The Art of Intrusion

Berglund Authority Level 3


Review by Jeffrey Barlow <barlowj@pacificu.edu>

Mitnick, Kevin D. and William L. Simon.  The Art of Intrusion. Indianapolis In., Wiley Publishing Inc., 2005

We have previously reviewed Mitnick and Simon’s first book, The Art of Deception, Controlling the Human Element of Security. [1] That work left a rather bad aftertaste, possibly because it contained boasts of spectacular feats of lying and deception, barely concealed as cautionary tales intended to assist in preventing criminals similar to the author from slithering their way into the reader’s computer system.

This book is superior on all counts.  If the first book seemed like a tale told by a black nylon-clad teen-aged rogue in a dark internet cafe, this one comes to us in a three-piece suit and is recounted at Starbucks.  Either Mr. Mitnick has grown considerably since 2002, or Mr. Simon has found an appropriate voice for him.

The previous work, as the title suggests, was more about the human side of computer intrusion---the many clever ruses employed to gain the confidence of employees so as to garner passwords, etc.  This work, while referring occasionally to similar approaches, rather concentrates on case studies in which the intrusion was accomplished by electronic means. At times the language is formidably technical.

The examples are supposedly as-told-to stories, often by reformed hackers who, like Mr. Mitnick himself, spent time in prison and now work in the industry in “white hat” roles.  Several of the stories are about legitimate intrusions in that corporations hired the perpetrators to test firewalls and other security measures.

The stories are interesting ones, and the insights into hacker practices revelatory---one cannot but shudder at reading of one hacker’s dogged attempts at penetrating a highly-protected site for more than two years before succeeding.  But the real value of the book for those in the industry, clearly a target audience for this work, lies in the summative materials at the end of each of the chapters which gives genuinely useful advice as to how to prevent similar intrusions.

The book has another interesting slant in that the events of 9/11 have clearly raised the stakes for all participants.  There are repeated glimpses into a shadowy nether world where naïve hackers and dangerous terrorists---or are they FBI agents? or informants?  Or all three?---sometimes meet.

Mitnick and Simon have produced an interesting work of potential value to a broad audience.  If I worked in computer security, I would see that my firm’s CEO found a copy of this work under his holiday tree.  Its many examples show that computer security is an increasingly difficult effort requiring more and more resources.

For educators at all levels, there is another lesson:  Almost in passing Mr. Mitnick several times refers to the lack of ethical barriers to hacking---most teen-agers think of hacking as closer to sport than to criminality. As one of the subjects said while being interviewed:

Maybe we’re brought up not to lie to people, but we’re not taught computer ethics. I would agree that there’s less compunction when fooling a machine than deceiving your fellow man. (p. 135)

Just as corporations need to institute appropriate defenses, so perhaps do schools, beginning at the lowest levels, need to begin to discuss values and ethics appropriate to the 21st century.

[1] Mitnick, Kevin D. and William L. Simon, The Art of Deception, Controlling the Human Element of Security.  Indianapolis, Indiana: Wiley Publishing, 2002. See the review at: http://bcis.pacificu.edu/journal/2003/05/mitnick.php