Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealing the Network

Posted by timothy on from the next-week-shoplifting dept.

Blaine Hilton writes "Stealing the Network is a refreshing change from more traditional computer books. The authors have created fictional stories based on non-fictional concepts that could really happen to our computer systems today. The realistic fiction approach makes the book much lighter to read and actually entertaining. I also believe this approach makes the true methods behind the fictional stores much more memorable then memorizing thousand page textbooks." Read on for his overview of the book. Stealing the Network: How to Own the Box author Ryan Russell, Tim Mullen (Thor), FX, Dan Kaminsky, Joe Grand, Ken Pfeil, Ido Dubrawsky, Mark Burnett, and Paul Craig pages 328 publisher Syngress rating 8 reviewer Blaine Hilton ISBN 1931836876 summary An interesting fictionalized approach to hacking and other aspects of information security.

I'm leery of books that are written by multiple authors because the writing style always seems to keep me off beat from jumping around, however in this book it works out well since the book is organized as a series of short stories. Each story describes somebody involved in information security -- either somebody trying to access a system, or a person trying to keep the bad guys out.

If you are looking for a step-by-step guide to locking down your computer and network, this is not the book for you. Instead, this book is more to help people who already have at least a basic understanding of information security to see from another perspective. Stealing the Network looks at other reasons why people can break in: everything from being told to go to industry conferences to not collecting access cards when an employee leaves the company. What this book left deepest in my mind is to trust nothing, and assume even less.

After the ten short stories of how hacking is really done, there is a nicely done appendix along with Ryan Russel's "Laws of Security," which finishes this fictionalized book in a very non-fictional way. The laws cover most of the problems with current IT infrastructure, but do not go in-depth with what I believe is the biggest security hole, the user. Many of the stories touch on this fact but that's about the extent of it. I believe this may be because there are not any easy solutions to human behavior. This book says it best with "people are lazy."

At 328 pages (in pretty large text), this is a great easy read, though the book would be better with a lower price tag. However if you work with or around computers and the Internet, this book is very enlightening, if not completely informative.

Table of Contents
  • Acknowledgements
  • Contributors
  • Forward
  • Chapters:
    1. Hide and Sneak
    2. The Worm Turns
    3. Just Another Day at the Office
    4. h3X's Adventures in Networkland
    5. The Thief No One Saw
    6. Flying the Friendly Skies
    7. dis-card
    8. Social (In)Security
    9. BabelNet
    10. The Art of Tracking
  • Appendix - The Laws of Security

Most of the book's authors have websites you can hit for more information; follow these links to find more from Ryan Russell, Tim Mullen (Thor), FX, Dan Kaminsky, Joe Grand, Ken Pfeil, Ido Dubrawsky and Mark Burnett, as well as Jeff Moss (who wrote the forward).

You can purchase Stealing the Network from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

39 of 141 comments (clear)

  1. Woo Hoo! by ryanr · · Score: 5, Informative

    One of my books finally made it onto Slashdot. I wrote the "Worm Turns" chapter with Tim Mullen, acted as tech editor for the book, and wrote the overall outline. Pretty easy book to be a tech editor on. I'll be watching this thread if there are any questions I can answer.

    1. Re:Woo Hoo! by Chris_Stankowitz · · Score: 3, Interesting

      I do have a question. Does Syngres still offer their books in a downlodable text? I try to find this feature in most of my tech books and unfortunatley not many companies publish them this way.

    2. Re:Woo Hoo! by ryanr · · Score: 5, Informative

      On some books, they do. When I "registered" my copy of this book, I was given a link to download a .PDF of it. Be aware that on some books (mostly older ones) the .pdf file(s) were contained in a Windows .exe.

      If enough people care, I'll make them produce a HTML file or something.

    3. Re:Woo Hoo! by ryanr · · Score: 3, Insightful

      If I couldn't have fun with the trolls, then Slashdot would be less enjoyable.

    4. Re:Woo Hoo! by Mooncaller · · Score: 2, Interesting
      How would you feel about submiting to a /. interview. Tech writting is an important part of any tech carrer. I have done quite a bit of it myself, including a 200+ page process procedure. I like to write SF short stories. When ever I do tech writing I pay as much attention to sentence structure and flow as when I write a story. The result is "wawawawawa". Nothing sticks. The prose is too smooth. That makes for a lousy procedure. The problem is that the procedure lacks a good plot.

      I'm interested in tech writiting and would like to do it better. I'm sure there are there /.ers who feel the same way. It would be nice to get the perspective of some one whos been there.

    5. Re:Woo Hoo! by ryanr · · Score: 2, Interesting

      Clearly, from the amount of whoring I've already done in this thread which is only tangentially about me, I'd love to do an interview.

