Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews

Stealing the Network: How to Own an Identity 99

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review.
Stealing the Network: How to Own an Identity
author Raven Alder, Jay Beale, Riley "Caezar" Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker, Timothy Mullen, Johnny Long
pages 336
publisher Syngress
rating 6
reviewer Scott Pinzon
ISBN 1597490067
summary Fiction that teaches about network security


Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong. (My recent favorite is Jeffrey Deaver's jargon-in-a-blender paragraphs in The Blue Nowhere, where a computer expert can't break a hacker's defenses because "I can't decrypt his firewall!") But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

And these authors do have impeccable Internet security cred. Many of them are stars circling the firmament of Black Hat and Defcon; senior penetration testers; former consultants to No Such Agency; authors of popular books on security; and so on.

Thus, STN: Identity describes attacks with accuracy and depth. The light veneer of fiction gives the networking tips real-world context. (On this point, I agree with Blain Hilton, who reviewed the first STN volume for Slashdot.) Sure, you've heard of all kinds of hacker tools, but do you know exactly when an attacker would use, say, Metasploit Framework, and not Knoppix? Chris Hurley's chapter, "Saul on the Run," stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information.

Another stand-out chapter is Johnny "Google Hacker" Long's "Death by a Thousand Cuts." This rambling episode follows, in part, a forensic cop's efforts to make a disc image of an iPod found at a crime scene. The trouble is, Apple's drivers spring into action whenever the iPod senses it has connected to a computer. If the driver activity changes anything in the iPod, all evidence on it will be inadmissible in court. In unraveling this challenge, STN became so fascinating, I couldn't put it down. Which made showering awkward.

Brian Hatch's chapter, "Bl@ckTo\/\/3r," stood out to me, also, but for the opposite reason: almost all of it went over my head. I thought I had accepted Unix into my heart, but I'm not disciple enough to keep up with Hatch's treatise on X11. Where I thought Hatch was talking only to himself, I had a more senior network security expert read the chapter, and he considered it well written. YMMV.

Other chapters cover basic crypto and code-breaking; how to forge cards that will fool magnetic stripe readers; the dark side of biometric authentication; uses of a Faraday cage; making a QWERTY keyboard type Dvorak letters, and just lots and lots of good undergroundy badness. The technical lessons hold tightly to the stated theme of identity theft. Any network administrator could learn a lot about the enemy's techniques from this volume; and, because of the story-driven format, probably even remember them.

But I've been dodging my opening question: does the fiction part work? Before I answer, I should mention that I've written a lot of fiction. I've had four books of fiction and 60 short stories published, and studied under the editor who removed 500 pages from Stephen King's The Stand. I'm not saying I'm good at writing fiction; I'm just saying I respect the craft. So, can STNs authors write fiction? No. No, they cannot.

STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality. In Chapter 8, where college students decide to 0wn Hushmail's DNS servers for a man-in-the-middle attack, they work 36 hours straight without a smart remark, a crabby comeback, or, really, any dialog except ad hoc lectures on network architecture. Fiction-wise, it's as if Nancy Drew or the Hardy Boys tried hacking. And a couple of the chapters go so far past "wordy" that they're almost the verbal equivalent of running in place. If you're in a hurry to get to the technical meat [Jedi hand wave], these are not the authors you want. With that said, I admit that some of the chapters clamber all the way up to "adequate." But remember, fiction that teaches is hard for anyone to pull off.

Maybe none of that matters. Is anyone looking for deathless prose when picking up a book subtitled "How to Own an Identity"? Nah. What matters is, the various authors lay down some seriously tricky attacks. If you are more geek than lit critic, the coolness factor is off the charts. If you like to spend your time reading and thinking about network security and hacking, this is for you. And if you still buy into the "romance" of hacker shenanigans, STN can be your little Defcon-away-from-Defcon.

So is this wildly uneven book worth the price? For fiction lovers, no. For white hat security aficionados, yes. For black hat security aficionados, buying it will be the last purchase you make on your own credit card -- so hell yes. #

Full disclosure: I am not personal friends with any of the authors, but I've interviewed a few of them, including the book's technical editor, Timothy Mullen, for my day job. I may also suffer from envy that my own attempts to fictionalize network security have been ignored by most of the world except German Tom's Hardware.


Scott Pinzon, CISSP, is Editor-in-Chief for WatchGuard's LiveSecurity Service, and writes about network security on the free RSS news feed WatchGuard Wire. You can purchase Stealing the Network: How to Own an Identity from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Stealing the Network: How to Own an Identity

Comments Filter:
  • Khaaaaan! (Score:4, Funny)

    by Rosco P. Coltrane ( 209368 ) on Thursday July 28, 2005 @05:02PM (#13190374)
    STN: Identity

    Is that a new Star Trek movie I didn't know about?
    • Heh, sound more like one of those godawful CSI: Miami type things. Does everything take place in a moody halflight with people wearing UV specs?

