
Risky Business and Private E-Mail


May 1995 / Book and CD-ROM Reviews / Risky Business and Private E-Mail
Russell Kay

COMPUTER-RELATED RISKS by Peter G. Neumann, Addison-Wesley, ISBN 0-201-55805-X, $22.95

E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE by Bruce Schneier, John Wiley & Sons, ISBN 0-471-05318-X, $24.95

For as long as I've dealt with the Internet, the single resource I've admired most is the Risks forum, or to give it its full name, Forum on Risks to the Public in Computers and Related Systems. This is a discussion group moderated by Peter G. Neumann, principal scientist at SRI International's Computer Science Laboratory.

Since Neumann started the Risks forum in 1985, it has provided a continuing stream of information and anecdotes about a remarkable variety of dangers and vulnerabilities that grow out of computer technologies. Among the critical issues discussed on Risks are privacy and legal protections, software and hardware bugs, reliability, inflated expectations of computer accuracy and trustworthiness, use of computer systems for what are life-and-death situations, and ongoing problems involving fraud and computer-related crime.

Neumann has stepped back, looked over 10 years of Risks digests, and analyzed what it all means. The result is Computer-Related Risks, a book that gave me a new appreciation for many threats that I'd known about, but whose implications I didn't fully understand. One of the most interesting chapters focuses on reliability and safety issues in areas ranging from nuclear power plants to medical monitoring systems and the consequences of our general dependence on computer-based clocks and calendars.

The first part of the book lists and comments on past problems, and the second part presents techniques for increasing system reliability and security. In addition, Neumann offers some blunt commentary on most people's unquestioning trust in computer-generated data.

My only quibble with Computer-Related Risks is that it is too analytical. It doesn't capture the wonderful give-and-take that appears on the Risks forum itself. On-line, you have the immediacy of informed and intelligent people talking to one another about the foibles and flaws--fatal, frivolous, or funny--of our increasing dependence on computers.

As more of our communication moves to E-mail, keeping it from the prying eyes of spies, crackers, and other assorted bad guys becomes more important than ever. Bruce Schneier's latest book, E-Mail Security: How to Keep Your Electronic Messages Private, tells you how to protect your correspondence.

Schneier is a security consultant who specializes in the black art/science of cryptography. His previous book, Applied Cryptography: Protocols, Algorithms, and Source Code in C (reviewed in the June 1994 BYTE), is a lucid yet detailed explanation of some of the esoteric aspects and implementations of crypto systems in current use. Thus, it's no surprise that his new book concentrates on the use of crypto systems to protect E-mail.

If you decide to encrypt your E-mail--or part of it--you need to be aware of a number of issues: key management (i.e., getting secret decryption keys to the people you want to have them) and administration (e.g., what happens if you lose your key?), third-party certification, digital signatures, and more. Schneier touches on these technical concerns, along with mechanisms for achieving them, such as one-way secure hashing, in a readable fashion.

A significant part of this book focuses on PGP (Pretty Good Privacy), the most widely used crypto system around the Internet, and PEM (Privacy Enhanced Mail), another popular crypto standard. The author discusses their strengths and weaknesses, points out their differences, and mentions why you might prefer one over the other (and which one, of course). In brief, PEM is largely concerned with authentication--you can't send an unauthenticated PEM message, for example--while PGP is much more concerned with protecting message privacy.

In addition to the main discussions of the systems, two extensive appendixes detail how you can obtain and install these programs. For PEM, we get detailed design specifications. Schneier describes the munitions/export-restriction and patent/licensing rights controversies that have erupted over PGP and its creator, Philip Zimmermann. He includes Zimmermann's PGP user's guide, which by itself constitutes a "pretty good" introduction to crypto methods and issues.

None of this material is particularly new. What makes this book noteworthy is the practical, down-to-earth way in which the author shows how to use these systems to enclose your electronic communications safely inside digital envelopes.


RISKY ON-LINE READING

To access the on-line Risks forum directly, check your local system or on-line service to see if they already carry it. For example, Risks is available on BIX in the security/risks conference, and it's distributed on the Usenet as comp.risks. Past issues of the Risks forum are available for anonymous ftp from unix.sri.com in the /risks directory.



Russell Kay, a BYTE technical editor, has been reporting on computer security issues since 1981.