      There are any number of details about how I perceive writing, what it's like to work with Syngress, etc... that I'd love to talk about.

      I can see where writing procedures, where there is little or no opportunity to include any personality, would drive one insane. I have no formal training on writing, other than the classes they have you take in college. And I read a lot. I was a little concerned about that when writing fiction... but that's what editors are for (to tell you you suck.)

  2. Stealing the network by Anonymous Coward · · Score: 4, Funny

    5 finger discounts at CompUSA!

    1. Re:Stealing the network by Lord_Slepnir · · Score: 2, Funny

      For me it's a four finger discount now. Be careful of doing that in third world countries.

  3. Learning through fiction by nacturation · · Score: 5, Interesting

    This is a very valuable technique. After reading the Clavell novels (primarily Shogun) I was able to pick up and understand a small vocabulary of Japanese as it wasn't "dry" information. Hopefully this will be a great way to get management to clue in a little better to security without PHBs realizing that they're learning valable material.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Learning through fiction by fastdecade · · Score: 2, Informative

      Too true, it was zammechat how much dobby Nadsat was learned while reading "A Clockwork Orange". I once saw some real foreign language books start in English and gradually incorporate another language, wish I could get hold of something like that now.

      Another novel about software engineering is The Deadline: A Novel About Project Management by Tom De Marco, author of the classic text, Peopleware. As the title indicates, it's a novel that not-so-subtly illustrates certain points about project management. I haven't read it as rumours indicate the romantic aspects are a bit average, but amazon reviewers seem positive.

      Further afield, another educational book is
      The Richest Man in Babylon, a fable which attempts to demonstrate, albeit in a crude way, the how and why of saving $$$.

      Any others?

  4. Great, thanks! by Anonymous Coward · · Score: 5, Informative

    A whole book review that consists of the Contents listing, and a whole paragraph that says "I liked the writing style, even though it was written by more than one person." Gee thanks. Next time save your time and just give us a link direct to the Amazon listing why not?

  5. Re:fp! by ryanr · · Score: 5, Funny

    In one of the stories, a book author beats the anonymous coward for first post on his book review story.

  6. There was this guy.. by bigattichouse · · Score: 4, Funny

    There was this guy.. and he liked to tell stories that had meaning, because it was easy to remember the story, and the associated meaning... man, what was his name... (Insert favorite diety/boddhi here)

    People inherently remember stories and songs much better than bare facts.

    --
    meh
  7. Question: by mao+che+minh · · Score: 5, Funny
    Yes mister Ryanr, I have a question that demands your expertise. How do I perform what is commonly refferred to as "teh haxX0r" on the internet? And is the art of "haxX0ring" related to "hacking" in any way? I am routinely laughed out of IRC chat rooms because I am not "l33t", as they put it.

    Thank you.

    1. Re:Question: by ryanr · · Score: 4, Funny

      They're similar, but with hax0ring, you yell "3y3 0wn j00!!!!11!!!1!" a lot, and the actual hacking part looks a lot like flying through a wireframe cityscape.

    2. Re:Question: by Surak · · Score: 2, Funny

      They're similar, but with hax0ring, you yell "3y3 0wn j00!!!!11!!!1!" a lot, and the actual hacking part looks a lot like flying through a wireframe cityscape.

      Phew. And here I was starting to think that the movie "Hackers" lacked actual basis in reality. At least they got *that* part right. ;)

      So, exactly where is your gibson, and how do I get to h4x0ring it?

      --
      My journal has hot /. gossip.
  8. Amazon by Meeble · · Score: 5, Informative

    here is the Amazon Link.

    I'm always wary of amazon reviews anyhow though, half the time their anonymous and most likely the publishers, authors, and editors. With my lack of trust does that mean I'm as knowledgeable as I would be from reading the book ? ;)

    --
    Fear Breeds Knowledge
  9. Parody time. by cyt0plas · · Score: 3, Funny

    I guess it's time for someone to write "Steal this Network" - a howto guide.

    --
    Contact Me (got tired of viruses emailing me).
  10. very good by towaz · · Score: 5, Informative

    I downloaded this as an ebook from syngress its cheaper :)

    The stories were all well written, covered a varied amount of subjects and were not heavily technical.

    Hope to see more books take this different angle, the only one that seemed to be written the same style recently was Art of deception.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
    1. Re:very good by ryanr · · Score: 2, Informative

      If this one does well, then it's pretty much guaranteed that Syngress will do a sequel.

  11. I read the first chapter at Barnes & Noble... by bc90021 · · Score: 5, Informative

    ...while I was waiting to see TM:R. I started reading it, and in half an hour was through fifty pages already. It was compelling, to say the least.

