Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Books Media Security

Black Hat 135

CWitz writes "I'll be honest: I'm not terribly technical. In fact, I'll probably have to get someone to help me add in the tags necessary to convert this review to readable HTML. But what I lack in technical skills, I more than make up in apprehension about the darker aspects of the internet. When I get an unexpected e-mail, I'm sure it's from some identity theft villain full of virtual lock picks just dying to snatch all my private information. John Bigg's new book Black Hat: Misfits, Criminals, and Scammers in the Internet Age is an entertaining and educational book that provides me with more than enough information about how to protect my vulnerable computer." Read on for the rest of his review; it's not aimed at experts, but Scott makes it sound like a good read for the interested layman.
Black Hat: Misfits, Criminals, and Scammers in the Internet Age
author John Biggs
pages 176
publisher APress
rating 8
reviewer CWitz
ISBN 1590593790
summary An introduction to the morass of malice that threatens any internet-connected personal computer; gives a broad overview of both social engineering and purely mechanical attacks, and advice on avoiding them.

Biggs is a technical journalist with more than seven years of real-world IT experience (programming and management), and he handles complex topics on the page in a fun, easy to understand manner. The book begins with the tale of a hapless spam victim in Germany, and moves on to introduce us to Alan Ralsky, the "spam king of Detroit."

Ralsky describes himself as an honorable marketing professional, but a Detroit Free Press article in November of 2002 pointed out that his computers vomit out more than 650,000 emails each hour. While his label of spammer or marketer may be debatable, there's no question about his efficiency. From the interview with Ralsky, Biggs moves into telling the story of his own struggle with spam. The discussion then turns to various relevant legal and social issues, and this shift is a hallmark of the book's positive qualities.

Black Hat effortlessly moves from straightforward factual reporting to first-person narratives to social and political commentary. The factual sections are just-the-facts-ma'am-reporting that would seem at home in any newspaper or technical journal. The first-person narrative sections are funny and reassuring. For leery technophobes like me, it's nice to know the experts struggle with many of the same computer bugaboos that plague me. The political and social commentary sections succinctly explain legal and cultural influences that shape the world of the internet today.

A good example of the political commentary is the chapter entitled "Upload or Perish: Pirates." As an aspiring author myself, I've always found myself believing that "sharing" intellectual property was inherently wrong. So I chose not to use Napster or Kazaa or the other options and totally agreed with efforts to prosecute active Napster users. But in this chapter, Biggs points out the misguided attempts of the industry by targeting the wrong people in their fight against sharing and piracy. In Eastern Europe and China, there are CD-pressing factories spewing out thousands of copies, complete with jewel case, printed insert, and full-color printing that are almost impossible to distinguish from the real product.

Biggs writes: "BMG Music representative Rob Anderson told me that many of the pirates have better CD and DVD reproducing equipment than even the large, official distributors." The discussion of industry actions targeting the wrong people continues with "Record companies can sue as many 12-year-olds as they want...but the equation will always be the same: piracy cannot be stopped." Detailed explanations of key landmark piracy lawsuits follow and the chapter ends with Biggs providing some suggestions for how the industry can help themselves in more effective ways, rather than attacking kids with home computers and a Jones for Metallica. Quite simply, he states the industry should use the technology to effectively deliver their product, at a reasonable cost, to the consumer. If listeners are going to share files, then the industry should harness the technology instead of stomping their feet and demanding that teenagers continue to trek down to the local mall and spend twenty dollars on a CD that may only have one or two good songs.

Personally, I'm still not sure that I believe in file sharing. Just because something isn't tangible (it's music or it's words or it's code) doesn't mean someone didn't work hard for it and invest in it. But Biggs' illuminating discussion certainly made me see how the industry has mismanaged their very lifeblood. I may not be file sharing anytime soon, but I won't be part of the angry mob hunting down file sharers any longer.

In Black Hat, Biggs manages to clearly explain certain technical aspects of spam, viruses, and other internet parasites. For instance, we've all seen that pile of gibberish at beginning of spam e-mails and Biggs explicates that mess in a way that anyone can understand. Like those rare moments in high-school English class when the teacher explains a poem that you always thought was unintelligible garbage, and the light goes on, and suddenly that long-haired Brit makes sense -- after reading Black Hat, I now understand much of what was to me only gibberish before.

