[I wrote this review but decided not to circulate it. Instead, I wrote a
second review and posted that to a few mail lists.]
The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking
Carolyn P. Meinel
0-929408-21-7
$29.99
American Eagle Publications, Inc
Technical Editors: John D. Robinson, Roger A. Prata, Daniel Gilkerson
Damian bates, Mark Schmitz, Troy Larsen
Text copyright 1998 by Carolyn P. Meinel
Cover artwork copyright 1998 by Neil Carlin
=-=
Rather than write a review based on my opinion of the book, I decided
to take a slightly different approach to it. Here are some quotes
about various topics from the book. In some cases I have paired them
with quotes on the same topic to show the contrast. Read her own words
and decide for yourself if the book is worth it. These are just a few
things that stood out as I skimmed the book.
=-=
-
pg 15: "So don't assume that everything you learn in Win95 is just
a baby version of WinNT. NT is also much harder to break into."
From a PRN article about the HH book: "forget about Win98
and rush right out and buy a copy of the infinitely more
secure NT."
Companies like Shake Communications have over 120 NT Bugs
in their databases. Mail lists dedicated to NT Security
get up to 10x the traffic of security problems than equivilent
unix lists.
pg 240: "In early 1997 the readers of Bugtraq begin to discover huge numbers
of flaws in the Windows NT operating system."
pg 25: "Windows is way too vulnerable to simple hacks."
-
pg 19: "Learn how to do DOS and you are master of the Windows NT
universe."
pg 16: "MS-DOS stands for Microsoft Disk Operating System, an ancient
operating system dating from 1981."
pg 23: "Whoever controls the registry of a Win95 or WinNT box
controls that computer - totally."
-
pg 21: "But using other people's programs to do things seemingly by
magic isn't the hacker way, right?"
pg 9: "is to go to http://www.windows95.com/apps/ and download
some of their programs..."
pg 12: "One download site for this goodie is:
http://www.windows95.com/apps..."
pg 13: "You can find it at ftp://ftp.zdnet.com/pcmag/1998/0325/..."
pg 19: "..but a free program you may download from
http://www.ntinternals.com allows..."
pg 21: "which you can download from http://www.koasp.com..."
-
pg 27: If your friend's Win95 box is "a really big mess":
"..use your Win95 boot disk to bring his computer back to life.
Reinstall Windows95."
pg 14: "If you absolutely, certainly must be able to get back your
Windows graphics...here is your absolute desperate final solution.
Just reinstall Win95...."
-
pg 10: "YOU CAN GET PUNCHED IN THE NOSE WARNING: If you want to use
someone else's graphics, it is a good idea to ask permission
instead of just taking them. You may also be violating copyright
laws.
Compare: cover of book, figure directly behind lady sitting
down, to the right.
Compare with: www.dis.org/defcon_iv/DEFCON1/defco008.jpg
The image 'defco008.jpg' is copyrighted.
-
winner quotes
pg 30: "When you get the kind of online connection that allows you to see
pretty pictures on the Web, you are using TCP/IP."
pg 31: "I recommend picking VT100 because, well, just because I
like it best."
pg 33: "Don't ask me why, it makes no sense but it works on my computer.
Yours might be different."
pg 67: "I make my living asking dumb questions."
pg 77: "I had no idea what he meant, but then sometimes I'm a
little slow."
-
pg 37: "And Happy Hacker is a book on legal hacking, right?"
pg 37: "The worst of all is a killer ping... It's a good way to lose
your job and end up in jail."
pg 37: "ping -l 65510 ..."
[The exact way to execute a 'killer ping' denial of service attack.]
pg 42: "But as you will discover elsewhere in this book, denial of service
attacks are easy, lame, and may be the biggest threat to the
Internet."
-
pg 39: (Talking about DOS commands)
"Route - Manages router tables - router hacking is considered
extra elite."
[The MS-DOS 'route' command has nothing to do with routers.]
-
pg 41: "The Macintosh boasts one of the most secure network operating
systems known."
"...about one in every five of the world's webservers run on
Macs, and over half of all Web sites are developed on Macs."
"In February 1997, the Swedish company Infinit Information AB
(http://infinit.se/) announced a contest to break into their
Web server."
[1. The web server's security does not reflect the security
of an operating system unless it is integrated as part
of the original product.
2. A hacker was able to beat the contest *twice* actually.
3. 20% of web servers are NOT Macs.]
-
pg 56: "It would be really dumb to accidentally commit computer
crimes with an IRC program you don't fully understand."