    The reviewer is quite correct - this book is different from most normal security books. Instead of "here's the attack, here's how to defend", it is a collection of fictional stories. Since I only read the first one, I can't comment on the rest of them, but the first was enough to make me want to read the rest.

    Needless to say, when I got home that night, I ordered it. Since then, I've been like Calvin waiting for his red beanie - every evening I come home and it's not there... but the next day I am psyched that it will be! (It should be arriving today! I am quite anxious to read the rest.)

    My recommendation is that you check it out if you get a chance. :)

    --
    libertarianswag.com
  12. Computer Security Quote by bpfinn · · Score: 3, Funny
    Could someone remind me who stated the two laws of computer security:
    1. Don't buy a computer.
    2. If you do buy a computer, don't turn it on.
    Thanks.
  13. The laws of security: by cyt0plas · · Score: 5, Funny

    1) By the time you finish reading these laws, they will be hopelessly out of date

    2) Don't use anything that Microsoft got near, even if the interaction was nothing more than an underling squinting at it over his morning coffee - It might be tainted, don't risk it.

    3) The nice thing about being a security consultant is that if the customers knew enough to judge your work, they wouldn't need you in the first place.

    4) "Security Consultant" is a important-sounding title that carries very little real responsibility.

    5) It doesn't matter how good your security is, some manager will give out his password to his wife/kids/secretary/dog, and data _will_ be lost. Don't wait for it to happen, back up the data _now_.

    --
    Contact Me (got tired of viruses emailing me).
  14. Re:Are you taking this chance to whore your balls by ryanr · · Score: 2, Funny

    Sort of. I have no need for any more karma (in fact, I'll probably lose a good chunk on this thread :) ) but I always figured if I was ever interviewed on Slashdot, or had a book review or something, that I'd answer as many questions as I could. That's the point of an interactiv website, yes?

  15. Fiction as technical by genkael · · Score: 3, Funny

    And then Bob realized he could do an nslookup on his IP. Frustration rained. They he realized that inevitably he had forgotten to put in a reverse lookup into the nameserver.

    It just doesn't work for me.

    --
    GeneralKael -- Slacker Extraordinaire
  16. reminds me of... by newsdee · · Score: 3, Informative

    ...a book I read long ago, that was supposedly a novelized true story about how a network administrator "catched" a hacker. Unfortunately I don't remember its title nor the author, but I expect somebody here will remember the scene where the guy melts his sneakers in the microwave, because he wanted to quick dry them... :-)

    Does it ring a bell?

    --
    The ENIAC Demo Competition
    1. Re:reminds me of... by JUSTONEMORELATTE · · Score: 4, Informative

      ...a book I read long ago, that was supposedly a novelized true story about how a network administrator "catched" a hacker.
      Might you be thinking of Cuckoo's Egg by chance?
      The story of how an admin caught an intruder.

      --

    2. Re:reminds me of... by ryanr · · Score: 2, Insightful

      Great book, one of my favorites. The difference is that his is a true story. Well, that and he's a much better writer than I am.

  17. don't forget The Cuckoo's Egg by paulmcd · · Score: 2, Interesting

    This is a clasic that shouldn't be forgotten. "The Cuckoo's Egg", by Clifford Stoll

  18. Great Pedagogical Technique, this by Phoenix666 · · Score: 3, Insightful

    I think this is an excellent direction to take education in. The difference between book learning and real world knowledge is always context. Book learning teaches you math out of context, teaches you grammar out of context, and what have you. It's the real world that teaches you the actual context for applying the book learning. Whereas a book like this, presenting the knowledge in the way it does, actually takes you back to the original purpose for stories: to teach.

    Remember Aesop's Fables? They weren't meant primarily to entertain, but to teach a moral lesson. The same with the little incidental stories we tell each other daily about, for example, how so-and-so got fired because he was surfing porn on the company network. The entertainment value is incidental.

    Given that bodies of knowledge, IT and otherwise, are multiplying so rapidly, it seems like the only way to get a reasonable handle on it as a society is to create these kinds of stories to put it in context.

    Great work, guys.

    --
    Do what you can, with what you have, where you are.
  19. Personally, I like the idea... by The+Angry+Mick · · Score: 3, Insightful


    ...of using a fictional approach to highlight security vulnerabilities. How many times have we sysadmins tried to point out the dangers of a particular practice (say, passwords pasted to monitors), only to be asked "what's the worst that could happen" and asked to prove the risk?