In the chapter entitled "Shockwave: Worms and Viruses," Biggs dissects a simple, working worm. The worm was written by 16-year-old in Austria named Second Part to Hell with a taste for programming to White Zombie. Biggs interviews the worm writer and delves into the world of programmers he likens to sword makers, steeped in art and tradition. They do not include any dangerous payloads in their worms, but the possibility that someone could use the worm for malevolence isn't their concern, any more than the sword maker worries about how the weapon is being used. The dissection of Second Part to Hell's worm begins by actually showing the PHP web-programming code. Biggs then walks through each section, explaining how the worm selects which files to infect, creates a copy of itself, and processes its code to spread, and finally appends itself to the top of each file so it can seek out new victims.

The book goes on to discuss Nigerian 419 scammers, malicious virus writers, hacking legends like Lord Digital, spyware, and ultimately what a user can do to protect their computer and data. Entertaining and educational, Black Hat was a valuable read to a non-technical person like me. Best of all, John Biggs' suggestions for protecting my computer against the frightening aspects of the internet have made my cyber activities more comfortable and secure.


You can purchase Black Hat: Misfits, Criminals, and Scammers in the Internet Age from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Black Hat

Comments Filter:
  • I have to ask, is the treatment of "spyware" and "419 scams" only a mention in the book, or is there some detail given to these important subjects?

    Also, I am technical, too, but I readily admit to buying and reading "... for Dummys" series books on many (including technical) subjects. It's nice to see a Slashdot review for this type of book.

    • by g0bshiTe ( 596213 ) on Tuesday July 20, 2004 @01:52PM (#9751530)
      No shame in the For Dummies series brother or sister. A few grace my shelves also. I find them useful when you dont need to sift through tons of BS to get to what you want.
      • No shame in the For Dummies series brother or sister. A few grace my shelves also. I find them useful when you dont need to sift through tons of BS to get to what you want.

        I've browsed in a few, and they seem pretty much on the ball usually, no really big stinkers on first look. The "for dummies" title is basically a way of poking fun at themselves, well, and their readership. Anyway, it's meant as a joke.

        Other series however, seem to take such titles perhaps a little bit too seriously.

        What are we to m
        • by kfg ( 145172 )
          Anyway, it's meant as a joke.

          It is what is called "irony." Saying the opposite of what you mean. The joke is that the books are for those intelligent people who feel like dummies because they have been reading people who actually are and thus "don't get" what are actually simple concepts if simply, and intellegently, explained.

          Andre LaMothe's Windows Game Programming for Dummies, for instance, gives the most concise and intelligently understandable introduction to the Windows SDK and Direct X I have ever
      • I find them useful when you dont need to sift through tons of BS to get to what you want.

        Wow. My experience with the For Dummies books have been the exact opposite. Page after page of nothing but fluff with very little actual meat. I much prefer books that don't talk down to you but instead just give you all the facts. The O'reilly Nutshell series of books are what I think of when I think of being useful when you dont need to sift through tons of BS to get to what you want.
        • It sounds like you're after more technical texts. The For Dummies books are great primers for the more in-depth books out there. They don't pretend to be anything more, and are a great help. They give a fair amount of information in a friendly way.
      • I'm not ashamed to admit that "Linux for Dummies" graces my shelves. Even if you will eventually sift through tons of BS, they give you a good foundation to get started.

        LK
  • Chapter 1: (Score:5, Funny)

    by Neil Blender ( 555885 ) <neilblender@gmail.com> on Tuesday July 20, 2004 @01:41PM (#9751393)
    Those assassination threats are real. Be sure to do as you are told.
  • by Anonymous Coward on Tuesday July 20, 2004 @01:45PM (#9751438)
    When I get an unexpected e-mail, I'm sure it's from some identity theft villain full of virtual lock picks just dying to snatch all my private information.

    Because going through life in perpetual fear is always the best way to deal with it.

