Stealing the Network: How to Own the Box (Cyber-Fiction) [Englisch] [Taschenbuch]

As an admitted Slashotdot-reading, command-line geek, I looked forward to this book, but as a finicky reader and former English Lit major I was skeptical. Turns out it's great on both levels: as a topical, informative text and as a downright compelling collection of short thriller-type stories.

For those who have some familiarity with the subject matter, this book rings completely true and for those who do not, it's still fun and understandable.

It's an expensive book, so I waited a while, but in retrospect it delivers on the high price. Unlike most of the novels I read which wind up on my living room shelves for a while or are passed along to friends, this one wound up on the reference shelf in my computer room along with other network security books (and with a few post-it bookmarks sticking out to boot).

If you are hesitating because of the price or are worried that the writing will disappoint, I can assure you that you will be pleasantly rewarded for your investment. Best thing I've read in the genre since Stoll's superb "The Cuckoo's Egg."

You may be asking yourself why I am writing a review of "Stealing The Network - How to Own the Box" (Ryan Russell, Tim Mullen, et al, Syngress Press, 2003, 429 Pages) two years after it came out in 2003. The reason is that next month, the third book in this series, "Stealing The Network - How to Own an Identity", is being released by Syngress. So in anticipation of this new title, I wanted to read this book, as well as "Stealing The Network - How To Own a Continent" (review to be written later this week). I did not expect to be drawn in as quickly as I was by this book, but I found myself being drawn in by the totally unique style in which technical content is presented and the fast pace the narrative took.

Each chapter presents a mini-scenario that demonstrates how specific network vulnerabilities can be exploited, causing potential problems and losses from organizations. What sets this apart from many of these books that I have read is that is kind of set up in the style employed by the television serial "Law and Order: Criminal Intent": a focus on narrative and knowledge from the point of view of the bad guys. While this is a work of "techno-fiction", the level of detail suggests that only the names were changed to prevent the innocent (or the guilty system administrators who fail to lock systems down as well as they should or could).

Another interesting point throughout this book is the emphasis on "social engineering", an oft overlooked weakness that has only started gaining true visibility in the evaluation and education of system administrators, managers, and end-users through highly visible incidents. It is kind of refreshing to read a detailed tale of what led a hacker to jump in a dumpster to find out information, and what led him to that point.

It is the unique approach the authors take that may make the book a more palatable read for true "uber-geeks", rather than these people not wanting to read a dry book presenting technical material in the typical dry approach, which for sure puts me asleep any day of the week. It may also make the topic more readable for non-technical managers to get a better understanding of their risks and vulnerabilities without getting buried in technical detail. However, this also is one big weakness of the book: there is no index of keywords or topics to go back to for easy reference, which would make the book a more used reference than just a good "summer beach book".

Who Should Read This Book

This book should be read by students starting out their formal education in computer information systems. It can teach them lessons without beating them over the head. The book should be read by system administrators so they can see that technical information can be presented in simpler ways, encouraging them to work on their "soft skills". Finally, it should be read by non-technical management so they can understand that the risks and vulnerabilities are very real, and need to be addressed.

Scorecard: Par on long Par 4

Note: When you read my review for "Stealing The Network - How To Own a Continent", you will hopefully understand why I only gave this book 4 stars.

"Stealing the Network" (STN) is an entertaining and informative look at the weapons and tactics employed by those who attack and defend digital systems. STN is similar to the "Hacker's Challenge" books published by Osborne, although the stories are not separated into evidence and resolution sections. Rather, a collection of authors use mildly fictional tales to introduce readers to tactics and techniques used by black and white hat hackers.

My favorite chapter was written by FX of Phenoelit, where a female black hat battles white hat defenders. The playing field includes HP printers, GRE tunnels between routers, and other novel tricks. Reading both sides of the story was fun and educational. I also liked Joe "Kingpin" Grand's insider theft case (ch 3), featuring Palm hacks and Blackberry sniffing. The worm disassembly chapter by Ryan Russell and Tim Mullen is worth reading as well.

This book is worth reading, but it's $... cover price is steep. While the stories are fictional, much of it is probably based on the author's experiences either consulting or studying similar incidents. This book can best be used by security professionals to test how they would have responded to the threats presented by the fictional adversaries profiled in STN. There's plenty to be learned by reading STN, and I hope to see sequels.