TaoSecurity
India v China

Some of you may remember my "X vs China" series of posts of 2007, where I discussed multiple high profile cases where various nations noted their disapproval of China's exploitation of their networks. (That's right, 2007 -- three years before the January festivities.) This morning I read Hostile nations trying to steal India's defence secrets, by Rajit Pandit of India's Economic Times. He writes:

Even as Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems, hostile intelligence agencies are also trying to steal defence secrets through use of computer storage media (CSM) devices like pen drives, removable hard disks, CDs, VCDs and the like. The Intelligence Bureau has sounded a red alert about "intelligence officers of a hostile country" encouraging their "assets" working in Indian defence establishments to use CSM devices to pilfer classified information from computer networks...

This comes even as the Army is conducting a court of inquiry against a major posted in the strategically-located Andaman and Nicobar Command, who had stored over 2,000 classified and sensitive documents on his personal computer which was "hacked" from Pakistan earlier this year...

With cyber-warfare being a top military priority for China, its online espionage agents frequently break into sensitive Indian computer networks.

This story is interesting for two reasons. First, it cites an Indian example of the risks of personnel with access to classified documents and storage media, similar to the Manning and Wikileaks cases. Second, like the recent Economist magazine discussing the relationship between China and India, it reminds me that China is not just targeting established powers. China is also targeting other rising powers. It would be interesting to research Russia v China or Brazil v China scenarios. Maybe Jeff Carr will post something? (hint)
One Page to Share with Your Management

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash, extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections:

Nash: How can the federal government protect companies?

Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage. Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach. Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations.

Also:

Clarke: Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special... Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.

Finally:

Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on... [S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace.

I agree with all of these sentiments. Incidentally, I started reading the library copy of Cyber War but decided I needed to take notes in the margins. So, I bought a copy from Amazon.com. I plan to finish it and review it by the end of the month.
The Inside Scoop on DoD Thinking

I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely Defense official discloses cyberattack and Pentagon considers preemptive strikes as part of cyber-defense strategy, both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references.

Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious.

First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal.

Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is significant. It sets a bar against which other incidents can be measured. Why was it so bad?

Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.

That's serious, and specific.

Third, after citing Google's January admission, Lynn says:

Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term. Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies. As military strength ultimately depends on economic vitality, sustained intellectual property losses could erode both the United States' military effectiveness and its competitiveness in the global economy.

I interpret this as saying cyberwar is hurting the US specifically because non-military targets are being hit, repeatedly and persistently.

Finally, I'd like to provide a counterpoint regarding the second Post article. Other pundits are calling DoD's potential offensive strategy "beyond stupid." I'd like to know what's stupid: more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years, or taking a threat-centric approach to apply pressure on the adversary? I also wrote about this in 2007, like some other pundits. In the three years since, playing defense hasn't helped much. Expect more on offensive options in the coming years, in all sectors -- not just the military.
Review of Hacking Exposed: Wireless, 2nd Ed Posted

Amazon.com just posted my five star review of Hacking Exposed: Wireless, 2nd Ed by Johnny Cache, Joshua Wright and Vincent Liu. From the review:

I reviewed the first edition of Hacking Exposed: Wireless (HEW) in May 2007, and offered four stars. Three years later I can confidently say that Hacking Exposed: Wireless, 2nd Ed (HEW2) is a solid five star book. After reading my 2007 review, I believe the authors took my suggestions seriously, and those of other reviewers, and produced HEW2, the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you.

I forgot to mention in my review that this new edition appears to be a substantial rewrite, not a minor editing of old chapters! I didn't do a chapter-by-chapter comparison. I did read the whole book, which the publisher provided as a review copy.
GE Looking for Business Response Team Leader

GE continues to hire security professionals to help reduce IT risk at our company. I should be posting additional jobs for my team (GE-CIRT) next month, but right now my boss (our CISO) asked me to help find a Business Response Team (BRT) Leader for our Corporate entity. Visit www.ge.com/careers and search for job 1251700 to find the role. From the summary:

The Business Response Team (BRT) Leader is responsible for working with business peers and the GE Computer Incident Response Team (GE-CIRT) to better protect GE Corporate from digital intruders. The BRT Leader limits and assesses the damage caused by digital intruders, evaluates the posture and configuration of business computers, provides direct security support to business initiatives, and works to improve the security of the business.

This role is in Connecticut in order to be close to our HQ.
Bejtlich on Silver Bullet Podcast

Gary McGraw was kind enough to interview me for his Silver Bullet Podcast. Gary is a real pro; he does his homework. After describing the interview process to my wife, she thought Gary's approach sounded like James Lipton and Inside the Actor's Studio! We talked about a lot of subjects, and Gary tailored his questions to relate to my incident detection and response duties and their relation to software security.
Review of Least Privilege Security Posted

Amazon.com just posted my four star review of Least Privilege Security for Windows 7, Vista and XP by Russell Smith. From the review:

Russell Smith's Least Privilege Security for Windows 7, Vista, and XP (LPS) is a helpful contribution to the toolbox of many enterprise system administrators. Numerous organizations are finally realizing that the Internet is too hostile an environment to let normal users function with elevated privileges. Although by no means a panacea for preventing intrusions, users operating with least privilege are somewhat more able to resist some attack vectors. Beyond resisting attacks, users operating with least privilege are more likely to meet organizational rules. Thanks to LPS, administrators running Windows 7, Vista, and XP can apply the author's lessons and guidance to their own environment.
Bejtlich Teaching at Black Hat Abu Dhabi 2010

The teaser page for Black Hat Abu Dhabi 2010 is now live, and I am pleased to announce that I will teach TCP/IP Weapons School 2.0 there on 8-9 November. Preregistration appears to be available. This will truly be the last edition of TWS version 2.0. I have been in contact with experts from the United Arab Emirates Computer Emergency Response Team (aeCERT) and I hope to have students from the region participate in my class.

For those interested in TWS 2.0 but not familiar with it, I described the class in this blog post titled Sample Lab from TCP/IP Weapons School 2.0. I described differences between my class and SANS in this post. I am also developing version 3.0 for Black Hat DC 2011 in January. When I have details on that class I will post them here.
Review of IT Security Metrics Posted

Amazon.com just published my five star review of IT Security Metrics by Lance Hayden. From the review:

I was not sure what to expect as I started reading IT Security Metrics (ISM). I had just discarded another new book, published in July 2010, supposedly about security metrics but really about nothing useful to anyone anchored in the operational IT world. Would ISM be another disappointment? Since Andrew Jaquith published Security Metrics in 2007, no other book had appeared to help security professionals measure their worlds. Thankfully, I can strongly recommend Lance Hayden's ISM as a very strong contributor to the discussion on security metrics. ISM's subtitle, "A Practical Framework for Measuring Security & Protecting Data," really does explain the purpose and value of this great new book.
Review of Practical Lock Picking Posted

Amazon.com just posted my five star review of Practical Lock Picking by Deviant Ollam. From the review:

Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book is less than 250 pages, it is very reasonably priced. Second, Deviant wastes NO space. There is no filler material, background found in other readily available texts, reprinted Web site content, etc. Third, the writing is exceptionally clear and methodical, with extreme attention to detail and a master's approach to educating the reader. Finally, the diagrams, pictures, and figures are superb. When necessary they convey the most subtle elements of lock or key design, and they are the appropriate size and clarity. Overall, this book is helpful for those wishing to pick locks AND those who want to know how to write a good book.