    Other than spending a large chunk of time Googling for news stories, there's not a lot of real and readily accessible information out there about the serious consequences of a lame security approach. Nor is there a pile of information that comes in an easy to understand form that upper management can grasp. Trying to explain the technical aspects will only make their eyes glaze over, and appealing to their sense of security is more often than not perceived as questioning the morality of staff.

    Anecdotal "tales" such as this, may actually help the technologically adverse see the nightmare scenarios that many of us admins lose significant sleep over, and can do so in a way that makes them understand that even the best intentions can go horribly awry.

    --

    I'm not tense. I'm just terribly, terribly, alert.

  20. Our Thoughts Writing STN by Effugas · · Score: 4, Interesting

    Heh. STN made Slashdot. Scanrand on the shelves...cool :-)

    Stealing the Network is a relatively unique book. Remember Swordfish? Remember Antitrust? Wish there was a cheap procedure to repair that psychic damage? Because that's what got me involved. Syngress was as tired of the hype as we were. Spindly kids playing with 3D modelers to make worms was not reality. Syngress had a basic request: Show us what really happens. Make it interesting, tell a story, but at the end of the day, take the gloves off.

    Most of us had worked with Syngress before -- we'd done Hack Proofing Your Network for them, which was actually pretty well received. It was a strange experience, travelling half-way round the world to Black Hat Asia and seeing my Defcon talk on sale in a Singaporean bookstore :-) So when Syngress said they wanted to do this -- we put this together.

    We've actually put together a surprisingly good package. Everything from dumpster diving to printer abuse to some of the first real documentation of my personal scanrand techniques shows up. If there's interest, I'll put together a summary of some of the cooler things in here. And of course, if there's any questions, bug me here or in email :-)

    Yours Truly,

    Dan Kaminsky

  21. Re:yes it is... by Carbonite · · Score: 4, Funny

    I improve my English through /.

    Sweet Jesus! That's like improving your health through heroin.

    --
    ich muß mehr Kuhglocke haben
  22. Brilliant by Mannerism · · Score: 4, Funny

    The authors have created fictional stories based on non-fictional concepts that could really happen to our computer systems today.

    Wow. This could spawn a whole genre of books. We could call it "Science Fiction".

    --
    Please donate your spare CPU cycles to help fight cancer and other diseases
  23. Highlights from STN by Effugas · · Score: 3, Informative

    All--

    Thought it'd be fun to talk about some of the more interesting material we put together throughout the book:

    --HTTP-only access to the outside world doesn't actually pose much of a barrier...httptunnel (the original web service) may not be as mindbending as IP-over-DNS or mailtunnel, but damned if it doesn't punch ssh sessions bidirectionally through web proxies ;-) This gets mentioned in Dubrawsky's attack tree analysis -- an extremely systematic breakdown of attack selection across pretty much every platform an attacker might find.

    --Worm analysis. Guys, Code Red and Nimda were astonishingly successful; there's not-so-idle speculation that Nimda was a test run from a foreign intelligence service. One of my good friends did almost nothing for a year but manage Nimda recovery. Just because it left the press doesn't mean it left the network. Reverse Engineering is never trivial (unless you're Halvar Flake and dream in x86); throw extreme time sensitivity, malicious design, and financial implications and you get an idea of the world virus fighters and worm smashers have to face. Kudos to Tim Mullen and Ryan Russell for their nuts-and-bolts breakdown of this process.

    --Joe Grand. Software-based RF Analyzer. Pre-GSM/GPRS Blackberry transmissions. Mobitex.exe. And if that wasn't enough, "Creating a fake gelatin finger to bypass a biometric fingerprint sensor.", complete with photographs.

    --Ah, FX. Leave the poor Cisco alone, man :-) And of course, it wouldn't be FX without seeing those HP Laserjets as covert outposts :-)

    --Security and Functionality tend to play in opposition...as Paul Craig points out, maybe those step-by-step guides to getting through the VPN shouldn't show up on Google :-)

    --WiFi. Dead horse. But it's nice to see it anyway.

    --Password cracking by calling up administrators and listening to them type in their password -- nice, Mark. I'd like to see some of the stats code to manage that. Also good to see Windows Proxy Autodetection getting some misexposure.

    --Auditors are given lots of leeway. No, let Ken Pfiel clarify...those who claim to be auditors are given lots of leeway.

    --OK, I'm a protocol geek. For a good time, switch to root and type:

    "tcpdump -w - -s65535 | strings --bytes-8"

    If it's ugly, it's SMB. If it's scary, you're probably at Network Interop, where there's 220 access points and you're sniffing across all of them.

    --Scanrand docs! Portscan detection on switched networks by watching the router spew an ARP storm! "If your SMTP server has teleported 15 hops closer than the rest of your host, perhaps it's being hijacked by your hotel." And more NAT games.