    If you are afraid of something, learn about it. If it doesn't make the fear go away, at least you can learn how to minimize the threat.
    • (I think that's what this book is about)
    • Er? (Score:5, Insightful)

      by mblase ( 200735 ) on Tuesday July 20, 2004 @01:50PM (#9751500)
      If you are afraid of something, learn about it.

      Um, that's probably the reason the reviewer bought the book.
      • Re:Er? (Score:1, Interesting)

        by Anonymous Coward
        >>If you are afraid of something, learn about it.

        >Um, that's probably the reason the reviewer bought the book.


        If you are already fearful of the Internet, purchasing a book titled Black Hat: Misfits, Criminals, and Scammers in the Internet Age is probably more to validate your fears rather than calm them.
    • ...Than to live on your knees. I don't know who said it, but it is part of my personal philosophy of life.

      I life my life for myself. Many will think that a selfish attitude, and they are right. But it is no more selfish than those who would tell me how to live my life, for example by telling me to not climb mountains, get shot at, or sleep alone and unprotected in Grizzly country. It is my life, and my choices. I believe that life is about choosing either to live, or merely exist. For me, living is seeking

      • ...Than to live on your knees. I don't know who said it,

        The same person who said just about everything else of importance: James Brown [funky-stuff.com].

        And of course, I should know.

      • I don't know who said it

        "Better to die on your feet than to live on your knees"
        - Benito Mussolini.

        Now, I'm not saying that there's not some truth in the sentiment, but it's worth knowing when you're quoting fascist dictators.

    • Because going through life in perpetual fear is always the best way to deal with it.

      Perpetual vigilance, on the other hand...

      Wouldn't say that I'm paranoid - but back in my windows days - and to some extent even now running Linux - I treat(ed) every email attachment as a potential virus. Probably why I never got infected via email (infected just once, thru other computers at a LAN game.)

      I do know some windows users who *are* afraid of viruses - and I'm not sure they are all that wrong to be, eith
    • If you are afraid of something, learn about it

      I'd love to, but I'm too busy cleaning the sand out of my nostrils.
  • misfits, criminals, and scammers, I'd like to formally protest the association this book makes between my clients and spammers. My clients might not have ethics, decency, limits or any sense of right and wrong, ...umm,...I've lost my train of thought.

    Those sending $49.95 will receive a full, detailed rebuttal to these scurrilous attacks against my clients. Or better yet, send your credit card number and we'll just bill you.

  • by quantax ( 12175 ) on Tuesday July 20, 2004 @01:48PM (#9751481) Homepage
    I am just curious cause I've been looking for something like this to explain to my parents, both of whom are self-described computer-stupid, and are in need of such knowledge due to some past issues. They're the type of people who might use the acronym CPU and mean a hard drive, if you know what I mean, when describing computer problems. Is this something I could give to them and they'd understand, or is this something I give to someone who's already has a technical understanding of computers?
  • by nebaz ( 453974 ) on Tuesday July 20, 2004 @01:49PM (#9751484)
    From the review
    Personally, I'm still not sure that I believe in file sharing. Just because something isn't tangible (it's music or it's words or it's code) doesn't mean someone didn't work hard for it and invest in it. But Biggs' illuminating discussion certainly made me see how the industry has mismanaged their very lifeblood. I may not be file sharing anytime soon, but I won't be part of the angry mob hunting down file sharers any longer.

    This suggests that the way to get this message out to people is more through media (books, maybe films?) than just whining about it amongst ourselves or trying to argue with people.

    On the other hand, the reviewer is specifically reading the book, looking for this information, rather than having it forced on him, so would seem to be more receptive.

