Hacking Books


Hacking Books sorted by Average customer review: high to low.

Hacking
When Cats Go Wrong
Published in Hardcover by Raincoast Books (2005-03-10)
Author: Norm Hacking
List price: $16.95
New price: $13.29
Used price: $0.25

Fun and Educational Story for Kids
Helpful Votes: 0 out of 0 total.
Review Date: 2008-07-02
This is a cute, funny story to share with your kids, or any other little ones in your life. Most people (especially cat owners) will get a kick out of the antics of this cat, and the anxiety those antics produce in his owner, a little boy who's trying to keep those antics hidden. Comes with musical CD, so you can "sing" along with the words to the book. Gives kids, especially the young ones, both the reading and the musical stimulation so valuable in young life. And fun for adults, too.

When Cats Go Wrong is Addictive
Helpful Votes: 0 out of 0 total.
Review Date: 2008-03-25
My daughter gave this book to me as part of a Christmas gift. The tune on the CD is catchy and humorous. My three-year-old granddaughter loves it. The singing is different than she has experienced and that, together with the tango beat, has fascinated her. Nice to follow along with the pictures and words as you listen to the CD, so more dimensions. Beautifully illustrated with vibrant colors.

Cats
Helpful Votes: 0 out of 1 total.
Review Date: 2007-11-15
Great book for any cat lover

author of "Hobo Finds A Home"

When Cats Go Wrong
Helpful Votes: 1 out of 1 total.
Review Date: 2007-03-24
The grandkids love this CD and book! They think it's very funny, and it's easy for them to follow along with the CD!!

Hacking
XSS Attacks: Cross Site Scripting Exploits and Defense
Published in Paperback by Syngress (2007-05-15)
Authors: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov
List price: $59.95
New price: $48.34
Used price: $45.49

best comprehensive overview on this topic
Helpful Votes: 0 out of 3 total.
Review Date: 2007-06-18
Excellent book with an overall superb overview on how XSS attacks are delivered. Covered by known blackhat speakers, the content goes from the simple definition of XSS to advanced man in the middle hijacks. Some minor typos in the code and text exist, but on the overall a truly outstanding [...].

Solid Coverage of Cross Site Scripting
Helpful Votes: 1 out of 1 total.
Review Date: 2007-07-02
I've been through most of this book and found it to be an excellent source of information on cross site scripting (XSS). It starts off with a good introduction of the subject, covers the tools to help you evaluate your site for issues with XSS, and then goes through XSS non-stop to the end. I really liked the discussion of XSS theory in chapter 3. Instead of just covering how to look up and try different exploit methods, the authors spend a lot of time trying to convey the knowledge needed to really understand how XSS takes advantage of web apps and your browser's willingness to try and render as much as possible. This is extremely helpful when trying to craft your defenses, since you will have a more complete understanding of the problem.

The book is a lot to absorb and I'm still wrapping my mind around it, but it has really given me a new perspective on the scope of the issue. The authors are the experts on XSS and they've done a really good job on the book. If you want to get information straight from the guys doing the research on XSS, then this is the book you want.

Originality and coverage earn four stars, but a better book is needed
Helpful Votes: 10 out of 10 total.
Review Date: 2007-07-20
XSS Attacks earns 4 stars for being the first book devoted to Cross Site Scripting and for rounding up multiple experts on the topic. The authors are synonymous with attacking Web applications and regularly share their vast expertise via their blogs and tools. However, XSS Attacks suffers the same problems found whenever Syngress rushes a book to print -- nonexistent editing and uneven content. I found XSS Attacks to be highly enlightening, but I expect a few other books on the topic arriving later this year could be better.

First, as Tadaka mentioned, ch 3 is the best written part of the book. In fact, the author of ch 3 should have written the entire book. There is a difference between an author of a tool, an author of a blog, and an author of a book. The author of ch 3 clearly knows how to make a clear argument over the course of a long stretch of pages (over 90) and carry the reader. Lucky for non-book-buyers, Syngress posted ch 3 for free on their Web site. You'll get a great foundation on XSS, and learn about CSRF and backdooring Flash and Quicktime.

