Spotlight customer reviews:
Customer Rating:      Summary: This book is quite an eye-opener Comment: This is a great, but frightening book. The book explains many, many ways how "social engineers" (what the author calls those who manipulate strangers) can take advantage of people. These stories are clearly and convincingly illustrated by examples. Unfortunately, when one realizes all the people who have access to their private information and that it only takes one to fall for the kind of tricks mentioned here, it is clear that safety is all but impossible. That said, this can serve as a wake-up call to fix what we can, especially in our own workplaces. My one complaint with the book is that the sample security policies in the last chapter were not available electronically.
Customer Rating:      Summary: A classic and must-read for anybody worried about security Comment: This is a great starting point for anybody interested in deceit. While the book focuses on "real-world" deceit, many of the principles carry over to online crime. It is very easy to read, and yet, informative and helpful. If you want to find an answer to the question "Just how much will people agree to?" then this is the book for you to read -- whether you are a system administrator, security researcher, policy maker, or simply interested in understanding fraud and psychology better.
Markus Jakobsson
[..]
Customer Rating:      Summary: Amazing Comment: This book is filled with information that you would not believe. I never read books ever, but this is one of the few exceptions. It is truly amazing!
Customer Rating:      Summary: Interesting overview of the human aspects of computer security, with helpful tips on prevention. Comment: Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990s, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security.
This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods.
The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of `con' used by hackers/social engineers to breach computer security, the chapter setup follows the same schema:
(i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach;
(ii) analysis of the `con', focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed;
(iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware).
This is actually a pretty decent way to make the points Mitnick wants to get across - starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution.
One feature of the book which was meant to be helpful started to annoy me by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: `lingo' - repeating the definition of a concept already adequately defined in the text, or `mitnick messages' - which seemed superfluous, and a little condescending, as they generally repeated what was already obvious. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully "pouring over" the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part.
For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough - complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures.
Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.
Customer Rating:      Summary: Cloak and Swagger Comment: An important book for anyone involved in security (computer or otherwise). The book recounts the real life exploits of a smart young kid who went bad and eventually got trapped by his own hubris, so it's a pseudo-biography. It shows that the real security weak link is the human (no surprise there). Elliptic curve algorithms and 2048-bit encryption don't prevent people from just telling someone their password.
The examples used to illustrate techniques are somewhat artificial, but it doesn't take a lot of imagination to see the real world cases behind them. It reveals how we are socially engineered and how that was exploited. The modern equivalent, adapted to new technology, isn't laid out, but I don't think we have quite reached human 2.0 yet to make that a big intellectual stretch. It is both fascinating and scary how personal weaknesses and prejudices can be used to extract confidential information and gain access.
Mitnick's exploits also included a thorough understanding of phone systems and technology (phreaking) as well as human nature, but these are not discussed in detail in this book because he's prohibited from doing so and probably because the security holes are still there on some systems. Most of these technology-based exploits utilized features designed to help field engineers and remote offices. This should help inform system designers, architects and implementors to consider mal-use cases as well. That is, think about how a requested feature could be used improperly and develop appropriate human as well as technological protocols.
The book is not the greatest read and is somewhat repetitive, with many of the exploits seeming somewhat dated. It would be nice to get an update on Mitnick's analysis of risk in current systems and social trends. With the popularity of social networking sites, that update could help those participants develop a society and human 2.0 awareness.
I think the authors and publishers didn't want to write a handbook for cons, so this has made the book seem obtuse to some readers. I think the intention was to get the reader into the mindset of the con, so they can consider issues from that perspective, which is the old economics standard of "what is the maximum reward for minimum risk".