CISSP
    (Certified Information Systems Security Professional) exam.  The initial
    list of topics covered by the domains has notable gaps and some oddities in
    organization.
    
    Part one is entitled "Exam Preparation," and is divided into the ten
    standard domains of the CBK (Common Body of Knowledge).  Chapter one, on
    access control, shows problems right away.  The first paragraph tries to
    distinguish between access control and authentication, but doesn't really
    outline the relationship between the two concepts, let alone dealing with
    the broader and more usual interrelated ideas of identification,
    authentication, authorization, and accountability.  When discussing access
    models, the lattice content touches on advanced outcomes of the model, but
    not the basic principles.  The biometric material is simply inadequate.
    There are sample questions at the end of the chapter, and this first set, at
    least, do appear to be crafted in order to avoid the usual "reading check"
    level of simplicity, but the wording is extremely poor and many answers are
    either flatly wrong or highly misleading.  Similar problems are evident with
    telecommunications and networking, in chapter two, which has excessive space
    given to topics like cabling characteristics, poor explanation of the
    relationship between tunnelling and virtual private networks, an overview of
    intrusion detection that contradicts the material in chapter one, and some
    completely idiosyncratic terminology.  The answers to sample question are
    more correct, but only because the questions themselves are overly
    simplistic.  The rudimentary factors of security management are discussed in
    chapter three, but in a confused fashion, not assisted by the fact that
    topics are repeated and sections from other domains are introduced for no
    apparent reason.  The central material is very brief, despite the sixty
    pages devoted to the topic, and entire sections, such as the various
    evaluation criteria, are missing.  Applications development, in chapter
    four, does possibly provide enough information to deal with the CISSP exam
    on this subject, but lists lots of problems without many solutions, and has
    a great deal of extraneous material such as lists of different types of
    memory (fast page mode [FPM] versus extended data out [EDO] dynamic random
    access memory, for example).  I thought the introduction to cryptography, in
    chapter five, wasn't all that bad (absent details such as the key in a one
    time pad having to be no shorter than the message being sent).  That is,
    until I realized that it was the entire chapter, and details about any form
    of encryption, digital signatures, and the requirements for certification
    and a public key infrastructure were completely missing.  Chapter six does
    cover the elemental points of security architecture, but in a disorganized
    manner, and has no material at all dealing with computer architecture.
    Operations security is discussed in terms of details like specific logs in
    Windows 2000 and updating antiviral scanners, and chapter seven misses more
    general concepts and operating principles.  Business continuity and disaster
    recovery planning, in chapter eight, does provide most necessary information
    about the process, except for the recovery phase.  Law, in chapter nine,
    concentrates too heavily on US legislation, and the investigative process
    fails to address incident response, interviewing, and relations with outside
    agencies.  Chapter ten again covers physical security with specific details
    rather than underlying concepts.
    
    Part two is a review.  About half of the "Fast Facts" are useful and the
    rest aren't: it would be hard for an exam candidate to know which is which.
    The study and exam prep tips are generic, and probably not much help.  The
    practice exam questions are, like most of the sample questions in the book,
    far too simplistic and particular to properly prepare candidates for the
    actual CISSP exam.
    
    Despite the size of this volume, it does not contain as much information as,
    say, Harris' "CISSP All-in-One Certification Exam Guide" (cf. BKCISPA1.RVW),
    nor is it organized as well as the Krutz and Vines work (cf. BKCISPPG.RVW).
    It is closer to the Endorf (cf.  BKSCDCMP.RVW), Miller/Gregory
    (cf. BKCISPDM.RVW), or the second Harris (cf. BKMMCISP.RVW) works, and
    therefore its utility as preparation for the CISSP exam is questionable.
    
    copyright, Robert M. Slade, 2003   BKCISPTG.RVW   20030127
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Wed, 5 Feb 2003 08:28:24 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines
    
    BKADCIPG.RVW   20030110
    
    "Advanced CISSP Prep Guide: Exam Q & A", Ronald L. Krutz/Russell Dean
    Vines, 2003, 0-471-23663-2, U$50.00/C$77.50/UK#37.50
    %A   Ronald L. Krutz
    %A   Russell Dean Vines
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   2003
    %G   0-471-23663-2
    %I   John Wiley & Sons, Inc.
    %O   U$50.00/C$77.50/UK#37.50 416-236-4433 fax: 416-236-4448
    %O  http://www.amazon.com/exec/obidos/ASIN/0471236632/robsladesinterne
    %P   331 p. + CD-ROM
    %T   "Advanced CISSP Prep Guide: Exam Q & A"
    
    Like "The Total CISSP Exam Prep Book" (cf. BKTCIEPB.RVW) before it, this
    volume contains no tutorial material, only questions, and then questions and
    answers.  The format is quite similar to the Peltier work, with the book
    divided into the standard ten domains.  A major difference is the inclusion
    of a CD-ROM with a testing engine.  Every CISSP candidate wants sample exams
    and sample questions, so the query remains, are the questions any good?
    