In terms of readability, ch 2 wasn't bad. I liked trying out various Firefox extensions and the author's examples were good. I think ch 1 should be completely dropped. It mentions terms not defined until ch 2. The language is exceptionally rough, indicating zero editing was done. The DNS pinning examples in ch 5 were confusing; it doesn't help novice readers to discuss [...] and then use [...]. (I think that's an error.) I really didn't get as much from the book past ch 3 as I did from ch 3.

The major take-away from XSS Attacks is that one should never trust clients. Furthermore, far too many vulnerable capabilities exist in applications most people would never dream of fearing, like those that render .pdf or .swf. I really liked the point that browsers constantly interpret and "fix" broken HTML, sometimes to the detriment of the security world. I also liked reading how users can be duped by attacks against the integrity of data, such as adding or removing details of Web sites.

Right now, if you want to learn more about recent XSS attacks in printed form, this book is your main option. Last year I favorably reviewed Lance James' book, Phishing Exposed, which includes some of these techniques. Later this year one of the other book reviewers, Dafydd Stuttard, should be publishing The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws. Syngress claims to be publishing Web Application Vulnerabilities: Detect, Exploit, Prevent by Steven Palmer in the fall. Hacking Exposed Web 2.0 by Himanshu Dwivedi is another option, but I find his security books to be poorly written. I highly recommend visiting the authors' blogs, since they cover a lot of the information in XSS Attacks.

Great for beginners and experts
Helpful Votes: 7 out of 7 total.
Review Date: 2007-07-04
This book is a comprehensive analysis of XSS and related vulnerabilities, and covers everything from a beginner's introduction to XSS through to advanced exploitation and the latest attack techniques.

Overall, the book is well-organised, technically accurate, and full of pertinent examples and code extracts to illustrate the different vulnerabilities and attacks being described. There are plenty of tricks that will benefit even experienced web app hackers, including a wealth of filter bypasses, and coverage of offbeat topics such as injection into style sheets and use of non-standard content encoding.

There is strong coverage of recent research including JavaScript-based port scanning, history stealing and JSON hijacking, as you would expect given that these techniques were largely pioneered by some of the authors. All of their explanations are clear and precise, and contain sufficient detail for you to fully understand each issue, and put together working code to exploit it. The book also includes the use of non-standard vehicles such as Flash and PDF for delivery of XSS attacks.

Here and there, the book displays the effects of multiple authorship, notably in the discussion of the best tools for finding XSS flaws. I know that some of the authors have rather opposing views on that question, but it is always good to get different people's perspectives on the tools they find most useful. There are also a few typos and editorial glitches, but that is the price you pay for being quick to market, as they evidently are.

Overall, this is a great book that will benefit a wide range of people, from novices to seasoned hackers. It is fun to read, with plenty of lighter moments punctuating the technical meat. Nothing else currently available is hitting this target - get it while it's hot!

Hacking
The First Key of Kalijor (The Keys of Kalijor)
Published in Kindle Edition by Kalijor Press (2007-09-04)
Author: Paul Lell
List price: $6.25
New price: $6.25

The First Key of Kalijor
Helpful Votes: 0 out of 0 total.
Review Date: 2007-12-30
Never judge a book by its cover. This book was fast moving and a new twist and turn all the time. There was never a dull moment in the book. I would highly recommend this book if you like changing course and never know what is around the next bend.

Intrigued from page one
Helpful Votes: 0 out of 0 total.
Review Date: 2007-11-30
There are very few fantasy/science fiction novels that pique my interest from the very beginning. This one did just that and held onto it clear through to the last page. Not just the "main" story, but the various backstories as well were interesting and well executed. I am looking forward to reading the next book in this series.

Fantasy Meets Technology
Helpful Votes: 1 out of 1 total.
Review Date: 2007-11-16
I thoroughly enjoyed this book. Just when I thought I knew where the story was headed, there was a major course change that reignited my interest. I can't wait for the next installment.

