[HACK] REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon

Jesus Cea Avion jcea at argo.es
Thu Dec 19 14:09:08 CET 2002


It is the custom of this list not to publish things that have already
appeared elsewhere, and even less so if they are not translated into
Spanish, but seeing that the topic of social engineering is a recurring
one (hello, Ignatius :) and nobody has yet sent the list any comment on
this book, I will take the liberty of breaking the ice.

By the way, take a look at
http://catless.ncl.ac.uk/Risks/22.43.html#subj13

The following text was published at
http://catless.ncl.ac.uk/Risks/22.43.html#subj14

>>>>>
Date: Thu, 12 Dec 2002 08:00:51 -0800
From: Rob Slade <rslade at sprint.ca>
Subject: REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon

BKARTDCP.RVW   20021028

"The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
0-471-23712-4, U$27.50/C$39.95/UK#19.95
%A   Kevin D. Mitnick
%A   William L. Simon
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-23712-4
%I   John Wiley & Sons, Inc.
%O   U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne
%P   352 p.
%T   "The Art of Deception: Controlling the Human Element of Security"

Those in the security field know that Kevin Mitnick does not deserve the
reputation he has gained as some kind of technical genius.  His gift was
skill as a social engineer.  Stripped of the five dollar words, this means
that he was a plain, old con man, cheat, or fraud.  In other words, this is
a book about how to fool people.  Theoretically, the determined reader
should be able to use the book to keep from being conned.

In the preface, Mitnick would have us believe that, although he admits to
being a fraud and deceiver, he was never a grifter.  He never harmed
anybody, never obtained a material benefit, and was just curious to see if
he could ride the buses for free (at the expense of the transit system) or
make calls for free (at the expense of an MCI customer).  (The willing moral
blindness of these assertions is possibly the most instructive part of the
book: it is truly representative of large portions of the blackhat
community.)  He would have us believe that he is a "changed person": one of
the most sought-after computer security experts world-wide, and the world's
most famous hacker.  Oh, and just in case the authorities are inclined to
think that this book runs counter to the injunction that he not profit from
the stories of his criminal exploits, the tales are all completely
fictional.  Trust him.

Part one is entitled "Behind the Scenes."  Chapter one states that people
are security's weakest link.  This is a truism well known in the field, but
the first account is really about insider fraud, while the remainder are
generic fear-mongering.

Part two describes the art of the attacker.  (At great length.)  Chapter two
depicts escalation or enumeration through social engineering, and points out
that sometimes innocuous information isn't.  There is a section on
"preventing the con" at the end of each chapter: in this case we are told
not to give out information, but not provided with any advice about
authenticating callers.  Similarly, chapter three says that sometimes
attackers just ask for access or information and says to verify callers, but
doesn't say how.  Chapter four tells you to distrust everyone--which would
probably be more damaging to society than social engineering.
(Interestingly, yesterday a report came out about studies of "freeloading"
in the animal kingdom, which notes that communities with too many
non-contributing members tend not to survive.  By extension, only societies with
an overwhelming majority of trustworthy members exist for any length of
time.)  The prevention bit tells companies not to have people give credit
card information over the phone, but stresses teaching employees about cons
rather than policies.  At about this point the text, which is very
repetitious, throws in some minor technical details.  This is enough to
remind the professional that the book is designed for the naive user, with
extremely lightweight analysis, and implications that would not be useful.
There is more repetitive redundancy in chapter six, on the way to some
useful information about fraudulent e-mail and really lousy data about
viruses and malware, in chapter seven.  Chapters eight and nine are simply
more of the same stories, which start to get very tedious.

Part three is apparently supposed to help us detect intruders.  Chapter ten
has a little useful advice about having termination procedures.  The major
points in chapter eleven seem to be about all the people who have been mean
to our poor Kevin.  Then it is back to the, by now extremely tiresome, con
jobs for another three chapters.

We are intended to believe that part four will help us protect ourselves and
our companies against social engineering.  Chapter fifteen is an attempt to
convince us that the book should be purchased for all employees.  (Nice try,
Kev.)  There is an arbitrary, and oddly both generic and overly detailed,
suggested security policy, in chapter sixteen.

So.  Security professionals already know about social engineering.  It is
unlikely in the extreme that even the most head down,
don't-talk-to-the-users, socially maladept firewall administrator will learn very much
from this book.  But, of course, this is not a trade paperback.  This is a
hardback aimed at the mass market: the non-professionals.  Will they learn
anything from it?  Well, it might be useful for teaching new tricks to those
who like to con people (although fraudsters will likely be disappointed at
the number of times it is assumed that they know how to reprogram DMS-100
switches: don't try this at home).  The prevention sections, as noted, are
big on "don't" and short on "how not to."

Well, but the book can still be a fascinating read, can't it?  Sure.  If
you're the type of person who finds humour in watching someone fall on his
or her face.  Over and over and over and over and over and over and over and
over and over and over again ...

copyright Robert M. Slade, 2002   BKARTDCP.RVW   20021028
rslade at vcn.bc.ca  rslade at sprint.ca  slade at victoria.tc.ca p1 at canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

<<<<<

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz
