Slashdot Mirror


Security Warrior

Peter Wayner writes with a review of O'Reilly's Security Warrior: "Close the doors and they come in the windows. Bar the windows and they slip through some cracks in the foundation. Seal those up and they find another way in through the door. Computer security is an odd pursuit because it's just not possible to have a strong theory of everything when cracks can appear anywhere. Into this field comes Security Warrior, a book on the topic with a wide-ranging collection of tidbits and suggestions on sealing as many holes as you can find." Read on for the rest.

Title: Security Warrior
Author: Cyrus Peikari and Anton Chuvakin
Pages: 531
Publisher: O'Reilly
Rating: 7
Reviewer: Peter Wayner
ISBN: 0596005458
Summary: Not a deep approach to security, but a great bag of tricks every sysadmin should have at hand.

The book comes lightly packaged in a metaphor about the training of samurai. A security warrior, it is said, must avoid a "superficial study of the subject" because that leads to a "deterioration of the samurai spirit." To avoid this, the authors plunge deeply into a wide variety of ways that attackers might break into your system. The book is meant to help you "know your enemy" and "see through an attacker's eyes."

This chest-beating fluff disappears pretty quickly because the authors dive into reading assembly code in the first chapter and start talking about the registers of the CPU by page 4. The rest of the first part of the book explores reverse engineering software by reading assembly dumps and using good tools to decipher them.

After poking around in binary code, they turn to the bits floating around the network. Chapters 6 through 10 explore how to sit on one end of the Internet and pry your way into another computer. Chapters 11 through 17 dive deeper into the specific defenses of platforms like UNIX, Windows, SOAP and SQL. The rest of the book, Chapters 18 through 22, explores how to figure out just what the attackers may be doing by setting up honeypots and log analysis tools.

Covering all of these topics in 531 pages is clearly not possible, and the book reads more like a survey or a catalog of what can go wrong. If you use PHP, for instance, as a frontend to your database, you might want to be sure that some "script kiddie" won't slip in some extra SQL in the form fields. Each topic isn't built up from some bedrock foundation with perfect mathematical pedagogy; it's just defined as a list of bad things that you should avoid doing.

The authors seem to be aware of how this might be misinterpreted. There are many good tricks in the book and it wouldn't be hard to rename it Al K Da's 1337 Haxor Tips. So the authors stress how learning about the enemy is the only way to defeat the hordes.

I think the problem is deeper and more philosophical. There's no way to prove a negative. There are no good mathematical tools that make it easy to prove statements like P!=NP or big numbers can't be factored quickly. In a larger sense, it's not really possible to prove that someone can't break into a system. A more traditional, ground-up approach to the topic can offer some assurances, but books like this one are always necessary. Anyone doing battle against unknowable and unpredictable adversaries must look between the cracks.

If you look at it this way, the book is a good collection of tips and hints that will help someone keep their network a bit more secure. It doesn't provide a deep, elegant and rigorous explication of the topic, but I don't think that is possible. It's a great collection of tricks that should be part of a good warrior's training.

Peter Wayner is the author of Translucent Databases and Policing Online Games. You can purchase Security Warrior from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

11 of 124 comments

  1. Samurai by nacturation · · Score: 4, Funny

    The book comes lightly packaged in a metaphor about the training of samurai.

    First rule: know when to commit seppuku.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  2. ...when cracks can appear anywhere.. by burgburgburg · · Score: 3, Funny
    One word: caulk.

    Nuff said.

  3. Seppuku by Timesprout · · Score: 3, Funny

    The book comes lightly packaged in a metaphor about the training of samurai

    Does this mean I can look forward to lots of MSCE admins committing seppuku when they get cracked?

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  4. I read the first version by Hardwyred · · Score: 3, Funny

    It was called the Art of War by some guy named Sun Tzu. I think he worked for IBM or something ;-)

    --
    www.linux-skunkworks.com
  5. Ob by GillBates0 · · Score: 3, Funny

    1. Pull network cord
    2. Pull power cord
    3. ???
    4. Security!!!

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Ob by kfg · · Score: 2, Funny

      That's a DoS.

      Not if you're using it as a doorstop.

      KFG

  6. How much security do I need? by stand · · Score: 4, Funny

    I think it's like that old joke about how to protect yourself from being killed by a bear. (I don't need to outrun the bear, I just need to outrun you). I only need to be slightly more secure than the rest of you. Right now, frankly, that's not too hard.

    --
    Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
  7. windows by hak+hak · · Score: 2, Funny
    close the doors and they come in the windows.

    Yeah, many computer hackers in recorded history have come in through Windows.

  8. Some Wisdom by Anonymous Coward · · Score: 2, Funny
    Close the doors and they come in the windows. Bar the windows and they slip through some cracks in the foundation. Seal those up and they find another way in through the door.

    Best security practice- get rid of your Windows first.

  9. Top 10 by Anonymous Coward · · Score: 4, Funny

    Here are the top 10 reasons:

    10) You've just been ordered to migrate from sendmail to Exchange server.

    9) Your boss, let's just call him Bill, insists upon being given root privileges, in spite of the fact that he constantly breaks things even with mere user privileges.

    8) Your boss won't let you filter out .vbs & .exe attachments at the mail server because he is an amateur (read: terrible) coder. Moreover, his amateur programs cause as much if not more trouble than the virus-laden attachments he keeps opening. He also has crazy ideas about putting "stamps" on email.

    7) You are told by your boss, who (mis)read a computer security advisory to put the company webserver (which handles online sales) on a non-standard port "so the hackers won't be able to mess with it."

    6) Your boss expects you to find a way to make your Solaris servers, with tons of ancient, crufty legacy code which is vital to the company, run ASP pages just so they can use (read: justify the ridiculous expense of) some crappy B2B application they bought without consulting IT. Preferably sometime next week.

    5) Your boss thinks that some 'internet accelerator' software (read: spyware) should be made mandatory for all employees to improve productivity.

    4) Your "security policy" is more like a list of who to blame for what.

    3) Your boss is negotiating a SCO IP license, since "any publicity is good publicity."

    2) Your boss thinks you should be more thankful, because the management is so "IT-savvy" and always ready to help you out.

    1) You ignore all this bad advice, pretend you took it anyway (he'll never actually know...), and waste your time posting on Slashdot instead of working.

  10. Re:scary no doubt by Anonymous Coward · · Score: 1, Funny

    I've been running your servers, databases, and clients for years without problems, too.