Top-notch books on computer security are about as rare as great Scottish limbo dancers, but that hasn’t stopped publishers cranking out more and more titles on the subject in the hope that quantity will eventually wear down the audience’s resistance. Even the word “security” now induces a phobia in anyone who has to read such books for a living. “Not another security book”, you hear yourself saying under your breath, as you pull a new candidate from its miserable cardboard wrapper.
It should be simple. Find someone with something to say and the ability to say it, wrap it up in some decent production values, and market it like hell. Too often, publishers simply mistake ‘knowing what you’re talking about’ for the ability to impart that knowledge. You also need a degree of flair.
Despite its slightly misleading title, and (being fussy here) duff production values, Robert Shifreen’s Defeating the Hacker could be the book to cure the cynics, myself included. I am about to type a sentence of the utmost rarity: I have just read a good security book, one that I would recommend and possibly even buy myself.
For those outside the UK who might not know, author Robert Shifreen is a name that will enter the history books. In 1985, while working for a computer magazine, he worked out how to access – hack, if you like – a British Telecom Prestel communications system run by the same publishing company. Armed with the admin password, he was able to look at the contents of user mailboxes, some of which belonged to well-known people.
He wasn’t, then, the first modern hacker by any means, but he did become the first person in the world to be prosecuted in front of a jury for his acts, a trial that attracted considerable media attention. He won, and in the process managed to put into the mainstream the idea that weak computer security is a threat to privacy.
He had not set out to be malevolent, and from his account (and we have no reason to doubt him here) he came to be treated as one through an accident of his own naivety and curiosity. That’s what happens to people who are among the first to do things others haven’t thought of before: they get incorrectly classified.
The paradox of security publishing is that the people most likely to buy such books are precisely the ones who probably don’t need to. It’s hard to say whether Defeating the Hacker will escape this trap, but it will not be for want of trying. Shifreen’s book is a down-to-earth practical guide to the topic aimed squarely at people who have some of the pieces, but who need the gaps filled in with an intelligent overview.
Its strength is that it is written for the informed non-expert without losing the important detail, and it is thorough enough to cover all the important bases. Designing security policies, the basics of server and PC security, firewalls, email, and wireless networking are all covered in readable and sensible fashion. It then details the nature of the software and personnel threats with lucidity, so much so that a reader could easily keep the book handy to dip into as needed. The section on law is the least comprehensive, but to be fair its subject is now far too large for this sort of book.
You also get a short chapter on Vista, and ones on forensics, outsourcing, the principles of social engineering, the perils of search engines, encryption, Internet misuse, and document security. Some of the chapters are perfunctory, but every topic is covered.
What Defeating the Hacker builds towards is a cultivated state of mind that stresses rational assessment of the threats and sensible caution regarding their mitigation. It isn’t over-sensational or deliberately scary. As he points out again and again, most security folly is of the victim’s own making. What makes people and the companies they work for easy to hack is not a lack of knowledge so much as the wrong mentality, born of laziness, complacency, and sometimes even an inappropriate paranoia. What a reader will get at the end is a checklist of the top issues, and most of the knowledge needed to deal with them in a consistent way.
I’m still not convinced the ‘hacker’ of the title is really the person who now threatens the average company or individual. Fretting about what a curious teenager can do with a modem and a keyboard is a bit like a data centre manager coming up with a contingency plan in case the building is raided by the Sioux Indians from a cowboy movie. Defeating the Criminal might have been a more accurate, if less saleable, title.
A book like this also deserves better production values from a publisher that should know better. Its layout is only one notch up from 1980s DTP, but that is to pick holes for the sake of it. This is still an excellent book, full of personality and insight, that should end up well thumbed by anyone who buys it.
Defeating the Hacker: A Non-Technical Guide to IT security
By Robert Shifreen
2006, John Wiley & Sons