Slashdot Mirror
Stealing the Network: How to Own an Identity
Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review.
Stealing the Network: How to Own an Identity
author
Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long
pages
336
publisher
Syngress
rating
6
reviewer
Scott Pinzon
ISBN
1597490067
summary
Fiction that teaches about network security
Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?
And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.
Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.
Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.
Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.
Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.
But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.
STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.
Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.
So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #
Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.
Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?
And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.
Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.
Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.
Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.
Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.
But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.
STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.
Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.
So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #
Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.
Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
"'Saul on the Run,' stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information. "
I think comprimising someone's birth certificate, and thus all government issued documents is a bit more serious than cracking a home network.
Saskboy's blog is good. 9 out of 10 dentists agree.
if the glass was in the forest and no one was there to see it, would it be half anything?
"Actually, it's not that hard to make A QRTY keyboard type Dvoark letters,
In X, you just have to make sure that the "XkbLayoiut" option in the keyoard section is set to "dvorak" instead,. I have this in my gentoo startup scripts.
The first thing I usually do when I get a new keyboard is to pop off all the caps and rearrange them in Dvorak layout. Once I have the keys set up right, I can once again look at my fingers whild I type. hehe.
It's hard being so 1337."
Daymn, you're so 13373 you don't even need to use "QWERTY" you can use "QRTY" (I admit, the shift "WE" can be a bitch...)... other than that just an extra "i" in the X config and "," on the same line... not bad (thats dvorak smack for all you qwurdy folk...)
for his identity to be stolen?
So he sold it on eBay.
New procedure:
1) Get born.
2) Grow up.
3) Get official documents proving^H^H^H^H^H^H^Hallowing you to exist.
4) Sell existence on eBay.
5) PROFIT!!!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Cool, I'm glad you liked it.
To give you fair warning, I don't think you'll find the tech level in this one any different from Continent. I think it's quite relative to the reader, and the reviewer's comments reflect his impression.
Having said that, I would of course love to have you thumb through it in a bookstore, and decide yourself. I expect you will be abe to find it on store shelves in a few weeks. The first printing just finished this week, and so far the only place you could have purchased it is at Black Hat. And tomorrow at Defcon.
Amazon, etc... should show stock in a week or two, I hope.
With the exception of Aesop's Fables and medieval morality plays, most good pieces of fiction are not generally built around a single "moral." There are themes throughout a work, but usually a serious author does not write a story for the express purpose of advancing a message. Upton Sinclair felt strongly enough about this that he prefaced The Jungle by saying that unlike actual literature, his book was written for the purpose of conveying a message.
I haven't read this book and I likely won't; it sounds too much like a the computer-crime version of a Tom Clancy or Stephen King novel. There are probably several flaws in it, but the reasons you cite would rule out e.g. Thomas Pynchon's Entropy, one of the classics of modern American literature.
I used to read Caltizzle. I was a lot cooler than you.
Admittedly, themes run through great works, and, you're quite right about Aesop's Fables and the passion plays. I would add that the works of the Troubadours and Trouvères also have much to do with the making of The Western Canon.
My point takes more from an essay by James Joyce wherein he makes the point that all drama (fiction) invites catharsis. Catharsis, requires both recognition and resolution. From resolution I imply conflict and, in conflict, judgement, i.e. moral judgement.
Technology comes about when we extract information and abstract the information into mathematical expressions. Fiction requires we embed and entangle our selfs sympathetically into a story, as such it encourages "the right side of the brain" responses which feed moral choice.
cheers.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
if the book had been run past a competant editor. Just using a spelling checker and (maybe) a grammer checker isn't enough.