BKSLNOWR.RVW 20050603 "Silence on the Wire", Michal Zalewski, 2005, 1-59327-046-1, U$39.95/C$53.95 %A Michal Zalewski lcamtuf@coredump.cx lcamtuf.coredump.cx/silence/ %C 555 De Haro Street, Suite 250, San Francisco, CA 94107 %D 2005 %G 1-59327-046-1 %I No Starch Press %O U$39.95/C$53.95 415-863-9900 fax 415-863-9950 info@nostarch.com %O http://www.amazon.com/exec/obidos/ASIN/1593270461/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1593270461/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1593270461/robsladesin03-20 %O Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 281 p. %T "Silence on the Wire" I don't know why, exactly, the phrase "self-taught information security researcher" (in "About the Author") should give me such a sense of foreboding. (The phrase could apply to me, and to many colleagues, although we tend not to use it.) And even before I read it, a number of people had warned me I wouldn't like it. Well, I did like it, once I figured out what it was. I think a lot of people don't understand it. It is not a security text, by any means, but rather a series of explorations that take our "professional paranoid" mentality and examine some issues we seldom consider. The subtitle states that the book is about passive and "indirect" attacks. Although passive attacks are well defined, indirect does not have a formal distinction, and the introduction does not help in explaining what the author intends. Part one covers activities that occur at the origin of data and processing. Chapter one is titularly about typing, but spends a lot of time dealing with the problems of pseudo-random number generation, and seed data acquisition, and finally outlines an unlikely and very complex attack, heavily dependent upon specific functions and data availability, and seemingly directed at finding out if someone is typing at the computer. (The attack is also active, not passive.) A discussion of digital electronics, boolean algebra, and processor architecture, in chapter two, eventually leads to a brief discussion of the timing and power attacks that are well known in cryptology circles. (There are also odd and careless errors: readers are asked to contrast figure 2-4 with figure 2-4. There is a difference, it just isn't explained.) Chapter three reviews a few random and unrelated vulnerabilities. It is very difficult to determine what the point of chapter four might be, but it seems to be a screed against the use of Web crawling bots. Part two appears to address local communications links. Chapter five provides a brief review of data communications 101, and then notes the "flickering modem LED" vulnerability. The ethernet frame padding problem is described in chapter six, while chapter seven lists some other networking difficulties, and eight briefly mentions miscellaneous topics such as identification by keystroke analysis and war driving. (It should be noted that chapter length varies widely: chapters one, two, and five average twenty-five pages each, while the rest are closer to five.) Part three moves out to the Internet. Chapter nine reviews most of the TCP/IP protocol, and then discusses how the ways that different systems populate fields of the IP header can be used to identify operating systems without a direct connection. The discussion in chapter ten starts with passive mapping of an inaccessible network, but the attack described seems to be intended for sequence number guessing (and session hijacking). Chapter eleven addresses weaknesses in various types of firewalls. Dissection of an odd packet is in chapter twelve, a method of third party scanning in thirteen, some possible metrics for identifying software in fourteen, and some ways of recognizing attacker machines in chapter fifteen. Part four supposedly attempts to relate these disparate elements, apparently without much success. Chapter sixteen describes a storage method using packets bouncing around the net, seventeen looks at different methods of mapping the net and some possible uses, and eighteen considers the discovery of worms and other malware via the capturing of unusual packets. The material in the book is fascinating in places. However, the work is not structured in a way that makes the security implications obvious (the writing is not very direct, and the narrative or topical thread tends to wind around subjects), and, in fact, the security implications aren't very powerful at all. Yes, in the end, the author has written mostly about passive and indirect attacks, but the methods covered are unusual, and probably not very useful. Most of the material concentrates on rather weak covert channels. In this regard it can have some uses in a minor way: covert channel examples are not abundant in the general security literature. The attacks suggested are interesting thought experiments, but have limited uses either in attack or defence. As "Trivial Pursuit" (meaning the game of oddball facts) for the tech crowd it's great, but the author never intended the text to be a vulnerability warning. copyright Robert M. Slade, 2005 BKSLNOWR.RVW 20050603