Sunday, August 07, 2005

Zombie Hacker Survival!

I have just read Jon Erickson's excellent book, Hacking: The Art of Exploitation published by No Starch Press; followed closely by Max Brooks' The Zombie Survival Guide: Complete Protection from the Living Dead published by Three Rivers Press. Coming from someone who hates reading books, these are two select reads. The first was a detailed but introductory technical reference on exploiting programs, attacking the network, and encryption; the second was a humorous but valuable guide to zombies and how to defend against them.

Hacking leads the introductory C programmer straight into the realm of security. If you can code, you'd better buy Hacking (or at Amazon) now. Hacking is an invaluable introduction into why security holes exist, and how to abuse them. To the programmer, it's a quick smack along side the head with a police baton; now that you're fully awake, you can quit screwing up and start writing more secure code. To the aspiring security expert, it's a step straight towards where you want to be; not only does it tell you what kinds of attacks are possible, but it shows you how to discover them and write your own attacks.

More than half of Hacking is dominated by its focus on exploiting ugly program code. Unlike with common titles which lay into overflows with high level explainations and example programs, Hacking takes you to the beginning and drags you on your face to the end. You start with an example program with a visible stack overflow, and an illustration of taking advantage of this. Like any other book on the topic, after a few short pages you've successfully taken root access for some unknown reason.

Before you know it, the author starts dumping output from gdb onto the page and explaining how he's sorting out the layout of the stack, finding addresses in the environment, and defeating security countermeasures by changing the file name of the program to a string of shellcode. By this time you could drop the book in your toilet and find yourself able to actually write the shellcode yourself, using a text editor and nasm. As you continue, you learn about how to hijack functions with changes to the GOT, utilize printf() to take over a program, and damage function pointers to constantly win skeletal gambling games.

Hacking includes two smaller sections. The first explains packet sniffing, spoofing, and hijacking the network for man-in-the-middle attacks with MAC spoofing and ARP cache poisoning; while the second enters into cryptology, password cracking, and breaking WEP using the flaw in the RC4 stream cipher algorithm as described by the FMS attack. In the scope of Hacking, these topics are less interesting; the author clearly covers them as helpful filler, but at a lesser degree of usefulness than the programming section. Still, for what they are, they do supply valuable introductory information for the inexperienced reader.

Hacking falls short of relating to the real world. When talking about buffer overflows for example, it doesn't reference any worms such as Sasser or Blaster, both of which utilize buffer overflows to spread. It doesn't otherwise bring up history lessons of any sort. Hacking is also not a guide to securing your system; it doesn't dive into address space layout randomization or any other systems with only probabilistic if any evadability.

Even without these, however, Hacking: The Art of Exploitation manages to clearly communicate its topic to the reader, and is a great read for anyone with programming experience. Even if you're not going to enter into the field of security, Hacking should be the first on your list as soon as you can manipulate strings and local arrays in C.

If you like Hacking, you'll like The Zombie Survival Guide. Besides giving your brain a break before moving onto Silence on the Wire (or at Amazon), it may lead you to respect good physical security, including self defense, firearms, and physical barriers. The undead may not be here tomorrow, but it doesn't hurt to be ready.

The Zombie Survival Guide is a a humorous piece, but a very deadpan one. It opens up to detail what exactly a zombie is, their characteristics, similarities and differences to the humans they once were, strengths, weaknesses, fabrications, classes of zombie attacks by size, and how to recognize a zombie attack through government and media coverups. From there it goes on to educate the reader on how to run, defend, or attack when faced with zombies. The culmination leads up to the final scenario of a Class 4 outbreak, zombification of the entire civilized world, and how to start fresh and begin taking the planet back.

The Zombie Survival Guide details weapons, defenses, and survival techniques for journies and camping. It baits the user with the most attractive weapons such as explosives and chainsaws and explains why they are poor choices, often due to mobility, fuel, or the unwieldliness for the precision needed to take down a zombie. It also details defenses impassible by zombies, such as high walls (zombies are too stupid to climb).

The Guide gives the reader the most critical information needed both to run from and to run into a zombie outbreak. Not only is long-term travel out of an infected area covered; but the procedures for an offensive sweep of many environments are explained as well. Stealth, or the blatant ignorance and even avoidance thereof, is critical depending on whether you want the undead to come to you or stay away. Vehicles can be either death traps or godsends, and knowing which to chose based on your goals and which to avoid at all costs for preference of walking is no problem for the reader.

Besides valuable military tactics, there is a detailed account of every known zombie outbreak at the end of the book. These can be quite entertaining as a history lesson, although bear in mind they're completely fabricated. Still, the accounts of heroics and tragedy in rapid passing make for an interesting and colorful read.

The Zombie Survival Guide: Complete Protection from the Living Dead is a humorous yet serious guide to protecting your well-being in the event of a small skirmish or an apocolyptic uprising of the undead. If taken with a grain of salt, it may not only amuse the reader, but also provide valuable information when adjusted for the combat considerations of more likely enemies. Remember: an intruder in your home is more likely to be alive than dead; don't count on him to beat on an unlocked door eternally because he can't figure out how to turn a doorknob, but by all means unload a carbine on him at the first sign of hostility.


Blogger Antonio Hicks said...

I was just browsing various blogs as I was doing a search on the word poster, and I just wanted to say that I really like what you've done with your blog, even though it wasn't particularly related to what I searched for. I appreciate your postings, and your blog is a good example of how a blog should be done. I've only just recently started a Posters website - feel free to visit it when you get a chance if you wish. Much success, antonio.

11:48 PM  
Blogger Anny said...

Very useful John, I can use what you've got here on Zombie Hacker Survival! as well as your other stuff for the research we're doing for survival. Cheers, Anny.

3:03 PM  
Blogger wow power leveling said...

Why was there no follow on bankruptcy then? The bailout of AIG FP went to (wow power leveling) hedge funds that bound credit swaps on Lehman failing or others betting on rating (wow power leveling) declines. AIG has drained over 100 billion from the government. Which had to go to those who bet on failures and downgrades. Many of whom (power leveling)were hedge funds. I-banks that had offsetting swaps needed the money from the AIG bailout or they would have been caught. Its an (wow powerleveling) insiders game and it takes just a little bit too much time for most people to think (wow gold) through where the AIG 100 billion bailout money went to, hedge funds and players, many of whom hire from the top ranks of DOJ, Fed, Treasury, CAOBO
wow goldwow goldwow goldwow gold CAOBO

9:49 PM  
Blogger office said...

The Tax Return Crack-Up<4>
Realizing he might have dug himself in there,Microsoft Office 2010the general emphasized that Office 2010he had spent some time as a junior Office 2007officer working "very closely Microsoft Officewith the Israeli air force" and that heMicrosoft Office 2007had found that "more cosmopolitan,Office 2007 key liberal version of the Israeli population" Office 2007 downloadto be just chock full Office 2007 Professionalof that sort of "goodwill" necessary Windows 7to give a bunch of land back Microsoft outlook 2010to the Palestinians.

4:02 AM  

Post a Comment

<< Home