Showing posts with label books. Show all posts
Showing posts with label books. Show all posts

07 May 2020

Linux Firewalls by Michael Rash

Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort is a quite interesting book about iptables features to be configured as an UTM device through its integration with Snort specific iptables plugins for log correlation, traffic access control.
This book has many real examples and detailed configurations. I could not test those configurations in a lab so I cannot see them running, but expect this tool and its way to be configured evolve with time.

In my humble opinion, tools detailed in this book are useful for home usage and SOHO environments only able to afford free open source tools. For more exigent corporate environments, I feel this solutions loosely integrated, with a difficult maintenance if your network is big and heterogeneous  and besides nowadays there are many commercial tools with a reduced price for almost every firm.

I felt more interesting explanations given by author for many networks attacks. Those explanations are very detailed but easily understandable. Nevertheless, most part of those attacks are known at the public domain for long time, so hardened security engineers won't learn anything new here.

Summarizing: This book is correct but only really useful for those who are making their first steps in security engineering world.  

20 April 2020

"Bitcoin for the befuddled" by Conrad Barsky and Chris Wilmer

Bitcoin is one of the hottest topics today. It has gone further than a technological oddity to an evolutionary lap for finances and a matter of discussion for politicians. But understanding Bitcoin is hard. Its concepts are new and its foundations are mathematical and technological so average people have an hard time trying to understand what Bitcoin is based on.

The main good point of this book is that it tries to follow the way described by its title. You are not supposed to have any technical background to read this book, as it explain things for average people using usual day concepts and examples. Even using comics and funny drawings author are able to make easy really complex concepts that other books try to explain overwhelming you with math formula.

Sure, your are not going to develop a bitcoin based app or become the next digital billionaire just reading this book, but at least you'll lose your fears and start to understand what all this fuss is about and how it can change your life in the future. It is a light reading that you can end in just a weekend.

So, this book is quite recommended for everybody who wants to learn quickly the very basics of Bitcoin, both just to understand media news about cryptocurrencies and as a first step of further learning about this topic.

15 April 2020

Programming in Python 3 by Mark Summerfield

Python is an extremely powerful but easy to learn programming language. If you have prior knowledge of any programming language you can learn Python in just few hours and you can be a proficient developers in just some days.

However this simplicity can be dangerous too if you stay at the basics and don´t go further into this wonderful language. It's easy to keep using it just as an script language and think that that is all with Python. But actually Python is complete development language that you can use with almost anything you would need with an ease and expressiveness not easy to find in any other language.

This books focus in Python 3, the new generation of this language that now is its standard. Such an an evolution lap was not able to offer full backwards compatibility with former Python 2.7 branch. But actually this books gives a good guidance to promote your Python code to 3 branch. Book's content is extremely complete covering from basics (flow control, strings, files) to advanced topics (decorator, context manager, functors, abstract classes and metaclasses and a huge etc). Those topics will prove to be very useful to help you to translate easily mental concepts to code. All those concepts are explained with clean code, well commented and easy to understand.

As a summary, this is a good book both for newbies who want to start from the begining and for those with good expertise that want to get full advantage from Python. Besides, once finished this book is a good language reference to keep at hand on your bookshelf.

08 April 2020

Practical Lock Picking by Deviant Ollam

Security engineering ranges many fields. One of those fields is physical security. Historically one of the main pillars of physical security are locks, like you can find at doors, safes, drawers or treasure chests. Knowing how they work and how they can be subverted to make them open should be part of any security engineer expertise. Too often, the access card to the super-critical-Data-Processing-Center is kept inside a mere office drawer with a simple waffer lock.

Practical Lock Picking is written by a professional lock-picker in a clean and simple manner. Currently it focuses in to lock kinds: pine and waffer. Actually that covers 90% of doors and drawers nowadays. Author starts by describing both locks manufacturing process to enumerate their usual manufacturing defects, defects that can be used make them open. Afterwards, book describes usual methods and tools to make those locks open. Everything is plenty of diagrams to explain visually every step.

Although, author is a professional he is aware that his potentials readers are newcomers to this topic, so explanations are very detailed and he makes a real effort to put himself in a newbie feet. So he offers advice about how to start a collection of training locks and lock-picking locks, at a low initial cost and following a progressive difficulty when trying new locks.

Overall, this book is good and I find it a must have for any security engineer bookshelf.

06 April 2020

Security Engineering by Ross Anderson

Security Engineering by Ross Anderson is likely the best security book I've read so far.

Whereas other books explain from a technical point of view exclusively, Anderson focus on concepts establishing the mental framework to guide a security engineer along his professional career. So he does not refer to any specific firewall brand, programming language or operating system, but to design successes and failures along Information Technologies and Communications history. This is so enriching because dominant vendors marketing try to convince you that you only need to invest vast amounts of money to buy latest tech to get your information assets secure. However for Anderson technology is just a tool to perform a proper assess and design, from a mental framework based on comprehensive concepts independent from the latest tech state of art.

