Stealing the Network 141
| Stealing the Network: How to Own the Box | |
| author | Ryan Russell, Tim Mullen (Thor), FX, Dan Kaminsky, Joe Grand, Ken Pfeil, Ido Dubrawsky, Mark Burnett, and Paul Craig |
| pages | 328 |
| publisher | Syngress |
| rating | 8 |
| reviewer | Blaine Hilton |
| ISBN | 1931836876 |
| summary | An interesting fictionalized approach to hacking and other aspects of information security. |
I'm leery of books that are written by multiple authors because the writing style always seems to keep me off beat from jumping around, however in this book it works out well since the book is organized as a series of short stories. Each story describes somebody involved in information security -- either somebody trying to access a system, or a person trying to keep the bad guys out.
If you are looking for a step-by-step guide to locking down your computer and network, this is not the book for you. Instead, this book is more to help people who already have at least a basic understanding of information security to see from another perspective. Stealing the Network looks at other reasons why people can break in: everything from being told to go to industry conferences to not collecting access cards when an employee leaves the company. What this book left deepest in my mind is to trust nothing, and assume even less.
After the ten short stories of how hacking is really done, there is a nicely done appendix along with Ryan Russel's "Laws of Security," which finishes this fictionalized book in a very non-fictional way. The laws cover most of the problems with current IT infrastructure, but do not go in-depth with what I believe is the biggest security hole, the user. Many of the stories touch on this fact but that's about the extent of it. I believe this may be because there are not any easy solutions to human behavior. This book says it best with "people are lazy."
At 328 pages (in pretty large text), this is a great easy read, though the book would be better with a lower price tag. However if you work with or around computers and the Internet, this book is very enlightening, if not completely informative.
Table of Contents
- Acknowledgements
- Contributors
- Forward
- Chapters:
- Hide and Sneak
- The Worm Turns
- Just Another Day at the Office
- h3X's Adventures in Networkland
- The Thief No One Saw
- Flying the Friendly Skies
- dis-card
- Social (In)Security
- BabelNet
- The Art of Tracking
- Appendix - The Laws of Security
Most of the book's authors have websites you can hit for more information; follow these links to find more from Ryan Russell, Tim Mullen (Thor), FX, Dan Kaminsky, Joe Grand, Ken Pfeil, Ido Dubrawsky and Mark Burnett, as well as Jeff Moss (who wrote the forward).
You can purchase Stealing the Network from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Woo Hoo! (Score:5, Informative)
Re:Woo Hoo! (Score:4, Interesting)
Re:Woo Hoo! (Score:5, Informative)
If enough people care, I'll make them produce a HTML file or something.
Re:Woo Hoo! (Score:1)
Question: (Score:5, Funny)
Thank you.
Re:Question: (Score:5, Funny)
Re:Question: (Score:3, Funny)
Phew. And here I was starting to think that the movie "Hackers" lacked actual basis in reality. At least they got *that* part right.
So, exactly where is your gibson, and how do I get to h4x0ring it?
Re:Question: (Score:2)
Here you go. [grc.com] Ask him about his raw sockets.
Re:Question: (Score:1)
don't forget The Cuckoo's Egg (Score:2, Interesting)
Re:Woo Hoo! (Score:3, Interesting)
I'm interested in tech wr
Re:Woo Hoo! (Score:3, Interesting)
There are any number of details about how I perceive writing, what it's like to work with Syngress, etc... that I'd love to talk about.
I can see where writing procedures, where there is little or no opportunity to include any personality, would drive one insane. I have no formal training on writing, other than the classes they have you take in college. And I read a lot.
Re:Woo Hoo! (Score:2)
Even better. I'm sure most /.ers, who would be interested, have no formal training in writing either.
Looks like Mr. Russell has been hacked himself (Score:1, Interesting)
Wired Article [wired.com]
You can also see the contents of his home dir and some of the "sites" he likes to visit:
Ryan Russell's home dir [efnet.ru]
Not quite a security expert, I would say....
