Interesting look into social hacking, but I think I was overly familiar with the subject matter and got bored.

This one had been sitting on my shelf for a loooong time.

As a nerdy kid growing up I was fascinated by computers and the then-emerging Internet. Dial-up to AOL and local BBSes had me feeling pretty fly. I remember stumbling onto the "Anarchist Cookbook", and finding a few issues of the hacker magazine 2600 at a Barnes and Noble. The checkout lady gave me a concerned frown and told me to be careful. Haha, joke was on her! I had no idea what I was reading.

Except for the parts about Kevin Mitnick, the world's greatest hacker. There was apparently some big "Free Kevin!" movement for this guy who hacked and stole information from big companies and was thrown into a dark jail cell with no communication with the rest of the world because they were afraid of what he was capable of. Except he never hurt anyone or truly damaged or broke anything, he just got caught having fun digitally trespassing.

The day came when he was finally released from prison, and I remember gleefully watching him on ZNet TV on an episode of The Screen Savers, being allowed to access the Internet for the first time. This was the ultimate "We did it, Reddit!" about 10 years before Reddit even existed.

When I recently had to take an online training class at work about social engineers trying to trick you into giving up valuable proprietary information, there were cute little video segments featuring my old friend Kevin. Holy crap! That guy! My old hero! I changed my AIM status to support you! Oh wait, I bought your first book when it came out and I never read it! Let's do this!

I regret that I did not read it then. While a lot of the information it provides is still quite valuable and true, it's almost commonplace in any workplace setting these days. That's not to say social engineers have given up and hung up their hats, it's likely more prevalent than ever, but this is the Social Engineering 101 book for people taking the on-ramp to the Information Superhighway for the very first time in the early 2000s.

It features advice in there like don't keep your passwords written down next to locked computers (there are a few X-Files episodes where Mulder and Scully can be thankful the monsters they were investigating didn't read this book), make those passwords a little more secure by being longer than 8 characters, don't let someone convince you to attach a dial-up modem to your computer or network, and don't set your modem to auto-answer lest a bored Matthew Broderick find it.

The main point behind this book is still very true today: It doesn't matter how sophisticated your technologically amazing security systems are, gullible super-friendly happy-to-help human beings are always your weakest link. I'm convinced that if the Chinese have any engineering blueprints of our latest warfighters, they probably got it from having a young-looking spy with a goofy grin pretend to need help writing a book report. But it's less embarrassing to blame faceless hackers.

The best parts of the book were the little story vignettes that demonstrated how a person can make a few seemingly innocent phone calls asking for tidbits of information that lead to the mother lode. The first call could be a person pretending to be a customer needing some advice. The next phone call could be to the receptionist, using that little bit of gained knowledge to sound like an employee at another location. That receptionist will provide information that a manager could use, and suddenly Gary in accounting needs to send over the latest financial projections STAT. Fax would work best, e-mail has been acting weird.

I especially enjoyed the story about how young Kevin and a friend of his in high school went to a tech convention and managed to thwart a super-secure system in development. Not through hacking so much as waiting for the employees to all leave the system unattended during lunch, sweet-talking a promoter, using sleight of hand and lock-picking a cabinet, and switching around some network cables. Kind of silly to build the vault door out of titanium if the surrounding walls are made from cardboard.

The last chunk of the book is just lists and simple paragraphs of kind of boring now-cliche advice that those working in security should know by heart. It becomes an undergrad textbook, basically.

I say all of this but find myself wanting to read the other books Kevin's since published, as I'm sure he's got a wealth of ideas and knowledge about what social engineers might be up to today. And it's when you don't think you can be fooled that you are most likely to be.

Good stories about people's use of social engineering to show the importance of defending against it.

Being a cyber security expert, I thought this book was pretty good, especially compared to Mitnick's other books. The stories do get repetitive the further into the book you get, but there are slight differences in each one; I think this could have been improved by using fewer stories and asking the readers to refer back to earlier stories when considering the subject of future chapters. I didn't find it to be talking down to the reader and found much of the advice given to be reasonable improvements in security that oftentimes in reality are not included. How often do you just trust caller ID or someone who knows industry or company secrets, after all?


