Archive for the ‘Books’ Category.

Exploiting Software — How to Break Code

Exploiting Software: How to Break Code. ISBN: 0201786958
by Greg Hoglund and Gary McGraw.

I’ve now read through this book, and my impression of it is mixed. The book covered lots of new stuff for me, but I’m not entirely satisfied with the way it did that.

The book (obviously) tries to cover software exploits, and it tries to do it in great detail, using lots of code listings showing both C and assembly code. The idea of explaining how real world exploits work by referring to C and assembly code is good — I’ve seen too many books which just talk about buffer overflows in theory.

But I doubt the usefulness of many of the code listings. Several of them run over multiple pages, listing entire programs which would have had a better place on a CDROM or just online. There’s no need to include so many pages of code in a book, especially when the code is listed completely bare: typeset in Courier with no bold, italic or any other syntax highlight.

Also, a good deal of the code describes plugins and other things for the IDA Pro Disassembler, which is used throughout the book in the examples. Again, the attempt to go into detail is good, but the book shouldn’t be so focused on this one tool, IMHO.

Another way in which this book is narrow-minded is the small selection of other works referenced. The bibliography in the book is very thin: three pages with just 31 cited works. Throughout the book one finds references to “Securing Java” and “Building Secure Software” — two books by the same authors. The first couple of times one sees a reference to these books it’s okay, but in the end I was wondering if I should have bought one of those books instead, since this book keeps referring to them…

Maybe those books wouldn’t waste so much paper on screenshots? This book has lots of screenshots showing “interesting” snapshots from an attack. Such a snapshot could be a standard Windows command shell, or an xterm showing the output of uname -a and id… And it’s not only the many screenshots that take up space: at one point there’s a dependency list of 161 function names from seven DLLs with one name per line, running over more than four pages. The text then concludes that this list is interesting because it shows what scrrun.dll might be able to do on behalf of a script! One doesn’t have to fill four pages with names to say that scrrun.dll (or whatever DLLs you’re analyzing) is a valuable target.

So all in all I suggest that people take a good look at this book before buying it. I would say that it requires a solid understanding of assembly code to be really useful, and experience with the IDA Pro tool is also a good idea. I have neither, and perhaps that was why I didn’t find this book that good? Please comment if you have read it!

In the beginning was the Command Line

In the continued effort to clean up my site I uploaded the Gospel of Tux yesterday. Another text which I had a copy of at my old site is the essay “In the Beginning was the Command Line” by Neal Stephenson.

Since my copy was just a direct copy I’ve decided that there isn’t much point in me putting it up again. A much more interesting read is this commentary by Garrett Birkel.

Some computer books

As part of the migration from gimpster.com I found an old page of mine where I describe some of the books I own. Back then the plan was that people would click on my links to Amazon, in which my referrer code was put so that I would make lots of money! :-) No such plans this time — here’s just what I wrote about my books:

The LaTeX Companion

The LaTeX Companion, 1st Edition Michel Goossens, Frank Mittelbach, Alexander Samarin
Addison Wesley Longman Publishing Co; ISBN: 0201541998

This is probably the most comprehensive treatment of LaTeX you’ll find. Although it is getting slightly old, it’s still the best reference.

Update: The newly published (April 2004) second edition is completely updated and is much larger. I can highly recommend it for anybody who is serious about learning LaTeX. The book covers a huge number of the available packages for LaTeX in addition to describing the basic commands.

Beginning Linux Programming

Beginning Linux Programming Richard Stones, Neil Matthew
Wrox Press Ltd; ISBN: 1861002971

This book covers Linux programming — in all its variants from simple shell-scripts to real GTK-programs written in C. I bought it because I (obviously) wanted to learn about programming on Linux, but I found out that it’s not a beginner’s book. You should at least have some experience with C first, or else you won’t be able to really enjoy the code.

There are also some rather lengthy chapters on terminal I/O, which are somewhat boring — but they will probably come in handy if I some day actually need to know those things. The chapter that was of most immediate use for me was the chapter on shell-scripts, which I still use from time to time.

The C Programming Language

The C Programming Language Brian W. Kernighan, Dennis M. Ritchie
Prentice Hall; ISBN: 0131103628

If you want to learn C, then why not learn it from the guys who invented it? This book describes everything that is to be found in the C language (the original version, not newer versions such as C99).

It introduces all the basics, and continues with things like pointers and arrays. Most of the examples deal with text, so it can be a little boring in the end. You are asked to write programs that can count words, sentences etc…

But overall I think it’s a great book, and a true classic text in computer science. And it’s a little book — not like the modern computer books which all have to be these tomes with at least a thousand pages. Being little, the book keeps its focus well and explains the C language to you in a plain and concise way.

Internetworking with TCP/IP, Vol 1: Principles, Protocols and Architecture

Internetworking with TCP/IP, Vol 1: Principles, Protocols and Architecture Douglas Comer
Prentice Hall PTR; ISBN: 0130183806

This book covers TCP/IP and does a really good job. You get to know all the low-level stuff that makes the Internet work, from different types of networks to all the different protocols used.

It’s a nice book because it manages to explain all these things, and yet it’s still a very readable book. (I’ve read the third edition of the book, but I’m sure that the fourth edition is just as good :-)

PHP3: Programming Browser-Based Applications with PHP

PHP3: Programming Browser-Based Applications with PHP Dave Medinets
McGraw-Hill Professional Publishing; ISBN: 0071353429

This book gives you an introduction to PHP3: You start by installing PHP, and then move on to more daunting tasks…

But unfortunately the book is just an introduction. It only scratches the surface of subjects such as object-oriented programming (OO) and XML, but the reason for that might be that these things weren’t as well supported in PHP3 as they are in PHP4. (And now with PHP5 the book is very quickly becoming obsolete…)

I got the book as a gift, as I was starting to learn PHP. But I must say that it didn’t teach me that much. The ASCII table in the back is handy, though :-)

Evil Geniuses in a Nutshell

Evil Geniuses in a Nutshell Illiad
O’Reilly UK; ISBN: 156592861X

This is one of the greatest comic-books I’ve ever read. The jokes are about computers, Windows etc — some of them are really hairy :-) But that only makes it even more fun when you figure out what they’re talking about.

Highly recommended for everybody who deals with computers, especially if they are into Linux and related things.

The Ultimate Hitchhiker’s Guide

The Ultimate Hitchhiker's Guide Douglas Adams
Crown Publications; ISBN: 0517149257

Every nerd has to read this one — or at least give it a try. Before you’ve read it, there are so many things that you won’t understand, including the Meaning of Life. After you’ve read it, you’ll know that the answer to the Ultimate Question is ‘42’.

I started reading the book, but only managed to read the first 250 of the 800+ pages. The story-line was just too strange for my taste.

The books are here!

I’ve finally received my books. Actually they arrived yesterday, but I didn’t get back from ETH before 18:30, and at that time the post office had closed.

It’s nice finally to have some stuff to read for my courses. In the Object-Oriented Software Construction course we will be using the Eiffel programming language for our project — I have to read up on that!

For the System Security course I bought the book Exploiting Software which explains how the bad guys attack your systems. I can already feel the paranoia coming!

Cool, new books!

Today I ordered some new books at Amazon for my new courses. I always love to buy books, for books are nice to have. Especially when they are interesting like these:

I’m really looking forward to receiving them.