    It's just too bad that the media is owned by so few people, all of whom have a vested interest in keeping things the way they are.
  • At least... (Score:3, Interesting)

    by causality ( 777677 ) on Tuesday July 20, 2004 @01:49PM (#9751487)
    At least works like this will help to increase the awareness that the fact that people could be out to screw you over does not disappear and give way to a fairy-tale world just because you go online. People who would feel insecure not locking their cars and their houses do some amazingly stupid things online because there's still this idea that Microsoft or the Web site (think online shopping) or their ISP will take care of all security matters for them. I hope the book sells well, as awareness in this area is sorely needed, plus it sounds entertaining.
  • It's funny, if you go to his site, do a select all and you'll see black on black text with the name: EditRegion1. That's a DreamWeaver template. Oh well, this is an uninteresting fact.
  • Not even a mention of satelite king Cap'n Crunch.
  • by Kjuib ( 584451 )
    Am I on? or maybe I have a whole chapter... but wait... I have to get caught before anyone knows enough about me to through me in a book.
  • by dcw3 ( 649211 ) on Tuesday July 20, 2004 @01:51PM (#9751518) Journal
    Okay, you've admitted that you're not technically competent, but now you're claiming that the book is providing you with "more than enough information about how to protect my vulnerable computer"??? How do YOU know? Just because you're paranoid (which is good in this case) doesn't make you competent enough to judge the merits of this text. On the other hand, it just might be a good one.
    • 90% (yes, I pulled that number out of my a**) of the problems are the result of social engineering. Opening the interesting email (or attachment), or clicking on the popup that promises to check your PC for spyware.

      A little education will go a long way toward nullifying those common types of attacks. Not having read the book, I assume it also tells people that there are technical measures that must also be employed (i.e. AV, firewall, etc.)

      • The social engineering is possible only because of whoever designed a system where opening an attachment to read it is able to run a program with full administrative privileges on the machine. Trying to teach users that some things are safe to open and others not is really the wrong approach. The system needs to make a much stronger distinction between safe operations and those which are really very dangerous (such as running a program sent to you). And the set of safe operations needs to be enough that
    • Should people go on the bases that their computers arn't protected? That way they might be motivated to install patches and updates instead of thinking "great! I have my anti-virus and my firewall, and a little bit of a clue what to watch out for in emails...I must be safe!"
      A false sense of security is no substitute for real security and real security is something you need to continually rethink...at least that's MHO.
  • uhhh (Score:2, Insightful)

    But what I lack in technical skills, I more than make up in apprehension about the darker aspects of the internet. What?
    • Re:uhhh (Score:5, Funny)

      by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Tuesday July 20, 2004 @02:09PM (#9751756) Homepage Journal

      What I lack in fighting skills, I more than make up for in fear of walking down the street.

      What I lack in investment banking skills, I more than make up for in fear of opening a savings account.

      What I lack in driving skills, I more than make up for in apprehension about driving on the road.

      This has got to be an all time low for Slashdot.... this guy basically started out by stating that he wasn't qualified to write the following review, but he did it anyway.... lovely. Does this mean if I review the next release of an Apple OS I can qualify it by saying I know almost nothing about Apple systems and Slashdot's editors will post it?

    • Re:uhhh (Score:3, Interesting)

      by theCat ( 36907 )
      Indeed. I've noticed a direct correlation between not understanding the Internet, and fearing it.

      Case in point: I knew an administrative assistant once who kept a towel draped over the front of her monitor when she wasn't using the computer so people connected elsewhere on the LAN couldn't watch her paint her nails on the job. This was around 1990 at a university, and they were just then pushing out the administrative network to departments. She didn't want LAN access when it first arrived. Kept pulling th
    • He has more of an intuitive understanding than a technical understanding about Internet wrongdoers.
  • Mom (Score:3, Funny)

    by eingram ( 633624 ) on Tuesday July 20, 2004 @01:55PM (#9751568)
    Be sure to send this book to your parents then send them here [strangecharm.net].

    My mom didn't find it that funny.. :)
  • by Prince Vegeta SSJ4 ( 718736 ) on Tuesday July 20, 2004 @01:56PM (#9751573)
    Black Hat: Misfits, Criminals, and Scammers in the Internet Age

    To summarize:

    • Misfits, Crinimals, and Scammers, Oh MY!
    • Misfits, Crinimals, and Scammers, Oh MY!
    Were off to see the Wizard, the wonderful Wizard of Wor [klov.com]

    Theres no place like 127.0.0.1

    Theres no place like 127.0.0.1


  • I've always found myself believing that "sharing" intellectual property was inherently wrong.

