As soon as I noticed a book published with this savvy title (and cover, created by Rodrigo Corral) this year, I knew I had to read it: Fancy Bear Goes Phishing: The Dark History of the Information Age, in five Extraordinary Hacks. Authored by Scott J. Shapiro, professor of law and philosophy at Yale Law School. In his youth, Shapiro spent much time with computers, but later chose a career in philosophy and law. When writing about cyberwar, he returned to computers, re-learning programming, computer science and the lingo: Evil maid attack, bald butler attack, bluesnarfing, phishing, spear phishing, whaling…
Attempting to answer the simple questions of why the Internet is insecure, how do hackers exploit insecurity and how they can be prevented, or at least decreased in numbers, Shapiro takes us on a journey with five stops, from the late 1980’s to the hacks of the Democratic National Committee and the Minecraft wars 30 years later.
One of Shapiro’s main arguments is the distinguishment between upcode and downcode. Upcode is the human aspect of cybersecurity, such as regulation, law, and organizational norms, whereas downcode is the technical programming and operating of programs, operative systems and alike. His consistent argument is that upcode regulates downcode. Thus, he opposes solutionism, the view that “technology can and will solve our social problems”. I’ve written about the tech elite earlier in 2023, their engineering-like focus on all issues, they being able to solve everything with math and algorithms, as if reality can be reduced to technicalities. Shapiro continues, with his fantastic sense of humour: “Great news! We can reverse centuries of imperialism, revolution, and poverty with our cell phones.” This connects to Bruce Schneier’s angle on cybersecurity too: focus on the humans primarily.
Another sentence deeply related to Cathy O’Neil is “Most problems do not have solutions that are reducible to finite procedures.” Solutionism cannot succeed, because it relies on (Alan) Turing’s physicality principle: changes in the digital realm presupposes changes in the physical realm, which means computation, when all is said and done, is a physical process, and relies on control over the physical world, such as cables, servers, and routers.
The almost inherent insecurity of the Internet of Things (IoT) is quite obvious, another connection to Schneier, who claims the same thing. IoT-devices have very rudimentary operating systems, meaning they’re usually really poorly designed. They have a singular, or few, purposes, rendering them with attack vectors. So, your refrigator might be part of a zombie-net controlled by some angry teenager playing Minecraft, using your very refrigator attacking another server running Minecraft.
Solutionism dominates so much, represented by ignoration and non-comprehension among programmers and computer scientists, disguised as the common resentment and claims that politics is unfit to kepp up with things technical. The sentiment of solutionism Shapiro compresses in one sentence:
“Politics becomes engineering; moral reasoning becomes software development.”
Cybersecurity – it’s a human thing
Shapiro connects law and legal discussions in the cases the tells. What are the implications judiciously for the hackers, how does the hackers think, and the legal system perceive these acts. In cases where the perpetrator is sentenced, how does the legal system reason?
I appreciate how he considers gaming and programming culture as overtly (white) male, rendering women targets usually for misogynic hatred, or at least suspicious activites by men against women (and other gender identities, might I add). This touched briefly on the deeply ingrained meritocratic aspects of programming/hacking culture, as covered by Gabriella Coleman in Coding Freedom: The Ethics and Aesthetics of Hacking.
Shapiro also provides us with the combination of basic computers science terms and programming functions, such as the difference between data and code, and how operating systems work. If you don’t understand how very rudimentary programming functions, Shapiro will inform you how it actually works to prove his points, and easen the complexities of cyberspace somewhat. Knowledge will calm you more than ignorance, he reasons, and I concur.
Mainly he presents various ways hackers exploit humans via their cognition: visuality, irrationality, probability, and time. Hackers are great cognitions and really social beings, at least virtually, and comprehend how some people will be fooled.
The sense of humour!
Regarding the oh, so common Nigerian prince/general/rich person mail, Shapiro regularly depicts issues and technicalities through diagrams or pictures, and provides proper examples the reader can understand, such as:
“This Nigerian Astronaut pushes this internet scam to eleven.”
Anyone who comprehends this sentence, will enjoy reading a serious book on a serious subject.
It goes up to eleven
Of all the books on technology I’ve read, this is the best one. Were I to give people a recommendation on one single book they could read to better grasp the cyber realm, Fancy Bear Goes Phishing it is.