Scott J. Shapiro

We can be thankful that Scott Shapiro wanted to be accurate. For his book Fancy Bear Goes Phishing, this Yale University philosophy and law professor returned to school to learn coding – the art and science of it, its lingo, and its nuances. Pretty much everything has changed since he took up coding as a kid in the 80s. This re-education effort has allowed him understand what has been going on in the world, both real and cyber, and transmit in nice plain English how everything has been falling apart.

He does it by teaching readers the basics of coding, like the difference between code and data. This is key to how to understand, if not actually devise malware, including worms, viruses, vorms and ransomware. It’s not exactly a treat, but Shapiro makes it move briskly, and it helps readers understand the very different attacks they read about. He also profiles the hackers in depth, following their trackdowns to arrest and conviction, and how precisely they damaged computers, the internet, and the roadkill of innocent bystanders, by the millions.

Hacking is not necessarily intuitive or straightforward. For example, Shapiro says “If you want to start a fight among antivirus researchers, ask them to define virus. If you want that fight to turn into a brawl, ask them to distinguish viruses from worms.” For the record, not all malware is viral. Viruses need to be able to self-replicate to be viruses, as well as to infect other programs. Worms seek to exploit network vulnerabilities, as opposed to hardware or software vulnerabilities. Worms have the bigger job and are much larger than viruses, which, like medical viruses, are dumbfoundingly simple and tiny beasts. Viruses just have to trick humans into installing and executing them.

The spine of it all is five major internet hacks, many of which might be familiar to readers because they extended to the world at large, well beyond the forums and chat rooms of the internet. They include The Morris Worm, the first takedown of the internet, long before everyone had their own computer. The Minecraft Wars sought to kill off competing servers. The Paris Hilton Scandal, The Bulgarian Connection, the Internet of Things/ Denial of Service exploits, and of course Fancy Bear and the evisceration of the Democratic Party in 2016. What they mostly have in common is anonymous male teenagers becoming a threat bigger than a world war. The internet was so sloppy, so unprepared for malice and so rushed to gain market share that security and elegant code took a back seat, or more accurately, no seat at all.

Fancy Bear is a code name for the Russian GRU unit that spends all its time infiltrating computer networks, sites and services all over the world (Cozy Bear is the same kind of unit, but at Russia’s FSB, the successor to the KGB). Their bizarre mandate is to shake the confidence of users in other political systems and somehow come to appreciate Russia’s lovely status, stability and power. Fancy Bear is just one player, albeit a global one. Far bigger exploits have been committed by simple, single teenagers who know how to bamboozle a customer service rep, write a short (less than 2000 kb) program to crush a system, and weaponize the internet of things into slave machines to run massive denial of service attacks on whomever they want to extort money from - to make it go away.

The teens all dreamed up their schemes themselves. They all acted with zero concern for anyone else, and while they all might have begun it for the thrill of it all, they sometimes graduated to wanting the big bucks. Fancy Bear wanted nothing less than the dissolution of the American electoral system. It even invented Guccifer2 to taunt the internet with its power to destabilize.

Shapiro explains it is a truism that every country has departments that do this to other countries. The USA has the biggest and the “best”. It is expert at disinformation and hacking. It is a truism that international law does actually permit spying between countries, if only because the signers knew that no one would stop. And it is a truism that most countries have made it illegal for other nations to spy on them (while they expand their own spying of others). What a great example they all set. Is it any wonder that teenagers feel free to dive right in?

About the only thing I did not like in Fancy Bear Goes Phishing was Shapiro’s rose-colored glasses over cyberwar. His position is that only weak nations wage cyberwars against the powerful, because they know they can’t wage real war against them. Therefore, the USA, for example is probably safe from its entire electrical grid being taken down. Because no one wants to suffer the response from America. This might work in a Logic class at Yale, but in the real world, not only does anything go, but every weapon ever invented gets deployed. No exceptions. If they build it, they use it. Players do not always act in their own best interests. Rogue teenagers can gum up carefully crafted policies. Wildcard maniacs cannot be predicted or prevented. Fortunehunters don’t care about weak vs strong. Neither do the rich. Applying logic to this cauldron of instability is laughable. It’s another “What could possibly go wrong” moment.

Is there blame? Lots. Congress all but totally fails to live up to its responsibilities to regulate cyberspace. Corporate greed recognized this instantly, and abandoned any kind of security measures in favor getting more and more defective and unsecured products out there in the race to be the biggest. (Once again, I cite the Sirius Cybernetics Corporation’s galaxy wide success. It was due to their fundamental design flaws being completely hidden by their superficial design flaws. The Hitchhiker’s Guide To The Galaxy already saw this in the 1970s. Congress, not so much.) The winner take all mentality subsumed all else. To become the standard, to have a lock on their markets. To own the client. It’s just garden-variety monopoly, totally enabled in this fresh and wide open arena of cyberspace. It was and remains the opportunity of a lifetime.

Edward Snowden’s revelations showed endless examples of egregious overreach, abuse of privilege, and outright lies. And that was just by democratic governments. The very existence of secret courts and secret court orders, where not even the accused are allowed to know their own involvement, continues to be a major stain on America, along with surveillance of - everyone. The false façade of cyberspace (“Information wants to be free!”) is aided and abetted by negligent and malicious government. If there’s blame, that’s where it lies.

All these things opened the hangar doors for bored male teenagers to notice they could have it all too. It was so silly that firms actually published the factory-set login information on their websites for their smart products. Hackers collected them and published lists of logins and passwords, ranked by their accuracy and reliability. In creating their gigantic botnets, hackers took over hundreds of thousands of smart toasters, security cameras, doorbells, coffee makers and thermostats, instructing them to send their data to denial of service targets, flooding them with garbage data and causing them to crash. The owners of the appliances never even knew. But then, they probably never even knew what their own passwords were and so did not change them.

For some this book will be nostalgic, with perhaps some new details, particularly regarding the personal stories of the hackers, a worthy read in its own right. For most, it will at last explain what it all means in the context of out of control corporate and personal greed. It will appeal to several different audiences and satisfy all their inclinations and needs. It is fast paced, helpful, and accessible. It makes sense of it all.

Shapiro is of the opinion that it is not possible to win the hacker battles definitively. Rather, he says, there are different approaches to what he calls the three categories: crime, espionage, and war. Their differing goals require different countermeasures, and therefore different deterrents and tactics. It’s another aspect of this book that makes it different from the pontificating books I have read before it.

The real hope of cyberspace is breaking it of its winner take all mentality. Just like any society, be it Man or beast, widely distributed varieties of DNA will save it from being wiped out by a single virus or bacterium. Having multiple brands of computer, multiple operating systems and multiple network protocols can help prevent any attack from taking down everything in a few minutes. Like he shows the Mirai botnet did – repeatedly and relentlessly. Because it could.

We can learn from this book.

David Wineberg… (meer)