My previous book reviews on Naked Security have covered books which I enjoyed greatly, and which were somehow relevant to the field of computer security.
One was a novel dealing with advance fee fraud in Nigeria; the other a historical record of Second World War cryptography in the UK.
I wrote those reviews because I thought you’d enjoy those books as much as I did, and because I thought they’d be worth buying with your own after-tax income.
This review is slightly different. I read this book right to the end, and I even enjoyed it – up to a point. But I’m reviewing it merely because it relates to the field of computer security, rather than because I’d suggest that you buy it.
The book in question is the recently-published Ghost in the Wires by infamous convicted phone hacker Kevin Mitnick.
It’s an example of a curious but common contradiction-in-terms genre in publishing: an autobiography written in conjunction with someone else.
Mitnick’s book doesn’t cover his whole life story: the bulk of it is about Mitnick the hacker, from his early age on page 3 until his release from prison in January 2000 on page 383. He wraps up the decade since his release very rapidly in the ten pages which follow.
As I mentioned above, I enjoyed this book, but only up to a point. That point was somewhere around page 123, when the repetitious descriptions of Mitnick’s repetitious escapades began to wear thin.
I was also disappointed to find very little about what I’d consider hacking (whether for good or evil) in the computer science sense.
It’s not all bad, however. You will learn some important lessons about security from Ghost in the Wires, based on real-life examples from Mitnick’s life:
* Assume that attackers have a pathological patience. Assume that their primary intellectual gratification doesn’t come from building something new, or from inventing a breakthrough to simplify the task. Mitnick will show you how he sometimes succeeded against all odds, even if that meant spending weeks or months carrying out boring, repetitive work.
* Recognise that resisting social engineering is difficult. It requires behaviour by your staff which may feel anti-social. Mitnick will show you that most employees require more than just policy documents to give them resilience against creatively and manipulatively dishonest callers and emailers. You need to provide them with practical, role-based training.
The most disappointing thing about Mitnick’s book is its overall implication – perhaps, in fact, its thinly-disguised purpose – that we should trust him now that he’s out of prison, has finished his supervised release, and has turned into a businessman.
In his Acknowledgments, a seven-page appendix to the book, Mitnick shows no repentance. He doesn’t apologise to the very many victims he abused, lied to and cheated; nor to those whose cellphone time he ripped off and whose identities he stole; nor to those outside his own circle whom he left in potentially serious trouble or whose lives he diminished by his self-obsessed criminality.
In fact, he doesn’t really acknowledge his victims at all, and he gave me the impression that he’s still proud of his time as a liar and a cheat.
(He’s happy, indeed, to have the back cover describe him as a “visionary”.)
I have to admit that made me feel slightly cheated at having put my own money into Kevin’s royalty bucket.
But you might enjoy the book right to the end if your expectation of it is merely to live vicariously the life of a computer intruder and a phone phreaker, a con-artist and a fraudster, an identity thief and a crook.
ISBN: 978-0-316-20160-5
Published: August 2011
I think your comments are a bit mean spirited … I've read the book too, and to me it didn't come over at all in this way whatsoever. To me it highlighted the difference in opinion and change in attitudes that have happened over the past 20 years with regard to computer hacking. Yes he is fairly unrepentant for what he did, but let's remember that he was an "old school hacker" in the sense he did it for the sheer challenge rather than for financial gain. He didn't actually destroy any data or files either, did he? It seemed to me that he went on the run from the FBI because he thought he was being made an example of and wouldn't be able to get a fair trial.
But he _did_ get financial gain – and lots of it. He points out in the book that cellphone airtime was still terribly expensive when he was phreaking, to the point that his ability to afford as much airtime even as he _visibly_ spent on his phone was suspicious. (He got sacked from a job he took under someone else's identity because they assumed he was moonlighting, since he used his phone so much and couldn't have possibly paid the bills on his regular pay. He couldn't defend himself by saying that he wasn't paying for the calls because he was stealing the airtime from other people.)
Tough luck for all the people who ended up getting stiffed with the bills for funding his hacking, eh?
And what about the people whose identities he borrowed, and in whose names he committed crimes? Or don't they count as victims because he was only doing it for the lulz?
And it seemed to me that he went on the run partly because he was afraid – and I sympathise with that – and partly because he really wanted the hacking party to continue, with other people picking up the tab. Else why didn't he get off the FBI's radar and keep his head down?
I do not really consider Mitnick a hacker but really a phreaker and social engineer. I will not buy the book but if someone gave it to me I may read it after I find time to read the rest of the million books on my list. I have just heard his story too many times to really be super interested in reading his life story. I think what the government did to him was crap because he really did not do that much. Far more people do worse things in the computer world these days that get away with it.
I pre-ordered the book but still have not read it. (I'm a few security books behind schedule here.)
Yes, he was an old school hacker – and he never did anything "malicious" like what is happening in our world today. The feds used a lot of social engineering too. He spent EIGHT MONTHS in solitary confinement because law enforcement convinced a judge that he could start a nuclear war by whistling into a payphone…
Is he supposed to spend his entire life apologizing in his books? Or should he move on (as he has done) and contribute to security – as he is currently doing?