    The CD-ROM contains "the Boson-powered test engine," but the questions are
    not quite as simplistic as those on the Boson exams.  They tend to be
    longer, and, at first glance, look a lot more like real CISSP exam
    questions.  However, upon closer examination, two problems become obvious.
    One is that a number of the questions are still very simple, despite the
    additional verbiage.  They concentrate on pure recitation of facts, without
    the analysis and critical thinking that the actual exam requires.  The
    second issue is that a large number of questions rely on very specific, and
    often esoteric facts.  Again, this is counter to the genuine test, where
    concepts and principles are emphasized.
    
    Occasionally these two difficulties combine in a single question, such as
    "Which choice below is NOT one of NIST's 33 IT security principles?"  If you
    haven't fully memorized NIST's 33 security principles, don't worry.  Even if
    you have no idea where to find NIST's 33 security principles you can still
    get the answer.  One of your options is "Totally eliminate any level of
    risk."  Even the rawest security neophyte can tell you that, since this is
    impossible, it obviously has to be the right answer.
    
    This book may give you a somewhat better idea of the types of questions you
    may encounter, and the range of topics you may need to know.  As preparation
    for the exam, however, it will both scare you unnecessarily (although if it
    drives you to take the ISC2 course, that might not be a bad thing), and fail
    to prepare you fully.
    
    copyright Robert M. Slade, CISSP, 2003   BKADCIPG.RVW   20030110
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Wed, 12 Feb 2003 08:04:50 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines
    
    BKCIPGGE.RVW   20030130
    
    "The CISSP Prep Guide Gold Edition", Ronald L. Krutz/Russell Dean
    Vines, 2003, 0=471-26802-X, U$80.00/C$124.50/UK#59.50
    %A   Ronald L. Krutz
    %A   Russell Dean Vines
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   2003
    %G   0=471-26802-X
    %I   John Wiley & Sons, Inc.
    %O   U$80.00/C$124.50/UK#59.50 416-236-4433 fax: 416-236-4448
    %O  http://www.amazon.com/exec/obidos/ASIN/047126802X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/047126802X/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/047126802X/robsladesin03-20
    %P   944 p. + CD-ROM
    %T   "The CISSP Prep Guide Gold Edition"
    
    I happened to notice, in the preparation of this review, that a certain
    online bookstore has a special in relation to this title.  You can buy it,
    along with the "Advanced CISSP Prep Guide: Exam Q & A" for a price slightly
    less than that of the two volumes together.  Pity those who take the
    bookstore up on their offer: this volume is nothing more than "The CISSP
    Prep Guide" (cf. BKCISPPG.RVW) and "Advanced CISSP Prep Guide: Exam Q & A"
    (cf. BKADCIPG.RVW) bound together.
    
    The authors have done some updating: there are, for example, a few
    additional pages of material on wireless security.  The authors have
    improved their coverage of the Common Criteria--by reprinting the
    explanation that is provided on the National Institute of Standards and
    Technology (NIST) Web site.
    
    Overall, however, the same comments appropriate to Krutz and Vines' original
    books still apply, so what I said was, for those studying for the CISSP
    exam, this book does provide a guide to the topics to be covered.  If you
    are confident that you know more than the book at every point, you should be
    in good shape to sit the exam: if not, you will have to get help somewhere
    else.  If you are studying for another security course, or are a security
    professional, this work will not have much to offer you.  This volume may
    give you a somewhat better idea of the types of questions you may encounter,
    for the CISSP exam.  As preparation for the exam, however, it will both
    scare you unnecessarily and fail to prepare you fully.
    
    copyright, Robert M. Slade, 2003   BKCIPGGE.RVW   20030130
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 19 Feb 2003
    From: RISKS-requestat_private
    Subject: More-Than-Abridged info on RISKS (comp.risks)
    
      [See www.risks.org for the archives of back issues, almost all of
      which include info on RISKS.  (This issue is an exception.)  PGN]
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.57
    ************************
    



    This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 16:43:20 PST