      Really, I have no idea how they solve any crimes on those things. If they dropped their pen they wouldn't be able to find it in the murk that is the office lighting, never mind finding microscopic fibres or flecks of blood/paint.
    • You forgot the obligatory link:

      Khaaan [khaaan.com]
  • Birth Certificate (Score:3, Interesting)

    by saskboy ( 600063 ) on Thursday July 28, 2005 @05:04PM (#13190388) Homepage Journal
    "'Saul on the Run,' stands out in this regard, showing how a black hatter uses social engineering and numerous tools to get a valid birth certificate for someone else, and exactly how an attacker can intrude on a secured wireless residential network to explore private information. "

    I think comprimising someone's birth certificate, and thus all government issued documents is a bit more serious than cracking a home network.
  • Copyright (Score:3, Funny)

    by Rosco P. Coltrane ( 209368 ) on Thursday July 28, 2005 @05:08PM (#13190416)
    STN: Identity reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement"

    I gather the book was made by copy/pasting Slashdot posts then? Tssk tssk, plagiarism, not good that...
  • by Anonymous Coward on Thursday July 28, 2005 @05:12PM (#13190451)
    Mr. Pinzon

    I'm writing to ask for your advice since you seem to know about stealing. I was recently at a friends house, and he showed me his new Linux. It had a lot of interesting "features" like windows and firefox and tcpip. He even showed me dirty pictures with it.

    My friend told me that he downloaded his Linux for free! He even showed me the web site. I think it was linuxtorrent.com. I freaked out! He's stealing form Linux! He told me that it was OK and that Linux is free, but I didn't believe him.

    What should I do? My friend is stealing from Linux. A lot of people worked very hard to make Linux, and he's taking it without even saying thanks. I want him to stop, but I don't want him to go to jail!
  • And you'll own it. No really.
  • It's actually all written by one person, but you don't find that out til the last chapter.
  • How about... (Score:2, Interesting)

    by JeiFuRi ( 888436 )
    if the glass was in the forest and no one was there to see it, would it be half anything?
  • by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Thursday July 28, 2005 @05:24PM (#13190537) Homepage
    Slashdotters have a distinguished history of calling b.s. on fiction authors who get technical details wrong.

    Shashdotters call b.s. on anything because they like to do this! They are natural born devil's advocates and kill-joys who look for the flaws in things. And it makes them happy, if not on the outside then deep on the geeky inside.

    But what happens when the problem is reversed? Can authors with awesome technical credentials, but little literary background, teach by using story?

    The same thing would happen. Slashdotters are nitpickers because they can be. Slashdotters, while a majority of them are tech heads, are not limited to tech heads. Nerd and geeks take many forms, including literary geeks. Enough of them exist in the slashdot base to properly rend a poorly written and poorly thought-out story to quivering shreds.
    • "Shashdotters call b.s. on anything because they like to do this! They are natural born devil's advocates and kill-joys who look for the flaws in things. And it makes them happy, if not on the outside then deep on the geeky inside."

      I call B.S. Let me be the devil's advocate and put to you that you're nitpicking on Slashdotters' habits.
    • Shashdotters call b.s. on anything because they like to do this! They are natural born devil's advocates and kill-joys who look for the flaws in things.

      Facts:

      1. Slashdotters are mammals.
      2. Slashdotters call b.s. ALL the time.
      3. The purpose of Slashdotters is to flip out and look for flaws in things.

      These guys are so crazy and awesome that they flip out ALL the time. I heard that there was this Slashdotter who was eating at a diner. And when some dude dropped a spoon the Slashdotter kill-joyed the whole to

  • I know eff all about computer security over and above what I need to lock down my own computers - and I have no doubt I could do a better job of that. I really think fiction is one of the best ways to teach while you entertain. Despite myself I have picked up a large amount of history from reading the Richard Sharpe novels by Bernard Cornwall.
  • by Anonymous Coward on Thursday July 28, 2005 @05:33PM (#13190591)
    1. Get born.
    2. Get issued a state sanctioned Identification Number.
    3. Get a job
    4. Profit.
  • by aquabat ( 724032 ) on Thursday July 28, 2005 @05:44PM (#13190644) Journal
    Ajygannfw cy-o bry yday dape yr mat. a "PYF t.fxrape yfl. Ekrpat n.yy.pov

    Cb Qw frg hgoy dak. yr mat. ogp. yday yd. _QtxNafrcgy_ rlycrb cb yd. t.fxrape o.jycrb co o.y yr _ekrpat_ cboy.ae ru _go_ rp ,day.k.pv

