Fancy Bear Goes Phishing

Don’t let the three stars fool you, this book is worth reading for anyone interested in computer/cybersecurity. And, it’s interesting. I’m not sure I would say I enjoyed reading this book though; it’s A LOT!

Shapiro does an excellent job taking us through the history of various hacks, the motivations as well as the methods. I found the analysis of upcode (personal morals, ethics, motivations and laws) more interesting than much of the technical analysis, but that could be the result of listening to the book instead of reading the page. (Narration of actual code is a bit silly.)

I think my favorite hack is the first one: “The Brilliant Project” by Robert Morris Jr, who in a frenzy to prove concepts accidentally broke the internet in 1988. Oops. It was definitely a wake up call but really didn’t move industry to improve security, which took a couple more decades. The history of how industry was forced to change its focus is touched on here but is really covered in Menn’s The Cult of the Dead Cow. Industry certainly didn’t make the shift by choice.

The story of how the movie War Games brought computer security into the White House discussion gave me a bit of a chuckle. Despite whoever is in office, I can’t see cybersecurity ever being a regular Cabinet level discussion until we have a few more cabinet members who grew up with the technology.

Shapiro does a nice job explaining what we know about criminal upcode and the maturity process for the majority of hackers. This alone makes the book worth the time and the read.

I learned a great deal regarding terminology: Viruses vs Worms vs Virms vs Trojans. Kill chain, mudge, heuristics… Plus understanding the duality of data and code gave me great insight into how many hacks start.

When going into "Fancy Bear Goes Phishing" by Scott Shapiro, I was interested in his unique take on "hacking." I was hoping to learn something from his perspective as a law & philosophy professor at Yale. Unfortunately, he stumbles when trying to make his points leading me to disregard many of his conclusions.

I was fine with his glossing over the more technical details... as a professional in cybersecurity (creator of a handful of Internet security technologies), I can't get hung up when a writer for popular audiences skips the complicated bits... but what bugged me was when he got technical details flatly wrong. These lead to mistaken conclusions in his reasoning about the behavior and psychology related to various attacks he discussed.

In the end, I'd suggest skipping this book. Experts will likely be annoyed with the mistakes, while non-experts might come away with an inaccurate understanding about how malicious attacks (and associated defenses) actually work.

I give Shapiro a star for at least shining a light on cybersecurity issues that need attention. A second star is for his obvious passion for the subject and being an entertaining author. Too bad he fell off the boat beyond that.

Em português → sol2070.in/2023/07/O-lado-escuro-da-era-da-informa%C3%A7%C3%A3o-em-cinco-hacks-extraordin%C3%A1rios

That is the subtitle of the non-fiction book "Fancy Bear Goes Phishing" (2023) by Scott J. Shapiro. It's a fairly accurate description of the content. This "dark side" refers more to the fragility and vulnerabilities of information systems, which end up allowing the most varied types of hacking, but the dark world of varied types of hackers is also well portrayed, even in the most internal aspects, such as motivations and resentments, with a lot of dialogue with the work of researchers who studied this in depth.

The author is a professor of law and philosophy, but also shows himself to be a genuine computer geek. In addition to his familiarity with the subject since his youth, he has delved deeper into the topic of digital security in preparation for this book. So there is no shortage of technical details of the intrusions portrayed and, due to his teaching experience, Shapiro manages to keep it interesting and, at the same time, didactic.

I just didn't like the forays into the intricacies of law as much, but they don't compromise the book.

The author's thesis is that the most fundamental vulnerability of computer networks is not in the technologies themselves, but in what he calls the "upcode", which is the dominant culture in a given institution (for example, the idea that digital security is something secondary), as opposed to the "downcode", the code or technology used.

He demonstrates this by analyzing the entire context of these major intrusions, starting with the first network virus, which exploited Unix sendmail in 1988, to botnet attacks with the power to break a country's internet, which appeared less than ten years ago.

For anyone interested in digital security, hacking or would just like to know more about it, it's worth it. And not only as an introduction, there are several tasty stories and technical details also for those with more experience.

So much better than I expected. Fancy Bear Goes Phishing certainly is an interesting breakdown of some big and important hacks, and a clearly written primer on “cyber” security. But it is also by far the most level-headed, convincingly argued, thoughtful take on digital security policy I’ve ever seen.

I’m not a security expert. But I regularly take the advice of people who are, and I’ve been building software systems on the open internet for almost 30 years, so I have a pretty solid grounding in the fundamentals here. In Fancy Bear, Shapiro reshaped my thinking on policy topics. And he did it through five stories of hacking, by weaving much more fundamental ideas into the narrative so convincingly that the conclusions feel inevitable. An extraordinary read.

(Aside: I wish I had read this one in print. Alas, the audiobook performance has more little inflection errors than I can forgive. And listening to someone who doesn’t know programming read short code snippets aloud is a little grating.)