Along this book, these concepts are assessed, applying them to every information security field comparing them with historical events. So, many topics are covered. Topics so interesting and different like psychology, ergonomics, cryptography, access control policies to information assets, economics impact on security, integrity controls, security in shared data environments, intellectual property, terrorism and a quite long etc... 

The author's long expertise gives many examples to book from banking, defense industry and intelligence sector (of course, those sectors have been the great developers of current information security state of art). In those examples you get detailed descriptions ranging from IFF systems (Identify-Friend-or-Foe) to command and control military organizations; from the evolution of nuclear missiles protocols to improvements of electronics to spy electromagnetic emissions.

Besides, this books is going to stay relevant on your shelf for long as happens with general topics covered in it. This book is not one of those that end in your basket after some years.

All that makes Security Engineering a critical book for any security engineer and a good investment worth every penny you use to buy it.

28 March 2016

The Hacker's Playbook

When reading technical books I mainly find three kind of books: those that don't teach anything new, those that are gold mine of knowledge and those that only scratchs the surfaces of topics but give you interesting links to investigate further on. I think that "The Hacker's Playbook: Practical Guide to Penetration Testing" by Peter Kim is placed in the third category: just reading it you won't be a master pentester but if you really investigate the links and resources the author points you'll definitely get the mastery.

The book deals with many topics but not profoundly: scanning (network and web), exploiting, privilege elevation, networks attacks (wired and wireless), social engineering, AV-evasion, password cracking, etc. I think that as an introductory text is right and it's well focused because it explains things using tools "open source" or freely available, but where this books excels is pointing at public resources to go deeper in your learning. There are a wealth of links along the book all all of them points to really interesting web resources with tools, courses, tutorials and, and this is very important, places to train your skills without end with SWAP knocking your door.

Text is well written and explanations are concise and easy to understand. Content is cleverly structured and covers almost every field in penetration testing.

Taking in count it's not an expensive book I've found worth buying and reading it and I recommend it for introductory levels or for mediums levels who want a quick state-of-the-art review.

12 January 2016

Functional Python Programming

I always wanted to know what was about that thing called functional programming, but I didn't want top learn a new language to understand functional programming, not now at least. So when a found a book dealing the topic (Functional Python Programming by Steven Lott) from a Python focus I read it.

After reading it I feel that I've been following a lot of functional programming principles without even realizing it: short functions, don't alter outer states from inside a function, use iterators (lazy-evaluation) wherever possible, etc. That doesn't mean I didn't learn anything, for instance I really enjoyed the examples about features in itertools library which I hadn't used so far.

It includes some advices I'm not going to follow, like the one about chaining functions. The book really like function chaining (you know, inserting a function call as a parameter for another function) but doing that you end with really long line codes that I feel entirely un-pythonic. Besides, they really like recursion but I fell unconfortable with that concept and to be honest I didn't understand the books example about tail optimizations.

Nevertheless the book is extensive, systematic and includes a lot of example so I think it's worth reading it to get some concepts to improve your overall coding skills.

12 July 2015

Effective Python

When you learn a language there is a point where beginners books don't give you anything useful any longer, where you can develop almost anything you want with what you know so far but that level of knowledge is not enough, you want to master the language and improve your skills a little more everyday.

"Effective Python" is the kind of book to read when you get that point. It's not a book for beginners but a book for developers who want to be really pythonic.

Written by a Google engineer, it covers several developments areas like functions, classes, metaclasses, concurrency, collaboration, production, etc, through many recipes and examples. You can read this book sequentially or not. It has many similarities with books like "Python Cookbook". Some topics will be known for you, some others will be new and interesting. In the end you'll use this book as a reference when you come across situations like the depicted ones in the book.

I'm my humble opinion the money to get this book is well invested. I got examples and tricks about topics and possibilities really useful for my developments and many months after reading it I keep coming back to this book for references.

14 March 2015

Clean Code

Along your life there are not many books that really change your way of thinking or doing things. In my case I can count with my fingers of one hand the books like those that I've met: Kurose & Ross's "Computer Networking: a Top-Down Approach", Ross J.Anderson's "Security Engineering: A Guide to Building Dependable Distributed Systems", and the book this article is talking about Robert C. Martin's "Clean Code: a Handbook of Agile Software Craftsmanship".

I met this book in one of the PyConEs-2013 conferences. In that conference they talked about how to write code sustainable along time. The topic was very interesting to me because I was worried about a phenomenon every programmer know sooner or later: even in Python, when your code grows it gets harder to be maintenable. I had programmed applications that some months later where hard to understand when I had to make a revision over them. Many years before that I had switched to Python to avoid that same problem in Java and Perl, but then it was there again. In the conference they promised that principles explained in that book helped to prevent the problem. So I read the book and I have to admit that they were right.

Reading this book is shocking. There are so many practices that we think that are right that actually are terribly wrong that you first read some passages with a mixture of surprise and incredulity. Things like saying that code comments are a recognition of your failure to make your code readable sounds strange in the first read but afterwards you really get that author is really right.

