[Noisebridge-discuss] BOOK REVIEW: Silence on the Wire by Michal Zalewski

[Kristian Erik Hermansen]

I thought some of you would be interested in a review of Michal
Zalewski's book entitled Silence on the Wire.  What follows is a brief
write-up, along with some errata (unlisted on the "updates" web page).
 Since this book was published by No Starch Press, I figured it would
also be a great way to kick off the Noisebridge/No Starch affiliation.
 I somehow happen to be addicted to tech reading, so maybe this trend
will continue with many future reviews by Noisebridge members.

<review>
Silence on the Wire is not your typical security book detailing the
latest application exploits or generalized security trends and attack
prevention.  Zalewski deals in the minutia.  If you were to construct
a Bell Curve of security knowledge and concepts, you would need to
chop out a large portion of this graph and simply include the upper
threshold, in which Zalewski thrives on the seemingly unkown.

Zalewski takes a bottom-up approach.  He dives right into the security
of hardware design, Random Number Generation, and how this can all add
up to information leakages otherwise known as security threats.  If
you have ever typed on a keyboard, then you may be interested in
knowing what signature you are generating of yourself every time you
log into that remote SSH console.  Perhaps you might also be
interested in the fact that simple mathematical operations, such as 2
* 100, could result in timing attacks against your algorithm, whereas
100 * 2 may not.  Scary stuff.

Zalewski continues with seemingly innocuous attacks that can occur
before your IP packets ever leave the local network.  It is unnerving
to find out just how easy (and cheap) it is to reconstruct data from
those blinking lights on your network equipment, or unsanitary
Ethernet frames.  Have you ever given thought to how nice it was to
have virtual network auto-configuration on your switches?  Well, so do
your foes.

Once your packets touch other nodes all across the Internet, that's
when the real fun begins.  If you are already familiar with the OSI
Model and the TCP/IP suite, then your reading will hit a low point for
the next thirty pages or so.  However, when you emerge from this sand
trap of common knowledge, most certainly provided to assist uninformed
readers, you are met with quite worthy knowledge detailing the ability
to accurately identify remote parties, who otherwise may wish to
remain anonymous.  Your choice of Operating System and Web Browser may
help somewhat, but Zalewski shows how you can still be sniffed out
even across the sea of the Internet.

Zalewski concludes the book with a brief look at the entire Internet
as an aggregate system, and how subtleties of its inner-workings can
be exploited by those who understand them.  It never once crossed my
mind to utilize carefully constructed packets for distributed
computing tasks acting as Boolean operations, but one of the final
topics regarding parasitic storage does appear quite attainable.
Zalewski's final chapter in the book leaves us with the lesson that
sometimes all you need to do to discover the minutia, is to open your
eyes.
</review>

<errata>
* p. 127: Figure 9-6, regarding TCP options, is incorrect.
* p. 182/183: '6,4512' should read '64,512'.
* p. 198: 'user-racking' should read 'user-tracking'.
* p. 216: 'www.rogue-severs.com' should likely read 'www.rogue-servers.com'.
* p. 233: 'recover the information he when it bounces back' should
likely read 'recover the information when it bounces back'.
</errata>

Even though almost all the details in this book are previously
published in some form (security mailing lists, etc), you will learn
much from Zalewski's analysis of the implications.  I would highly
recommend the book to anyone looking for something refreshing on the
topic of security.

I have previously read No Starch titles such as The Art of
Exploitation and Hacking the XBOX (many years ago), which were both
entertaining and enlightening.  I also own, but have not entirely
read, The Art of Assembly Language.  Feel free to ask me about them
offline...
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."