POC or GTFO
Book written by Manul Laphroig
Book review by Adrian Sanabria
Bottom Line
I recommend this book for the Cybersecurity Canon Hall of Fame.
Review
The beginning of this book reads, “The Book of POC||GTFO is a weird book.” Whatever word you use to describe it - weird, special, blasphemous - there’s nothing else quite like it out there. POC||GTFO is a love letter to hacker zines. It celebrates hacker culture and values right there in the title: Proof of Concept, or Get the Fuck Out.
Initially, POC||GTFO was released in PDF form, a chapter at a time. These were not normal PDFs. These were PDFs that were also ZIP files. Or JPEG images. Sometimes, a PDF contained a bootable operating system. Articles celebrating the art of file format abuse were among the contents of these PDFs that were much more than simple PDFs.
Once enough chapters were released, the editors behind the concept of this modern-day hackerzine thought a physical form might also be enjoyed by fans of POC||GTFO. The editors of the zine embraced creative formats in digital form, so it wasn’t a surprise when they decided to experiment with its physical form as well.
The book already had a liturgical theme, with the book’s editors using the pseudonym Pastor Manul Laphroig and referring to articles as ‘sermons’. Naturally, they challenged the book’s publisher, NoStarch founder Bill Pollack, to emulate the look and feel of a bible. Thin, gold-edged pages. A flexible cover. Lay-flat binding. An integrated ribbon bookmark. POC||GTFO’s physical form got the royal (holy?) treatment.
To date, there are three volumes of POC||GTFO - this review focuses on the first volume. As you might imagine, the other two volumes continue to experiment with the physical form. Volume 2 has a circuit diagram printed on the page edges opposite the bindings. Volume 3 has physical cut-outs at the page edge, making it easy to jump directly to specific chapters by feel. These are books you will feel compelled to experience and share - not just read.
The content is no less pleasing or thoughtful. The books’ editors sought out hackers, engineers, security researchers, and implored them to submit content clever and quirky enough that it would be right at home in a classic volume of Phrack. One chapter is literally scribbles on a napkin. Poetry by Ben Nagy closes out many of the chapters. Another article explores the Dolphin Gamecube emulator. Polyglot file munging abounds with file format abuses. A TAR archive that is also a PDF. A PDF that is also a ZIP file. An operating system that’s also a PDF that contains chapters of this book.
Joe Grand contributes an article on delayering and reverse engineering PCBs. There are hypervisor exploits. One author reprograms a mouse jiggler into a malicious USB Rubber Ducky alternative. Novel attack surface is shared. So are descriptions of how exploits were discovered. Dan Kaminsky gets passionate about random number generation. Natalie Silvanovich hacks a Tamagotchi. Optical drive lasers are hacked for art projects (”Coastermelt”).
The articles within run a wide range of topics and technical depth. Some are very specific hacks or exploits. Others teach more general skills. Some went far over my head. The ones I found most interesting were more philosophical. For example, there’s Manul Laphroaig’s Sermon on Hacker Privilege.
… reveals a deep truth about us. We don’t want to be part of things that treat people’s time as worthless. More to the point, we cannot stand such things, we simply cannot operate where they rule. We fight, we flee, or we walk away, but in the end we are by and large a community of refugees with an allergy to bullshit.
This article both points out the lucky circumstances of the security researcher and the purpose of these POC or GTFO volumes: exploits either work or they don’t, there’s no faking results or falsifying data. With access to systems, devices, or code, outcomes are undeniable and clear.
This book is a celebration of how hackers think. There’s a clarity to this way of thinking that, after a few hundred pages, gives the sense that the broadness of the topics and authors couldn’t be accidental. It’s as if someone asked the questions, “what is hackable” and “ what is hacking”, and this book sprang into existence as the answer to both.
We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!