Book Review: Network Security
Reviewed by The Roving Eye
Network Security by Steven L. Shaffer and Alan R. Simon, 1994, ISBN: 0-12-638010-4
AP Professional is a publisher that takes the "professional" in its name very seriously, and one can usually expect their books to be information packed, well written, and good value for one's money. With Network Security, however, AP Professional certainly has a loser on its hands.
The first three chapters of this twelve chapter book are dedicated to things that I am sure people with hockey score I.Q.'s realize: "Principles of Distributed Computing and Networks," "The Need for Network Security," and "The Network Security Challenge." These may safely be skipped without loss of info.
"Network Security Services" and "Disciplines," the next two chapters, are O.K. reads if you have been facing a lack of creativity recently. As your mind wanders through these dense forests of verbosity, you are certainly forced to look at the whole picture of network security, and even from the admin's point of view. Even though the book did not give me any specific pointers, I was certainly delighted to come up with some new ideas while reading these chapters.
Chapter 6, "Network Security Approaches and Mechanisms," is a complete, if poor, introduction to the ISO/OSI model and associated security services at each layer. I hated the chapter on PC networking because it annoyed me. I could not help but think what kind of self esteem a network admin would have to have to actually read advice like "Floppy disks should always be protected through the use of protective jackets, gentle handling (i.e., not bending)..." You can bet I started skimming after reading this pearl of wisdom.
Chapter 8, "Viruses and Trojan Horses," was full of even worse garbage. At this point in the book, the verbosity actually becomes worse: "The number of reported Trojan horse cases is estimated to be only a fraction of their actual number. (How many experts did it take to figure this one out?)... if a Trojan horse is uncovered, it may make better business sense not to disclose the event. If a Trojan horse found in a banking system was being used to extract money from the bank, would it make better sense to tell all bank depositors about the incident or to ignore it completely? More likely the latter. (No... you don't say...)... A large percentage of Trojan horse cases are (sic.) not not disclosed. (Come again?)... [the knowledge] is not widely discussed... (I am not sure I got that point...)... [the information] is not... widely available." (Comments in parentheses are mine.) This sort of repetition of the same idea happens throughout the book.
The only greatly informative chapter of the book in my view was the one on covert channels. Other than hackers dedicated to high-security systems and a few other enlightened individuals, most people don't even know what these are. Further, the topic is usually not dealt with well even by journal articles in the area. So this chapter and the last one, which is on standards, are the only parts of the book that are worth a read. Having read a lot of academic writing on the area, I must also say that the bibliography certainly points to the best stuff that is out there. So my advice is: if you can get your hands on the book easily and for free, read the above parts. Otherwise, don't bother.
Alan R. Simon has two other books (Open Systems Handbook and Network Re-Engineering: Foundations of Enterprise Computing) which came out in November, and despite my interest in both topics, I doubt I shall even be getting either book issued from the library. Gary R. McClain's Handbook of Networking & Connectivity, which was released earlier this year, also by APP, on the other hand, is a useful reference to have around. It is a good general reference on protocols, standards, and troubleshooting and certainly points on in the direction of the weaknesses of different architectures, while maintaining its essential overview nature.
Remember to never stop learning!
Book Review: Information Warfare
Reviewed by Joe630
Information Warfare by Winn L. Schwartau
Information Warfare? This book could be considered information warfare. It gives an incredible amount of information about almost nothing that real people care about. It does, however, have its moments. Almost 200 pages into the book, Schwartau begins to discuss hackers. But wait, we are not hackers. A hacker is "a writer who knocks out lackluster words for pay... an old, worn out horse is a hack... how about the golf hack who can't score below 100..." We are information warriors.
He goes on to give his history of the hacker, from the earliest "computer notables," through the 1960s and 1970s, up to now. Then, it goes into an almost ten page history of the LoD vs. MoD crap that has been going on. He describes the typical American hacker, the "inner-city" hacker (do those exist?), and the European hacker. He debates with himself about the ethics of hacking, and about how big of a risk we are to national security. Then he goes into the whole point of this chapter, "Professional Hacking." He seems to think that this will be a big part of the future. People will be getting paid to do bad things, and that will give us legit hackers a bad name.
After that, the book gets boring again. He gives examples of some money-motivated hacks, and goes on about war and the military and information and computers. This book is probably very suited for security professionals who have to deal with securing their information, but for hackers, it is dull, boring drivel like those college and high school classes that we used to skip.
