Friday 10 February 2023

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks

Though Fancy Bear was highly skilled at phishing — the attempt to obtain sensitive information over email from another by impersonating a trustworthy person — its tradecraft was not rocket science. It wasn’t even computer science. It was cognitive science. Cognitive science is the systematic study of how humans think. From this perspective, the phishing emails sent by Fancy Bear to Clinton staffers were perfectly designed, almost as though they had been engineered in a psych lab to exploit multiple vulnerabilities of mental upcode. Fancy Bear caught its phish because its bait was so good.

Author Scott J. Shapiro (a professor of law and philosophy at Yale Law School and the director of Yale’s Center for Law and Philosophy and Yale’s CyberSecurity Lab) explains in the introduction to Fancy Bear Goes Phishing that although he had an early introduction to coding (his dad had worked at Bell Labs and young Shapiro had access to basic computer parts before there even was a World Wide Web), it wasn’t until recently — with a professional interest in the future plausibility of cyberwars — that he really looked into the history of personal hacking, intranational cyberattacks, and the security measures put in place to protect against them. This book not only explains the history of hacking through the exposition of five different types of attacks over the years, but as a professor of the humanities, Shapiro explains the mental processes — the upcodes and downcodes, the heuristics and biases — that both lead to computer hacking and to our ongoing failure to defend against it. To the extent that Shapiro shares the history of hacking through the stories of true crimes and espionage, this made for quite an interesting read; however, sometimes the technical (whether talking hacking code or human cognition) became a little dull and esoteric to me, but I will allow that another reader might want precisely this level of technical data. Overall, a fascinating read on a subject we should all know more about. (Note: I read an ARC through NetGalley and passages quoted may not be in their final forms.)

The most surprising result of my extended, even feverish, immersion in the technology, history, and philosophy of hacking is that I’m not panicking. On the contrary, I’ve concluded that much of what is said about hacking is either wrong, misleading, or exaggerated. I decided to write this book because I was excited about everything I’d discovered. But I also wanted to write it to correct these misapprehensions.

As a lazy summary, I’ll quote from the publisher’s blurb on the five hacks Shapiro covers: We meet the graduate student Robert Morris Jr., who created the so-called Morris Worm in the 1980s, accidentally crashing the internet, and becoming the target of the first federal prosecution for hacking; a Bulgarian hacker named “Dark Avenger” who invented the first mutating computer virus; a 16-year-old from South Boston who hacked Paris Hilton’s cell phone, and leaked its contents; a Rutgers undergraduate who nearly destroyed the internet in an attempt to take down the online game Minecraft; and the Russian intelligence officers who broke into the Democratic National Committee’s computer network and disrupted the 2016 presidential election. I suppose what I found most fascinating is just how easy it was for each of these hacking attempts to have been carried out successfully (from the surprising success of “mumbling” a password to a telephone agent in order to gain access to someone’s account, to the login information for video doorbells and smart toasters being posted freely online [to the boon of botnet operators]); and maybe not surprising that from Microsoft to Equifax, large corporations don’t put money into cybersecurity until it proves more costly not to. It was interesting to read that — other than the Fancy Bear attack — these (in)famous hacks were carried out by teenaged or young adult males; and that while these young men do appear to conform to a stereotype, hacking seems to be a phase of life that most will grow out of (many even making the switch to cybersecurity). And as for Fancy Bear sending phishing emails to members of the Democratic Party and America for Hillary: by international agreement, it isn’t even illegal to spy on or attempt to hack a foreign government (but it was considered tampering for the exfiltrated emails to have been released through WikiLeaks right before the 2016 election). A few interesting tidbits:

• The name UNIX began as a pun: because early versions of the operating system only supported one user — Ken Thompson — Peter Neumann joked that it was an “emasculated Multics,” or “UNICS.” The spelling was eventually changed to UNIX.

• In 1981, Gates spent $75,000 buying a lousy single-user operating system from a Seattle developer known as QDOS (for Quick and Dirty Operating System), adapted it for personal computers, and renamed it MS-DOS. In a masterstroke, he also licensed DOS to IBM for use in all of its personal computers, under the name PC-DOS. *

• Fancy Bear is a cyber-espionage group of the GRU. The GRU has long had a reputation as the most gonzo of the Russian intelligence services. Gennady Gudkov, a Russian opposition politician who served in the KGB, said GRU officers referred to themselves as the “badass guys who act.” “Need us to whack someone? We’ll whack him,” Gudkov said. “Need us to grab Crimea? We’ll grab Crimea.”

(* I didn’t realise that MSNBC was started by Bill Gates and Microsoft, and I sure didn’t know that “DOS” stood for Dirty Operating System.)

When cybersecurity experts are asked to identify the weakest link in any computer network, they euphemistically cite “the human element.” Computers are only as secure as the users who operate them. But the brain is extremely buggy. It is almost tragicomically vulnerable.

Beyond the extraordinary stories of famous hacks, the second focus of Fancy Bear Goes Phishing concerns cybersecurity and “the human element”. From corporations that only invest the bare minimum in keeping our data safe to the heuristics that shortcut individual decision-making, the “black hats” will always find new vulnerabilities to exploit. Shapiro draws the difference between cyber-enabled crimes (traditional crimes facilitated by computers) and cyber-dependent crimes (unauthorised access, spamming, malware), but as we spend more and more of our lives online, we’re becoming more vulnerable to attacks from both groups (who apparently tend to work together and share skill sets: the hacker might need a real-world money-launderer, the ransomware attacker might hire a DDoS service to pressure a target). And while there are those who think that bulletproof anti-hacking tech must be somewhere on the horizon (what critic Evgeny Morozov has called “solutionism”), Shapiro warns against this kind of wishful thinking:

Solutionism not only makes us less secure, it also eclipses our moral agency and sense of responsibility. Treating security and privacy as mere technical obstacles, solutionists delegate difficult political questions to engineers. Engineers do know how computers work. They are technologically literate. But they are also engineers. They are trained to build and operate machines, not to ponder their ethical costs and consequences. Not only are political questions put in the wrong hands; we are left with the impression that there are no interesting moral issues even to discuss. Politics becomes engineering; moral reasoning becomes software development.

Shapiro ends by using a proof from Alan Turing to demonstrate that there is no such thing as bulletproof anti-hacking tech anyway; hackability is built into computational systems and we need to employ more thoughtful “upcode” to mitigate harm going forward. The good news: Shapiro doesn’t believe that there is an all-out cyberwar in our future. The bad news: hacking is a feature of our connected lives — it has been since the very beginning — and we need to get better at recognising danger. The journey to these conclusions does make for an interesting read.

Ironically timely to be finishing this read as the "systems are down" at my own workplace currently due to a "cybersecurity incident". As a small cog in the machine, I have no more information than what has been posted on our (offline) website, but as a customer said to me yesterday, "Not to be cruel, but thank God it's you guys that got hit and not the hospitals or something." Probably a ransomware attack (there must be a profit motive), and I suppose I should be concerned that some black hats could now have access to my personal employee information, but, yeah, thank God it's an attack on a big corporation and not the hospitals or something. What a price to pay for the marvels of the modern world.