Errors

1. Page 41: "With the first 23 people you meet, you have a 50% chance and not a 6.3% chance (23 in 365) that someone has the same birthday as you."

You actually do have about a 6% chance of sharing a birthday with someone else if you meet 23 people. The birthday paradox says that if 23 people are put "in a room together" there is a 50% chance that any two of those people share a birthday. The higher probability comes from the number of pairs in the group, not from comparisons against one person. For 10 individuals in a room together, the probability that at least two of them share a birthday is 11.7%; for 22 individuals it is 47.6%, and for 23 individuals it is 50.7%. The text should say, "With the first 23 people you meet IN A GROUP, you have a 50% chance . . ."

2. Page 119: "DNS zone transfers use TCP port 23."

TCP port 23 is used by Telnet servers; DNS servers use TCP port 53 for zone transfers.

3. Page 286: "Asymmetric encryption uses two keys ..... One of the keys known as the private is used to encrypt, the second key, called the public key decrypts"

This is completely reversed: the public key is known to everyone and the private key is known only to the recipient of the message. When Bob wants to send a secure message to Alice, he uses Alice's public key to encrypt the message. Alice then uses her private key to decrypt it.

4. Page 332, Review Question 3: "A _____ is a shorter version of the message itself that is created by the contents of the message and the sender's private key."

The answer in the instructor's manual is incorrect; it should be "D (digital signature)".

Clarifications

1. Pages 37-39 discuss password guessing. Page 37 states "Password-guessing attacks fall into 3 categories." Page 39 states "the third type of attack is software exploitation". How do buffer overflows deal with password attacks?

ANSWER: Software exploitations, particularly buffer overflows, can be used to generate attacks that are password-related.

For example, consider a login program in which we utilize user-typed passwords and hashes from a password file in two adjacent arrays. The intent is to authenticate by obtaining the username and then loading the corresponding hash into the array. We will read the user password into the array, hash it, and compare it to the contents of the hash array. An attacker could generate any 8-character password and the corresponding hash. When asked for the password, enter the 8-character password, then enter 72 characters (filling up the buffer for the cleartext password) and then type in the corresponding hash, which overwrites the hash stored from /etc/passwd.

2. Page 310: "Three asymmetric algorithms are commonly used: Rivest Shamir Adleman (RSA), Diffie-Hellman, and Pretty Good Privacy (PGP)." While Diffie-Hellman is known for its key-exchange algorithm, I cannot see where it has an asymmetric algorithm commonly used for actual encryption.

ANSWER: In strict terms, Diffie-Hellman is a key exchange. Yet it's so closely linked with SSL, PKI, and SSH it's usually considered in that same arena as asymmetric encryption. Some argue that it's an example of the derivation of the shared secret key from one party's public key and another party's private key. The CompTIA Security+ objectives don't even mention Diffie-Hellman or key exchange, so without creating an entire new section for a chapter I included it here.

3. Page 361: "This makes RAID 1 the most efficient of any RAID technology." I thought RAID 5 was the most efficient.

ANSWER: I should have defined what I meant by "efficient". RAID 1 has a transfer rate per block that is equal to that of a single disk, and even under some circumstances it can sustain multiple simultaneous hard drive failures. Plus, it is the simplest RAID design. These are "efficiencies" that can be important. However, it does have a high disk overhead compared to other types of RAID, so in that sense it is not "efficient".
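The two probabilities that Erratum 1 (page 41) keeps apart, worked in code. This is an added example and is not part of the errata or the textbook; it assumes 365 equally likely birthdays and ignores leap days, and the function names are my own.

```c
/* Added example (not from the errata page): the two birthday probabilities
 * that the erratum for page 41 distinguishes, computed exactly.
 * Assumes 365 equally likely birthdays and no leap days. */
#include <stdio.h>

#define DAYS 365.0

/* Probability that at least two of n people in a group share a birthday:
 * 1 - (365/365)(364/365)...((365-n+1)/365). */
double p_any_pair_shared(int n)
{
    double p_all_distinct = 1.0;
    for (int i = 0; i < n; i++)
        p_all_distinct *= (DAYS - i) / DAYS;
    return 1.0 - p_all_distinct;
}

/* Probability that at least one of n other people shares YOUR birthday:
 * 1 - (364/365)^n. This is the ~6% figure, not the ~50% one. */
double p_matches_you(int n)
{
    double p_nobody_matches = 1.0;
    for (int i = 0; i < n; i++)
        p_nobody_matches *= (DAYS - 1) / DAYS;
    return 1.0 - p_nobody_matches;
}

/* Express a probability in tenths of a percent, rounded, so results can be
 * compared exactly (50.73% -> 507). */
int tenths_of_percent(double p)
{
    return (int)(p * 1000.0 + 0.5);
}

/* Smallest group size at which p_any_pair_shared first reaches 50%. */
int smallest_group_for_half(void)
{
    int n = 1;
    while (p_any_pair_shared(n) < 0.5)
        n++;
    return n;
}

int main(void)
{
    int sizes[] = {10, 22, 23};
    for (int k = 0; k < 3; k++) {
        int n = sizes[k];
        printf("n=%2d  any pair shares: %5.1f%%   someone matches you: %5.1f%%\n",
               n, 100.0 * p_any_pair_shared(n), 100.0 * p_matches_you(n));
    }
    printf("first group size reaching 50%%: %d\n", smallest_group_for_half());
    return 0;
}
```

Running it reproduces the 11.7%, 47.6% and 50.7% figures from the erratum for groups of 10, 22 and 23, and shows that the "matches you" probability for 23 people is only 6.1%; smallest_group_for_half() confirms that 23 is the first group size to cross 50%.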
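Which key does what, for Erratum 3 (page 286) and the digital-signature answer in Erratum 4 (page 332): an added example, not from the errata or the textbook, using a toy RSA key pair with the small textbook parameters p = 61, q = 53 (n = 3233, e = 17, d = 2753). The key names, the message and the polynomial "digest" are assumptions made for the illustration; a real signature uses a cryptographic hash such as SHA-256 and keys of thousands of bits.

```c
/* Added example (not from the errata page): a toy RSA key pair with the
 * textbook parameters p=61, q=53 (n=3233, e=17, d=2753), used to show which
 * key does what. Numbers this small are for illustration only. */
#include <stdio.h>
#include <stdint.h>

typedef struct { uint64_t n, exp; } rsa_key;

/* Alice's key pair (constructed): everyone may know the PUBLIC key,
 * only Alice knows the PRIVATE key. */
static const rsa_key ALICE_PUBLIC  = { 3233, 17 };
static const rsa_key ALICE_PRIVATE = { 3233, 2753 };

/* Square-and-multiply modular exponentiation; n < 2^32 so products fit in uint64_t. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Confidentiality: Bob encrypts for Alice with ALICE's PUBLIC key ... */
uint64_t rsa_encrypt(const rsa_key *recipient_public, uint64_t m)
{
    return modpow(m, recipient_public->exp, recipient_public->n);
}

/* ... and only Alice, holding the PRIVATE key, can decrypt. */
uint64_t rsa_decrypt(const rsa_key *own_private, uint64_t c)
{
    return modpow(c, own_private->exp, own_private->n);
}

/* Toy digest (polynomial hash mod n). NOT a cryptographic hash; it stands in
 * for the "shorter version of the message" of Review Question 3. */
uint64_t toy_digest(const char *msg, uint64_t n)
{
    uint64_t h = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++)
        h = (h * 31 + *p) % n;
    return h;
}

/* Digital signature: the SIGNER's PRIVATE key transforms the digest ... */
uint64_t rsa_sign(const rsa_key *signer_private, const char *msg)
{
    return modpow(toy_digest(msg, signer_private->n),
                  signer_private->exp, signer_private->n);
}

/* ... and anyone holding the signer's PUBLIC key can check it. */
int rsa_verify(const rsa_key *signer_public, const char *msg, uint64_t sig)
{
    return modpow(sig, signer_public->exp, signer_public->n)
           == toy_digest(msg, signer_public->n);
}

int main(void)
{
    uint64_t c = rsa_encrypt(&ALICE_PUBLIC, 65);          /* Bob -> Alice */
    printf("ciphertext %llu, decrypted %llu\n", (unsigned long long)c,
           (unsigned long long)rsa_decrypt(&ALICE_PRIVATE, c));
    uint64_t sig = rsa_sign(&ALICE_PRIVATE, "pay Bob 100");
    printf("signature %llu verifies: %d, with a tampered signature: %d\n",
           (unsigned long long)sig,
           rsa_verify(&ALICE_PUBLIC, "pay Bob 100", sig),
           rsa_verify(&ALICE_PUBLIC, "pay Bob 100", (sig + 1) % 3233));
    return 0;
}
```

With these parameters the message 65 encrypts to 2790 under the public key and decrypts back to 65 under the private key. Note that the two RSA operations are mathematically interchangeable, which is exactly what makes signing possible: the distinction the erratum draws is about which key is secret and who applies it, not about the arithmetic.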
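The adjacent-buffer login from the answer to Clarification 1, as an added example that is not from the errata or the textbook: the same record and the same input handled once with an unbounded copy and once with a bounded read that rejects over-long input before anything is copied. The toy hash (which, like crypt(3), only looks at the first 8 characters), the 80-byte buffer, the 16-character hash field and the user's password are all constructed for the illustration.

```c
/* Added example (not from the errata page): the adjacent-buffer login from
 * Clarification 1, once with an unbounded copy and once with a bounded read.
 * Sizes, password and the toy hash are all constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define PW_LEN   80   /* cleartext password buffer, as in the clarification */
#define HASH_LEN 17   /* 16 hex digits + NUL */

/* The two adjacent arrays: stored_hash is loaded from the password file
 * before the password is read into password[]. */
typedef struct {
    char password[PW_LEN];
    char stored_hash[HASH_LEN];
} login_record;

/* Toy hash that, like crypt(3), uses only the first 8 characters
 * (FNV-1a 64-bit; NOT a cryptographic hash). */
void toy_hash(const char *pw, char out[HASH_LEN])
{
    uint64_t h = 14695981039346656037ull;
    for (int i = 0; i < 8 && pw[i] != '\0'; i++) {
        h ^= (unsigned char)pw[i];
        h *= 1099511628211ull;
    }
    snprintf(out, HASH_LEN, "%016llx", (unsigned long long)h);
}

/* Simulates loading the entry for a user whose password is "s3cret!!". */
void load_record(login_record *rec)
{
    memset(rec, 0, sizeof *rec);
    toy_hash("s3cret!!", rec->stored_hash);
}

static int hash_matches(const login_record *rec)
{
    char computed[HASH_LEN];
    toy_hash(rec->password, computed);
    return strcmp(computed, rec->stored_hash) == 0;   /* 1 = authenticated */
}

/* VULNERABLE: copies until the NUL with no length check, so bytes past 80
 * land in stored_hash. The destination is taken as a byte pointer into the
 * record so the overrun stays inside the struct and is deterministic here;
 * strcpy(rec->password, input) behaves the same on a typical build. */
int login_unbounded(login_record *rec, const char *input)
{
    char *dst = (char *)rec + offsetof(login_record, password);
    while ((*dst++ = *input++) != '\0')
        ;
    return hash_matches(rec);
}

/* HARDENED: measure the input against the buffer first and reject anything
 * that does not fit (rather than silently truncating), so nothing can reach
 * stored_hash. */
int login_bounded(login_record *rec, const char *input)
{
    size_t len = 0;
    while (len < PW_LEN && input[len] != '\0')
        len++;
    if (len >= PW_LEN)
        return 0;                      /* too long: reject, do not authenticate */
    memcpy(rec->password, input, len + 1);
    return hash_matches(rec);
}

/* The input the clarification describes: an 8-character password of the
 * attacker's choosing, 72 filler bytes, then the hash of that password. */
void build_overflow_input(char out[PW_LEN + HASH_LEN])
{
    const char chosen[] = "attacker";
    memcpy(out, chosen, 8);
    memset(out + 8, 'A', PW_LEN - 8);
    toy_hash(chosen, out + PW_LEN);    /* 16 hex digits + NUL */
}

/* One login attempt against a freshly loaded record. */
int login_attempt(int bounded, const char *input)
{
    login_record rec;
    load_record(&rec);
    return bounded ? login_bounded(&rec, input) : login_unbounded(&rec, input);
}

int login_attempt_overflow(int bounded)
{
    char input[PW_LEN + HASH_LEN];
    build_overflow_input(input);
    return login_attempt(bounded, input);
}

int main(void)
{
    printf("unbounded copy, overflow input: %s\n", login_attempt_overflow(0) ? "AUTHENTICATED" : "rejected");
    printf("bounded read,   overflow input: %s\n", login_attempt_overflow(1) ? "AUTHENTICATED" : "rejected");
    printf("bounded read,   real password:  %s\n", login_attempt(1, "s3cret!!") ? "AUTHENTICATED" : "rejected");
    return 0;
}
```

The unbounded version authenticates the 97-byte input because the bytes beyond the 80-byte buffer replace the stored hash, exactly as the answer describes; the bounded version never copies it at all. The check is on the input length before the copy, and it rejects rather than truncates, since a silently truncated password would still be compared and could mask the attempt.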