    Even if it is PART of their business model?
    as in shareware, radio, publicly displayed art, etc...
    Do you feel you owe an artist or his family a few dollars if you enjoy a statue or a painting?
    What about the architect when you enjoy a building or a park?
    • I was taught to share in preschool

      were you taught to cheat as well?
      • yep, that's where I learned that you lose things if you leave them laying around.
        That's also where I learned about singleton bullies and those that are able to bully through group negotiation (like RIAA).
        Only Gene Roddenberry could believe our future includes a public of such moral standing that they would refuse to pick money up off of the ground, or if they saw that the previous tenent left the cable line hot they'd refuse to watch it and the'd report it immediately so the cable company could start bill
  • <I>spend twenty dollars on a CD that may only have one or two good songs.</I>
    <P>Ah, good, this old chestnut. Guess what? Risk is part of life. The meal you buy may not be up to snuff, the album you buy may not be 100% excellent all the way through. Whoop-de-doo.
    <P>Also, that $20 is getting you 60+ minutes of music whereas 25 years ago more money (inflation, remember?) would get you a 35 minute LP.
    • ahhhh, but if the food is bad, I can send it back, where as it's very difficult to return a CD and get your money back.
  • by Donoho ( 788900 ) on Tuesday July 20, 2004 @02:15PM (#9751816) Homepage
    Personally, I'm still not sure that I believe in file sharing. Just because something isn't tangible (it's music or it's words or it's code) doesn't mean someone didn't work hard for it and invest in it.

    I believe the growth of intangibles in our society will require a cultural/corporate paradigm shift. As much as we'd like to believe otherwise, the amount of effort we exert is not the only factor which determines our effort's worth. Supply and Demand.

    The proliferation of books and music has traditionally be limited by access and the physical space they take up amongst your personal belongings (unless you go to your Library - Does anyone know if there have been similar historical issues with brick and mortar libraries?). The internet has become a digital library with no return date but, current laws make this illegal.

    Here's an idea... How about instead of creating wrapper technologies which block sharing songs, books, and code, all are freely available but wraped in technologies which allow for easy donation to the effort's creator? An encoder which integrates certificates and paypal. I got nothing against middle (wo)men... they can maintain the servers. I can't imagine that this doesn't exist somewhere already...
    • it's been shown, over and over, that the 'donation' system does not work with internet distribution.
    • Hard work doesn't necessitate a return on investment

      This just won't work. Maybe you should try out this system with your boss: give them your work for free, and make it easy for them to make donations to you. It is very reasonable to try and charge people for your work, even if it is intangible.

      There is a precedent with literature and art (in the past), one that much of science currently uses: grants. If these intangible works are in the public good, then the public should sponsor them. In Mexico, artis

  • But what I lack in technical skills, I more than make up in apprehension about the darker aspects of the internet

    Oh, well... in that case you're hired. Who needs technical skills if you're a certified fraidy cat?
  • by Ieshan ( 409693 ) <{moc.liamg} {ta} {nahsei}> on Tuesday July 20, 2004 @02:21PM (#9751887) Homepage Journal
    Perhaps this is a touch offtopic, but I think this is a very misunderstood attack strategy on the part of the RIAA and there are quite a few people who seem not to understand it. Not understanding things technical is the point of this thread. =) If I've misrepresented something, someone ought to tell me.

    The point of "attacking uploaders" is that people in a P2P network are essentially selfish. So long as they can get their own content, most parties in the network derive no benefit from uploading to others. People are much more likely to "stop uploading" than they are to "stop downloading" because of this. Instead of attacking people where it matters (Stop getting things for free!), the RIAA strategy works by cutting off the supply (Stop this annoying service that eats up your bandwith and doesn't provide you any benefit).

    The problem, of course, is that if *everyone* stops sharing, the P2P network ceases to exist, and if a large enough majority stops sharing, the network becomes bogged down by bandwith issues (because the only way to operate a truly efficient network is to have truly distributed bandwith).

