1337 in the Library: Obtaining your
information security education on the cheap
by
Adrian Crenshaw
"You dropped 150 grand on a f***in' education you could have
got for a dollar fifty in late charges at the public library!" ~ Good Will
Hunting
"If you want to get laid, go to college. If you want an education, go to the
library." ~ Frank Zappa
The two quotes above were my
inspiration for writing this article, along with the fact people keep asking me
"How do I get started in security". Well, if you're asking for career advice I'm
not your man, but on the learning side of things I think I have a few tips I can
give you. While many of us use articles and videos on the Internet almost
exclusively for "getting our learn on," let's not forget those lovely dead-tree
graveyards known as libraries. For that matter, if you're interested in infosec
and don't have the money for a computer and an Internet connection, the local
library (public or academic, more on this later) is a great place to start. Now,
I know some of you will be thinking of the disadvantages of libraries, such as:
1. They have older material that's not as relevant to current information
security as what's on the web.
2. It's easier to find things with Google than the library catalog.
3. You have to leave your mother's basement.
While all of those are true to
some extent, there are some mitigating factors. #1 is hard for me to argue
against, but keep in mind that there are more than just physical books in a
modern library. There are also electronic books and journals that are far
more up-to-date than you might expect. #2 depends on the library you choose;
some offer more than others. At any library, though, ask at the front desk to
speak to a reference librarian. Not everyone that works at a library is a
librarian. Reference librarians are trained to help patrons find the information
they want, and the reference librarian will have a better idea of what resources
are available at their particular library and its affiliates. #3 is something I
can't help you with; just remember to bathe now and then.
Now, on the pro side, libraries have a few things going for them:
1. Libraries have access to electronic resources that you can't get to on the
public Internet. For example: subscription based electronic books and journals.
2. I like the feel of a real hard copy book over reading a computer screen for
hours. I know others may feel differently, but until e-paper based readers
become cheaper and have color I'll prefer wood pulp.
3. Professional writers have a tendency to be better writers. While this is not
always true, it's often the case. There's something to be said for a book or
article where the prose flows well, and the subject is taught in a concise and
understandable manner. Professional editors can really help with this. Also,
while with many security topics "the proof is in the pudding" (aka: you can test
out the findings for yourself), peer reviewed journals have their merit when
discussing esoteric subjects.
4. Books are nice from the standpoint of having a "one stop shop" for some types
of information, rather than having to piece together bits and pieces of a topic
from multiple sources.
When asking a librarian for help
you might be better off asking "Can you help me find books on pen-testing and
information security?" than asking "Can you help me hackzor the Gibson?", and
don't forget to be polite. Unfortunately, the media in general is a pretty lazy
bunch when it comes to researching terms, and the term "hacker" causes people
outside of the geek crowd to weird out sometimes because they don't understand
its varied meanings. If you really feel the need, explain the term hacker, or
point them to the Wikipedia entry on the term. Just keep in mind that some
librarians view Wikipedia the same way union members look at scabs.
Now, it may well be that your local public library has very few books on computer security. It's been my personal experience that university libraries are better in this regard than public libraries. Even if you are not a student at the university, they may let "community patrons" borrow from their collections. This is especially true of public universities. If the public or university library near you does not have the materials you are looking for, they may still be able to get them from other libraries they are affiliated with. See if your library has an interlibrary loan or request delivery program (terms vary depending on how the libraries are affiliated). Your local library may let their patrons request books from other branches, greatly increasing the collection you can pull from. This is very useful if you use a library at a public university that has multiple campuses around the state. If none of the branches directly affiliated with your library has the sort of materials you are looking for, ask about their interlibrary loan program. They may be able to hop on OCLC WorldCat or some other inclusive catalog and get you the book you want from another source. While we are on the subject of WorldCat, another thing I should point out is that if you are concerned about privacy and don't wish to reveal information about yourself and what you are searching for, you don't have to. You could search WorldCat yourself, find a library in your area that has a copy of the book you are looking for, and go to that library in person to read it. That way, if it is a sensitive matter, you never have to leave a record by checking it out or letting people know what you are researching. WorldCat can be found at:
If all of that fails, see if the
library will do a purchase request for you. If it's a university library, it
might be best to sweet talk one of the comp sci or informatics professors into
making the request for you as they are more likely to get results.
Some libraries have access to what is known as "electronic books". Essentially,
these are web versions of normal dead-tree books that are available over the
web. The library may subscribe to different vendor collections, and may restrict
browsing based on IP address so that you have to be at the library to use the
resource, or use a proxy provided by the library. Various vendors like ebrary,
netLibrary and Books 24x7 have great collections of technical books. O'Reilly
Safari also looks like a great source, but may be harder to find because of the
expense. Unfortunately, many of these ebook vendors have restrictions on how
many pages you can print. While they are not as convenient as some of the PDF
and CHM e-books that can be pirated via Bittorrent or eMule, they are legal.
So far I've just mentioned physical and electronic books. There are also periodicals (that's magazines, journals and newspapers for the non-library crowd) that may be of use to you. If nothing else, it's a hoot to go look at a Computer World from twenty years ago to see what they thought was the next big thing. Electronic resources like Factiva, EbscoHost, and Lexis-Nexis let you search for journals that might be of interest to you, and in some cases let you download the full text of the article in PDF format. The ACM (Association for Computing Machinery) Digital Archive can be a good resource for those esoteric subjects I mentioned previously. Looking through newspapers and journals can be a great source of information in preparation for social engineering. For some older materials you may have to resort to microfilm or microfiche.
As I stated before, libraries are a great place to get free Internet access. Different libraries have varying policies concerning use of their terminals, and whether or not you have to sign in for time on the stations. Obviously I would not recommend sending any private information using the library boxes, and if you're using your own laptop to access the free WiFi at the library you may want to read my Hacker Con Hijinx Handout:
http://www.irongeek.com/i.php?page=security/hacker-con-handout
While it was written with hacker cons in mind, the same advice applies to pretty much any public network. One thing you may run into at public libraries is Internet filtering. Because of the Children's Internet Protection Act (CIPA), public libraries have to filter certain types of content to get funding. While the CIPA is mostly concerned with pr0n, SEC. 1732. does list "hacking" content as something to be filtered. Many libraries just buy a filter solution that blocks a wide range of subjects that some organizations don't want their users viewing. This includes infosec information that the filter labels as "hacking content". My local public library blocks my website, which would not bother me so much if it were not for the fact that when a user tries to visit my site it pops up a warning page in the user's browser that says my site tries to install malware, which it certainly does not. If you want more information on the CIPA check out these links:
http://www.fcc.gov/cgb/consumerfacts/cipa.html
http://en.wikipedia.org/wiki/Children's_Internet_Protection_Act
Luckily these filters are easy to get around depending on how they are implemented. A patron could use Tor, remote into a VPN, tunnel using SSH or just use Google and the search string "inurl:nph-proxy" to find a public proxy. Keep in mind this may violate the use policy of the public library, so be sure to view the user agreement before doing such actions to get around filters. You may also be able to get the library to drop the filter for you as long as you can prove you are not a minor. According to FCC Order 03-188 it is acceptable for the library to do this for an adult, but I'm not sure it's required. My guess is you will get there and find out that the librarian has no idea how to drop the filter, or if they do, they may not be willing to do so.
In summary, give your local
library a visit and see what resources they have. If nothing else it gets you
out of your mother's basement.