Every time some software engineer says “Nobody will go to the trouble of doing that,” there’s some kid in Finland who will go to the trouble.
Let’s get one thing out of the way up front. Kevin Mitnick is a criminal, and if you want to flame me for recommending his new book, go ahead. But like a doctor that studies cancer to learn how to cure it, I’m going to read what the hackers write to know how to fight back.
So what’s the book about? It’s mostly a series of stories of <maybe>real</maybe> attacks on various systems, ranging from slot machines to banks. There’s enough technical detail to let you follow exactly what was going on, but not enough to become overwhelming. There were a few places where I had to stop reading and check out one of my own systems, just to be safe. There’s also a lot of insight into the motivation of the hackers involved.
All the stories were told to Mitnick by the hackers involved, and there’s an obvious problem in reporting stories told by folks that specialize in social engineering. On the other hand, all the stories seem like they could have really happened. My best guess after reading the book is that it’s all true and there isn’t much exaggeration.
This book definitely works on a couple of different levels: entertainment and education. At one level, it’s a collection of ripping yarns about computer heists. (I love that TV show about the two separate groups. Is it the police or the district attorneys who are more important? I can never remember.) On another level, it makes a persuasive case that most organizations just aren’t taking security far enough. The book definitely works best for an audience that knows some technology, and isn’t going to be put off by talk of “reverse DNS lookups” or “ARP broadcasts.” It includes some simple security guidance, but it’s a long way from being a complete tutorial on computer security.
For me, it was the perfect piece of light reading on a plane ride across the country after PDC. I would definitely buy this book for someone who was just getting started in computer infrastructure or development. This book won’t give them the education in security they need, but it might motivate them to study the more technical books by explaining why security matters. Anyone whose manager is telling them not to waste time on security should leave this book in their in-tray.
Bottom Line: An easy read, and it will make you think twice about security.