Hacking
Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed)
Published in Paperback by McGraw-Hill Osborne Media (2006-06-05)
Authors: Joel Scambray, Mike Shema, and Caleb Sima
List price: $49.99
New price: $19.99
Used price: $19.00

I still go back to this book for reference
Helpful Votes: 0 out of 0 total.
Review Date: 2008-05-05
I bought this book about 4 years ago, and still find myself going back to it again and again for reference. To this day it's the only technical book that I have read cover to cover. While I have not yet checked out the 2.0 book for web apps, I still feel you can't go wrong adding this book to your arsenal.

A very good book
Helpful Votes: 0 out of 7 total.
Review Date: 2007-05-12
This book is quite complete, very utile to learn all about security on web applications.

The best book to start your Web application hacking experience
Helpful Votes: 15 out of 16 total.
Review Date: 2006-10-05
I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA.

Before proceeding I should note I used to work with the two ex-Foundstone authors of HE:WA2E, although I haven't been afraid in the past to review books honestly.

I read and reviewed the first edition of HE:WA about four years ago, and I rated that book five stars. Authors like Scambray and Shema exemplify the best aspects of the HE series: explaining technology, then showing how to exploit it. Frequently the first time security people hear about new applications is when they are being attacked. By digesting books in the core HE series, readers become familiar with the latest services, their flaws, and attacks against those technologies. HE:WA2E continues this tradition.

I was pleased to see HE:WA2E is largely a thorough reworking of the first edition. (This has not always been the case with HE books, considering there are five editions.) In one case, however, this worked against the authors. Ch 8 (Attacking XML Web Services) references non-existent material in Ch 1. Ch 1 in HE:WA2E is completely different from Ch 1 in the first edition, which contains the referenced diagram. A positive aspect of the rewrite is the frequent reference to outside material, instead of repeating techniques and tools already published. Combined with the extensive chapter-ending references list, this makes for a book packed with value. Note that the second edition still offers 520 pp, vastly exceeding the 386 pp of the first.

HE:WA2E is very consulting-oriented, which delivers some excellent real-world experience. For example, Ch 2 (Profiling) explains how to identify and deal with load balancers and web application firewalls. This seems to contrast with PPTFWA which says, for "IDS/IPS Systems," "[m]ake sure your client disables these." I thought HE:WA2E took a more realistic approach to this problem.

HE:WA2E's major weakness is its coverage of Web Services. PPTFWA does a better job addressing this important area. In fact, HE:WA2E's Web Services coverage seems fairly similar to the first edition's material. PPTFWA also includes a larger variety of attacks and tools, albeit in a manner not as organized as HE:WA2E. Ch 12 of HE:WA2E would be conceptually stronger if so-called "threat trees" were called "attack trees," as originally developed by Bruce Schneier in 1999. Furthermore, the list of "threats" on pp 404-5 are mostly vulnerabilities. The figures of Ollydbg in Ch 12 are also too small.

Despite these issues, I think HE:WA2E is the best general-purpose Web application security book available. I would definitely add it to your HE library. In other words, if you have HE:5E, you still need HE:WA2E. If you have the first edition of HE:WA, it's time for an update. After reading HE:WA2E, read PPTFWA. Perhaps both sets of authors could collaborate on a comprehensive Web app attack, defend, and test virtual machine, building on the one Andres Andreu built?

Hacking
Hacking RSS and Atom
Published in Paperback by Wiley (2005-09-09)
Author: Leslie M. Orchard
List price: $24.99
New price: $1.98
Used price: $0.97

don't worry about the different versions of RSS and Atom
Helpful Votes: 17 out of 18 total.
Review Date: 2005-09-10
The book is very logically arranged into 3 parts. For using feeds, making feeds and mixing feeds. Most readers will probably deal with the first part and maybe the third part.

Using feeds is explained as being able to aggregate data from websites offering these using RSS or Atom methods. From which, you can see how to recast the output into HTML pages for your website. Or maybe send it to your mailbox. Actually and more realistically, to the mailboxes of those who visit your website and ask for this feed.