Re:Looks like Mr. Russell has been hacked himself (Score:2)
Yep, the company that hosts the website that hasn't been updated in 3 years for $20/month was compromised. Is that supposed to reflect on me in some way?
In a way, the attention is flattering.
Re:Looks like Mr. Russell has been hacked himself (Score:1, Insightful)
Yes, in fact, it does. This is something that has obviously eluded you. You claim to be a security "expert", but you can't even keep hackers out of your own box. Very simple, you claim to be something that you are not.
And, gee, don't you send all your emails from @thievco.com? Isn't your own email worth protecting? Hardly some "crap" stored on some canadian ISP. Wouldn't mr. security expert take care to secure his own private emails?
Also, why do you write th
Re:Looks like Mr. Russell has been hacked himself (Score:2)
AFAIK, there have never been hackers in my own boxes, just those belonging to other people, like the hosting box in question. There is a reason that nothing important was on that box when it was compromised. Frankly, I expected it to be compromised long before. It wasn't even defaced, I w
Re:Looks like Mr. Russell has been hacked himself (Score:1, Insightful)
If having a box compromised means that person isn't an expert, then there are no experts.
Its not just that. You don't know anything. Look in your own damn Slashdot journal [slashdot.org]. You don't even know how to code in C!!!!! Maybe you should start with html, then graduate to something more on your skill level.
that nothing important was on that box when it was com
Phaeton Sez (Score:1)
There was a time where i (on a friend's 486) used to enjoy some $KrYp+ KiDDI3 Mischief at Hotelchat.com.
I wanted more.
So i started reading books about hax0rz. I read:
John Markoff's "Cyberpunk" (talks about the Morris Worm, Mitnick and one other less known)
Clifford Stoll's "The Cuckoo's Egg" (Ironically, i just recommended this to someone last night!)
Tsusomi Shimomira's(sp?) "Taked
Sample Chapter (Score:3, Informative)
Re:Woo Hoo! (Score:4, Insightful)
Re:Woo Hoo! (Score:2)
Re:Woo Hoo! (Score:2)
Re:Woo Hoo! (Score:1, Funny)
Dude.. I don't want to hear the word "wife" and "mom" in the same sentence depicting oral sex. You twisted fuck...
Re:Your Website (Score:2, Offtopic)
Seriously, yes my website is pathetic. At the time, I had planned to spend some free time doing some research, and post the results there. Instead, I started the vuln-dev mailing list, and my time went there. One of these days, I'll pull thievco.com onto my home network (it's on a $20/mo hosting service) and make a blog thing out of it.
Stealing the network (Score:4, Funny)
Re:Stealing the network (Score:3, Funny)
Short Review? (Score:1, Insightful)
Re:Short Review? (Score:1, Insightful)
Now I do, and I'm better off for it.
I don't go browsing through Amazon looking for reviews to read.
Learning through fiction (Score:5, Interesting)
Re:Learning through fiction (Score:3, Informative)
Another novel about software engineering is The Deadline: A Novel About Project Management [amazon.com] by Tom De Marco, author of the classic text, Peopleware. As the title indicates, it's a novel that not-so-subtly illustrates certain points about project management. I
Re:Learning through fiction (Score:2)
The obvious setting for my first fiction attempt is the information security field that I'm involved in. Well, that and hacker stuff is probably one of the few things you could
Re:Learning through fiction (Score:2)
This is why I reccomend the BOFH series to new system administrators. You can just laugh, or you can think about privacy violations, user abuse etcetera. Like Dilbert for the corporate world, but less whiny.
I like the idea of using fiction to teach, but so often it just ends up being smarmy. I'd like to try it myself, but balancing an agenda with the demands of a good story is hard. Just ask Goofus & Gallant.