Early on over at Twitter – I had to set some law enforcement people straight when they DM'd me about talking to Kevin on Twitter – that was a ridiculous request! It is that same type of attitude that gave me a bad taste about your review. Why not ask him straight up about the parts of the book that you had a problem with? I would be happy to DM him and ask him to follow you so that you can speak to the source 🙂
Cheers
This isn't just "one of his books". It's his autobiography (albeit partially written by someone else), in the first person singular.
So if there is a book from which his character might reasonably be judged based entirely on what he wrote, and the tone in which he wrote it, this is the one: it's his public declaration of who he is.
If there is a book where one might determine whether he is repentant, whether he feels any desire to apologise, and whether he acknowledges that his so-called "old school" crimes had plenty of victims, this is the one: it's his public declaration of who he is.
I didn't form the opinion that he was repentant, or that he regretted the misery he doubtless caused outside his own circle.
In short, I was just hoping to meet someone different than the person I found in the book, which is why I wrote that I was disappointed that, "he doesn't really acknowledge his victims at all, and he gave me the impression that he's still proud of his time as a liar and a cheat."
Anyway. I'm glad he's doing fine now. I just hope all those he touched for the worse on his wild ride are doing fine, too.
Duck,
I have not read his latest book yet. I understand what you are trying to convey. I still think that Mitnick would be the person who could best address your concerns.
/Bev
I guess my point is that he deliberately chose not to deal with the issue of his victims anywhere in 400 pages of autobiography. (This is a review of the autobiography, after all.)
The E-Book is on Pirate Bay. How perfect.
I'm going to review this book for you, but first four paragraphs about ME.
Be fair – the first _three_ paragraphs.
Personally, I like to know a little about the person reviewing a book. It helps to put things in context, especially if there are negative comments.
It's called "setting the context for what is to follow".
I love the fact that you admit you enjoyed it, even if just a little. It belies your intent here. I mean, come on, your agenda is at odds with giving the book a real 'thumbs up.' You're not being objective here when you speak on behalf of security professionals, and especially the harm and cost that can come from modern exploits of criminals. This is a piece of some of the most fascinating history on the subject. It's like you're criticizing Alexander the Great for 20th century mass murderers.
The life in its historical context is intriguing, even if those who have the same essence today do it for destructive effect and headlines. Kevin did his best to avoid headlines until he matured into a security consultant. One could expect that might cause your jealousy, which could explain your tone in this review. Did you forget in the start of his story that he was really running from another stint in solitary (which is considered inhuman and sentences like his are now disallowed)? You can easily disguise any jealousy by social engineering a professional perspective. Then you get to call him by those awful labels at the end of your 'review.'
As for "those awful labels" – I simply said that the book would let you live vicariously the life of a computer intruder, phone phreaker, con-artist, fraudster, identity thief and crook. And it does, because that's exactly what the bulk of the book's _about_, is it not? Mr Mitnick's life on the lam, hacking and phreaking using other people's identities, funds and computers…
_That_, I thought, was the least arguable part of the entire review.
In short, as I said above: I enjoyed the book until it got boring. I learned something from it. I didn't find much about hacking in my sense of the word. I was disappointed not to find any space given to Mr Mitnick's victims. I wouldn't suggest you buy the book, but you might want to read it if it comes your way. End of review.
You don't have to agree with me, but accusing me of forming my opinion of the book out of professional jealousy – especially considering that I don't work in Mr Mitnick's arena of security and that I don't find person-versus-person competition much of a motivator – is as misguided as it is presumptuous.
Come on people this is hardly security related content worth the attention!
After all said and done it's just an autobiography not a hacker's cookbook, so no security breaches here!!!
Great biography and a great read. It was worth the money and worth reading. I am proud to have this book sitting on my book shelf. Some people were disappointed they thought there would be more technical hacking information but right from the title you can tell it was going to be more of a biography than an instructional book was very good. Worth my time to read.
Have to agree with Paul on this one. Do I agree with Kevin’s treatment in the legal system? No, but he kind of made his own bed there. I mean when you don’t follow all the rules, you antagonize the Feds and then you expect them to follow all of the rules, well I think you’re being a bit naive.
To the point of little to no remorse, I definitely get the sense all throughout the book that Kevin felt like there were no true victims and he did little to no monetary damage. Apparently he views the world differently and free phone calls don’t count. Let’s put aside all of the break-ins to steal source code (which I’m sure Novell, Sun, Motorola and the list goes on….wouldn’t agree with ‘setting aside’) but just for now let’s just look at the cloned cell phone calls. NOT counting before he went on the run, just take a look at his time from the end of 92 to when he was caught in 95. Figure on about 750 days where he was making free phone calls. We’ll say on average he used it for 5 hours, which I’m sure is extreme lowballing, but for argument’s sake 5 hours/day for 750 days. Per Kevin’s own quote on the fact that at the time cell phone calls cost $1 per minute, that’s $225,000 in stolen calls/minutes. Things like this just seem to get swept under the rug and it’s factual. In reality the number is probably twice that and yet countless times throughout the book it stressed that there was no financial gain. It’s all perspective, I suppose if Kevin didn’t see his bank account grow, then there was no financial gain. Warped perspective.