Reviewing

Books for professionals

GUN violence and what to do about it:

Hacking the Hacker: Learn From the Experts Who Take Down Hackers, by Roger Grimes. Published 2017 by Wiley, ISBN 978-1-119-39621-5, 320 pages, paperback, £20.99. Visit eu.wiley.com.

These reviews in full, and others, are on the ‘reviews’ part of our website.
UNHAPPY

‘People’s personal data is protected by law and employees should not be helping themselves to information if they decide to set up a new business or move to a new position.’ Head of ICO Enforcement Steve Eckersley.
A land of rampages and victims

How did you react to the recent news of the mass shooting in Las Vegas? writes Mark Rowe.

Did it shock you, or leave you fatigued because, despite the dozens dead and hundreds injured, you had heard it before, and will again, from the United States? The debate between reformers and the pro-gun lobby standing on their rights does not change either. An insightful American book on this topic is Rampage Nation, by Louis Klarevas. It begins with the author telling how, on holiday on a Greek island, he witnessed a shooter; and (when the shooter returned to the village square hours later for a second go) helped to pacify him. That sets the tone for the book; ‘mass shootings are just as much a threat to the American public as are terrorist attacks’. The author, though an academic, isn’t just sounding off morally; he has been through it (and describes the experience, vividly).
For the US

You could argue that gun ownership is an issue only for the US, not Britain. In the US, their guard forces at universities, for instance, look like police, and their police (thanks to second-hand kit from the Iraq War) look like an army. Imagine the London Bridge terror attack of June, if the terrorists had carried not knives but semi-automatic rifles. As the book came out last year, it does not cover the most recent shootings, such as Orlando. Briefly, he argues that new laws and policies to control guns would make a difference, as having guns tips the mentally unstable into going on killing sprees. As in his own Greek case, and Las Vegas and so many others, the rampages are not lunatic outbursts but lengthy and planned. Klarevas gets down to practicalities; his Greek gunman ‘only’ had a shotgun; if he’d had a higher-powered weapon, Klarevas and others probably would have been shot dead. Or as a chapter heading puts it, ‘Guns kill, some more than others’. The US is the ‘rampage nation’, Americans are (as Klarevas was once) ‘sitting ducks’, thanks to what the author terms a ‘three-pronged calculus of unstable perpetrators, vulnerable targets, lethal weapons’. The problem, he argues, is growing, and, where this book speaks most directly to private security people, emotionally disturbed people allowed to own guns are able to carry those weapons, in the case of Las Vegas into a hotel. Klarevas writes powerfully of the split-second decisions that victims take.

NOVEMBER 2017 PROFESSIONAL SECURITY
Rampage Nation: Securing America from Mass Shootings, by Louis Klarevas. Published 2016 by Prometheus Books, 340 pages. Visit www.prometheusbooks.com.
LEARN FROM A HACKER

‘Hackers don’t have to be brilliant. I’m living proof of that,’ is a disarming remark by the author of Hacking the Hacker: Learn From the Experts Who Take Down Hackers. He introduces two dozen or more cyber-security people (mainly men, but some women), starting with Bruce Schneier, himself an author. For Grimes, their stories and his own are proof that ‘the best and most intelligent hackers work for the good side’. They get to exercise their minds, and get well paid. The author soon disabuses us of the Hollywood idea that hackers are automatically bad people, who can guess or steal any password, living on energy drinks. Roger Grimes suggests that hackers can be good or bad, defenders, or maliciously criminal wreckers. “It’s just that the attacker usually gets more press.”
Testing boundaries

Hackers, Grimes argues, are people with curiosity, who test boundaries, without crossing those boundaries to do harm or commit a crime. Hackers, whether defenders or malicious, are looking for weaknesses; so they have to be persistent, until they find the weakness that undermines the whole defence perimeter. Grimes sets out how hacking is an ethical matter; like private investigators, hackers have to decide whether they are to stay within the law (which implies knowing what it is) or not. Are you going to break into a mobile phone, or emails, or a server, because an employer or client or mate asks you to? Are you a white-hat (who does good), a black-hat (who does unethical or illegal things) or a grey-hat (someone who pretends to be a white-hat, but does black-hat things)?
Style

As that implies, in computer matters things can be invisible. Grimes’ achievement in Hacking the Hacker, one true of far from all cyber books, is that besides an easy, engaging style of writing he shows us, without cinema or other illusions, the people working on computer security to be thinking people like the rest of us, with choices. And, as the case of another of the two dozen shows, someone can change, starting as a black-hat and becoming a white-hat, as Kevin Mitnick famously did. Besides having the endearing trait of naming several books in the same field as his that he rates, Grimes makes a powerful and useful case that ‘the defenders are the smartest hackers’; they are the really impressive ones, who not only have to know what the malicious hackers might do, but are builders, and closers of holes in code. As someone doing penetration testing for a living, Grimes broke into every network he was hired to try to break into; but only so as to better defend it against others. To break in out of malice or for criminal purposes is not only wrong; Grimes makes the arguably more compelling case that it’s not personally or professionally satisfying. Grimes, then, does take us through computer issues such as connected cars and cryptography, firewalls, DDoS attacks and ‘intrusion detection’, but is mercifully light on computing terms; instead he talks in more human terms, of ‘social engineering’ and penetration testing. The only hitch is that in the case of Schneier and Brian Krebs, you can read their blogs for free. It would be a pity not to do something as old-fashioned as buy Grimes’ book, and offer it to a young man or woman who shows an aptitude for computers.
www.professionalsecurity.co.uk