Bug 29566 - some punctuation etc. for Handbook Chapter 10. Security
Summary: some punctuation etc. for Handbook Chapter 10. Security
Status: Closed FIXED
Alias: None
Product: Documentation
Classification: Unclassified
Component: Books & Articles
Version: Latest
Hardware: Any / OS: Any
Importance: Normal (Affects Only Me)
Assignee: freebsd-doc (Nobody)
Reported: 2001-08-09 15:20 UTC by John Murphy
Modified: 2001-08-14 07:31 UTC (History)
Attachments
chapter.diff (27.20 KB, patch)
2001-08-09 19:57 UTC, John Murphy

Description John Murphy 2001-08-09 15:20:01 UTC
Fixed some typos, added some commas and a couple of emphasis tags to:
doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml Revision 1.64
The diff should apply against Revision 1.65 as line numbers are the same.
(This is my first attempt to send a diff via the web interface to send-pr.  Let me know if I must use a different method, thanks.)

Fix: 

diff for doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml (v1.64)
It should apply against Revision 1.65 ok.

54,55c54,55
<       attack, including attacks that attempt to crash or otherwise make a
<       system unusable but do not attempt to break root.  Security concerns
---
>       attack, including attacks that attempt to crash, or otherwise make a
>       system unusable, but do not attempt to break root.  Security concerns
95c95
<       D.O.S. attacks try to take advantages of bugs in the networking
---
>       D.O.S. attacks try to take advantage of bugs in the networking
101c101
<       spoofed-packet attack, for example, is nearly impossible to stop
---
>       spoofed-packet attack, for example, is nearly impossible to stop,
128c128
<       nothing more than mess with the user's files or crash the machine.
---
>       nothing more than mess with the user's files, or crash the machine.
148c148
<       backdoors.  Backdoors provide the attacker with a way to easily
---
>       backdoors.  A backdoor provides the attacker with a way to easily
152c152
<       actually be detrimental to your security because it will not
---
>       actually be detrimental to your security, because it will not
297c297
<         sessions which closes an important hole used by many
---
>         sessions, which closes an important hole used by many
310c310
< 	you should consider but you should also consider the fact that the
---
> 	you should consider, but you should also consider the fact that the
317,319c317,319
< 	disable or change the password for a staff account in one place
< 	and have it immediately effect all the machine the staff member
< 	may have an account on.  If a staff member's account gets
---
> 	disable or change the password for a staff account in one place,
> 	and have it immediately effect all the machines on which the staff
> 	member may have an account.  If a staff member's account gets
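Review bot: "have it immediately effect all the machines" in the 317,319 hunk keeps the wrong verb; the sense is "have an effect on", so it should read "affect all the machines on which the staff member may have an account". Since this hunk already rewrites the sentence, fix the word here.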
366c366
< 	user <literal>sandboxes</literal>.  A sandbox isn't perfect unless
---
> 	user <literal>sandboxes</literal>.  A sandbox is not perfect, unless
406c406
<       <para>The other big potential root hole in a system are the
---
>       <para>The other big potential root holes in a system are the
417,418c417,418
< 	sysadmin will restrict suid binaries that only staff should run to
< 	a special group that only staff can access, and get rid of
---
> 	sysadmin will restrict suid binaries, that only staff should run,
> 	to a special group that only staff can access, and get rid of
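Review bot: the commas inserted in the 417,418 hunk ("restrict suid binaries, that only staff should run,") turn a restrictive clause into a parenthetical and change the meaning: the sentence is about the subset of suid binaries that only staff should run, not all suid binaries. Keep the original "suid binaries that only staff should run" without commas.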
422c422
< 	almost as dangerous.  If an intruder can break an sgid-kmem binary
---
> 	almost as dangerous.  If an intruder can break an sgid-kmem binary,
442c442
< 	have sufficient control then you may win out and be able to secure
---
> 	have sufficient control, then you may win out and be able to secure
446c446
< 	more problematic due to the extra administration and technical
---
> 	more problematic, due to the extra administration and technical
488,489c488,489
< 	use a KLD module to install his own bpf device or other sniffing
< 	device on a running kernel.  To avoid these problems you have to
---
> 	use a KLD module to install his own bpf device, or other sniffing
> 	device, on a running kernel.  To avoid these problems you have to
519c519
< 	<filename>/usr</filename> is probably counterproductive because
---
> 	<filename>/usr</filename> is probably counterproductive, because
525c525
< 	of the onion is to slow down the attacker rather than stop him in
---
> 	of the onion is to slow down the attacker, rather than stop him, in
539c539
< 	allow the limit-access box to <application>ssh</application> to
---
> 	allow the limited-access box to <application>ssh</application> to
546c546
< 	hub or through several layers of routing, the NFS method may be
---
> 	hub, or through several layers of routing, the NFS method may be
552c552
<       <para>Once you give a limit-access box at least read access to the
---
>       <para>Once you give a limited-access box, at least read access to the
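Review bot: the comma after "box" in the 552 hunk separates the verb from its object ("give a limited-access box at least read access"); drop it. The "limit-access" to "limited-access" correction in this hunk and in the 539 hunk is good.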
557c557
< 	boxes at least once a day, and to test control files such as those
---
> 	at least once a day, and to test control files such as those
560c560
< 	mismatches are found relative to the base md5 information the
---
> 	mismatches are found, relative to the base md5 information the
575c575
< 	unsecure links, but it's also a lot harder to deal with.</para>
---
> 	unsecure links, but it is also a lot harder to deal with.</para>
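Review bot: while the 575 hunk is touching this line, "unsecure links" should become "insecure links"; that is a typo-level fix within the scope this PR describes, so it belongs in the same hunk.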
584c584
<       <para>If you have a huge amount of user disk space it may take too
---
>       <para>If you have a huge amount of user disk space, it may take too
589c589
< 	want to look into.  You should probably scan them anyway at least
---
> 	want to look into.  You should probably scan them anyway, at least
600c600
<       <para>Finally, security scripts should process the log files and the
---
>       <para>Finally, security scripts should process the log files, and the
615,621c615,621
< 	any number of security features as long as they do not effect
< 	convenience, and can add security features that do effect
< 	convenience with some added thought.  Even more importantly, a
< 	security administrator should mix it up a bit &ndash; if you use
< 	recommendations such as those given by this document verbatim, you
< 	give away your methodologies to the prospective attacker who also
< 	has access to this document.</para>
---
> 	any number of security features, as long as they do not effect
> 	convenience, and can add security features that
> 	<emphasis>do</emphasis> effect convenience with some added thought.
> 	Even more importantly, a security administrator should mix it up a
> 	bit &ndash; if you use recommendations such as those given by this
> 	document verbatim, you give away your methodologies to the
> 	prospective attacker who also has access to this document.</para>
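Review bot: "do not effect convenience" and "<emphasis>do</emphasis> effect convenience" in the 615,621 hunk use the wrong verb; both should be "affect". The added <emphasis> tag itself is fine and matches the <emphasis>that</emphasis> introduced in the 676,677 hunk.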
650c650
< 	to cause the server to eat processes, file descriptors, and memory
---
> 	to cause the server to eat processes, file descriptors, and memory,
653c653
< 	while it is possible to prevent a machine from going down it is
---
> 	while it is possible to prevent a machine from going down, it is
663c663
< 	<option>-OMaxDaemonChildren</option> option which tends to work
---
> 	<option>-OMaxDaemonChildren</option> option, which tends to work
666,668c666,668
< 	<literal>MaxDaemonChildren</literal> parameter when you start
< 	<application>sendmail</application> high enough to handle your
< 	expected load but no so high that the computer cannot handle that
---
> 	<literal>MaxDaemonChildren</literal> parameter, when you start
> 	<application>sendmail</application>, high enough to handle your
> 	expected load, but not so high that the computer cannot handle that
676,677c676,678
< 	<literal>MaxDaemonChildren</literal> option for that sendmail to
< 	prevent cascade failures.</para>
---
> 	<literal>MaxDaemonChildren</literal> option for
> 	<emphasis>that</emphasis> sendmail to prevent cascade failures.
> 	</para>
704c705
< 	services or that you will add a new internal service and forget
---
> 	services, or that you will add a new internal service and forget
706c707
< 	port range on the firewall to allow permissive-like operation
---
> 	port range on the firewall, to allow permissive-like operation,
709c710
< 	binding via the various <literal>net.inet.ip.portrange</literal>
---
> 	binding, via the various <literal>net.inet.ip.portrange</literal>
714c715
< 	65535, then block everything under 4000 off in your firewall
---
> 	65535, then block off everything under 4000 in your firewall
779c780
<         better it may be prudent to manually override both
---
>         better, it may be prudent to manually override both
782c783
< 	you want to crash the machine.  Setting both
---
> 	you want to crash the machine).  Setting both
795c796
< 	authentication protocol but there are bugs in the kerberized
---
> 	authentication protocol, but there are bugs in the kerberized
810c811
< 	duration of your login and if a attacker has broken root on the
---
> 	duration of your login, and if an attacker has broken root on the
860c861
<       Standard.  This is not such a problem for users that live in
---
>       Standard.  This was not such a problem for users resident in
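Review bot: the 860 hunk, together with the 864 hunk that follows it, changes present tense to past ("This is not such a problem" to "This was not such a problem", "still use DES" to "still used DES"). That is a change of meaning, not punctuation, and the submission only claims typos, commas and emphasis tags; either state in the PR why the sentence is now historical or leave the tense as it was.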
864c865
<       variants that still use DES.</para>
---
>       variants that still used DES.</para>
880c881
< 	Passwords encrypted with the MD5 hash are longer than those with
---
> 	Passwords encrypted with the MD5 hash are longer than those
899c900
< 	against libcrypt which for each type of library is a symbolic link
---
> 	against libcrypt, which for each type of library is a symbolic link
983c984
<       to initialized S/Key, and to change passwords, iteration counts, or
---
>       to initialize S/Key, and to change passwords, iteration counts, or
1264c1265
< 	database, of if Kerberos is not running, simply delete the extra
---
> 	database, or if Kerberos is not running, simply delete the extra
1432c1433
< 	renamed to <filename>srvtab</filename> so that all the server can pick
---
> 	renamed to <filename>srvtab</filename> so that all the servers can pick
1958c1959
< 	<para>If an <emphasis>index</emphasis> value is supplied, it used to
---
> 	<para>If an <emphasis>index</emphasis> value is supplied, it is used to
2172c2173
< 		connection (the SYN bit set is set but the ACK bit is
---
> 		connection (the SYN bit is set but the ACK bit is
2351c2352
< 	  packet can be passed on.  syslogd with also start using up a lot
---
> 	  packet can be passed on.  syslogd will also start using up a lot
2386c2387
< 	    traffic there is normally a security threat (e.g. Suns RPC and
---
> 	    traffic there is, is normally a security threat (e.g. Suns RPC and
2391c2392
< 	    If you want to allow access to archie, you'll have to allow
---
> 	    If you want to allow access to archie, you will have to allow
2478c2479
<     <para>The IPsec mechanism provides secure communication either for IP
---
>     <para>The IPsec mechanism provides secure communication for IP
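Review bot: the 2478 hunk removes "either" from "provides secure communication either for IP"; if the following source line pairs it with "or", that "or" is left dangling. The continuation is outside the hunk's context, so check the next line before applying this change.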
2499c2500
<       <para>Let's setup security association to deploy a secure channel
---
>       <para>Let us setup security association to deploy a secure channel
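Review bot: "Let us setup security association" in the 2499 hunk uses the noun "setup" where the verb "set up" is wanted; since the line is being rewritten anyway, make it "Let us set up a security association". The same applies to the 2549 hunk ("let us setup security association") and the 2560,2561 hunk ("you must setup each host").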
2504c2505
<       <para>Now we should choose algorithm to be used corresponding to
---
>       <para>Now we should choose an algorithm to be used corresponding to
2514c2515
<       <para>OK, let's assign SPI (Security Parameter Index) for each protocol.
---
>       <para>OK, let us assign SPI (Security Parameter Index) for each protocol.
2549c2550
<       <para>Now, let's setup security association.  Execute &man.setkey.8;
---
>       <para>Now, let us setup security association.  Execute &man.setkey.8;
2560,2561c2561,2562
<      <para>Actually, IPsec communication doesn't process until security policy
<      entries will be defined.  In this case, you must setup each host.</para>
---
>      <para>Actually, IPsec communication does not process until security policy
>      entries are defined.  In this case, you must setup each host.</para>
2678c2679
<       <para>If port number field is omitted such above then "[any]" is
---
>       <para>If the port number field is omitted such as above then "[any]" is
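Review bot: "omitted such as above" in the 2678 hunk is still awkward; "omitted as above" reads naturally and keeps the intended reference to the preceding example.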
2862,2863c2863,2864
<         client connects.  The user is prompted to enter 'yes' only during
<         the first time connecting.  Future attempts to login are all
---
>         client connects.  The user is prompted to enter 'yes' only when
>         connecting for the first time.  Future attempts to login are all
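Review bot: "Future attempts to login" in the 2862,2863 hunk keeps the noun "login" where the verb "log in" is wanted; the hunk already rewrites this line, so change it to "Future attempts to log in".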
Comment 1 dima 2001-08-09 18:30:24 UTC
John Murphy <jfm@blueyonder.co.uk> writes:
> >Description:
...
> (This is my first attempt to send a diff via the web interface to send-pr.  Let me know if I must use a different method, thanks.)

You can use the send-pr(1) command if you prefer.

> >Fix:
> diff for doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml (v1.64)
> It should apply against Revision 1.65 ok.

Please submit this in the form of a unified diff.  That will make it a
lot easier to review.

Thanks.
Comment 2 John Murphy 2001-08-09 19:57:55 UTC
Dima Dorfman wrote:

>> (This is my first attempt to send a diff via the web interface to send-pr.  Let me know if I must use a different method, thanks.)
> 
> You can use the send-pr(1) command if you prefer.


I prefer the web interface as long as it doesn't affect the diffs;
seems ok as there are probably no tabs in the docs.

> 
> > >Fix:
> > diff for doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml (v1.64)
> > It should apply against Revision 1.65 ok.
> 
> Please submit this in the form of a unified diff.  That will make it a
> lot easier to review.
>


Right, I wondered why other submitted diffs look different.

I've attached the unified diff to preserve the Unix line endings.

John.
Comment 3 dd 2001-08-14 07:30:58 UTC
State Changed
From-To: open->closed

Applied, thanks!