I'll look for the book, and the publisher Syngr
Re:Learning through fiction (Score:2)
But honestly, I recently read Kim Stanley Robinsons' Mars Trilogy (Red Mars, Blue Mars, Green Mars). As a result, I feel like I know a fairly good chunk about current martian geography, theories on various teraforming techniques, and about as much on the most likely ca
Re:Learning through fiction (Score:2)
Great, thanks! (Score:5, Informative)
Re:Great, thanks! (Score:1)
For the folks writing these "summaries" and calling them "reviews": how about at least superficially delving into criticism/praise for the book? I'm not asking for in-depth information, but at least a little more than this offers.
There was this guy.. (Score:4, Funny)
People inherently remember stories and songs much better than bare facts.
Re:There was this guy.. (Score:1)
ObSimpsons (Score:2)
Marge, you remember, he drove that blue car?!?!
Re:There was this guy.. (Score:2)
What would have happened? The patent would have expired 14 years later, that's what (28 years if he bothered to renew it). Net effect on society: probably about zero, because technology didn't spread very quickly.
Gutenberg invented the moveable type press in 1455. The first printing press didn't appear in England until 1476,
Copyright != Patents (Score:5, Informative)
What would have happened? The patent would have expired 14 years later, that's what (28 years if he bothered to renew it). Net effect on society: probably about zero, because technology didn't spread very quickly.
If you are going to defend the current system of government monopoly entitlements, you should at least learn to differentiate between copyright law and patent law. While the two do bear similiarities in their stifling of human creativity and economic endeavor, they are not the same, and their consiquences, while often similiar, are not the same. Certainly the duration of their respective monopolies are not at all similiar. Patent law grants monopoly entitlements for 20 years on human knowledge. Copyrights grant monopoly entitlements for 95 years, or life plus 75 years, on human expression and information.
In your comment above, you are confusing copyright law (as it was implimented in the United States after the revolutionary war, with its 14 year expiration + optionally an additional 14 years) with patent law (which had a 17 year expiration and now has a 20 year expiration, in the US, but was in other jurisdiction granted for much longer
Copyright in England was perpetual in its initial incarnation, and offered publishers only exclusive rights
What would have happened is that the printing press would have spread much more slowly during its initial 'craze', giving governments and the Church more lead time in devising effective methods of censorship. Things like the reformation might never have happened in such an environment, where 20 years could have been the difference from a disruptive technology allowing exposure of a new idea ("let's all read and interpret the Bible for ourselves, rather than being spoonfed our opinions from Rome") and an emerging technology so controlled as to be reduced to a tool of the entrenched power ologopolies (sound familiar? It should: that is how everything from the telephone and radio to television and aerospace work today. The Internet was a surprising phenomenon
It is difficult to know with certainty what chilling effect a 20 year patent (or a patent in perpetuity, as was the norm at the time patents were first being offered as Royal rewards for innovation, often to those who had brought the innovation to the crown and not to those who actually did the innovating and inventing
Which really should give one pause. How many similiar, much needed changes and reforms have been quelled by slowing down and ultimately suppressing emerging technologies. What is it that threatens free software and the internet more than anything else? You guessed it, copyright law on the one side as wielded by the media cartels, and patent l
Amazon (Score:5, Informative)
I'm always wary of amazon reviews anyhow though, half the time their anonymous and most likely the publishers, authors, and editors. With my lack of trust does that mean I'm as knowledgeable as I would be from reading the book ?
Parody time. (Score:3, Funny)
Where to buy (Score:2, Informative)
Or from Amazon
Insert secret Slash affilate number here [amazon.com]
very good (Score:5, Informative)
The stories were all well written, covered a varied amount of subjects and were not heavily technical.
Hope to see more books take this different angle, the only one that seemed to be written the same style recently was Art of deception.
Re:very good (Score:3, Informative)
I read the first chapter at Barnes & Noble... (Score:5, Informative)
The reviewer is quite correct - this book is different from most normal security books. Instead of "here's the attack, here's how to defend", it is a collection of fictional stories. Since I only read the first one, I can't comment on the rest of them, but the first was enough to make me want to read the rest.
Needless to say, when I got home that night, I ordered it. Since then, I've been like Calvin waiting for his red beanie - every evening I come home and it's not there... but the next day I am psyched that it will be! (It should be arriving today! I am quite anxious to read the rest.)