The core content is interesting, but the structure is almost designed to bore. I think it's all the time the authors spend pretending that this book is not a "how-to" for would be social engineers. The stories about various attacks are informative, but then each is followed by pages of rather infantilizing explanations of how the con worked/could have been prevented. Then the last two chapters basically just repeat that information all over again - at length. Of course, the parts about preventing social engineers were important, but they were also incredibly repetitive. If the authors had cut down the redundant content, I think this book would have been about a hundred pages shorter.

I came across this book (it's on eMule, of course) and devoured it in two days. There is a sequel, The Art of Intrusion, which seems to be even better.

Kevin Mitnick became rather famous, to his misfortune, when he was sentenced to a few years in prison for various offences against the electronic security of several American companies and government agencies (nothing serious according to him, a computing holocaust according to the prosecutor). Wikipedia (Kevin Mitnick) gives an overview of his story. The point is that he is convinced he was made a scapegoat, both by journalists and by the judicial system.

This book is not a biography but a survey of the methods of what has come to be called "social engineering", or the art of coaxing important information out of the people who hold it without alarming them. The book consists of a great many (supposedly true) cases in which someone outside a company or organization ends up obtaining a large amount of information. Kevin Mitnick [KM] talks about private detectives, high-school students with a lot of free time and even a new figure, on the edge of legality, called "information brokers", all of them specialists in finding information that supposedly should not be disclosed to the public.

The cases are genuinely entertaining to read. Many times one thinks "no, that couldn't happen to me", but that is exactly what KM says everyone thinks. And yet it happens constantly, according to him. At the end of each case he relates, he explains how certain policies on the disclosure of information within the company, properly put in place, could prevent the great majority, if not all, of the information leaks caused by social engineering attacks.

The last chapter is somewhat duller and is devoted entirely to summarizing, in a structured way, all the steps that any organization, whether private or governmental, should take to establish clear and unassailable policies that minimize the flow of important information to the outside.

The book is very entertaining and a quick read. It leaves you (at least it left me) wanting to keep reading about the subject, so I quickly "located" the next book by the same author, which I am already devouring. My rating: Very interesting.


This book was pretty interesting. A good read about how easy it can be to get what you want out of life. It's a little unnerving to see just how easily trust can be manipulated. Not really a manual for how to fool someone, more of a how not to get fooled.

This book has very interesting and useful information about social engineering, though it ultimately becomes repetitive. The stories of cons are interesting for about 100 pages; by page 250, Mitnick is basically rehashing the same story over and over. I had a hard time getting to the last section, which has some solid security advice but, again, is information that has already been discussed. Basically, it could have been a great 150-page book but is instead an okay 350-page one.

"The truth is that there is no technology in the world that can prevent a social engineering attack" (p245)

Mitnick describes many examples of social engineering, often con artists who work remotely (via phone or internet). In this way, he shows where the vulnerabilities are that get exploited: basic human trust, or an elaborate operation in which several victims each do one innocuous-looking part of a chain that leads to a large breach.

The anecdotes and examples are insightful and entertaining. Sometimes a bit (technologically) dated, as the book was written in 2002. However, with more and more technical possibilities and impact, the flaws in human nature that can be taken advantage of only increase in importance.

Mitnick strongly advocates continuously training staff to be vigilant and avoid the traps that (online) con men can set. "People must be trained that it's not only acceptable but expected to challenge authority when security is at stake." (p112). He also echoes Bruce Schneier's quote: "Security is not a product, it is a process" (p4). But he is also aware of the challenge of finding a good balance between security and productivity.

Something I did not know: there exists such a thing as a lock pick gun, making it easier to pick a (physical) lock (p226).

H bought this as fuel for her course. I picked it up N times and read a few pages at random. I think I've got the picture.

Mitnick is of course a celebrity of a kind. This book is a stream of anecdotes about deception which presumably he has, in some way, exercised. There's a definite satisfaction in learning how some of this is done, especially when a psycho-magician is also a tech-wizard, so if you like that sort of thing ...

He has a ghost writer alongside, so I deduce English prose is not his strong suit. He also gives succinct advice on how not to fall for these spoofs, but we might summarise it as "Don't be a dickhead". Eventually I had had enough of it, though.