    Ru jrgpo.w p.an daq0po ap. jrmmabe ncb. go.pow or frg ,aby yr go. _nraet.fo ekrpat_ cboy.aewv C dak. ydco cb mf i.byrr oyapygl ojpclyov

    Yd. ucpoy ydcbi C gogannf er ,d.b C i.y a b., t.fxrape co yr lrl ruu ann yd. jalo abe p.appabi. yd.m cb Ekrpat nafrgyv Rbj. C dak. yd. t.fo o.y gl pcidyw C jab rbj. aiacb nrrt ay mf ucbi.po ,dcne C yfl.v d.d.v

    Cy-o dape x.cbi or 1337v

    • Whoops! forgot to escape the angle brackets. Preview pane doesn't help much in this case.
    • "Actually, it's not that hard to make A QRTY keyboard type Dvoark letters,

      In X, you just have to make sure that the "XkbLayoiut" option in the keyoard section is set to "dvorak" instead,. I have this in my gentoo startup scripts.

      The first thing I usually do when I get a new keyboard is to pop off all the caps and rearrange them in Dvorak layout. Once I have the keys set up right, I can once again look at my fingers whild I type. hehe.

      It's hard being so 1337."

      Daymn, you're so 13373 you don't even need to use
    • Translation:

      Actually, it's not that hard to make a QRTY keyboard type Dvorak letters.

      In X, you just have to make sure that the "XkbLayoiut" option in the keyboard section is set to "dvorak" instead of "us" or whatever.

      Of course, real hax0rs are command line users, so you want to use "loadkeys dvorak" instead,. I have this in my gentoo startup scripts.

      The first thing I usually do when I get a new keyboard is to pop off all the caps and rearrange them in Dvorak layout. Once I have the keys set up r

    • If you want to translate Dvorak to/from Qwerty, go snag this decrypt script [hackinglinuxexposed.com] I wrote a long time ago. It's NOT what was used for the chapter. (You'd know why if you read the chapter.)

      The quick way to switch your actual keyboard is to use setxkbmap, or loadkeys, but if then you'd need to type in all the comments here to have them translate. This script would work as a filter, which is more convienient.

      Also, if you want to switch back and forth, or are on an old system that doesn't have alternate keyboar

  • No wonder this guy's so crafty, he used to get kids out of trouble with flash pots and prayer. [alibris.com]
  • by Quirk ( 36086 ) on Thursday July 28, 2005 @05:46PM (#13190656) Homepage Journal
    Fiction from the deepest past to the present has always had a moral message. It could be said the purpose of fiction is to preach.

    What is the moral being propagated in this work? None? Is it just a wapper for tech knowledge? Then why read it? Most geeks just want the facts. As the reviewer points out /. ers do well at calling bs. Why read poorly crafted fiction when the tech details are readily at hand?

    • cause they're fucking boring!
    • Fiction can make fact more easily understood, and hence can serve a useful purpose. Example: those silly mnemonics one is learns in order to recall various sequences.
    • What the authors are trying to preach in this series are techniques that are used by the "bad guys" so that the "good guys" can learn from them.

      I don't want a military bomb expert who couldn't figure out how to build a bomb (albeit a lame one) with some nails, some glass bottles, Clorox, and a bottle of ammonia. Similarly, I feel a hell of a lot better as a network administrator (unpaid -- grumble) knowing how to compromise a system when it comes to securing the damned thing.

    • Right. Take for example, Stephen King. The moral is, don't burn your fingers on the meteorite, and then stick them in your mouth.

      (Note: I am in no way attempting to equate my fiction abilities with those of Stephen King.)
    • by daniel_mcl ( 77919 ) on Thursday July 28, 2005 @10:08PM (#13191997)
      With the exception of Aesop's Fables and medieval morality plays, most good pieces of fiction are not generally built around a single "moral." There are themes throughout a work, but usually a serious author does not write a story for the express purpose of advancing a message. Upton Sinclair felt strongly enough about this that he prefaced The Jungle by saying that unlike actual literature, his book was written for the purpose of conveying a message.

      I haven't read this book and I likely won't; it sounds too much like a the computer-crime version of a Tom Clancy or Stephen King novel. There are probably several flaws in it, but the reasons you cite would rule out e.g. Thomas Pynchon's Entropy, one of the classics of modern American literature.
      • I read Pynchon's book ,Gravity's Rainbow, in highschool, and, while I was impressed by his genius, I just didn't like his style. Because of my experience with Gravity's Rainbow I've, unfortunately, not read Entropy. Accordingly I can't directly respond to your point.

