Friday, October 07, 2011

Ghost in the Wires

Ghost in the Wires, Mitnick & Simon



Disclaimer: Kevin Mitnick is a personal friend, and this review is based on a late galley copy. I have no financial interest in this book. The above link is an affiliate link.

I have been reading books about Kevin Mitnick for years. Finally, we get to read the best one yet. All of the previous authors worked from information they could glean, and some limited interactions with Kevin himself. The problem is, he was playing most of them a lot of the time. What we have here is Kevin's own version of his story, written himself, along with his collaborator William Simon.

I'll just jump right in; I loved this book. If you have any interest in real-world hacks at all, read it. The other books and news stories didn't cover half of what he did. As I devoured it in two days, I kept turning to people to say "Read this!" or repeating one of his stories for co-workers.

I have some clear favorite stories, but I don't want to give any spoilers. It's that much like reading a thriller. My favorites are how he defeated the radio encryption used by the FBI, and how he would go about obtaining a new identity. Specifically, how and where he researched the identities, and got the appropriate document papers.

The sheer audacity that some of his tricks took is amazing to me. He admits things in the first few pages that surprised me. And after reading about how things went with his friends over the years, I finally have some appreciation for why he has such hatred of snitches.

Let's be clear, this is not a technical book like others I have read. He doesn't cover how to exploit a stack overflow. When he breaks into a Solaris box, he says "I used a Solaris exploit." He says that the reason for that was to make it more readable for the general public. And I don't think he's incorrect in that. The focus is story and history.

But even if you're a hard-core technical security person, I think you'll like the book for what it is. Unless you think that security begins and ends with writing a cool exploit. Do I think Kevin has technical skills? I do. But those aren't his greatest powers. Yes, he's a fantastic social engineer. And using those skills, he owned more things and companies than probably anyone else. A 0-day exploit that lets you break into a source control server is impressive. But I don't think it's quite as cool as calling up and getting them to just mail you a tape with the source. There's no patch for stupid.

You'll also enjoy the book if you have an interest in computer or security history like I do. It spans several decades, from when he was a kid interested in magic up to almost present day. There are the cameos from other well-known hackers that have had books written about them as well. I have enjoyed reading articles and seeing Twitter exchanges with Kevin and some of his old victims. (All amiable so far as I have seen.)

If you want the most accurate version of the Mitnick story available, here you go.

Monday, May 11, 2009

The Mac Hacker's Handbook



The Mac Hacker's Handbook is the best reference for Mac-specific attack information that I have found. At 368 pages, it may appear small compared to the typical 750+ page security tome. That's because the authors have done a near-perfect job of sticking to the topic at hand, the Mac. The authors do not succumb to the usual temptation to try and teach assembly language or reverse engineering. Rather, they do an excellent job touching on those topics in an OS X context, and assume the reader has a little background in that area already, or can otherwise keep up. I have done some limited research into the areas of Mac malware and process injection in the past. This book has done a fantastic job of filling in many holes in my knowledge that I hadn't been able to take care of before. Plus, it introduced me to a number of Mac-specific security features I wasn't aware of before. Highly recommended for anyone interested in Mac security.

Detailed commentary follows.

The authors Charlie Miller and Dino Dai Zovi have impressed me on several levels.

A couple of years ago, I did a presentation on Mac malware, where I researched some similar areas on my own. The purpose of my talk was to demonstrate that the privilege separation on a typical single-user OS X box made no difference, because an attacker could do everything they need from user mode.

My skills are somewhere between beginner and intermediate in the areas of programming, reverse engineering, vulnerability research and exploit writing. With a lot of work, I was able to create a very crude keyboard sniffer by attaching a library to launched processes. In one chapter (chapter 11), this book spelled out everything I needed to know and more. It also implements several useful injected components in a much more flexible way than I was able to. I could have really used this information then.

I ran across many of the same libraries and examples that the authors reference in the book. However, they were mostly code examples with no context, intended to be grokked by hard-core Mac programmers. Here, they are presented in an actual understandable way, building on examples as they go. It makes a huge difference. The level of writing meshed perfectly with my past knowledge and filled in the holes I had. I have an advantage over a rank beginner, but I suspect they have reached as wide an audience as is possible with their writing.

They do this consistently throughout the book. And what really made this an excellent book for me was the actual writing. You'll have to excuse me if I geek out a little bit on this topic, but I've written a few technical books myself, and I have a great appreciation for how hard it is to do this well.

