Story location: http://www.wired.com/news/culture/0,1284,59340,00.html
02:00 AM Jun. 27, 2003 PT
Stealing The Network: How to Own the Box, a compendium of tales written by well-known hackers, is a perfect summer read. The stories are fictional. The technology and techniques described are very real.
A warning: Those who believe in the theory of "security through obscurity" -- keeping information on hacking techniques under wraps so that fewer people might exploit them -- probably will be infuriated by this book.
Each chapter details not only the methods used to hack and counterattack, but also explains the thought processes hackers use to carry out assaults on computer systems and people.
The result is a fascinating look at the tedious and occasionally brilliant mental discipline of hacking. But it is a book that wanders close to what some might consider the ethical edge. Some security experts said that even though Stealing the Network is legal, it isn't right to provide detailed information on hacking to anyone who is willing to spend $50 on the book.
"We take a rather dim view of teaching folks about hacking," said Chris Wraight, a technology consultant at security firm Sophos. "To us, this serves no practical end; if anything, it greatly facilitates the real apprentice hackers out there in terms of speeding their learning curve."
"There are many ways to teach security professionals how to defend their systems without resorting to teaching them how to hack in the first place," Wraight said. "In addition, companies hiring an 'ex-hacker' to help them better defend their networks is analogous to the proverbial fox guarding the chicken coop. We feel these folks are not to be trusted."
Stealing the Network's editor Jon Babcock argued that the book will benefit more than harm.
"You need to know your enemy if you want to protect yourself from them, and getting to know that enemy from a variety of viewpoints is what this book is all about," Babcock said.
"I agree that there is a line that should not be crossed when it comes to publishing or otherwise releasing potentially damaging material to the general public," Babcock added. "I think we came close to that line more than a few times in this book, but we never actually crossed it."
Ken Pfeil, author of one of the social engineering chapters in Stealing the Network, explained why he opted to go into detail in his story.
"The scenarios we describe in this book can and will happen to someone, if they haven't already. My main objective was to get people thinking," Pfeil, chief security officer for corporate consulting firm Capital IQ, said.
"By understanding some of the mentalities and motives behind the deed, we can avoid a lot of these situations in the first place," Pfeil said. "When you obscure the truth about security to the point where you're no longer proactive, you're playing into the underground's hands. They love complacency."
Independent security consultant Mark Burnett provides a detailed description on the art of what he calls social reverse-engineering -- using people's own moral ambiguities to encourage them to hack into their own networks.
Burnett uses an example of leaving a CD-ROM disk marked "Sales Data" at 15 booths at a technology expo, assuming that those who found the disk wouldn't be able to resist having a look. The disk actually contains a Trojan Horse program that gives a hacker access into the dupe's network.
Joe Grand's chapter documents ways to amuse yourself while you wait for a flight. It is a goose-bump-producing exposÈ of the state of airport network security. Happily, it's just "fiction." Grand is the founder of the Idea Studio, a development firm, and a former member of hacker think tank L0ph.
At 328 pages, Stealing the Network is a summer blockbuster without the nonsense that packs the pages of most warm-weather reads. It's entertaining, but it won't leave your brain gagging on an overdose of fluff.