Orchard deliberately does not go much into the fine distinctions between the different and incompatible RSS standards. Or likewise with the various Atom formats. More technical books can discuss these points ad nauseam. But Orchard is aiming this text at a programmer who just wants to put together a news feed, and does not really care about lower level details.

Making a news feed is the second part of the book. Only a fraction of readers will head here. It's not easy to produce original content, after all.

The last part of the book is essentially an advanced continuation of the first part. You are shown how to embed higher level logic into processing the feeds. With an extensive example on using a Bayesian to try to identify news articles that might be of interest to your readership. Be aware that the Bayesian method is not perfect. Occasionally, you might get an incongruous article.

Definitely, Orchard has produced a nice programming book. (In Python.)

Getting Data off of a Web Site into Your System
Helpful Votes: 5 out of 14 total.
Review Date: 2005-09-28
Oftentimes there's information somewhere on the web that you want to use in your own computing. Perhaps you want to look at news stories and display the headlines of what's happening today with a link to the site of the story. In the early days of the web, when you wanted to do something like that you had to do it manually or do some kind of hard coding to parse the information you wanted out of the HTML. Tedious, and if they ever change their web page you're re-doing your code.

This is the problem that RSS/Atom are intended to fix. These are standards that, when followed, present the information from a site in a standardized manner that makes it easy to parse.

First, what this book is NOT. This book does not tell you all the details about how to put RSS/Atom information up on a site. Instead, this book is on taking the information from an RSS/Atom 'page' and getting into a form you can use.

The book is broken down into three parts: Consuming Feeds, Producing Feeds, Remixing Feeds. In each part the author programs a few simple applications to show you what can be done. The programming is in Python, the operating system he uses is Linux.

The only complaint I could make about this book is that it would help the newbie to have another chapter at the beginning that talked about some common feeds and the nature of the tags they use to encapsulate their data.

Great for applying ideas and exploring possibilities...
Helpful Votes: 6 out of 13 total.
Review Date: 2005-09-25
Rather than just read RSS feeds, would you like to *do stuff* with RSS and Atom? I received a copy of a really good book that goes beyond the nuts and bolts of RSS formatting... Hacking RSS and Atom by Leslie M. Orchard.

Contents:
Part 1 - Consuming Feeds: Getting Ready to Hack; Building a Simple Feed Aggregator; Routing Feeds to Your Email Inbox; Adding Feeds to Your Buddy List; Taking Your Feeds with You; Subscribing to Multimedia Content Feeds
Part 2 - Producing Feeds: Building a Simple Feed Producer; Taking the Edge Off Hosting Feeds; Scraping Web Sites to Produce Feeds; Monitoring Your Server with Feeds; Tracking Changes in Open Source Projects; Routing Your Email Inbox to Feeds; Web Services and Feeds
Part 3 - Remixing Feeds: Normalizing and Converting Feeds; Filtering and Sifting Feeds; Blending Feeds; Republishing Feeds; Extending Feeds
Part 4 - Implementing a Shared Feed Cache
Index

This book starts with the assumption that you either already understand all the details of RSS/Atom formatting, or that you're willing to learn the details on your own as you go. This is *not* a reference book on RSS standards. Rather, Orchard answers the question "what can you *do* with RSS that's cool and useful?". Using a series of projects, he starts to get you thinking about how you might use RSS technology in ways you haven't considered. For instance, having your log files report things via RSS feed could give you immediate notice of unusual situations. Or perhaps having RSS feeds go to your IM client would allow you to react quickly to news and information. The possibilities are endless, and Orchard does a good job in getting you to think.

The caveat here is that he assumes a particular software language and platform for building these hacks. Python is the language used, so this book would be most helpful if you already knew the language (or were willing to figure it out on the fly). Likewise, he writes for the Unix platform primarily. You can use Unix emulators like Cygwin to run Unix-like commands in Windows, or you can mentally adapt the concepts to whatever hack you want to build. At first I was thinking that single focus might be a liability for the book. But after thinking about it, I don't think it's that bad. It maintains the focus on the hack instead of on how every different platform needs to be coded, hence the book is more concise. Also, his goal is to get you to hack and experiment, not to teach you a technology via a tutorial. Since hacking is experimenting, you may end up hacking these ideas on a couple of different fronts...

