Fancy Bear Goes Phishing

Don’t let the three stars fool you, this book is worth reading for anyone interested in computer/cybersecurity. And, it’s interesting. I’m not sure I would say I enjoyed reading this book though; it’s A LOT!

Shapiro does an excellent job taking us through the history of various hacks, the motivations as well as the methods. I found the analysis of upcode (personal morals, ethics, motivations and laws) more interesting than much of the technical analysis, but that could be the result of listening to the book instead of reading the page. (Narration of actual code is a bit silly.)

I think my favorite hack is the first one: “The Brilliant Project” by Robert Morris Jr, who in a frenzy to prove concepts accidentally broke the internet in 1988. Oops. It was definitely a wake up call but really didn’t move industry to improve security, which took a couple more decades. The history of how industry was forced to change its focus is touched on here but is really covered in Menn’s The Cult of the Dead Cow. Industry certainly didn’t make the shift by choice.

The story of how the movie War Games brought computer security into the White House discussion gave me a bit of a chuckle. Despite whoever is in office, I can’t see cybersecurity ever being a regular Cabinet level discussion until we have a few more cabinet members who grew up with the technology.

Shapiro does a nice job explaining what we know about criminal upcode and the maturity process for the majority of hackers. This alone makes the book worth the time and the read.

I learned a great deal regarding terminology: Viruses vs Worms vs Virms vs Trojans. Kill chain, mudge, heuristics… Plus understanding the duality of data and code gave me great insight into how many hacks start.

Cybersecurity is my job, so I came into this book with some amount of knowledge of the subject, but I still found it a fascinating read.

At first, I was slightly annoyed that Shapiro was making up new words (downcode, upcode, metacode) to describe things we already have word for in the industry, but as I read the book I started to see why he's using these words.

Shapiro does a great job of using the ideas of downcode (what you might consider regular computer code), upcode (generally the ethics or rules that the computer user has), and metacode (the rules that exist "above" the user, such as laws). By defining these three ideas, Shapiro makes the case that cybersecurity is not a technology problem at all, but rather a human problem.

This idea is something that I've tried to instill in others at my day job, but it is something that is hard for people to understand, even those that work in the IT/cybersecurity industry. Many technical people think you can solve all problems via technical means. This is what Shaprio calls "solutionism" near the end of this book (if I remember correctly, the word "solutionism" is actually coined by someone else).

I found myself comparing this book to another one I read recently, A City on Mars by Zach and Kelly Weinersmith. Both of these books take what is ostensibly a "technical problem" and then start to apply the human element to it, with the end result being about the same. Technology cannot and will not solve all of our problems. We really have to do it in the messy human world.