Showing posts with the label reviews

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP). Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery. MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work. So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some...

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.") I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers. The five books, with links to the Amazon.com reviews, are: Python for Kids; The Unofficial LEGO Technic Builder's Guide; The Unofficial LEGO Builder's Guide; The LEGO Adventure Book, Vol. 1: Cars, Castles, Dinosaurs & More!; Wonderful Life with the Elements: The Periodic Table Personified. I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python boo...

Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure! From the five star review: I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following: "I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder. How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre. On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script? I enjoyed watching the Magic Star Web change colors. Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming." I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Sho...

Review of SSH Mastery Posted

Amazon.com just published my five star review of SSH Mastery by Michael W. Lucas. From the review: This is not an unbiased review. Michael W. Lucas cites my praise for two of his previous books, and mentions one of my books in his text. I've also stated many times that MWL is my favorite technical author. With that in mind, I am pleased to say that SSH Mastery is another must-have, must-read for anyone working in IT. I imagine that most of us use OpenSSH and/or PuTTY every day, but I am sure each of us will learn something about these tools and the SSH protocol after reading SSH Mastery.

Review of America the Vulnerable Posted

Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below. I've added bold in some places to emphasize certain areas. America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace. In this review I'd like to highlight some of Mr Brenner's insights and commentary. On pp 65-7 he discusses "China's Long...

Review of Robust Control System Networks Posted

Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner. From the review: I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner thinks about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.

Book Reviews vs Impressions

I've been reading and reviewing technical books at Amazon.com since 1999, and trying to meet reading goals since 2000. Most of you know that I only review books that I read, unlike some of the people who post "reviews" at Amazon.com. I personally don't care to read "reviews" by people who don't read the books. What's the point? However, I believe there is room for commentary on books, where I explicitly state that my reactions are based mainly on impressions and not thorough reading. After looking at my personal reading list several months ago, I decided to not read some books thoroughly enough to merit a full review. One of the techniques I adopted was to take a book on a cross-country trip (IAD to LAX, for example) and read as much as I could, or as much as interested me, during those 4 to 6 hours. During that time I would record notes, just as I do when writing book reviews. Unless I complete the book, I will not turn those notes ...

Review of Metasploit: The Penetration Tester's Guide Posted

Amazon.com just posted my four star review of Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni. From the review: Metasploit: The Penetration Tester's Guide (MTPTG) is a great book about the Metasploit Framework. I first tried MSF in April 2004 (noted in one of my blog posts) and have since used it to test detection mechanisms, as well as simulate activity by certain threat groups. I've read MSF coverage in a few other books, but MTPTG really outdoes the competition. While I see areas for improvement to be addressed in a second edition, if you have any interest in Metasploit you should check out this book.

Review of Hacking: The Art of Exploitation, 2nd Ed Posted

Amazon.com just posted my five star review of Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson. From the review: This is the last in a recent collection of reviews on "hacking" books. Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.

Review of Gray Hat Hacking, 3rd Ed Posted

Amazon.com just posted my three star review of Gray Hat Hacking, 3rd Ed by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams. From the review: Critical reviews are my least favorite aspect of my Amazon experience, but I believe readers expect me to be honest with them. Gray Hat Hacking, 3rd Ed (GHH3E) has a lot of potential, but it needs a reboot and a ruthless editor. I read and reviewed the original edition 6 1/2 years ago but skipped the 2nd Ed. This 3rd Ed (published in Jan 2011) features several exceptionally talented authors (such as Allen Harper and Chris Eagle), so my expectations remained high. Unfortunately, after finishing the book I had collected a pile of notes that I will try to transform into constructive commentary for a 4th Ed, which I would enjoy seeing!

Review of Ninja Hacking Posted

Amazon.com just posted my four star review of Ninja Hacking by Thomas Wilhelm and Jason Andress. From the review: Ninja Hacking is not a typical digital security book. When I saw the title I expected the use of "Ninja" to be a reference to a style of digital attack. While this is true to a certain extent, Ninja Hacking is about actual Ninja concepts applied to the digital world. The book is an introduction to Ninja history and techniques, applied to the modern digital security context. That was not at all what I expected, but I found the result intriguing.

Review of Managed Code Rootkits Posted

Amazon.com just posted my five star review of Managed Code Rootkits by Erez Metula. From the review: Managed Code Rootkits (MCR) is one of the best books I've read in 2011. MCR is a one-man tour-de-force through the world of malicious software that leverages managed code for its runtime. Prior to reading the book I was only vaguely aware of the concept and implementation. After reading MCR, I am wondering when we might see more of this technique in the wild. Author Erez Metula does almost everything right in MCR, and I strongly recommend reading it.

Review of Buffer Overflow Attacks Posted

Amazon.com just posted my two star review of Buffer Overflow Attacks, by James C. Foster, et al. From the review: I read "Buffer Overflow Attacks" as part of a collection of books on writing exploit code (reviewed separately). I have to give credit to the author team for writing one of the first books on this subject; Syngress published BOA in 2005, when the subject received less published coverage. However, better books are available now if you want to learn the sort of material found in BOA.