Excellent idea and application book... If you're interested in going beyond simple feed readers and building stuff for yourself, this is a definite purchase you want to check out...

Hacking
Making the Character Connection, Tape 2 : Preschool 3-5 year olds/Elementary 6-10 year olds
Published in Audio Cassette by Character Connections Llc (2000-06)
Authors: Laurie Hacking and Joanne Barge
List price: $14.95
Used price: $1.96

Character Connection
Helpful Votes: 0 out of 0 total.
Review Date: 2000-11-07
The Character Connection tapes reflect the best of what clinical wisdom and behavioral science have to offer on rearing healthy children and youth. Inherent in this approach is the recognition that relationship rather than manipulative tactics and strategies is the key to successful parenting. The conversational format complements the message by being interactive rather than didactic. Principles of successful parenting emerge through discussion of concrete, real-life questions and situations. I recommend Character Connection to both prospective and current parents as a guide to the most important endeavor adult life has to offer.

Character Building
Helpful Votes: 0 out of 0 total.
Review Date: 2000-10-18
I highly recommend listening to Making the Character Connection. The format of a group of women speaking with a moderator lends itself to a very well laid out flow of different views that address very important issues in child-raising. It was so different than the regular "lecture" format. The diversity of lifestyles introduced different perspectives. As you were listening, you felt that you were a part of the group. The vignettes that the participants volunteered were very realistic and made their views very relatable. I learned more from these tapes than I have from reading the countless books from child-rearing experts. These tapes are great!!

How to Bring Up the Child You Want
Helpful Votes: 1 out of 1 total.
Review Date: 2000-11-11
This tape series has a lot going for it: It draws on the knowledge base of a psychology specialist, it provides practical information about what to expect from your growing child, and it answers questions about what to do in real childhood situations. It is styled as a meeting between a variety of mothers and an informed group leader. This brings up a discussion of real-life situations that could happen in lots of different children. Understanding complex childhood issues becomes fun. Professionally, I respect these tapes and the up-to-date information they present.

Hacking
The Emergence of Probability: A Philosophical Study of Early Ideas About Probability, Induction and Statistical Inference
Published in Paperback by Cambridge University Press (1984-08-31)
Author: Ian Hacking
List price: $34.99
Used price: $17.90

Again, Hacking gets it right except for Keynes's theory
Helpful Votes: 13 out of 16 total.
Review Date: 2004-07-15
Moving from Pascal and Bernoulli in the 16th and 17th centuries through Keynes, Carnap, Ramsey, de Finetti and Heisenberg in the 20th century, Hacking (H) does a commendable job blending the philosophy and history of science with the history and philosophy of probability. H's tie in of Pascal's Wager and decision theory is just one example of his ability to connect the ideas of different centuries to each other. However, there is one small criticism that must be made. It is in regards to J M Keynes's logical theory of probability put forth in A Treatise on Probability (TP) in 1921. H bases his assessment of Keynes's theory on one chapter of the TP alone. That chapter, chapter 3, was to be regarded as an introduction only. Keynes's point was that, in general, a probability could not be measured by a single number or numeral alone, i.e., probabilities were "nonnumerical" or not by a single numeral (number). In general, Keynes argued that most probabilities required TWO numbers to specify the probability estimate, a lower bound and an upper bound. In Part II of the TP Keynes refers to his theory of "approximation". In modern terminology, Keynes's interval estimates are "indeterminate" or "imprecise" probabilities. Given the above summary of Keynes's approach to probability, the following statement by H is incorrect and very misleading: "Indeed Keynes argued masterfully in Chapter 3 of his A Treatise on Probability that many comparisons of probability are necessarily qualitative and cannot be represented by real numbers." (Hacking, p.73) While it is true that most probabilities cannot be represented by A SINGLE REAL NUMBER, most probabilities can be represented by TWO REAL NUMBERS in Keynes's approach. A strictly qualitative approach would be practically useless. Probability would not be the guide to life.

