REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon
- BKARTDCP.RVW 20021028
"The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
%A Kevin D. Mitnick
%A William L. Simon
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
%P 352 p.
%T "The Art of Deception: Controlling the Human Element of Security"
Those in the security field know that Kevin Mitnick does not deserve
the reputation he has gained as some kind of technical genius. His
gift was skill as a social engineer. Stripped of the five-dollar
words, this means that he was a plain, old con man, cheat, or fraud.
In other words, this is a book about how to fool people.
Theoretically, the determined reader should be able to use the book to
keep from being conned.
In the preface, Mitnick would have us believe that, although he admits
to being a fraud and deceiver, he was never a grifter. He never
harmed anybody, never obtained a material benefit, and was just
curious to see if he could ride the buses for free (at the expense of
the transit system) or make calls for free (at the expense of an MCI
customer). (The willing moral blindness of these assertions is
possibly the most instructive part of the book: it is truly
representative of large portions of the blackhat community.) He would
have us believe that he is a "changed person": one of the most
sought-after computer security experts worldwide, and the world's most
famous hacker. Oh, and just in case the authorities are inclined to
think that this book runs counter to the injunction that he not profit
from the stories of his criminal exploits, the tales are all
completely fictional. Trust him.
Part one is entitled "Behind the Scenes." Chapter one states that
people are security's weakest link. This is a truism well known in
the field, but the first account is really about insider fraud, while
the remainder are generic fear-mongering.
Part two describes the art of the attacker. (At great length.)
Chapter two depicts escalation or enumeration through social
engineering, and points out that sometimes innocuous information
isn't. There is a section on "preventing the con" at the end of each
chapter: in this case we are told not to give out information, but not
provided with any advice about authenticating callers. Similarly,
chapter three says that sometimes attackers just ask for access or
information and says to verify callers, but doesn't say how. Chapter
four tells you to distrust everyone--which would probably be more
damaging to society than social engineering. (Interestingly,
yesterday a report came out about studies of "freeloading" in the
animal kingdom, which notes that communities with too many non-
contributing members tend not to survive. By extension, only
societies with an overwhelming majority of trustworthy members exist
for any length of time.) The prevention bit tells companies not to
have people give credit card information over the phone, but stresses
teaching employees about cons rather than policies. At about this
point the text, which is very repetitious, throws in some minor
technical details. This is enough to remind the professional that the
book is designed for the naive user, with extremely lightweight
analysis, and implications that would not be useful. There is more
repetitive redundancy in chapter six, on the way to some useful
information about fraudulent email and really lousy data about viruses
and malware, in chapter seven. Chapters eight and nine are simply
more of the same stories, which start to get very tedious.
Part three is apparently supposed to help us detect intruders.
Chapter ten has a little useful advice about having termination
procedures. The major points in chapter eleven seem to be about all
the people who have been mean to our poor Kevin. Then it is back to
the, by now extremely tiresome, con jobs for another three chapters.
We are intended to believe that part four will help us protect
ourselves and our companies against social engineering. Chapter
fifteen is an attempt to convince us that the book should be purchased
for all employees. (Nice try, Kev.) There is an arbitrary, and oddly
both generic and overly detailed, suggested security policy, in
So. Security professionals already know about social engineering. It
is unlikely in the extreme that even the most head-down,
don't-talk-to-the-users, socially maladroit firewall administrator will learn very
much from this book. But, of course, this is not a trade paperback.
This is a hardback aimed at the mass market: the non-professionals.
Will they learn anything from it? Well, it might be useful for
teaching new tricks to those who like to con people (although
fraudsters will likely be disappointed at the number of times it is
assumed that they know how to reprogram DMS-100 switches: don't try
this at home). The prevention sections, as noted, are big on "don't"
and short on "how not to."
Well, but the book can still be a fascinating read, can't it? Sure.
If you're the type of person who finds humour in watching someone fall
on his or her face. Over and over and over and over and over and over
and over and over and over and over again ...
copyright Robert M. Slade, 2002 BKARTDCP.RVW 20021028
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/