En dashes to em dashes--the circle of life continues.

(Not because I don't like en dashes, but because em dashes are the
right ones here)

Also, s/effect/affect a couple times.
Daniel Harris 2004-05-18 18:28:44 +00:00
parent 6d769f4076
commit d470924251
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=20940


@ -113,7 +113,7 @@
are ever competing with the human necessity for convenience. &unix;
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
servers — meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an even bigger issue.</para>
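Review bot: The replacement on the "servers ... meaning" line is a literal em dash character, while every other hunk in this commit uses the `&mdash;` entity. Suggest writing `servers &mdash; meaning` here as well, so the source stays consistent and does not depend on the file's encoding.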
@ -255,7 +255,7 @@
</listitem>
<listitem>
<para>Securing <username>root</username> &ndash; root-run servers
<para>Securing <username>root</username> &mdash; root-run servers
and suid/sgid binaries.</para>
</listitem>
@ -332,7 +332,7 @@
You can do this by editing
your <filename>/etc/ssh/sshd_config</filename> file, and making
sure that <literal>PermitRootLogin</literal> is set to
<literal>NO</literal>. Consider every access method &ndash;
<literal>NO</literal>. Consider every access method &mdash;
services such as FTP often fall through the cracks.
Direct <username>root</username> logins should only be allowed
via the system console.</para>
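Review bot: The changed line still gives the value as `<literal>NO</literal>` in upper case, whereas sshd_config(5) documents the setting as `no`. Since the line is being touched anyway, consider `<literal>no</literal>` so readers copy the documented spelling into `/etc/ssh/sshd_config`.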
@ -428,7 +428,7 @@
<para>Using something like Kerberos also gives you the ability to
disable or change the password for a staff account in one place,
and have it immediately effect all the machines on which the staff
and have it immediately affect all the machines on which the staff
member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
@ -619,7 +619,7 @@
such as <literal>schg</literal>,
will be enforced. You must also ensure that the
<literal>schg</literal> flag is set on critical startup binaries,
directories, and script files &ndash; everything that gets run up
directories, and script files &mdash; everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
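Review bot: Terminology is inconsistent in the context lines after the change: "the securelevel is set" two lines below the changed line, then "a higher secure level" in the following sentence. Suggest picking one spelling for this paragraph, in this commit or a follow-up.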
@ -644,7 +644,7 @@
<filename>/usr</filename> is probably counterproductive, because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important &ndash; detection. The rest of your security is pretty
important &mdash; detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker, rather than stop him, in
@ -663,7 +663,7 @@
box, or by setting up ssh key-pairs to
allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method &ndash; allowing you to monitor the
least visible method &mdash; allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
@ -725,7 +725,7 @@
<para>Finally, security scripts should process the log files, and the
logs themselves should be generated in as secure a manner as
possible &ndash; remote syslog can be very useful. An intruder
possible &mdash; remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
@ -738,11 +738,11 @@
<title>Paranoia</title>
<para>A little paranoia never hurts. As a rule, a sysadmin can add
any number of security features, as long as they do not effect
any number of security features, as long as they do not affect
convenience, and can add security features that
<emphasis>do</emphasis> effect convenience with some added thought.
<emphasis>do</emphasis> affect convenience with some added thought.
Even more importantly, a security administrator should mix it up a
bit &ndash; if you use recommendations such as those given by this
bit &mdash; if you use recommendations such as those given by this
document verbatim, you give away your methodologies to the
prospective attacker who also has access to this document.</para>
</sect2>
@ -829,7 +829,7 @@
<application>ntalkd</application>,
<application>sendmail</application>, and other Internet-accessible
services. If you try to configure the firewall the other way
&ndash; as an inclusive or permissive firewall, there is a good
&mdash; as an inclusive or permissive firewall, there is a good
chance that you will forget to <quote>close</quote> a couple of
services, or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
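Review bot: The dash introduced on the "as an inclusive or permissive firewall" line opens a parenthetical that is then closed with a comma. Suggest pairing it: `&mdash; as an inclusive or permissive firewall &mdash; there is a good chance`, or using commas on both sides.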
@ -848,7 +848,7 @@
<indexterm><primary>ICMP_BANDLIM</primary></indexterm>
<para>Another common DoS attack is called a springboard attack
&ndash; to attack a server in a manner that causes the server to
&mdash; to attack a server in a manner that causes the server to
generate responses which overloads the server, the local
network, or some other machine. The most common attack of this
nature is the <emphasis>ICMP ping broadcast attack</emphasis>.
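Review bot: The line after the changed one reads "generate responses which overloads the server", a subject-verb mismatch that this cleanup pass leaves in place. Suggest "responses which overload the server" while the sentence is being edited.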