REVIEW: "Silence on the Wire", Michal Zalewski

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
BKSLNOWR.RVW   20050603

"Silence on the Wire", Michal Zalewski, 2005, 1-59327-046-1,
%A   Michal Zalewski
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2005
%G   1-59327-046-1
%I   No Starch Press
%O   U$39.95/C$53.95 415-863-9900 fax 415-863-9950
%O  ( product link shortened)
  ( product link shortened)
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   281 p.
%T   "Silence on the Wire"

I don't know why, exactly, the phrase "self-taught information
security researcher" (in "About the Author") should give me such a
sense of foreboding.  (The phrase could apply to me, and to many
colleagues, although we tend not to use it.)  And even before I read
it, a number of people had warned me I wouldn't like it.

Well, I did like it, once I figured out what it was.  I think a lot of
people don't understand it.  It is not a security text, by any means,
but rather a series of explorations that take our "professional
paranoid" mentality and examine some issues we seldom consider.

The subtitle states that the book is about passive and "indirect"
attacks.  Although passive attacks are well defined, indirect does not
have a formal distinction, and the introduction does not help in
explaining what the author intends.

Part one covers activities that occur at the origin of data and
processing.  Chapter one is titularly about typing, but spends a lot
of time dealing with the problems of pseudo-random number generation,
and seed data acquisition, and finally outlines an unlikely and very
complex attack, heavily dependent upon specific functions and data
availability, and seemingly directed at finding out if someone is
typing at the computer.  (The attack is also active, not passive.)  A
discussion of digital electronics, boolean algebra, and processor
architecture, in chapter two, eventually leads to a brief discussion
of the timing and power attacks that are well known in cryptology
circles.  (There are also odd and careless errors: readers are asked
to contrast figure 2-4 with figure 2-4.  There is a difference, it
just isn't explained.)  Chapter three reviews a few random and
unrelated vulnerabilities.  It is very difficult to determine what the
point of chapter four might be, but it seems to be a screed against
the use of Web crawling bots.

Part two appears to address local communications links.  Chapter five
provides a brief review of data communications 101, and then notes the
"flickering modem LED" vulnerability.  The ethernet frame padding
problem is described in chapter six, while chapter seven lists some
other networking difficulties, and eight briefly mentions
miscellaneous topics such as identification by keystroke analysis and
war driving.  (It should be noted that chapter length varies widely:
chapters one, two, and five average twenty-five pages each, while the
rest are closer to five.)

Part three moves out to the Internet.  Chapter nine reviews most of
the TCP/IP protocol, and then discusses how the ways that different
systems populate fields of the IP header can be used to identify
operating systems without a direct connection.  The discussion in
chapter ten starts with passive mapping of an inaccessible network,
but the attack described seems to be intended for sequence number
guessing (and session hijacking).  Chapter eleven addresses weaknesses
in various types of firewalls.  Dissection of an odd packet is in
chapter twelve, a method of third party scanning in thirteen, some
possible metrics for identifying software in fourteen, and some ways
of recognizing attacker machines in chapter fifteen.

Part four supposedly attempts to relate these disparate elements,
apparently without much success.  Chapter sixteen describes a storage
method using packets bouncing around the net, seventeen looks at
different methods of mapping the net and some possible uses, and
eighteen considers the discovery of worms and other malware via the
capturing of unusual packets.

The material in the book is fascinating in places.  However, the work
is not structured in a way that makes the security implications
obvious (the writing is not very direct, and the narrative or topical
thread tends to wind around subjects), and, in fact, the security
implications aren't very powerful at all.  Yes, in the end, the author
has written mostly about passive and indirect attacks, but the methods
covered are unusual, and probably not very useful.  Most of the
material concentrates on rather weak covert channels.  In this regard
it can have some uses in a minor way: covert channel examples are not
abundant in the general security literature.  The attacks suggested
are interesting thought experiments, but have limited uses either in
attack or defence.  As "Trivial Pursuit" (meaning the game of oddball
facts) for the tech crowd it's great, but the author never intended
the text to be a vulnerability warning.

copyright Robert M. Slade, 2005   BKSLNOWR.RVW   20050603

============= for back issues:
[Base URL] site /
      or mirror /
CISSP refs:     [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Book reviews:   [Base URL]mnbk.htm
Review mailing list: send mail to

Re: REVIEW: "Silence on the Wire", Michal Zalewski

Rob Slade, doting grandpa of Ryan and Trevor wrote:

Quoted text here. Click to load it

I'm not sure we disagree all that much (my full review is at ), but I can't imagine
"not liking" this.  Certainly, as you note, this isn't and wasn't
intended to have much relevance to real day-to-day security concerns,
but I enjoyed it tremendously for the author's wit and also for the
excitement of the unexpected:  so many times I was ready to surf on
through something, thinking "yeah, yeah, we KNOW already", only to have
a complete curve ball come whizzing by me.  I enjoyed it tremendously
and probably will have to buy another copy because the one I lent out
isn't likely to come back to me soon.

Tony Lawrence
Unix/Linux/Mac OS X  resources:

Site Timeline