From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1998-10-22
<pre>---------------------------------------------
From: "Zaragoza, Barbara" <bazara@sandia.gov>
Date: Wed, 21 Oct 1998 11:06:12 -0600

Student Internships in Information Security Available

Job Description: Student internship positions are available at Sandia
National Laboratories in Livermore, CA.  These positions are available
today in the Distributed Information Systems (DIS) Program.  Sandia
spearheads the use of leading edge technologies - from micro-machines to
supercomputers - and the DIS Program is central to the emergence of
these new technologies.  The DIS program will be developing technology
to employ flexible, distributed, secure networks of computers to solve
problems of national interest. 

Required Criteria: Applicant must be a U.S. citizen and possess a
minimum cumulative GPA of 3.0 and maintain full-time enrollment (12
credit hours) at an accredited university or college.  Applicant must be
pursuing a degree in computer science or electrical engineering and have
completed upper level courses such as programming, data structures,
network programming, systems analysis, and object oriented programming. 
Direct experience programming in C, C++ and/or Java, and experience in
web development is a plus.  Undergraduate, graduate, or postdoctoral
positions are available.  How to Apply: Submit a resume and cover letter
stating your interest in this position, your projected graduation date,
and a copy of your most current transcript to Sandia National
Laboratories, P.O. Box 969, MS 9111, Attn: Student Internship
Program, Livermore, CA 94551-9988.  To submit resume via e-mail send as
a Microsoft Word attachment to bazara@sandia.gov.  For further
information please contact: Barbara A. Zaragoza, (925) 294-3371.
---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Date: Wed, 21 Oct 1998 09:55:17 -0800
Subject: REVIEW: "Personal Encryption Clearly Explained", Pete Loshin

BKPERENC.RVW   980726

"Personal Encryption Clearly Explained", Pete Loshin, 1998,
0-12-455837-2, U$39.95/C$55.95
%A   Pete Loshin pete@loshin.com
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   1998
%G   0-12-455837-2
%I   Academic Press/Academic Press Professional/Harcourt Brace
%O   U$39.95/C$55.95 800-321-5068 fax: 619-699-6380 app@acad.com
%P   545 p.
%T   "Personal Encryption Clearly Explained"

I am getting just a little tired of the car analogy.  "You don't need
to be a mechanic," so the metaphor goes, "to drive a car.  Therefore,
you don't need to know anything about the theory behind
[encryption|networking|programming|etc.] in order to use a computer." 
This comparison ignores two important points.  One is that in 1912 you
*did* need to be a fair mechanic to operate a car effectively, and
that is roughly where we are with regard to the development of the
computer.  The second point is that while computer programs are
generally easy enough for a novice to use once they have been set up,
the choice, evaluation, and configuration of systems requires much
more background.  Particularly in the field of encryption, in recent
times "experts" have been recommending systems for which the time
needed to crack keys has fallen to literally hours.

This book purports to give you everything that you need in order to
both use and understand encryption, specifically with regard to
digital signatures.  While the text does provide some limited
conceptual education and a little vicarious experience with a handful
of commercial products it cannot be said to deliver on its promise.

Chapter one is a bit hard to define.  It seems to start out as a sales
pitch, trying to convince the reader that encryption is important. 
However, it also looks at the scope of privacy and threats thereto,
and even starts to develop the background for encryption technologies. 
The quality is highly uneven.  A discussion of security versus
usability is excellent and notes that the convenience of modern
personal networking systems poses tremendous security vulnerabilities.
On the other hand, the introduction to information risks cites only
computer criminals, without considering the possibility of
transmission of sensitive information to unauthorized recipients
through human errors or system failures.  A review of types of data
that should be secured fails to note that encrypting some files and
messages while leaving others accessible can, in and of itself,
provide assistance to the enemy.  The material on security
technologies and specific threats is fairly mundane.

A primer on encryption is presented in chapter two, although it is, as
is all too usual, more of a history than a real explanation.  Modern
computer encryption is less than half of the chapter, and most of that
space is dedicated to describing different applications rather than
technologies.  Appendix A should probably be considered as an
extension of the discussion, and does provide a first rate explanation
of the mathematical underpinnings to modern public-key encryption, but
ends just as we get to the good bit.  Neither the chapter nor the
appendix gives the necessary preparation for assessing cryptographic
strength.

Chapter three is a balanced but relatively superficial examination of
the debate surrounding the US government's attempts to restrict the
availability and use of encryption.  The discussion of encryption
implementation in chapter four touches on a wide range of issues, but
none in any depth.  A number of disparate products are briefly
described (and the "installation" of two is presented in some detail),
but the foundation for evaluation still has not been provided in
chapter five.  Chapter six looks at a number of security topics and
features related to the Netscape Navigator browser, but not all relate
to encryption, and encryption related topics are passed over quite
quickly.  There is, for example, no discussion of the ramifications of
dealing with either "export" copies of Netscape products, or non-US
Web servers, both of which may be restricted in the cryptographic keys
they can deal with.  Operational, but not functional, specifics of
three email products with cryptographic capabilities are detailed in
chapter seven.  Similar information is given for some file encryption
products in chapter eight.

Chapter nine's explanation of digital commerce is simplistic and
surprisingly abrupt.  The review of key management in the Network
Associates PGP product should be viewed together with the material in
chapters five and eight (and even then isn't really complete) but
additional content does begin to address some of the conceptual issues
in chapter ten.

This is yet another example of a book that tries to explain encryption
to a non-technical audience but seems to feel that a full background
is not needed.  Loshin does a better job than some other authors with
the inclusion of Appendix A, but fails to provide either the
explanation of function or the demonstration of relative strength that
Garfinkel manifested in "PGP: Pretty Good Privacy" (cf. BKPGPGAR.RVW). 
Unfortunately this current work is neither clear nor complete enough
to be recommended for any particular audience.

copyright Robert M. Slade, 1998   BKPERENC.RVW   980726
---------------------------------------------