My recommendation is that you check it out if you get a chance.
Re:I read the first chapter at Barnes & Noble. (Score:2)
Re:I read the first chapter at Barnes & Noble. (Score:2)
I asked a B&N employee about in-store vs. on-line pricing once. They're fully aware that the on-line pricing is cheaper (often much less if the book falls into the "text book" category), and they don't seem to have a problem with you browsing in the store and then ordering on-line.
Or maybe that was just the employee's personal opinion, you know, less work for her.
Logical evolution (Score:1)
Computer Security Quote (Score:3, Funny)
- Don't buy a computer.
- If you do buy a computer, don't turn it on.
Thanks.Re:Computer Security Quote (Score:1)
Re:Computer Security Quote (Score:2)
The laws of security: (Score:5, Funny)
2) Don't use anything that Microsoft got near, even if the interaction was nothing more than an underling squinting at it over his morning coffee - It might be tainted, don't risk it.
3) The nice thing about being a security consultant is that if the customers knew enough to judge your work, they wouldn't need you in the first place.
4) "Security Consultant" is a important-sounding title that carries very little real responsibility.
5) It doesn't matter how good your security is, some manager will give out his password to his wife/kids/secretary/dog, and data _will_ be lost. Don't wait for it to happen, back up the data _now_.
Fiction as technical (Score:3, Funny)
It just doesn't work for me.
Re:Fiction as technical (Score:1)
Re:Fiction as technical (Score:2)
--Dan
reminds me of... (Score:4, Informative)
Does it ring a bell?
Re:reminds me of... (Score:5, Informative)
Might you be thinking of Cuckoo's Egg [amazon.com] by chance?
The story of how an admin caught an intruder.
--
yes it is... (Score:1)
Re:yes it is... (Score:5, Funny)
Sweet Jesus! That's like improving your health through heroin.
Re:yes it is... (Score:2)
Re:yes it is... (Score:2)
Sweet Jesus! That's like improving your health through heroin.
Of course! What else do you expect from addicts?
Re:yes it is... (Score:2)
Well, if you're looking for weight loss......not as fucking boring as Jared's Dead Horse.
Re:yes it is... (Score:2)
--
Re:reminds me of... (Score:3, Insightful)
Re:reminds me of... (Score:2)
Re:reminds me of... (Score:2)
Re:reminds me of... (Score:1, Informative)
Re:reminds me of... (Score:1, Informative)
Very good book (if a little dated)
Re:reminds me of... (Score:1)
Great Pedagogical Technique, this (Score:4, Insightful)
Remember Aesop's Fables? They weren't meant primarily to entertain, but to teach a moral lesson. The same with the little incidental stories we tell each other daily about, for example, how so-and-so got fired because he was surfing porn on the company network. The entertainment value is incidental.
Given that bodies of knowledge, IT and otherwise, are multiplying so rapidly, it seems like the only way to get a reasonable handle on it as a society is to create these kinds of stories to put it in context.
Great work, guys.
Personally, I like the idea... (Score:3, Insightful)
Other than spending a large chunk of time Googling for news stories, there's not a lot of real and readily accessible information out there about the serious consequences of a lame security approach. Nor is there a pile of information that comes in an easy to understand form that upper management can grasp. Trying to explain the technical aspects will only make their eyes glaze over, and appealing to their sense of security is more often than not perceived as questioning the morality of staff.
Anecdotal "tales" such as this, may actually help the technologically adverse see the nightmare scenarios that many of us admins lose significant sleep over, and can do so in a way that makes them understand that even the best intentions can go horribly awry.
Our Thoughts Writing STN (Score:5, Interesting)
Stealing the Network is a relatively unique book. Remember Swordfish? Remember Antitrust? Wish there was a cheap procedure to repair that psychic damage? Because that's what got me involved. Syngress was as tired of the hype as we were. Spindly kids playing with 3D modelers to make worms was not reality. Syngress had a basic request: Show us what really happens. Make it interesting, tell a story, but at the end of the day, take the gloves off.