    --Collaborating on tracking down an attacker, while the attacker can read your email...fun.

    We've had some fun, to say the least. :-)

    Yours Truly,

    Dan Kaminsky

  24. Re:WTF? $50 for a paperback fiction? by ryanr · · Score: 2, Informative

    A common (and probably fair) complaint. If you shop around a bit you may find it for slightly less.

    Syngress books tend to be priced a bit higher than some of the competition. They seem to be happy doing a little less volume at a little more margin. They're also a small publisher, so they don't neccessarily have the same economics of scale or influence that a big publisher does.

    The whole book industry is interesting, from what relatively little I know about it.

  25. Copyright != Patents by FreeUser · · Score: 4, Informative

    Wonder what would have happened if Guthenberg was allowed to take a patent (don't think that particularly concept existed at that time) off his invention of the printing press.

    What would have happened? The patent would have expired 14 years later, that's what (28 years if he bothered to renew it). Net effect on society: probably about zero, because technology didn't spread very quickly.

    If you are going to defend the current system of government monopoly entitlements, you should at least learn to differentiate between copyright law and patent law. While the two do bear similiarities in their stifling of human creativity and economic endeavor, they are not the same, and their consiquences, while often similiar, are not the same. Certainly the duration of their respective monopolies are not at all similiar. Patent law grants monopoly entitlements for 20 years on human knowledge. Copyrights grant monopoly entitlements for 95 years, or life plus 75 years, on human expression and information.

    In your comment above, you are confusing copyright law (as it was implimented in the United States after the revolutionary war, with its 14 year expiration + optionally an additional 14 years) with patent law (which had a 17 year expiration and now has a 20 year expiration, in the US, but was in other jurisdiction granted for much longer ...sometimes in perpetuity).

    Copyright in England was perpetual in its initial incarnation, and offered publishers only exclusive rights ... authors had no rights at all, until the Statue of Anne was passed almost a century later, and practically still had no rights until the Statue of Anne was enforced by a court case several decades after that.

    What would have happened is that the printing press would have spread much more slowly during its initial 'craze', giving governments and the Church more lead time in devising effective methods of censorship. Things like the reformation might never have happened in such an environment, where 20 years could have been the difference from a disruptive technology allowing exposure of a new idea ("let's all read and interpret the Bible for ourselves, rather than being spoonfed our opinions from Rome") and an emerging technology so controlled as to be reduced to a tool of the entrenched power ologopolies (sound familiar? It should: that is how everything from the telephone and radio to television and aerospace work today. The Internet was a surprising phenomenon ... one that was immediately addressed with software patents and, when that failed to quell the innovation quickly enough, draconian copyright laws such as the world hasn't seen since before copyright's relative liberalisation under the Statue of Anne).

    It is difficult to know with certainty what chilling effect a 20 year patent (or a patent in perpetuity, as was the norm at the time patents were first being offered as Royal rewards for innovation, often to those who had brought the innovation to the crown and not to those who actually did the innovating and inventing ... a sad state of affairs that exists to this day, if you substitute USPTO for the crown). However, based upon the chilling effects being observed today, and our knowledge of the importance the printing press played in political and cultural changes in Europe that led to the enlightenment and modern scientific collaboration, among other things, it is safe to day that a 20 (or perpetual) delay might well have tipped the scales sufficiently in favor of the entrenched powers so as to make any such reforms very difficult, at least, and perhaps impossible.

    Which really should give one pause. How many similiar, much needed changes and reforms have been quelled by slowing down and ultimately suppressing emerging technologies. What is it that threatens free software and the internet more than anything else? You guessed it, copyright law on the one side as wielded by the media cartels, and patent l

    --
    The Future of Human Evolution: Autonomy
  26. Sample Chapter by ryanr · · Score: 2, Informative

    BTW, sample chapter if anyone wants to see.

  27. Read it through today ... by cobrabyte · · Score: 2, Insightful

    After reading about the book this morning on /., I went to B&N and actually caught sight of the book (inadvertently). I picked it up and it was such an interesting read, I didn't put it down until I had read it all. As mentioned, it's interesting in the fact that they're all 'make believe' stories carrying an underlying lesson in each chapter. A lot of different scenarios are covered and it would be a pretty good read for anyone even remotely connected to network security. Now, I am not saying that it gives you the XYZ of keeping your network safe from prying eyes ... it's far from that. In fact, the appendix is really the only thing that contains a 'true' lesson. The stories, however, illustrate the 'outside-the-box' thinking that some hackers possess. All in all, I give it about a 7 out of 10.