-
pg 63: "One of the most popular hacking tricks is forging email."
[Is that to say spammers are hackers?]
-
pg 64: "If you use the information in this chapter to spam from
Eudora, I will personally punch you out."
pg 184: "If people reading this book use the information below
to write a spam program and sell it to the teeming
masses yearning to make money fast, I will personally
punch them out."
-
pg 78: "You could go to jail warning: In the US, war dialing is illegal."
[Colorado Springs and a FEW other limited areas make it
illegal to 'successively dial numbers without the intent
to communicate'.]
pg 83: "The way you can tell this is your problem is that you enter the
correct user name and password over and over again but it doesn't
work. If this happens, don't keep on trying the login sequence.
Don't jump to the conclusion that you got hacked and your password
changed. Break the connection, dial again and see if you are lucky
enough to get a healthier modem."
-
pg 222: "You can get sued warning: ... This was libel. If your victim
can afford to sue you, you could have to pay out lots of money."
[Finally, an area she is an expert on.]
-
pg 90: " But the bash shell ignores this command,
smugly sitting there with a "bash#" prompt. That #, by the way,
doesn't mean I'm root. It means the sysadmins at this shell account
provider think it is cool to make the "#" a default prompt for
all users."
pg 90: "Kewl directories to check out include /usr, /bin and /etc.
For laughs, jericho suggests exploring /temp."
[Misquote. I said /tmp]
pg 92: "Jericho recommends the book Unix in a Nutshell published
by O'Reilly."
pg 104: "Getting this list of commands makes you look really kewl to your
friends because you know how to get the computer to tell you how
to hack it. And it means that all you have to memorize is the
"telnet 25" and "help" commands. For the rest, you can
simply check up on the commands while on-line. So even if your
memory is as bad as mine, you really can learn and memorize this
hack in only half an hour. Heck, maybe half a minute."
=-=
pg 107: "An internet host computer that doesn't run ident is a gold
mine for bad guys. No one can trace back to the true users
of port 25 on a host that doesn't run ident. On these computers,
spammers, email bombers, extortionists and nasty pranksters
can run rampant."
pg 128: "(Note: sendmail 8.8 also tracks true identity of the user
regardless of whether ident is running.)
=-=
pg 118: "If you want to be a real hacker, you will be using the pico
editor..."
=-=
pg 128: "Ident determines the email address of the person who composes
email and logs a record of that person writing that particular email
message into a file named syslog. This syslog file is what you look
for if you want to track down email criminals. Syslog is a file that
can only be read by the sysadmin of the computer on which the
message was forged. So to tacking down these criminals usually requires
the cooperation of sysadmins on the computers used to commit these bad
guy deeds." [sic]
[Mail isn't logged to syslog by default. It is logged to 'messages'
or another log file depending on configuration. 'syslog' is often
readable to ANY local user on the system as well.]
=-=
pg 129: "the users of these programs began to get arrested and Global kOS
withdrew these programs from their download sites."
[Site one example of an email bomber using their software getting
arrested.]
=-=
pg 148: "However, if your experiments at using anything other than a program
plainly labeled "nslookup" don't work, don't email me to complain.
I *will* flame you."
pg 153: "Or it could be something else. Sorry, I'm not enough of a genius
yet to figure this one out for sure. Are we having phun yet?"
=-=
pg 158: "This is interesting, no username
requested, just a password. If I were the sysadmin, I'd make it a
little harder to log in."
[Despite the ability to set up an ACL to control who can connect
to this port, I doubt she is referring to that.]
pg 228: "At that infamous DefCon V panel I hosted, Shadrack boasted to the
audience that "When I break in, I close the doors behind me." He
makes a big deal about how hackers can keep from getting busted
by deleting or modifying log files."
[The above quote was taken out of context. It was said in reference
to professional controlled penetration attempts, not about
hackers in general.]
pg 144: "19 chargen Pours out a stream of ASCII characters. Use ^C
to stop. On some computers even ^C doesn't work - you may even
have to reboot your computer. Great for playing jokes on newbies."
pg 170: "...is available from the Hack FAQ written by Voyager.."
[from the hack faq: "No document will make you a hacker."]
(ironic)
pg 219: "Trust me, the Succeed.net attackers are toast."
"When it came back up, Succeed.net was now one of the most secure
ISPs around. It also was about the least fun for any hacker to use.
The owner had disabled nearly all services, including telnet and
ftp. Only dialup and Web page access is now allowed. TCP Wrappers
is in place." [sic]
[As of June 29, 16 services including telnet and ftp are open
on succeed.net.]