Early Review of Ghost in the Wires

Kevin Mitnick was kind enough to send me a galley copy of his upcoming autobiography Ghost in the Wires. Amazon.com won't let me post a review yet, so I'll write what I would have supplied to the site. In 2002 I reviewed Kevin Mitnick's first book, The Art of Deception. In 2005 I reviewed his second book, The Art of Intrusion. I gave both books four stars. Mitnick's newest book, however, with long-time co-author Bill Simon, is a cut above their previous collaborations and earns five stars. As far as I can tell (and I am no Mitnick expert, despite reading almost all previous texts mentioning him), this is the real deal. Mitnick addresses just about everything you might want to know about. For me, the factor that made the book very unique was the authors' attention to detail. This sounds like it might have been a point of contention between the co-authors, but I found the methodical explanation of the social engineering and technical attacks to be rele...

Review of Windows Internals, 5th Ed Posted

Amazon.com just posted my five star review of Windows Internals, 5th Ed by Mark Russinovich and David Solomon, with Alex Ionescu. Microsoft Press provided a free review copy. From the review: Windows Internals, 5th Ed (WI5E) by Mark Russinovich and David Solomon, with Alex Ionescu, is a remarkable technical achievement. I read the book to better understand Windows to improve my security knowledge. I am not a Windows programmer, but I thought WI5E would provide context for some of the exploit and vulnerability information I occasionally encounter. I absorbed as much of WI5E as I could, but quickly found the scope and depth of the material to be incredible. While there is no substitute for reading source code, the explanations in WI5E come close! So many aspects of Windows are described, to such a deep level, that you might find yourself wanting to use Windows just to see WI5E's descriptions at work.

Review of Windows System Programming, 4th Ed Posted

Amazon.com just posted my five star review of Windows System Programming, 4th Ed by Johnson M. Hart. Addison-Wesley provided a free review copy. From the review: I read Windows System Programming, 4th Ed (WSP4E) by Johnson M. Hart after finishing Windows via C/C++, 5th Ed (WVCP5E) by Richter and Nasarre. While I liked WVCP5E, I found WSP4E to be the better book for the sort of understanding I was trying to achieve. I'm not a professional Windows programmer, but I wanted to learn more about how Windows works. Hart's book did the trick, especially for a person like me with more of a Unix background. If you want to better know how to program on Windows, and specifically recognize differences among using the C libraries, the Windows API, and Windows "convenience functions," WSP4E is the book for you too.

Review of Windows via C/C++, 5th Ed Posted

Amazon.com just posted my four star review of Windows via C/C++, 5th Ed by Jeffrey M. Richter and Christophe Nasarre. Microsoft Press provided a free review copy. From the review: I will admit right away that I am probably not the target audience for this book, because I am not a professional Windows programmer. However, I am very interested in learning how Windows works, and Windows via C/C++, 5th Ed (WVCP5E) is one of the books that will help develop that expertise. Had I not also read Windows System Programming, 4th Ed (WSP4E) by Hart, I would have given WVCP5E 5 stars. Both are strong books, but WSP4E received 5 stars in a separate review. Still, I very strongly believe that WVCP5E by Richter and Nasarre is a must-read for anyone who wants to know more about Windows applications.

Review of Beginning Visual C++ 2010 Posted

Amazon.com just posted my five star review of Beginning Visual C++ 2010 by Ivor Horton. Wrox provided a free review copy. From the review: I read Ivor Horton's Beginning Visual C++ 2010 (BVCP2) to gain some familiarity with the C++ programming language. Prior to this book I read Mr Horton's Beginning C book. Between the two books, I hoped to learn enough about C and C++ to prepare me to read a third book titled Windows via C/C++, 5th Ed by Richter and Nasarre. As a security professional, being able to grasp the essence of C and C++ as they are used in Windows helps me understand security advisories and related discussion of vulnerabilities in exploits. BVCP2 is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C++ for Windows programmer. I highly recommend it to both sorts of readers.

Review of Beginning C Posted

Amazon.com just posted my five star review of Beginning C by Ivor Horton. Apress provided a free review copy. From the review: I read Ivor Horton's Beginning C to gain some familiarity with the C programming language. As a security professional, being able to grasp the essence of C helps me understand security advisories and related discussion of vulnerabilities in exploits. Beginning C is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C programmer. I highly recommend it to both sorts of readers.

Review of Programming Amazon EC2 Posted

Amazon.com just posted my four star review of Programming Amazon EC2 by Jurg van Vliet and Flavia Paganelli. O'Reilly provided a free review copy. From the review: Because this is a short book, I'll write a short review. Programming Amazon EC2 (PAE) explains how to use certain elements of Amazon Web Services to deploy applications in Amazon's cloud infrastructure. The discussion centers on the authors' experiences deploying live, production Web sites (like Kulitzer) using AWS. I found this approach refreshing and novel, because it reads like a playbook for recreating similar infrastructure for the reader's own purposes.