        Admittedly, themes run through great works, and, you're quite right about Aesop's Fables and the passion plays. I would add that the works of the Troubadours and Trouvères also have much to do with the making of The Western Canon [amazon.com].

        My point

    • Actually, the purpose of fiction and all story-telling in general is -not- to preach, but to tell a story. Any stories that are written on the basis of "trying to get a point across" are almost invariably sub-par and loathsome to tackle. Good authors know this, and tell stories rather than weave morals.
  • by Randseed ( 132501 ) on Thursday July 28, 2005 @06:20PM (#13190907)
    STN: How To Own A Continent was good, I thought. Rarely do I pick up a book over coffee in a bookstore, and not only wind up buying the thing for $25 or whatever it was, but read the thing non-stop (except for work) from start to finish in two days.

    The STN series is unique in that it focuses on technical details. Some of the fiction itself might be lacking in form, but the reality is that this is not what the authors are really trying to do. They're trying to educate about various techniques in an entertaining way, and in that department I think they do a pretty good job.

    One of the criticism about STN: How To Own A Continent that I had, though, was that there didn't seem to be enough technical details. I'd much rather read a book like this and have it go over my head than be able to understand everything without much thought. From this review, it looks like they might have addressed this in STN: How To Steal an Identity.

    Most likely, I'll be ducking into a bookstore to buy this thing.

    • Cool, I'm glad you liked it.

      To give you fair warning, I don't think you'll find the tech level in this one any different from Continent. I think it's quite relative to the reader, and the reviewer's comments reflect his impression.

      Having said that, I would of course love to have you thumb through it in a bookstore, and decide yourself. I expect you will be abe to find it on store shelves in a few weeks. The first printing just finished this week, and so far the only place you could have purchased it is a
  • Badly edited. (Score:5, Insightful)

    by techno-vampire ( 666512 ) on Thursday July 28, 2005 @06:54PM (#13191101) Homepage
    STN: Identityf reads like a catalog of beginning-fiction-writer mistakes, from misspellings and homophones (from Chapter 5: "He called me a Windows administrator, and it wasn't a complement") to characters with no feelings or personality.

    The beginning mistakes listed here, except for lack of characterization, could all have been fixed if the book had been run past a competant editor. Just using a spelling checker and (maybe) a grammer checker isn't enough. You need to make sure the words are the right words, and a computer just can't do that. Blame the publishers for that, not the authors.

    • To a certain extent. But don't forget the authors WROTE the damn thing. At a very basic level all the mistakes are theirs.
      • Yes, the authors made the mistakes. But it's still the editor's responsibility to catch them and correct them. We're all only human, and an occasional one slips by, but there shouldn't be that many. If there are enough that the reviewer thinks it worth mentioning, the editors didn't do their jobs properly.
    • It's not the author's fault when he or she makes an error that neither the computer nor the publisher catch? Might as well say that there's no need for an author to have any command of spelling or grammar whatsoever because someone else will check it for them.
      • The author is, of course, responsible for correcting as many mistakes as possible. Part of the editor's job is to catch those that got past the author, and those that were missed because of ignorance. The author can consistantly misuse "their," "there" and "they're," but with a good editor, the audience will never know.
    • if the book had been run past a competant editor. Just using a spelling checker and (maybe) a grammer checker isn't enough.
  • by dbhankins ( 688931 ) on Thursday July 28, 2005 @07:04PM (#13191152)
    I don't think this will be worth picking up.

    After all, how can the authors be truly 1337 if they can't even spell pwn?
  • by Master of Transhuman ( 597628 ) on Thursday July 28, 2005 @08:46PM (#13191633) Homepage
    for his identity to be stolen?

    So he sold it on eBay.

    New procedure:
    1) Get born.
    2) Grow up.
    3) Get official documents proving^H^H^H^H^H^H^Hallowing you to exist.
    4) Sell existence on eBay.
    5) PROFIT!!!
  • the author of this and a few other books will be doing a book signing at defcon 13 in las vegas tomorrow, friday the 29th at 15:00 cya at the con....
  • by Anonymous Coward
    Well, almost fiction I suppose. A weekly read of mine is SecurityMonkey's stories [ittoolbox.com], and I nearly pee myself waiting for the next installment.

    Rumor: he apparently has a book deal in the works. I'm going to pre-order on Amazon!!!
  • I read the same book and he can't even manage to spell the word "Steganography". He spells it "StenaNography". Of course if you Google the latter you'll get hits, but that, as this guy [blogspot.com] will attest, is Deaver's fault...
  • Is it just me, or should Slashdot only review books that are in print and available for purchase. The link to by it from Barnes and Noble says that the book isn't available yet. Amazon says it is available in August. Not a good way for Slashdot to make money off the purchase if you can't purchase it.

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...