[HACK] REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon

Jesus Cea Avion jcea at argo.es
Fri Jan 3 15:43:03 CET 2003


More comments on the book:

http://catless.ncl.ac.uk/Risks/22.44.html#subj14

>>>>>

Date: Wed, 18 Dec 2002 02:46:21 -0600
From: "Don Norman" <don at jnd.org>
Subject: Why you should read Mitnick's book: The risks of seeing the trees
  and not the forest

In an apparent coincidence, in RISKS 22.43, in the article that followed
my recommendation that RISK readers read the new book by Mitnick &
Simon, Rod Slade did his standard "this book has no merit" review of the
book.

Slade is wrong: you should read this book.

Slade criticizes each individual tree, and thereby misses the forest.
His critique of the individual trees is correct. Are the stories
repetitive? Yes. (you know, each tree looks just like the other, and
after a while, it gets boring.)  Is the book self-serving?  Yes. Is
Mitnick reformed or still a scoundrel (guess). Is the advice he gives
rather pedestrian or even worthless? Yes.  Are there any new, profound
insights, well, no, not if you keep your head down and only focus on the
trees.

But individual trees add up to a forest, and there is value in studying
forests.

I'm a student of human psychology.  That's what I do for a living.
Technology and people. Among other things, I read books by ex-criminals:
Thieves, bank robbers, con-artists.  I learn a lot. This is not the
first such book I have read. And it won't be the last.

I learned a lot from Mitnick. I was impressed by his approaches. They
are not as simple and easy to do as a quick reading would make them
appear. After the fact, everything always looks obvious. But I, for
example, would find it difficult to even think of the schemes, let alone
carry them out successfully. As with all great confidence operators, he
knows a lot about practical, human psychology.  He knows how to set up
the mark. How to make multiple phone calls or visits, each to a
different person, each asking for help, and each time picking up one
little piece of information that, by itself, does not seem important.
How to win confidence.  And then, put the little bits together, and you
sound like a legitimate employee, supplier, or customer in an
unfortunate situation, where just a little help would be useful.  It's
classic con-artist, and he does it very well.

I believe that many readers of RISKS would learn a lot -- and be very
bothered by what was learned; it would be very easy to fall for some of
those ruses.  (As Mitnick points out, even good con artists will
sometimes fall for other people's cons.)  This is a really good antidote
to all those technical approaches to security.

Slade also can't decide how to treat Mitnick: as a weak technologist
(hey, most of his cons don't involve technology, so what's the big deal)
or as too good a technologist (to do one fraud, you need to reprogram a
DMS-100 switch). That last fraud, by the way, is quite interesting: Go
out and buy a used switch -- or just get access to someone else's -- and
you can make the telephone caller ID say anything you want it to. So
don't trust caller ID to show that the caller is someone you know, or
from your own company.  Is this news to professionals? No. Is it good to
know?  Yes. Would a serious person trying to steal company secrets, or
money, use the trick? Gee, I would -- wouldn't you?  Of course they
would. Can I program the switch?  No, but I could learn, or more easily,
just hire someone to do it for me.

Slade complains that this is not a technology book, "this is a book
about how to fool people." Well, yeah, duh, that's the point. Put up all
the technology you want, it isn't that secure because I'll break in from
inside, or fool people into giving me the information I seek.

So, if you are a security professional, you can ignore the book. Maybe.
You already know all this stuff. You could probably write a better book
yourself. If you aren't such an expert, read the book. It's an easy read.
Big print. Lots of stories. No big words or deep thoughts. Very
repetitive. But I found it revealing -- and frightening.

On one thing Slade and I agree: "Chapter four tells you to distrust
everyone--which would probably be more damaging to society than social
engineering." Yup, this was precisely the point of my posting in RISKS
22.43.  It is already becoming more damaging.

Read Mitnick & Simon. Don't take their recommendations seriously -- they
are lightweight, sometimes wrong or irrelevant, and probably there for
legal reasons -- to impress the court that this is a prevention book,
not a "how-to" book.

It's a great how-to book, and if you read it, you will become better at
prevention. Maybe.

Don Norman, Computer Science, Northwestern University  http://www.jnd.org
Nielsen Norman Group   http://www.nngroup.com  norman at nngroup.com

<<<<<

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz