The Business Controls Caddy

New Book Throws FUD at Microsoft




While it might surprise some of my readers, I am about to come to the defense of the Microsoft Corporation. If you recall, yesterday I posted about the assertion contained in Lance James's new book, Phishing Exposed, that Microsoft Outlook was potentially a phisherman's paradise because it did not display the URL behind a hyperlink when hovered over. Carl Tyler of Instant Technologies quickly let me know that this was not a problem with Outlook 2003. I wanted to test it with other versions of the program. However, I never have used, and never will (if I can help it) use Outlook, so I had no way of testing. So I sent an email off to the author for clarification. The answers stunned me, and I feel that both the author and the publisher, Syngress Press, should be called on the carpet for publishing FUD and for leaving out information about how Microsoft is upgrading its tools to fight phishing.

What The Author Did (or Did Not Do)


It is on page 225 of the book that the reader is presented with the screenshot of an email message in the Outlook client. Along with this picture, the author states that the "most popular email client in the world has no default status bar" to display a URL when hovering over a link, identifying this as a vulnerability in Outlook. I asked him to clarify this and to explain what kind of testing program he used to verify the statement. His response was "I believe (emphasis added) Outlook 2002 is the one I tested with".
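The vulnerability the book is describing is an HTML message whose visible link text names one site while the href underneath it goes to another; a client that shows the real URL on hover lets the reader catch the mismatch by eye. The following is an added example, not code from the book, the author or this post, that does the same comparison in code over the message body, so the check does not depend on which mail client the recipient uses. The sample messages are constructed for the example and use reserved example/documentation addresses; the heuristic for "text that names a host" is my own and is deliberately simple.

```python
"""Added example (not from the book or this post): flag hyperlinks whose
visible text names one host while the href goes to another, the deceptive
link a hover preview would have exposed. Sample messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A bare hostname or URL appearing in visible link text (simple heuristic).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _split(url):
    """urlsplit that tolerates hrefs written without a scheme."""
    url = url.strip()
    if not urlsplit(url).scheme:        # "www.bank.example/login", "#top"
        url = "http://" + url
    return urlsplit(url)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible_text, href, reason) for each anchor whose visible
    text names a host other than the one the href resolves to, or whose
    href puts a decoy host in the userinfo part before the real host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = _split(href)
        real = (parts.hostname or "").lower()
        if not real:
            continue                        # mailto:, fragments, etc.
        if "@" in parts.netloc:
            findings.append((text, href,
                             "userinfo before '@' hides real host " + real))
            continue
        m = HOST_RE.search(text)
        if m and m.group(1).lower() != real:
            findings.append((text, href, "text shows %s, link goes to %s"
                             % (m.group(1).lower(), real)))
    return findings


# Constructed sample messages (not real mail).
PHISH = ('<p>Dear customer, please <a href="http://203.0.113.5/login">'
         'log in at https://www.bank.example/</a> to confirm your details.</p>')
USERINFO = '<a href="http://www.bank.example@evil.example/">www.bank.example</a>'
HONEST = '<a href="https://www.bank.example/help">https://www.bank.example/help</a>'


def scan_samples():
    """Run the check over the three constructed messages."""
    return {name: find_deceptive_links(body) for name, body in
            (("phish", PHISH), ("userinfo", USERINFO), ("honest", HONEST))}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, hits or "clean")
```

The check only fires when the visible text itself claims a host, which is exactly the case a hover preview would have caught; a link whose text is just "click here" carries no claim to contradict, and the userinfo case is flagged on its own because the decoy host is in the URL rather than the text.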


My basic problem with this is that no disciplined methodology was followed, and the result of the one "test" that was done has been generalized to the whole universe of Outlook clients. There is no indication in the book of what client was tested, or of the fact that this is no longer a vulnerability in Outlook 2003. He said that:


"The book was under-edited so they have missed my footnote on the version. I'm pretty sure I originally put that in there. 2002 is still pretty recent though and a lot of users still use that."
 


I will address the under-editing in a bit. However, the author either did or did not include a footnote. There should be no "pretty sure" about it. In addition, it does not matter that "a lot of users" still use Outlook 2002. This is where the author should have stepped in and encouraged users to upgrade to Outlook 2003 or switch to another mail client that does not have the vulnerability. All that was done was to compare this generalized statement about Outlook to the functionality of Thunderbird. Thunderbird is a decent product as far as POP clients go, but it is nowhere near ready for primetime as an enterprise-grade collaboration tool. If this book is truly targeted at security professionals and others who work in corporate environments, the author should have, at minimum in passing, mentioned that this vulnerability does not exist in Lotus Notes/Domino and, if appropriate, GroupWise.

I responded to Lance with the same thing I have been saying in my reviews of Syngress Books this past year:


I have had a lot of heartburn with the editing, or lack thereof, on the part of Syngress and this has been reflected in many of my reviews of their titles. This type of thing always gives me pause for concern because it hits the credibility of the author(s), i.e. "if this is so wrong, how can we trust the rest of the content?"


The Under-Editing By Syngress


This case is just another major mistake that has made its way into books put out by Syngress Press. The mistakes have included some real gems such as the "fact" that there was an Internet cafe in Iraq during the first Gulf War, the inclusion of an urban legend about RFID tags being in the new US$20 bills, and the publication of a book about Sarbanes-Oxley that should, in my opinion, never have been published.


Syngress has got to step up to the plate and do a better job in making sure that their books get a real technical edit and that mistakes and FUD-spreading like this stop making it into print. It speaks to their credibility as a publisher and the credibility of their distribution partners.


An Apology Is Due To Microsoft


In this particular case, I feel that both the author and Syngress Press owe Microsoft a public apology and that the misstatement should be corrected in future printings of the book. It is a shame that a good book has to be tarnished with something like this. Some of us may have come to expect this from certain industry analysts or magazine writers, but not from technical books.



Comments
11/22/2005 06:37:43 PM

Comment posted by Duffbert, 11/22/2005 06:25:06 PM
Homepage: http://www.twduff.com


We better frame this one... It may not happen again that you defend MS!


11/25/2005 12:12:45 AM

Comment posted by Lance James, 11/24/2005 11:50:51 PM
Homepage: http://www.securescience.net


Umm - to the effect of your comment - I have made sure this correction is made on the next printing - and in fact, my footnote was in there regarding testing 2002 and I specifically state that 2003 fixes this problem. On the 2nd set of printings I have confirmed that this correction that was missed be in there. I will not publicly apologize for a mistake I do not believe I made, but I will apologize on behalf of the mistake that was made - and for that, I regret it was made. I stand by my professionalism as I make it a point to eagle eye my facts. Thanks for keeping me on my toes as I do appreciate that and I expect more people like you to come forward and make sure security specialists do not come off alarmist/FUD'ish in nature.

Thanks for your time.


11/25/2005 12:43:45 AM

Comment posted by Nate, 11/25/2005 12:22:00 AM


You can see that this must have been a mistake on Syngress's part, as there is a huge space for a footnote on page 225. I also agree with Lance that the book was under-edited as, unfortunately, there are quite a few small typos that should have been spotted by Syngress's editors. While their technical editing is great, they really should step up their grammatical editing.


11/26/2005 10:11:45 PM

Comment posted by Christopher Byrne, 11/26/2005 10:05:12 PM
Homepage: http://www.controlscaddy.com/


@Nate - If you are going to astroturf, you have got to be more creative than this.

The reason there is so much space is because the next graphic on page 226 is too big to fit in the space on 225. It has nothing to do with a missing footnote.


11/27/2005 02:34:43 PM

Comment posted by Peter de Haas, 11/27/2005 02:27:03 PM
Homepage: http://www.peterdehaas.com


Didn't see this post before I commented on your earlier post. Thanks for fighting FUD.

