http://www.spinellis.gr/pubs/Breview/1998-CR-Hacker/html/review.html
This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:


This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.


Copyright © 1998 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or permissions@acm.org.

Hacker proof: the ultimate guide to network security.

Diomidis Spinellis
University of the Aegean

Klander, Lars.
Jamsa Press, Las Vegas, NV, 1997,
666 pp., $54.95, ISBN 1-884133-55-X

"Hacker proof" describes commonly-used network technologies from the data-link layer up to the application layer and explains the security issues involved. It covers TCP/IP, HTTP, firewalls, encryption, digital signatures, secure HTTP, the secure session layer, Kerberos authentication, the Java programming language, viruses, Windows NT, Novell IntranetWare, Unix, X-Windows, testing tools, Web browsers, hostile scripts, and network security policies. Most technologies are explained in detail, adding to the book's length without substantially contributing to the coverage of security issues. This lack of focus on security, combined with a number of omissions and inaccuracies, diminishes the book's contribution to the field. The intended audience of the book is probably technology novices who are interested in practical network security. However, the level of technical expertise expected of the potential reader varies greatly between different topics. As an example, the section explaining telnet attacks presumes an intimate knowledge of the telnet protocol ("the hacker sends ATK_SVR_OFFSET bytes"), while the sections on Unix explain the shell's input and output redirection syntax.

A number of inaccuracies and factual errors may confuse a non-expert reader. As an example, uuencode is described as the "most easy-to-use and popular tool for encrypting binary data", Microsoft's CryptoAPI as similar to PGP, and the Unix csh as virtually identical to the Bourne shell. The explanations of attacks contain even more errors: the description of the TCP/IP sequence number prediction attack confuses consecutive IP addresses with the TCP sequence numbers, the section on hyperlink spoofing confuses domain name servers with the domain name system addresses and the URLs, while the description of the sendmail debug problem confuses the program's debug level with the stack frame depth. Some omissions are equally glaring. Although the chapter on Unix auditing includes the helpful advice of consulting the shell history file, it fails to mention the process accounting log files. A list of the Unix file permission constants is presented without mentioning that the numbers are represented in the octal system. Finally, a number of suspect claims unsubstantiated by references add to the mistrust of the book. As an example, the author attributes the majority of virus infections to the hundreds of retail publishers who have admitted distributing infected disks and to retailers who re-wrap retailed software returned from users.

Many concepts are described using well-presented diagrams which clearly help the novice reader. On the other hand, an annoying aspect of the book's presentation is the lack of italic space correction after italic to roman font changes, which results in the effective merging of adjacent words. It is a sad fact of our desktop publishing era that such elementary errors are still prevalent. In addition, the 159 section headings beginning with the word "understanding" quickly become annoying. A page with six Web links and screen dumps of their associated pages at the end of each chapter is an interesting addition to the book, but no excuse for the total lack of references. The book's index is complete and can help the reader navigate through its voluminous material.

Ignoring the problems mentioned above, "Hacker proof" can be used by a novice reader as a crash course on modern network technologies and the related security issues. Other readers would be better served by more specialised books such as [1], [5] and the relevant RFCs for understanding the underlying technologies and [2], [3], [4] and Web-material for practical security-related advice.

References

  1. Douglas E. Comer et al. Internetworking with TCP/IP, volumes I-III. Prentice-Hall.
  2. Simson Garfinkel and Gene Spafford. Web Security and Commerce. O'Reilly and Associates, Sebastopol, CA, USA, 1997.
  3. David L. Oppenheimer, David A. Wagner, and Michele D. Crabb. System Security: A Management Perspective. Short Topics in System Administration. USENIX Association, Berkeley, CA, USA, 1997.
  4. Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. Web Security Sourcebook. John Wiley & Sons, 1997.
  5. Bruce Schneier. Applied Cryptography. Wiley, second edition, 1996.