07/10/11

Kevin Mitnick - ghost in the wires, or scourge of the internet?

My previous book reviews on Naked Security have covered books which I enjoyed greatly, and which were somehow relevant to the field of computer security.
One was a novel dealing with advance fee fraud in Nigeria; the other a historical record of Second World War cryptography in the UK.

I wrote those reviews because I thought you'd enjoy those books as much as I did, and because I thought they'd be worth buying with your own after-tax income.

This review is slightly different. I read this book right to the end, and I even enjoyed it - up to a point. But I'm reviewing it merely because it relates to the field of computer security, rather than because I'd suggest that you buy it.
The book in question is the recently-published Ghost in the Wires by infamous convicted phone hacker Kevin Mitnick.

It's an example of a curious but common contradiction-in-terms genre in publishing: an autobiography written in conjunction with someone else.

Mitnick's book doesn't cover his whole life story: the bulk of it is about Mitnick the hacker, from his early age on page 3 until his release from prison in January 2000 on page 383. He wraps up the decade since his release very rapidly in the ten pages which follow.

As I mentioned above, I enjoyed this book, but only up to a point. That point was somewhere around page 123, when the repetitious descriptions of Mitnick's repetitious escapades began to wear thin.

I was also disappointed to find very little about what I'd consider hacking (whether for good or evil) in the computer science sense.

It's not all bad, however. You will learn some important lessons about security from Ghost in the Wires, based on real-life examples from Mitnick's life:

* Assume that attackers have pathological patience. Don't assume that their main intellectual reward comes from building something new, or from finding a breakthrough that shortens the job. Mitnick shows how he sometimes succeeded against all odds precisely because he was willing to spend weeks or months on boring, repetitive work; a defence that merely makes an attack tedious is not, by itself, a defence.

* Recognise that resisting social engineering is difficult. It requires behaviour from your staff which may feel anti-social, such as declining a friendly and plausible request until it has been verified through a channel the caller or emailer did not choose. Mitnick shows that most employees need more than policy documents to stay resilient against creatively and manipulatively dishonest callers and emailers; you need to give them practical, role-based training.

The most disappointing thing about Mitnick's book is its overall implication - perhaps, in fact, its thinly-disguised purpose - that we should trust him now that he's out of prison, has finished his supervised release, and has turned into a businessman.

In his Acknowledgments, a seven-page appendix to the book, Mitnick shows no repentance. He doesn't apologise to the very many victims he abused, lied to and cheated; nor to those whose cellphone time he ripped off and whose identities he stole; nor to those outside his own circle whom he left in potentially serious trouble or whose lives he diminished by his self-obsessed criminality.

In fact, he doesn't really acknowledge his victims at all, and he gave me the impression that he's still proud of his time as a liar and a cheat.

(He's happy, indeed, to have the back cover describe him as a "visionary".)

I have to admit that made me feel slightly cheated at having put my own money into Kevin's royalty bucket.

But you might enjoy the book right to the end if your expectation of it is merely to live vicariously the life of a computer intruder and a phone phreaker, a con-artist and a fraudster, an identity thief and a crook.

ISBN: 978-0-316-20160-5
Published: August 2011
