Internet Besieged is a wide-ranging collection of articles on Internet security. Taking a broad perspective, Dorothy Denning looks at cyberspace attacks and countermeasures, Peter Neumann at computing risks quite generally, and Steven Bellovin at Internet security. Some contributors describe specific weaknesses and threats: Eugene Spafford offers an introduction to computer viruses; Schultz and Longstaff explain how sniffer attacks work; Heberlein and Bishop explain how address spoofing works; and Drew Dean and others analyse Java security, providing a typology of language weaknesses and implementation bugs.

Other contributors cover security systems and tools. Dorothy Denning and MacDoran consider the possibilities of location-based authentication, using the unique signature from satellite positioning systems. Peter Denning writes about password systems. Gene Kim and Eugene Spafford offer a long article on Tripwire, covering its development history as well as its design and operation. Steven Snapp and others introduce DIDS, the Distributed Intrusion Detection System. Ted Doty test drives SATAN against his own network. Thomas Woo and Simon Lam present some authentication algorithms for distributed systems. And Stephen Kent describes Privacy Enhanced Mail.

Dorothy Denning and Dennis Branstad present a taxonomy of current key recovery systems. (I'm not sure whether these count as security threats or tools.)

Other articles are historical in focus: Peter Denning takes a step back to look at the Internet after thirty years; Walter Tuchman describes his role in the creation of the Data Encryption Standard (DES); William Cheswick recounts his experiences monitoring the "Berferd" hacker; Jim Christy describes the 1994 attacks on the Rome Laboratories and other military sites; and Steven Levy tells the story of the cypherpunk cryptanalysis of RSA-129 and Netscape security.

On electronic commerce, Peter Denning provides an overview, Anish Bhimani looks at some of the different approaches to securing transactions, Patiwat Panurach at payment systems, and J.D. Tygar at the problem of atomicity.

In the law and policy area, there are: speeches by Bruce Sterling to a Computers, Freedom, and Privacy conference and to the High Technology Crime Association; excerpts from a speech by US Attorney General Janet Reno; an analysis of encryption policy and market trends by Dorothy Denning; an argument against the idea that hacker break-ins are ethical by Eugene Spafford; some extracts from university policies; and a report on the introduction of computer security into an undergraduate computer science curriculum.

Web Security: A Matter of Trust considers similar topics. Rohit Khare and Adam Rifkin present a general overview of trust issues on the Web and Simson Garfinkel and Gene Spafford an overview of cryptography on the Web. More technical papers are "REFEREE: Trust Management for Web Applications" (Yang-Hua Chu and others), "Name Server Security Features in BIND 4.9.5" (Cricket Liu), "Secure CGI/API Programming (Simson Garfinkel and Gene Spafford), "A Guide to Secure Electronic Business Using the E2S Architecture" (Madsen and Herbert), "The Electronic Medical Record: Promises and Threats" (Lincoln D. Stein), and "Introducing SSL and Certificates Using SSLeay" (Frederick J. Hirsch).

Straying from the Web, three papers address the issues surrounding digital signatures and public key infrastructures. C. Bradford Biddle argues against the imposition by government of a particular model (open PKI) on a marketplace which is likely to evolve in a different direction (towards closed PKI) if left to itself. An impressive team of authors (including Bellovin, Diffie, Neumann, Rivest, and Schneier) considers the security risks and economic costs of key recovery and key escrow, coming to a largely negative evaluation. Disagreeing with that analysis, Clint N. Smith argues that there is a much greater convergence between the interests of government and business in key recovery encryption.

The range of works collected in these two volumes makes it a little awkward to pick their audience. While the articles don't, with minor exceptions, assume highly specialised knowledge, many are sufficiently narrow to interest only restricted audiences. Others will have much wider appeal. Overall, however, Internet Besieged is an excellent survey of the full range of Internet security issues, while Web Security maintains the high standards set by earlier issues of the World Wide Web Journal.

February 1998

External links:

Internet Besieged: Countering Cyberspace Scofflaws
- buy from Amazon.com or Amazon.co.uk

Related reviews:

- books about the Internet
- books about crime
- books published by Addison-Wesley
- books published by O'Reilly & Associates