A stimulating tour de force
Helpful Votes: 67 out of 69 total.
Review Date: 2000-10-24
This is a great book. Hacking describes the development of probability and statistics from the Renaissance to David Hume. His central questions are: What were Pascal, Huygens, Leibniz, Jacques Bernoulli, and all the others really doing? What problems were they trying to solve? What limitations were they working under? How did all this fit into other intellectual and mathematical problems of the day? How did all this affect the subsequent development of probability and statistics? Some of this clears up minor details that I had never grasped before, such as what was the problem with two dice that Pascal solved for the Chevalier de Mere. More important is the description of the intellectual implications of the development of modern probability and statistics. I had not known that the very name "probability" grew out of a profound religious and intellectual argument between the Jansenist Pascal and the Jesuits.

The book is full of historical gems. For example, the Dutch and English governments in the seventeenth century became infatuated with annuities as a way to finance their expenses, especially wars. Most of the schemes were actuarially unsound. The early statisticians devoted a lot of energy to this problem and this led to major advances. Unfortunately the governments were not always pleased to be told they had no clothes. It all sounds terribly up to date.

In summary, this book covers material that is important not only in a historical context but also for its relevance to many contemporary issues. It is well written and concise. If you want to know what the early probabilists were thinking about and how that affected the way we all think about uncertainty today, this is the book for you.

Hacking
Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions (Hacking Exposed)
Published in Paperback by McGraw-Hill Osborne Media (2006-11-28)
Authors: David Endler and Mark Collier
List price: $49.99
New price: $22.40
Used price: $19.50

A great Hacking Exposed and VoIP security book
Helpful Votes: 10 out of 11 total.
Review Date: 2007-05-06
Hacking Exposed: VoIP (HE:V) is the sort of HE book I like. It's fashionable to think HE books are only suitable for script kiddies who run tools they don't understand against vulnerable services they don't recognize. I like HE books because the good ones explain a technology from a security standpoint, how to exploit it, and how to defend it. I thought HE:V did well in all three areas, even featuring original research and experiments to document and validate the authors' claims.

HE:V is a real eye-opener for those of us who don't perform VoIP pen testing or assessments. It's important to remember that the original HE books were written by Foundstone consultants who put their work experience in book form. HE books that continue this tradition tend to be successful, and HE:V is no exception. Good HE books also introduce a wide variety of tools and techniques to exploit weaknesses in targets, and HE:V also delivers in this respect. HE:V also extends attacks beyond what most people recognize. For example, everyone probably knows about low-level exploitation of VoIP traffic for call interception and manipulation. However, chapter 6 discusses application-level interception.

HE:V goes the extra mile by introducing tools written by the authors specifically to implement attacks. In at least one case the authors also provide a packet capture (for the Skinny protocol) which I particularly appreciate. HE:V also looks ahead to attacks that are appearing but not yet prevalent, like telephony spam and voice phishing. Taken together, all of these features result in a great book. You should already be familiar with the common enumeration and exploitation methods found in HE 5th Ed, because the HE:V authors wisely avoid repeating material in other books (thank you).

If you want to understand VoIP, how to attack it, and how to defend it, I highly recommend reading HE:V. The book is clear, thorough, and written by experts.

Invaluable VoIP Security Handbook
Helpful Votes: 3 out of 3 total.
Review Date: 2007-08-11
In this book David Endler and Mark Collier have pulled together a vast wealth of material about hacking VoIP networks at every possible level. More than this, they have also created new value in the form of software test tools, which they have published on an accompanying website. It really is a must-have reference book for anyone working in VoIP.

Chapter 1 talks about Google hacking, or in other words, using the Internet to find out things about a target network. They show that Google can be a crucial tool in finding out what type of hardware and software you use in your VoIP networks, and in some cases will give vital clues even about how to login to the management systems of your network from the Internet. If this doesn't scare the bejesus out of you, then proceed on to further chapters about more VoIP-specific issues.