    Essentially, the "Stop Uploading" attack has little to do with the fact that the RIAA places some sort of greater moral or legal weight on actually copying a file for someone else. Instead, it's a clever, underhanded way of attacking a P2P network designed to fly under the radar of most pseudo-techies operating nodes.
    • I think that if you look at copyright law, it is not illegal to receive an illegal copy of something. Copyright law makes it illegal to *distribute* copyrighted material.

      So the guy downloading a file isn't breaking the law - the guy uploading it is. Or at least they can make a much more clear-cut case in court that the uploader has broken the law.
      • See, this is what the RIAA wants you to think.

        Actually, it's illegal to knowingly recieve and use stolen goods or those taken by copyright infringement.

        In a server-client*n model, it's much more efficient just to ask the server to stop distributing content. In the (client/server)*n paradigm (like P2P), it's much more efficient to go after the downloader, since it's very difficult to get all those people to stop distributing, but it's very easy to prove that each downloader has been downloading illegal con
        • by Anonymous Coward
          It is my understanding that it is (or has been) perfectly legal (in the US) to copy songs or videos from the radio or TV for personal use. In fact I believe there are laws that explicitly permit this, and fees on various blank media that are transferred to copyright rights aggregators to theoretically reimburse artists for this activity. (If they actually get any significant money is a separate issue).

          If this is true, why should downloading be different? I am interested in both legal and philosophical info
  • PHP viruses (Score:4, Informative)

    by downbad ( 793562 ) on Tuesday July 20, 2004 @02:29PM (#9751965)
    "Second part to hell" wrote the "PHP Virus Writing Guide." [netlux.org]

    If you're interested in that stuff, I guess it might be worth checking out.

  • Old sayings (Score:4, Insightful)

    by HarveyBirdman ( 627248 ) on Tuesday July 20, 2004 @02:29PM (#9751966) Journal
    But what I lack in technical skills, I more than make up in apprehension about the darker aspects of the internet.

    Which is yet another way of saying people fear what they do not understand.

    I'm sorry. That was mean.

  • by weeboo0104 ( 644849 ) on Tuesday July 20, 2004 @02:47PM (#9752212) Journal
    In fact, I'll probably have to get someone to help me add in the tags necessary to convert this review to readable HTML.

    If you post your /. ID and password, I'd be happy to log in with your ID and add the HTML links to goats^c^c^c^c^c ... um, I mean the HTML to post your story.
  • No book on Black Hats would be complete without an interview with Fyodor [slashdot.org] in it.
  • Swordmaking?! (Score:2, Insightful)

    by aynrandfan ( 687181 )
    Biggs interviews the worm writer and delves into the world of programmers he likens to sword makers, steeped in art and tradition.

    Except that swordmaking takes skill and years of experience, as opposed to running a one-line script.

  • "John Bigg's new book Black Hat: Misfits, Criminals, and Scammers in the Internet Age is an entertaining and educational book that provides me with more than enough information about how to protect my vulnerable computer."

    Considering that you already said that you're not very technical, I fail to see how you are qualified to make this judgement.

    Hopefully the book makes the point that the only truly secure computer is one that is locked in a shielded vault without any internet connection (and some would sa
  • are scary then others. [dr4b.org]

  • When I read the title of this article, was anybody else thinking it was some sort of (evil) Red Hat fork?
    • When I read the title of this article, was anybody else thinking it was some sort of (evil) Red Hat fork?

      Maybe, what time did you read the title of the article?

  • Hooray (Score:2, Funny)

    by Rie Beam ( 632299 )

    "When I get an unexpected e-mail, I'm sure it's from some identity theft villain full of virtual lock picks just dying to snatch all my private information."

    Nonsense. Just decent, hard-working Nigerians who believe in the virtues of charity. Silly paranoids.

  • Misfits, Criminals, and Scammers

    There better be a whole chapter dedicated to SCO.

  • CV of reviewer? (Score:1, Interesting)

    by Anonymous Coward
    Doesn't it make sense for slashdot to at least post a biographical blurb of the reviewer?

    So at least we know some of the potential conflicts of interest or biases that the reviewer may have.

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...