So if you are a corporation in search of a book written with a corporate mentality about corporate security, then this is your book. If you are a hacker, or are learning about the underground, then this book would make a very nice doorstop, footstool, or paperweight.
Video Review: Unauthorized Access
Reviewed by Emmanuel Goldstein
Unauthorized Access by Annaliza Savage
Years in the making, a film on the lives and adventures of computer hackers has presented our world in the way mainstream media has always managed not to. The hackers do the talking and the viewer is left to either nod in appreciation or recoil in horror.
Unauthorized Access has no narrative and does not offer any kind of sappy summing up to either condemn or glorify hackers. Rather, Annaliza Savage uses the time to hear about and see hacker adventures from around the planet. But this isn't the Fred Wiseman, sit-in-a-park-or-mental-Institution-for-several-hours-and-see-what-happens approach. Unauthorized Access has a lively pace, quickly moving from topic to topic, place to place.
The film contains a little bit of all of it and will easily convince any non-believer that we're up to some pretty incredible things. And, as many of us know, this is only the tip of the iceberg.
The film opens with scenes from HoHoCon 1993 where hackers were being accused of trying to break into the hotel phone system by simply standing outside a door. We see an incredible number of security personnel and police converging on a hotel room, apparently unbothered by having it all captured on camera.
The last days of a hacker before he is sent to prison are witnessed with a combination of sadness and bitterness. We see Phiber Optik's last moments on WBAI's Off the Hook before starting a ten month prison sentence.
The story of a hacker informant Agent Steal is told by the closest thing to a recurring narrator - a hacker who seems to know all the gossip on everyone and a silent, ominous-looking sort who stands in the background wearing sunglasses.
We hear from Noah of Oregon who managed to get into an insecure system at Westinghouse. In an interesting twist, Noah's parents tell the story and give their opinions on the prospect of their 14-year-old son being sent to federal prison. "At the time I didn't even know they made nukes," says Noah. "If I knew that I would've stayed the hell away from Westinghouse."
We witness a faceless hacker getting into a file server at Sun, which in itself is kind of funny. This is the only real live computer hacking we see in the documentary and it stops just short of doing anything of a criminal nature.
The phreaking portion contains a great collage of different payphones from around the world. We also see a demonstration of Red Boxing, and of Blue Boxing from Amsterdam through Malaysia to the United States. At this point the viewer gets the sense that hackers and phreaks are truly everywhere.
Two areas of Unauthorized Access that are captured particularly well are the ones on the L0pht in Boston and a 2600 meeting in Los Angeles. Both of these hacker gathering places carry a special significance and the historical perspective is not lost. "Everything you're about to see was carried up these stairs," says the L0pht's Count Zero. "Just remember that when you see the Vax." At the 2600 meeting we see a brief demonstration of cellular hacking. Savage focuses on the eagerness of the participants - these are enthusiasts trading information and being open, not criminals conspiring to do evil things. It's incredible how independent filmmakers are able to see things the networks can never find.
Other highlights include a system administrator addressing a crowd of hackers expressing with great humor the frustration of only being able to trace calls during business hours.
But the thing which makes Unauthorized Access a true success is the world perspective which is evident throughout. Apart from seeing hackers from different parts of the United States, we journey to Holland for a glimpse at lockpicking and a hilarious look at what hackers can do inside a Metro station with the right keys. We also learn all about Hack-Tic and the Internet service provided by Dutch hackers. "There is more fun in the Dutch approach," says one with no hint of envy. We learn how the Germans are working to provide Internet connectivity to the war-torn former Yugoslavia, a fitting example of how our knowledge and enthusiasm can be used in significant ways.
If there is any criticism of Unauthorized Access, it would have to be that the film is too short. For those who have never seen a hacker before, 38 minutes is most likely sufficient but for those of us who know how big it all is, hours of footage would be more satisfying. As a cohesive piece, the film stands tall. But some of the bits, particularly those on trashing, Information America, and Hacker Lore just aren't long enough to do the subjects justice.
Technically, Unauthorized Access is edited professionally; the picture and sound are always clear. Its existence is true evidence of the value of independent filmmaking - this is the kind of thing that should show up on the new Independent Film Channel.
As a cultural piece, it's what we've been waiting for. Many of us have long suspected that modern-day hackers have a unique and rich culture. Unauthorized Access something we can point to and prove it.