Most of us had worked with Syngress before -- we'd done Hack Proofing Your Network [amazon.com] for them, which was actually pretty well received. It was a strange experience, travelling half-way round the world to Black Hat Asia and seeing my Defcon talk on sale in a Singaporean bookstore
We've actually put together a surprisingly good package. Everything from dumpster diving to printer abuse to some of the first real documentation of my personal scanrand techniques shows up. If there's interest, I'll put together a summary of some of the cooler things in here. And of course, if there's any questions, bug me here or in email
Yours Truly,
Dan Kaminsky
Brilliant (Score:5, Funny)
Wow. This could spawn a whole genre of books. We could call it "Science Fiction".
Re:Brilliant (Score:2)
Re:Brilliant (Score:2)
Man, that sounds great! We could write about the effects of weightlessness on braless women.
Highlights from STN (Score:4, Informative)
Thought it'd be fun to talk about some of the more interesting material we put together throughout the book:
--HTTP-only access to the outside world doesn't actually pose much of a barrier...httptunnel (the original web service) may not be as mindbending as IP-over-DNS or mailtunnel, but damned if it doesn't punch ssh sessions bidirectionally through web proxies
--Worm analysis. Guys, Code Red and Nimda were astonishingly successful; there's not-so-idle speculation that Nimda was a test run from a foreign intelligence service. One of my good friends did almost nothing for a year but manage Nimda recovery. Just because it left the press doesn't mean it left the network. Reverse Engineering is never trivial (unless you're Halvar Flake and dream in x86); throw extreme time sensitivity, malicious design, and financial implications and you get an idea of the world virus fighters and worm smashers have to face. Kudos to Tim Mullen and Ryan Russell for their nuts-and-bolts breakdown of this process.
--Joe Grand. Software-based RF Analyzer. Pre-GSM/GPRS Blackberry transmissions. Mobitex.exe. And if that wasn't enough, "Creating a fake gelatin finger to bypass a biometric fingerprint sensor.", complete with photographs.
--Ah, FX. Leave the poor Cisco alone, man
--Security and Functionality tend to play in opposition...as Paul Craig points out, maybe those step-by-step guides to getting through the VPN shouldn't show up on Google
--WiFi. Dead horse. But it's nice to see it anyway.
--Password cracking by calling up administrators and listening to them type in their password -- nice, Mark. I'd like to see some of the stats code to manage that. Also good to see Windows Proxy Autodetection getting some misexposure.
--Auditors are given lots of leeway. No, let Ken Pfiel clarify...those who claim to be auditors are given lots of leeway.
--OK, I'm a protocol geek. For a good time, switch to root and type:
"tcpdump -w - -s65535 | strings --bytes-8"
If it's ugly, it's SMB. If it's scary, you're probably at Network Interop, where there's 220 access points and you're sniffing across all of them.
--Scanrand docs! Portscan detection on switched networks by watching the router spew an ARP storm! "If your SMTP server has teleported 15 hops closer than the rest of your host, perhaps it's being hijacked by your hotel." And more NAT games.
--Collaborating on tracking down an attacker, while the attacker can read your email...fun.
We've had some fun, to say the least.
Yours Truly,
Dan Kaminsky
WTF? $50 for a paperback fiction? (Score:2)
On amazon.com, it has a list price of $50, discounted to $35. Barnes & Noble has it for $40.
It was tough for me to pay $7 for "Takedown" at the used book store (it's out of print now). $35 is out of my price.
Re:WTF? $50 for a paperback fiction? (Score:3, Informative)
Syngress books tend to be priced a bit higher than some of the competition. They seem to be happy doing a little less volume at a little more margin. They're also a small publisher, so they don't neccessarily have the same economics of scale or influence that a big publisher does.
The whole book industry is interesting, from what relatively little I know about it.
Read it through today ... (Score:2, Insightful)
Re:fp! (Score:5, Funny)
Re:Are you taking this chance to whore your balls (Score:3, Funny)