Issue No. 02 - March-April (2004 vol. 2)
Martin R. Stytz, US Air Force Research Laboratory
Hacking for Understanding
Jon Erickson, Hacking: The Art of Exploitation, No Starch Press, 2003, ISBN 1-59327-007-0, 264 pages, US$39.95.
Like climbing a particularly challenging mountain, Hacking: The Art of Exploitation is not for the faint of heart or the ill prepared. Jon Erickson, a cryptologist and security specialist based in Northern California, is clearly adept in his subject matter and is able to communicate the most complex and ingenious concepts and fundamentals of hacking clearly. However, he writes at a level that assumes a considerable background on the reader's part; he also assumes an above-average degree of technical expertise in C, Linux, assembler, and Perl. Given this assumption, Erickson presents the material in a manner that is both easy to follow and a joy to read. The assumed preparation lets him proceed directly to a discussion of the subject matter without preamble or digression, which lets him concentrate on presenting a variety of hacks (and the concepts and weaknesses that underlie their operation) while also keeping the book from being unmanageably long and complex.
If readers are technically ready for the book by virtue of familiarity with the aforementioned languages, they will find that Erickson presents the material in a logical progression coupled with clear, detailed examples.
Erickson begins the book by introducing relatively simple hacking concepts and techniques before gradually, via thorough explanations and examples, expanding each hacking concept to its fullest. As the book proceeds, the concepts and interrelationships that must be understood increase in difficulty, but at no time would a technically savvy reader feel lost in the text. Any difficulty on the reader's part would come from unfamiliarity with any of the underlying concepts and their relation to the hacking concepts Erickson examines.
The first part of the book addresses programming and introduces fundamental hacking techniques and concepts, and then demonstrates how they come together to perform a hack. The second part of the book addresses networking. The final part of the book covers cryptography and wireless networking. Erickson provides more foundational material in the final part of the book than any other—for example, he includes a brief discussion about information theory, encryption, ciphers, and some of the most popular public key techniques as part of his description of encryption as it relates to hacking.
Ultimately, this book demonstrates how to create short but powerful programs by exploiting the capabilities that emerge when a variety of languages and language capabilities combine to the programmer's benefit. For many readers, Erickson's book will serve to refresh talents that might have grown rusty and provide insight into the design and assembly of hacks. Most importantly, from a security and privacy viewpoint, the book reminds us all that even the smallest of errors can open unintended but powerful doors to computer systems for people with malicious intentions. This last reason is why computer scientists and engineers who include computer security as part of their work or professional life would benefit from reading this book, as would students in an introductory course to computer security. That said, the vast majority of people might find this book to be a tough—but not impossible—read, and I highly recommend that they prepare themselves before tackling this book. Those who have the requisite technical background will find that Erickson leads them through a complex subject masterfully.