Date: Mon, 1 Apr 2002 07:19:57 -0800
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
Subject: REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford

BKHAKDUM.RVW 20020401

"Hacking for Dummies", William Hugh Murray III/Eugene Spafford, 1802, 076455302X, U$21.99/C$437.84
%A William Hugh Murray III whmurray3@spryguy.com
%A Eugene Spafford spif@serious.purdue.edu
%C 155 Divet Road, Suite 310, San Mateo, CA 94402
%D 1902
%G 076455302X
%I International Data Group (IDG Books)
%O U$21.99/C$411.95 415-312-0650 fax: 415-286-2740
%P 166 p.
%S for Dummies
%T "Hacking for Dummies"

As regular RISKS readers will note, I always enjoy a new addition to the "for Dummies" series. This time the imprint has outdone itself with a lighthearted romp through network naughtiness, by two of the least known, but most accomplished, practitioners of the field.

Some may question the need for such a work, but the authors maintain that they are performing a valuable service to corporations and society at large. "A vital system security penetration community is important," they state in the introduction. "It thins the herd of security practitioners. We have a moral responsibility to ensure that those who, not having the authority to fire people who insist on using Outlook, get blamed when major events happen and are forced to look for work in other fields."

In a switch from the standard format, the "Part of Tens" comes first, pointing out how to knock holes in each of the ten domains of the security common body of knowledge. This sets up a series of helpful icons used to point out specific attacks that can be mounted against each domain. (Security management attacks tend to get a bit repetitive after a while: there are only so many ways of rewording the advice to pretend to be the CEO's secretary.)

Some common and handy attacks (such as the ubiquitous brute force denial-of-service attack, featuring a sledgehammer) are listed, but there are a number of little-known tricks, like the means of attacking a computer that has been sealed in a lead-lined vault, surrounded by armed guards, and cast in concrete. Dorothy Denning's sidebar on starting wars by manipulating e-mail systems is particularly interesting.

Security professionals are not ignored: in an interesting display of fair-mindedness, the authors suggest that incident-response team members prepare by ensuring they always have plenty of sugar in their gas tanks for extra energy on late-night calls.

Critical reaction to the tome has been spirited but mixed. Winn Schwartau, in the foreword, asks "is it moral, is it ethical" to provide such information to the general public, before concluding, "Who cares? Nobody has time for this." Phil Zimmermann has roundly condemned the section on anonymous communications, stating that the government has a legitimate need for access to private communications, while Fred Cohen is upset that the authors suggest viruses could be used for beneficial purposes. Richard Stallman is reported to be disturbed by the position that software development can take place in the kind of anarchic environment promoted by the book, and has launched a campaign to ensure that everyone has valid licenses for Microsoft products. Bruce Schneier, on the other hand, points out that the information in the book presents no danger to the public. "As long as you've got a strong crypto algorithm and good technical solutions, it doesn't matter about implementation and people."

copyright Robert M. Slade, 2002   BKHAKDUM.RVW 17020401
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade