Issue No. 5, September/October 2006 (vol. 4)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2006.127
To review or not to review
To the Editors:
I was delighted by your editorial ["Why We Won't Review Books by Hackers," July/August 2006]. I read that Mitnick book in its entirety. Besides being, as you point out, trivial and the work of a criminal, Mitnick's book is riddled with factual errors. I could provide you with examples of his errors and reference these to academic standards.
To the Editors:
Regarding your most recent editorial column, "Why We Won't Review Books by Hackers," I must respectfully disagree with your selection strategy and position.
Based on my career and lessons learned over time, I have found that the best way to prepare for and counter threats from the hacker community is to see how they think, what they think (or at least what they want you to think that they think), and what their respective modus operandi are.
In several situations with my students, I find that "getting into a hacker frame of mind" in looking at systems and exploits aids in understanding and locating the vulnerabilities and deficiencies in systems, and thereby correcting or mitigating them.
From a historical perspective, history has taught us that "knowing your enemy" is one of the first steps toward defeating him. General George Patton was often seen reading the works, memoirs, papers, and manuscripts from his contemporaries (and soon to be potential enemies) in the likes of German Field Marshal Erwin Rommel and others in the German High Command.
Also, look at the famous Maginot Line and its failure—the lessons still being learned from the study of that and other monolithic security structures remain valuable and illustrative to us today.
I enjoy the magazine and your reviews—please continue to provide your insights across the gamut of books and published offerings. Such a narrow focus toward restrictive and selective reviews (I feel) would deprive the security community of much needed and applicable information.
Derek E. Isaacs
Castle Rock, CO
Thanks to both writers for their careful reading of our column and their thoughtful consideration of our position.
Meinel observes that the Mitnick book is riddled with factual errors. Our assessment of the book is at a different level—whether to read it in the first place. Buying the book, or encouraging others to buy and read it, provides remuneration to Mitnick based in large measure on the reputation he gained by performing criminal acts. So the larger question is: do we want to tacitly endorse those actions by reviewing such books in our column? We think not.
But Isaacs respectfully disagrees. He argues that learning how hackers think is key to countering their attacks. As Isaacs says, "getting in the hacker frame of mind" helps identify vulnerabilities. We strongly agree, and were the book written by a researcher who had interviewed Mitnick to elicit important insights, we would happily review it.
Our point was that a review of this book (or others of its ilk) would endorse a convicted computer criminal who now wants to pass himself off as a legitimate consultant, based on notoriety for his unethical behavior. From our point of view, writing a book about hackers, hacking, vulnerabilities, or countermeasures is fine. Presenting the perspective of a researcher, student, victim, or innocent bystander is welcome. But rewarding criminal behavior crosses the line.
—Shari Lawrence Pfleeger, Chuck Pfleeger, and Martin R. Stytz