Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks
Book written by Scott J. Shapiro
Book review by Hal Gangnath
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
In his book, Fancy Bear Goes Phishing, Dr. Scott J. Shapiro brings a unique perspective to cybersecurity. With a background in law and philosophy, he founded and currently directs the CyberSecurity Lab at Yale Law School.
While he initially majored in computer science at Columbia and briefly worked as a database construction consultant after graduation, he eventually "lost interest in computers" and transitioned to Yale Law School, later completing a Ph.D. in philosophy at Columbia (Shapiro, p. 6).
Shapiro sets out to answer three fundamental questions:
- Why is the Internet insecure?
- How do hackers exploit it?
- What can we do about it?
In contrast to the typical cybersecurity books that adopt either a "joyless, eat-your-vegetables" or a "breathless, run-for-the-hills-now" style (p. 16), Shapiro aims to empower readers to address these questions that underpin his book.
Shapiro writes for a non-technical audience, taking great care to provide the appropriate level of technical explanation required to convey his narrative. The "five extraordinary hacks" mentioned in the subtitle are not isolated events; they serve as pillars around which he constructs his historical account, providing the structural foundation for his captivating narrative.
Throughout the book, Shapiro introduces a recurring dichotomy: "upcode" and "downcode." "Downcode" encompasses the binary "1"s and "0"s of computer code, including device drivers, protocols, programs, and operating systems. In contrast, "upcode" represents not only the intellectual aspect required to conceive and create downcode but also the "social, political, and institutional forces that shape our world" (p. 10).
As a philosopher, Shapiro approaches his inquiries through the lens of the "philosophy of computation." He contends that hackers don't merely manipulate downcode; they exploit philosophical principles, a concept he terms "metacode." Metacode refers to the foundational principles governing all forms of computation, delineating what computation is and how it functions. It's essentially the code that must precede the execution of computer instructions (p. 11). Shapiro acknowledges the pioneering work of a 24-year-old Alan Turing, who first described these metacode principles in his 1936 article "On Computable Numbers." Without Turing's metacode, Shapiro asserts, our digital world would not have evolved (p. 12).
Shapiro takes his readers deep into the intricacies of computing history to elucidate the present. He initiates his narrative with the 1988 Morris Worm, created by graduate student Robert Morris Jr., with whom Shapiro feels a deep connection due to their similar backgrounds and ages. In exploring the Morris Worm incident, Shapiro delves into the origins of the Internet and recounts how the NSA's efforts to create the VAX VMM Security Kernel resulted in an ultra-secure yet impractical system. He also makes an intriguing detour to Lewis Carroll's 1895 philosophy journal article, "What the Tortoise Said to Achilles." From there, he explains the distinction between computer code and data and how "1"s and "0"s can represent one but not both.
Shapiro then transports readers to Bulgaria to elucidate the evolution of computer viruses and the influence of John von Neumann in crafting a self-replicating computer program. Following a detailed explanation of how viruses function, Shapiro raises questions about why virus writers create code that indiscriminately destroys data from innocent victims. He introduces Sarah Gordon, a sociologist who sought to understand if virus writers were "morally abnormal" (p. 117). In her 1994 presentation, "The Generic Virus Writer," Gordon concluded that those who write viruses for fun are not monsters but often rebellious adolescents who tend to mellow with age (p. 120).
Shapiro then shifts the narrative to the breach of Paris Hilton's cell phone. In doing so, he offers insights into the evolution of operating systems as tools for market consolidation, a consolidation that contributed to today's predominantly oligarchical technology landscape and its implications for cybersecurity. He offers up the example of Cameron LaCroix, who started hacking on America Online at the age of 10 and, by age 16, obtained the password to the main customer database at a local T-Mobile store through social engineering (p. 174).
Shapiro then proceeds to provide an illuminating account of how the Russian Fancy Bear group managed to infiltrate the DNC. Shapiro states, "Fancy Bear caught its phish because its bait was just that good" (p. 186). Using the DNC hack as a backdrop, he surveys how psychological heuristics make us susceptible to phishing attacks (p. 199). He then provides an engaging discussion of the GRU, Russia's military intelligence agency.
Finally, in his examination of Distributed Denial of Service (DDoS) attacks, Shapiro introduces readers to Paras Jha. A bright but socially awkward individual with untreated ADHD, Paras immersed himself in computers and learned coding by age 12 (p. 245). After dropping out of Rutgers, he collaborated with online hacker friends to develop and deploy DDoS botnets. They offered their system, named Mirai, on the dark web and became embroiled in a fierce rivalry with a group of young hackers called VDoS. This rivalry eventually extended to IoT devices.
Through these chapters, Shapiro artfully answers the first two of his questions: why the Internet is so insecure, and not only how hackers exploit it but, in many cases, why. This leads to his attempt to answer his third question: what can be done about it. He calls for an end to "solutionism" in cybersecurity, the ubiquitous trend in which every cybersecurity firm promises to offer the ultimate solution to keep data safe (p. 282). This approach attempts to continuously solve issues through "downcode". He argues that instead we should focus on changing the "upcode," the fundamental principles that govern our digital world. Shapiro proposes industry liability measures to hold software companies more financially accountable for breaches.
He also suggests tapping into the talents of young Eastern European hackers and redirecting them from black-hat to white-hat activities, potentially offering them legitimate opportunities in the industry (p. 294). This is perhaps his weakest suggestion. Given the sensitive nature of cybersecurity work, it is doubtful that many companies would be willing to risk hiring from this obviously talented pool of workers. There would simply be too many hurdles, both geographic and personal, for these workers to overcome. It is in this well-meaning suggestion that his lack of a background in day-to-day cybersecurity work is apparent.
Nevertheless, Fancy Bear Goes Phishing was a joy to read. Shapiro expertly and entertainingly achieves his goal of guiding his readers, whatever their technical background, through his three fundamental questions – the why, how, and what of modern cybersecurity – and throws in a lot of fascinating tech history/psychology/philosophy to boot.