Within the cloistered world of computer security, there are celebrity researchers who regularly speak at NetSec, RSA, and Black Hat, researchers whose names almost always appear in the credits Microsoft gives for discovering some new vulnerability. So when Syngress Publishing started producing books a few years back written in whole or in part by these individuals, I was intrigued. Syngress, now distributed by O'Reilly Media and Elsevier, has been steadily making a name for itself with nitty-gritty computer books on such hot topics as host integrity monitoring and physical device security. But Syngress is probably best known for its Stealing the Network series.
The first book, How To Own the Box, surfaced high in the Amazon sales list about two years ago. However, the second book, How To Own a Continent, failed to generate much buzz. I'm happy to say that How To Own an Identity improves upon the overall concept (that is, asking different security writers to write about different security scenarios); however, the third and latest edition also demonstrates that the series itself cannot sustain itself much longer, and tellingly, the next-to-last chapter seems to negate the previous books altogether.
The story thus far...
In the first installment, How To Own the Box, various authors created random characters involved in random criminal hacks. These were one-shot scenarios, such as being hired to steal a piece of premium software before its commercial release. If you didn't realize that you could use an HP LaserJet to hack into a university network, then you're in for an education with this book.
In the second book, How To Own a Continent, the authors decided to impose a narrative structure (the genesis of this idea appears as a series of e-mails in the back of the book, if you're interested). Many of the characters from the first book return, only to fall under the employ of ex-NSA agent Robert Knoll, a.k.a. Knuth (in the e-mails, the authors swear that they were not thinking of legendary computer guru Donald Knuth). Knuth's dream is to become fabulously wealthy at the expense of banks located on the African continent. While building a bunker in the middle of nowhere North America, Robert Knoll drops off the Web, the electrical grid, and the radar at the same time that his alter ego Knuth goes about hiring experts in Wi-Fi hacking, SQL injection, and other skills necessary to pluck $10 billion out of a single bank.
In the third book, How To Own an Identity, Knuth returns, as do many of the previous characters, although the identity aspect appears to be more of a marketing maneuver than a legitimate frame for the book. For example, you won't learn how identities are stolen per se; rather, you'll see scenarios in which criminal hackers morph their identities in order to evade the authorities and each other. And that's where things fall apart.
The publisher and the contributors refer to their chapters as "stories," but I think that's stretching things. First, the characters are not well defined; they are mere functionaries designed to expound on various technical issues before they disappear. We are never let into the character's life; clearly, these individuals live and die only for the hack and have no lives beyond the book. Worse, the criminal hacker often succeeds in obtaining his goal with little or no opposition (and when law enforcement does appear, the officers are often portrayed as bumbling or ignorant). That happens all the time in the real world, you know.
No Real Genius here
But even if you're thinking these books might be written on the best-selling level of an R.J. Pineiro cyberthriller, you're wrong. The Stealing the Network books are unmistakably computer books at heart. Unfortunately, the emphasis on the technical accuracy is higher than the production standards themselves, and for a $40 computer book, there are far too many typos and grammatical blunders to excuse.
Nor are all of the characters original. In the How To Own an Identity chapter "Death by a Thousand Cuts," Johnny Long, of Google-hacking fame, literally reuses characters and scenes from the 1985 cult film Real Genius. In the previous volume, Jay Beale, writing the "A Real Gullible Genius" chapter for How To Own a Continent, did the same, but he attributed the characters within his bio. Long does not bother; neither Brian Grazer (the film's producer), Martha Coolidge (the director) nor Neal Israel (the writer) receives attribution, though Long provides himself with a lengthy bio. Later, within How To Own an Identity, Long again "borrows" the cast of CSI for the chapter "There's Something Else"; however, this time Catherine Willows and Sara Sidle are merely elements of a dream. No attribution needed.
But there's redemption (I think)
"The Conversation" is the next-to-final chapter of How To Own an Identity, and the best-told tale in the book (and also the best edited). Written by Jeff Moss, the founder and CEO of Black Hat and Defcon, Moss prefaces the chapter by saying he couldn't simply jump into the Knuth saga midstory, so he chose to write about something else--something that reads more or less as a refutation of the whole Knuth saga. Around a bar table, Jeff's characters discuss the plausibility of someone stealing $4 billion--whether it could happen at all. They bring up several good points, such as how to move that much money out of the country, how one could live some 65 years as a wanted criminal, and they dismiss such a notion as impossible. Perhaps Moss is simply acknowledging that the whole Stealing the Network series is entirely tongue in cheek. But his clear writing and entertaining style easily upstages all of the previous authors and chapters.
So, are the Stealing the Network books any good? Yes. If you approach these books with some background in computer science, and you view each book as a collection of scenarios rather than works of fiction, then you might learn something. If you don't work with computers or computer security, the pages of screenshots and captured log files alone will likely bore you. There's a limited audience for this material, and there's currently no one out there doing it better.
What computer security books are on your summer reading list? Talk back to me.