There are many traps one can fall into when writing a book like this. A lot of the topics are circular. As in, it's difficult to pick a sane order to follow, and not repeat a lot of information. There's always a temptation to try and show off advanced topics, and not adequately cover the intro material. It's easy to get lazy and not put the time into explaining a concept, assuming everyone knows it. Authors sometimes dump a lot of pictures and code on the reader for length.

These authors fell for none of these. The ordering of topics and advancing difficulty seem ideal. Code is almost uniformly useful and well-documented. They don't beat you over the head with example after example for the same topic. Rather than attempting to include a complete PowerPC and x86 instruction reference, they give you the minimum set of instructions that they used. The pacing was great. I was neither bored reading things I knew, nor unable to keep up with the material (until I struggled slightly to absorb the last chapter or two.)

Production values are good. The price is great, the length is very appropriate. Editing is good. (Not perfect; I spotted a dozen very minor typos. But then, I can't turn off my internal proofreader anymore; you're unlikely to notice most if any of those.)

There are other minor things to appreciate if you've been around vulnerabilities and exploits for a while. I feel like they did a great job explaining heap exploitation, compared to other attempts I've read. I very much enjoyed the little bits of history when they discuss who pioneered a particular technique. Most of Dino's code has a date in the comments, so you have some idea what was known at the time.

I'd go so far as to say that this book really is a general book about how to find and exploit vulnerabilities, using the Mac as your research platform. And it turns out that the Mac is a great place to learn.

Saturday, February 03, 2007

Old skool security

While researching things for the Oldest Vulnerability Contest, I ran across a number of references to "Computer abuse perpetrators and vulnerabilities of computer systems" 1975, by Donn B. Parker. I did find it listed on Amazon, unknown binding, ASIN B0006WFZ9I. I left it on pre-order for a good year or so, but no one was ever selling one.

Mr. Parker appears to have written a number of security books and reports in the 70's and 80's, mostly while working at SRI. You can find most of his published books easily enough, but not what I'm looking for. I'm guessing it's not a regular book.

I can see that he left a collection to The Charles Babbage Institute at UMN that includes it. I'm going to check there about getting a copy. He seems to have granted some copyrights to CBI, so that might work out.

Also, anyone know if Donn Parker is still alive, and if so, how to reach him? I'd love to do an interview with him. I see references to him doing things in the early 2000's, so he can't have been gone long, if he is.

Amazon Links

I'm trying to see what Amazon links look like now. I've had an Amazon affiliate account for years, but I have barely ever used it. I used to just throw my associate ID ("thievco") onto links, but it looks like that changed probably around 2004. Amazon sent me a quarterly report email the other day, so I thought I would look into it. I plan to mention books frequently, and I'm not at all above throwing on my associate ID. But I wanted to see how it was going to look.

Here's one for my latest book, which is now in print and in stock:



Let's see how that looks. I may twiddle this post, apologies if it shows up in a feed multiple times. Of course, this is all javascripty, so if you're reading this in an RSS reader, you probably don't see it at all. Don't worry, I'll do a proper post in the near future where I shill my latest book the right way.

Update: Whoops! I was wrong. I found the right report, and I did get some hits from the old-style affiliate links. I put a link somewhere, and two people bought a book based on that. I have earned 83 cents this year so far. Thank you for the support. ;)

"Art of Software Security Assessment, The"

Just got a new post in my RSS feed from the authors' blog for "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities". Justin Schuh says that InformIT has their book on sale at a significant savings. I did some cursory checking, and InformIT does seem to have the best price. Ground shipping was free, so my total (after adding tax) was $35.88. Not bad. Amazon wants list price for it, so don't buy it there.



I've been meaning to buy this book since it came out. This offer seemed like a good reason to get around to doing that. Obviously, since I'm just now buying it, I can't offer a review. However, a number of people whose opinions on this topic I respect, like Dave Aitel, and the Matasano guys, indicate that it is well worth reading.

I'll try and get a proper review in, but my reading backlog is already comically long. But mostly I wanted to point out that this looks like a cool book, and if you're going to buy it, do so at this price.

Update: Uh oh, I got an email that it is backordered. "We strive to fill backorders within 30 days. If we are unable to ship your backordered item(s) within that time frame, we will cancel the item(s) on backorder and you will receive an e-mail confirmation of the cancellation." Good thing I'm not in a hurry. I hope I didn't talk anyone into wasting their time waiting if it's not going to come.

Update 2: It arrived on Feb. 19. The guys posted a blog entry about the delays. I suspect they have the stock straightened out now.