Chapters 2 and 3 detail the kind of tools a hacker might use to scan your network and enumerate all the devices, i.e. build their own map of how your network is laid out, right down to the telephone numbers and MAC addresses of desktop phones. Chapter 4 talks about Denial-of-Service, and the kind of attack resources that hackers might use to cripple a telephony network.

Chapter 5 is on VoIP eavesdropping, talking about some existing tools that can be used for this (Oreka, Wireshark and the unpleasantly named vomit), and as in the earlier chapters, some suggestions on how to defend against such a type of threat. Chapter 6 goes further to explain how a VoIP man-in-the-middle attack might be mounted, giving the possibility not just to listen, but to modify, replace or remix the audio stream.

Chapters 7, 8, 9 talk about specific platform threats, namely to Cisco Unified CallManager, Avaya Communication Manager and the Asterisk PBX. The vendors have added their own comment to these chapters, at the request of the authors. Chapter 10 takes in Softphones, including Google Talk, Gizmo, Yahoo and of course the ever popular Skype.

Chapter 11 describes VoIP fuzzing, or in other words, testing protocol stacks for flaws, so this is useful for those developing VoIP systems and applications. Chapter 12 talks about disruption of networks using flooding techniques and chapter 13 talks about Signaling and Media Manipulation.

The final section of the book is entitled Social Threats, and talks about SPAM over Internet Telephony (SPIT) in Chapter 14, followed by Voice Phishing in Chapter 15. Neither of these threats are in frequent use yet, but their use is certain to increase in the future, so this is a good moment to get to grips with what this means.

This is a highly technical book, but for managers responsible for IT security but not immersed in the details I would say this: buy the book, and read the case studies. There are five sections to the book, and each starts with a short case study. Invest 20 minutes in reading these, and you will start to get an appreciation for how important VoIP Security will be in the future. Then pass the book on to your hands-on security guy and tell him to read it from cover to cover.

Hacking
Practical Hacking Techniques and Countermeasures
Published in Hardcover by AUERBACH (2006-11-02)
Author: Mark D. Spivey
List price: $79.95
New price: $62.68
Used price: $74.11

Instructor Review
Helpful Votes: 0 out of 0 total.
Review Date: 2007-12-25
If you have dealt in the theory of Information Security and also would like to do something practical, this is one of the books that you should have. Since the practical tools, and their location on the web are continuously changing, the book should have a web site, where updates should be followed regularly. There is a web page for errors and/or changes. But that is not the point I would like to make, a live dynamic page for supporting the book. I have recommended the book in my cryptography/Network security course.

Above and Beyond
Helpful Votes: 1 out of 1 total.
Review Date: 2007-10-26
I have read many Security books and this one goes Above and Beyond all the other books. All the Computer Security books I have read and seen teach theory and this one does that and then he shows you the proof in the pudding as he walks you through his Virtual Labs.

Hacking
Vivas and Communication Skills in Surgery
Published in Paperback by Churchill Livingstone (2004-03-29)
Authors: Kathryn McCarthy, Matthew Hacking, and Jonathan Hewitt
List price: $59.95
New price: $52.63
Used price: $88.94

MRCS Revision Guide
Helpful Votes: 1 out of 1 total.
Review Date: 2007-12-05
The second most useful MRCS textbook with a particularly good anatomy section, although still you always need a separate anatomy book in addition. Garner in my opinion is number 1 but this guide is also a must without a doubt. It's a very useful and essential read and divided appropriately for the respective sections of the viva exam. 5/5.

From the Author
Helpful Votes: 1 out of 1 total.
Review Date: 2004-07-05
This book is primarily designed for the British postgraduate surgical examination (MRCS). The equivalent standard in the US would be from final year medical student until mid surgical residency program. It contains questions on anatomy, physiology, surgical pathology, principles of surgery, operative surgery and critical care. It has a separate section for communication skills in surgery. It is a question and answer style format. While designed for the British market this would be a useful book outside the UK for anyone interested in oral examinations in surgery and for study groups as an aid to revision. Learning in this style makes a change from revising endless lists.

