Top critical review
4 people found this helpful
avoid this (and other such) nonsense
on June 14, 2014
This book and its ilk offer precious little of any value. Of course, the book is very fat, but much of that volume can be attributed to (a) reviewing background material that has precious little to do with "hacking," whatever that might mean in the authors' stultified world view; and (b) the fact that, wherever two lines of code would suffice to illustrate a point, the authors instead to choose page-filling screen shots of nonsensical Windows tools that, ultimately, and I do mean ULTIMATELY, offer those two lines--if you succeed in hunting them down.
I earned my CISSP thirteen years ago, when it actually meant something, although the exam was--to be blunt--TRIVIAL compared to a challenging exam such as the CCP. This was before the Department of Defense legislated away the Orange Book and its associated core of intellectually vital output from leading researchers, choosing instead to buckle to the pressure of Microsoft and such (hey, they are, after all, in bed with them: one sees Microsoft Windows on even the OJCS's desktops).
Yes, modern security practitioners know a whole lot about computer and network security. That's why, almost weekly, we hear on the news about how the latest retail chain was hacked and N hundred thousand or K million credit card numbers were compromised. Your latest coterie of "CISSPs" will rush to babble about encryption, although encryption was never more than a Band-Aid approach, and the ease of stealing the keys is never mentioned. These keys live--guess where--in disk files that are no safer than the disk-file-resident ciphertext with which they are associated, but your Johnny-come-lately CISSPs, who have no experience with professional operating systems, have zero understanding of the underlying mechanisms and architectural strictures that make SECURE systems secure.
It makes one incredibly angry. Do you remember when some Russian group commandeered iPhones from afar? Yes, the iPhone comes out of the box with no identification and authentication mechanism, so Joe Anybody from across the globe enjoys the same privileges as the physical owner of the box. But, of course, security is "of vital importance" to Apple and Google and their ilk. S-U-U-U-U-R-E it is . . . I remember when I interviewed at Microsoft many years ago, before the genie was out of the bottle. Although nearly everyone enjoyed the freedom of a luxurious office, their current "security guru" was some clown in a cubicle who had the UNIX file permission algorithm PDL (yes, all six lines of it) displayed on his wall as if it were gospel--and as if a rhesus monkey couldn't memorize it.
Given the academic and experiential basis from which the authors proceed, one can almost feel pity for them rather than revulsion. But I did say ALMOST. The book is garbage because the material is nonsense. One can find any number of textbooks about, say, UNIX, offering spellbindingly accurate, broad, and deep coverage of this and that. But, look for "the Bible" on Windows security, and all you will EVER succeed in finding is a few vague mentions here and there, along with statements that the mechanisms are "in flux" or "difficult to understand," or other excuses that might fool a grade-schooler. Christ, they can't even get the terminology correct: an audit "profile" (as one might reasonably term it) attached to a file system object is called the "system access control list" or other such nonsense.
Even more pathetic than the content is the packaging--"Hacking Exposed," as if they're offering the keys to the kingdom. They're offering vague, quasi-applicable, extremely intermediate-level nonsense.