Book examples are not in Python but in Java, nevertheless I think that no Python programmer would have any problem to grasp concepts explained there. Few of the concepts are too Java-ish but many others are useful to Python developers. Some of the main concepts are:

  • Your function names should explain clearly what the function do. No abbreviations allowed in function names.
  • Function should do one thing and one thing only. A function should have only one purpose. Of course, a function can have many steps but all of them should be focused to get function's goal, and every step should be actually implemented in it's own function. That lead to functions easier to test.
  • Functions should be short: 2 lines is great, 5 lines is good, 10 lines average, 15 poor.
  • Code comments should be restricted only to explain design decisions instead of what code does.
  • Don't mix levels of abstraction in the same function, meaning that you should not call directly python API while other steps of your function call to your own custom functions. Instead of that wrap your call to API inside another custom function.
  • Order your implementations so you can read your code from top to down.
  • Reduce as far as possible the number of arguments you pass into functions. Functions with 1 argument are good, 2  are average and 3 is likely poor.
  • Don't Repeat Yourself (well, at least this concept was known to me before reading this book).
  • Classes should be small.
  • Classes should have only one reason to change (Single Responsibility Principle). IMHO I think this principle is a logic extension of "single purpose" for functions.
  • Class attributes should be ideally used for all class methods.If you find attributes just used by an small subset of methods you should ask yourself if those attributes and methods could go in a separate class.
  • Classes should be open for extension but close to modifications. That means that we incorporate new features by subclassing existing classes not modifying them. That way we reduce the risk of breaking things when we include new features.
  • TDD or condemn yourself to hell of include further modifications in your code fearing you are going to break the whole thing.
There are many more concepts, all fully explained with examples, but those are the ones I keep in my head when a write code.

To test if principles of this book were right, I developed an application called Geolocate following these concepts and TDD ones. In the beginning it was hard to change my behaviour about writing code but as my code was getting bigger I realized it was easier than in my previous projects to find errors and fix them. Besides, when my application got a respectable size I let it rest for five months to see how easy was to retake development after so much time without reading the code. I was amazed. Although with my previous projects I would have needed some days to understand a code so big, this time I had fully recovered control of how my code worked in just an hour.

My conclusion is that this book is a "must read" that will let you improve dramatically your code quality and your peace of mind to maintain that same code afterwards.

23 February 2014

Violent Python

Python is widely used in many fields including maths, physics, engineering, scripting, web programming and, of course, security. Its power to be a glue between many tools and programming languages make it the perfect option for pentesting.

"Violent Python" scratches the surface of python in the world security tools programming world. It's a correct book, actually a correct cookbook. Correct because although the example programs are short and simple they show python in action in many security fields: geolocation, obfuscation, exploit development, network analysis and forgery, web scrapping and a long etcetera.

Problem is that the book is just correct because example program are not very pythonic. Although code is simple and clear, python offers smarter ways to do that things. Besides example programs are unambitious and don't go further of mere curiosities. In my opinion, examples could have been more spectacular and many more fields in security could have been covered.

I don't regret having bought "Violent Python", but maybe I'm a bit dissapointed because book is geared to people in a more initial point than me in the learning journey into security engineering. For that people this book is a fun and a direct approach to security tools development.

18 October 2011

Silence on the wire

The problem with many security books is that they simply list a series of attacks against vulnerabilities in systems services. What happens to these books is that they lose validity as patches appear for vulnerabilities  explained, so that when book reach printers actually is outdated. 

But there are others who choose to be more conceptual and describe the risks caused by the designs rather than implementations. These books are much more didactic and useful to delve into the nature of the protocols and systems. Besides, its effect is much longer because the problems of an standard remains until the advent of the following standard (think for example in system security issues WEP). Silence on the wire belongs to this second set of books.

In it, author Michal Zalewski made a study of passive recognition techniques and indirect attacks on a fairly eclectic way, covering topics ranging from the deduction of passwords based on the timing of keystrokes, the parasitic use of processing power of entire networks of computers without permission from their owners, and other interesting topics like the use of the same network infrastructure as a means of hidden and anonymous mass storage, among others. Some of the chapters are strongly speculative and at first glance may seem hardly feasible but the truth is that they are all vectors of attack rarely  noticed and they serve as demonstration that until the last bit in the system design can be used by an attacker to compromise motivated enough. Other chapters in this book were before author's papers very well received in the Net for its innovative approach and the risk of alerting, as is the case of his study of implementations of pseudorandom number generators (PRGN) of most widely used operating systems, which used a mathematical transformation that allowed spatially represent the values ​​that were taking these generators and thus show that many of them drew statistically predictable values.

For all the above and more this is an excellent book should be indispensable in the library of any student of computer security warning that reading this book presupposes knowledge already acquired about networks and protocols such  that can be obtained through Kurose & Ross , Tanenbaum or Stallings .