TELECOM Digest OnLine - Sorted

Book Review: Minoli-Cordovana's Authoritative Computer Security

Rob Slade (rMslade@shaw.ca)
Mon, 12 Feb 2007 11:35:52 -0800

BKMCACNS.RVW 20070102

"Minoli-Cordovana's Authoritative Computer and Network Security
Dictionary", Daniel Minoli/James Cordovana, 2006, 0-471-78263-7

%A Daniel Minoli
%A James Cordovana
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-471-78263-7
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471782637/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0471782637/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471782637/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 443 p.
%T "Minoli-Cordovana's Authoritative Computer and Network Security
Dictionary"

I find that, again, I need to declare the possibility of bias or
conflict in this review. Not only have I published a security
dictionary of my own, but my work was also intended, as the authors
announce in their preface, to be not simply a list of terms, but a set
of practical definitions, and even a commentary on the security field.

While my dictionary addresses only security, Minoli and Cordovana have
included computer and network in the title (and later mention that
they are including financial terms). However, the preface also makes
clear that security is the major thrust of the glossary: the first
two-thirds of the introduction basically preaches security, and the
remaining material even mentions a superior telecommunications
dictionary.

Therefore, it comes as a bit of a surprise that the first term that
has any direct connection to security comes on page four, and even
then is only the expansion of an acronym. We are on page eight before
we find the first actual definition that has even a nominal connection
to security. A random sampling of terms seems to indicate that less
than 20% of the entries in the work relate to security. (That
relation holds in terms of number of entries. The actual material
appertaining to security is proportionately less, since non-security
entries tend to be longer than those defining security phrases.)

A surprising number of terms deal with cellular telephone technologies
and standards, and the promised financial jargon is there in
abundance. It is, in fact, not always clear (even from the
definition) from which field a particular term comes. (Generally the
financial jargon is so identified, but I chased down a particular
thread through a number of entries, which task was not aided by the
lack of cross-references between terms, before I finally realized that
it was not an unusual security phrase, but a minor part of a specific
cellular telephone service.)

In regard to the security terms themselves, the value is questionable.
Like Phoha's "Internet Security Dictionary" (cf. BKINSCDC.RVW) the
authors have included twelve variations on the access theme, and
"access control" is only defined in terms of the old confidentiality
model. There are 28 variants on authentication, 13 on
vulnerabilities, and 20 on business with only three related to
security. Five "attacks" are listed, none major. There are seven
entries starting with "trojan": one is a definition, five are possible
types of trojans, and the last entry lists the previously defined
types. Eight phrases start with "Computing:" and include items such
as "Computing: Molecular Computers." Ten entries are components of
the United States' Communications Assistance for Law Enforcement Act
[CALEA], which proliferation of American legal entries also points out
the US-centric nature of the work. There are entries for both "Domain
Name System" and "Domain Names System." (There is, so help me, a
definition for "one-time password" and another for "One-Time
Password.") There are two entries for grid computing, and they
contradict each other.

The "authoritative" part of the title seems to be based on the fact
that the references section lists over 500 articles, Web pages, and
books. (It's hard to judge what they are, since the list is not in
author, title, publisher, or even date order.) However, the entries
sometimes merely conflate material that seems to come from diverse
sources, without any attempt at analysis or explanation. (The
definition of "stateful inspection," for example, in one phrase is
talking about session state, and before the sentence is over has
switched to content examination.)

Some of the terms are idiosyncratic or seldom used, and there are
frequently multiple terms for the same concept. Again, it is not easy
to assess the amount of duplication that goes on, since there are
almost no cross-references between terms (and in those few instances
some of the alternate terms suggested don't actually exist in the
book). Even where a specific technology may have major divisions
related terms aren't noted. (The "firewall" entry, for example,
doesn't even inventory the four major categories, and "intrusion
detection system" lists neither the engine types nor the sensor
placement architectures.) However, by looking up terms known to be
related the reader can readily find not only multiple terms for
similar concepts, but frequently duplicated wording as well (see
"ankle-biter" and "script-kiddie").

One of the attacks catalogued, "attack on hash-and-sign signature
schemes" is much more widely known as the birthday attack, but there
is no corresponding entry under that term. (There is a definition for
birthday paradox.) There is an entry for CUT (Coordinated Universal
Time) but not the more widely used UCT. Some of the phrases used for
entries mean that people may not find what they are looking for: there
is "computer bug" but not "bug" (and no mention of implementation
versus design) as well as "computer evidence" and "computer forensics"
but not "evidence" or "forensics" (or "digital forensics").
Cryptanalytic attacks are defined under their own entries, but most
are also listed (and with more detail) under "Cryptanalysis, " [sic]
entries (and, again, there are no cross-references between them).

There is also an entry for "fork bomb" which is said to be equivalent
to "logic bomb" but is defined more as a processor exhaustion virus or
worm. "Kleptography" makes reference to "subliminal" and the
definition of "subliminal channel" gives an example of a covert timing
channel and then states that this is *not* what a subliminal channel
is. (Subliminal never is defined except to state that it is an
undetectable covert channel.)

Canonicalization defines only one of the many meanings (and that
possibly the least significant). Only one aspect of "race condition"
is given. "Digital money" (rather than the more commonly used digital
cash) has no mention of the requirements or technical challenges.
Feistel cipher never states the requirement for multiple rounds of
simple functions or the iterated subdivision of blocks. The
definition of low-level format does not mention that it operates at
the physical, rather than logical, stratum (and it states,
incorrectly, that a low-level format destroys all data on the disk).

A number of entries are for specific (and often obscure) products and
little used processes. There are five entries related to crypto-
viruses, occupying three pages, whereas the definitions for worm
and virus combined don't exceed three column inches. (Within that
brief space are at least three factual errors, and there are many
important factors that are missing. "Vaccine," which term has not
been seriously used in years and then only for a specific type of
change detection, is said only to be a program to detect and disable
viruses.)

There are a great number of extremely silly typographical errors, such
as rile instead of role, pc rather than PC, ant-keylogger versus anti-
keylogger, and competing for computing.

There are other, and better, communications dictionaries. There are
other, though older, computer dictionaries. There are other security
dictionaries, and, even excluding my own, I could not say that this
glossary has any advantage over them.

copyright Robert M. Slade, 2006 BKMCACNS.RVW 20070102

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
It was much better to imagine men in some smoky room somewhere,
made mad and cynical by privilege and power, plotting over the
brandy. You had to cling to this sort of image, because if you
didn't then you might have to face the fact that bad things
happened because ordinary people, the kind who brushed the dog
and told their children bedtime stories, were capable of then
going out and doing terrible things to other ordinary people.
- `Jingo,' Terry Pratchett
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
