Slashdot Mirror

Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."

Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review. Stealing the Network: How to Own an Identity author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long pages 336 publisher Syngress rating 6 reviewer Scott Pinzon ISBN 1597490067 summary Fiction that teaches about network security

Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.

Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Corey Nachreiner writes "Until recently, I considered myself a Google power-user; so much so that I often call Google my "second brain." Whenever I stumble upon a computing dilemma I can't solve, I submit an advanced query to my second brain, Google, and let it supply the answers. That's why I was So There when Johnny Long released his recent book, Google Hacking for Penetration Testers . I heard Johnny's lively, light-hearted presentation to a packed house at the BlackHat Briefings last summer in Las Vegas. It was the hit of the show, but in one hour he could only present a few of his startling findings about Google hacking. After reading Johnny's book, I've learned a ton more and realized I wasn't quite as Google-savvy as I thought. As with my real brain, I've only been using about ten percent of my Google-brain's capacity." Read on for the rest of Nachreiner's review. Google Hacking for Penetration Testers author Johnny Long pages 448 publisher Syngress rating 8 reviewer Corey Nachreiner ISBN 1931836361 summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of google.

According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price.

However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential.

Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, mySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking database (GHDB) found on Long's Web site.

While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity.

Corey Nachreiner, Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire (browsable version, RSS feed.) You can purchase Google Hacking for Penetration Testers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Corey Nachreiner writes "Until recently, I considered myself a Google power-user; so much so that I often call Google my "second brain." Whenever I stumble upon a computing dilemma I can't solve, I submit an advanced query to my second brain, Google, and let it supply the answers. That's why I was So There when Johnny Long released his recent book, Google Hacking for Penetration Testers . I heard Johnny's lively, light-hearted presentation to a packed house at the BlackHat Briefings last summer in Las Vegas. It was the hit of the show, but in one hour he could only present a few of his startling findings about Google hacking. After reading Johnny's book, I've learned a ton more and realized I wasn't quite as Google-savvy as I thought. As with my real brain, I've only been using about ten percent of my Google-brain's capacity." Read on for the rest of Nachreiner's review. Google Hacking for Penetration Testers author Johnny Long pages 448 publisher Syngress rating 8 reviewer Corey Nachreiner ISBN 1931836361 summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of google.

According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price.

However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential.

Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, mySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking database (GHDB) found on Long's Web site.

While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity.

Corey Nachreiner, Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire (browsable version, RSS feed.) You can purchase Google Hacking for Penetration Testers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Corey Nachreiner writes "Until recently, I considered myself a Google power-user; so much so that I often call Google my "second brain." Whenever I stumble upon a computing dilemma I can't solve, I submit an advanced query to my second brain, Google, and let it supply the answers. That's why I was So There when Johnny Long released his recent book, Google Hacking for Penetration Testers . I heard Johnny's lively, light-hearted presentation to a packed house at the BlackHat Briefings last summer in Las Vegas. It was the hit of the show, but in one hour he could only present a few of his startling findings about Google hacking. After reading Johnny's book, I've learned a ton more and realized I wasn't quite as Google-savvy as I thought. As with my real brain, I've only been using about ten percent of my Google-brain's capacity." Read on for the rest of Nachreiner's review. Google Hacking for Penetration Testers author Johnny Long pages 448 publisher Syngress rating 8 reviewer Corey Nachreiner ISBN 1931836361 summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of google.

According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price.

However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential.

Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, mySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking database (GHDB) found on Long's Web site.

While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity.

Corey Nachreiner, Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire (browsable version, RSS feed.) You can purchase Google Hacking for Penetration Testers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Corey Nachreiner writes "Until recently, I considered myself a Google power-user; so much so that I often call Google my "second brain." Whenever I stumble upon a computing dilemma I can't solve, I submit an advanced query to my second brain, Google, and let it supply the answers. That's why I was So There when Johnny Long released his recent book, Google Hacking for Penetration Testers . I heard Johnny's lively, light-hearted presentation to a packed house at the BlackHat Briefings last summer in Las Vegas. It was the hit of the show, but in one hour he could only present a few of his startling findings about Google hacking. After reading Johnny's book, I've learned a ton more and realized I wasn't quite as Google-savvy as I thought. As with my real brain, I've only been using about ten percent of my Google-brain's capacity." Read on for the rest of Nachreiner's review. Google Hacking for Penetration Testers author Johnny Long pages 448 publisher Syngress rating 8 reviewer Corey Nachreiner ISBN 1931836361 summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of google.

According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price.

However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential.

Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, mySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking database (GHDB) found on Long's Web site.

While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity.

Corey Nachreiner, Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire (browsable version, RSS feed.) You can purchase Google Hacking for Penetration Testers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Corey Nachreiner writes "Until recently, I considered myself a Google power-user; so much so that I often call Google my "second brain." Whenever I stumble upon a computing dilemma I can't solve, I submit an advanced query to my second brain, Google, and let it supply the answers. That's why I was So There when Johnny Long released his recent book, Google Hacking for Penetration Testers . I heard Johnny's lively, light-hearted presentation to a packed house at the BlackHat Briefings last summer in Las Vegas. It was the hit of the show, but in one hour he could only present a few of his startling findings about Google hacking. After reading Johnny's book, I've learned a ton more and realized I wasn't quite as Google-savvy as I thought. As with my real brain, I've only been using about ten percent of my Google-brain's capacity." Read on for the rest of Nachreiner's review. Google Hacking for Penetration Testers author Johnny Long pages 448 publisher Syngress rating 8 reviewer Corey Nachreiner ISBN 1931836361 summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of google.

According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price.

However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential.

Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, mySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking database (GHDB) found on Long's Web site.

While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity.

Corey Nachreiner, Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire (browsable version, RSS feed.) You can purchase Google Hacking for Penetration Testers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

LiveSecurity writes "Contests involving Wireless Access Points have been a staple of Defcon for a few years now. This year at Defcon 12, three reporters from WatchGuard Technologies followed contestants in the Running Man mini-contest. Five teams had one hour to find a roving, low-power AP serving up a picture of Arnold Schwarzenegger. Add hundreds of hackers, 104-degree F. desert heat, and stir. The report on WatchGuard's Web site is officially sanctioned by the contest's designer, Frank Thornton, who mirrors the story. Long but good geeky fun!"

LiveSecurity writes "Contests involving Wireless Access Points have been a staple of Defcon for a few years now. This year at Defcon 12, three reporters from WatchGuard Technologies followed contestants in the Running Man mini-contest. Five teams had one hour to find a roving, low-power AP serving up a picture of Arnold Schwarzenegger. Add hundreds of hackers, 104-degree F. desert heat, and stir. The report on WatchGuard's Web site is officially sanctioned by the contest's designer, Frank Thornton, who mirrors the story. Long but good geeky fun!"

Michael Pierce writes "SeattleWireless TV has done it again! This months SeattleWireless TV show features an Interview with Rob Flickenger the inventor of the pringles cantenna and co-author of Nocat, an open source wireless captive portal. Then we have a chance to hear from Risto Koiva about his remote controlled helicopter with a 2.4ghz installed camera and gps unit, learn about the Personal Telco Project out of Portland, Oregon and finally a product review on the new WatchGuard SoHo 6 wireless firewall. Download the Mpeg version here or Watch the Windows Media Stream here, or the RealPlayer stream here."