Fancy Bear Goes Phishing by Scott Shapiro review – a gripping study of five extraordinary hacks | Computing the net books
As we head towards 2030, a terrible realisation is dawning on us – that we have built a world that is critically dependent on a set of technologies that almost nobody understands, which are also extremely fragile insecure. Fancy Bear Goes Phishing seeks to tackle both sides of this dilemma: our collective ignorance, on the one hand, our insecurity on the other. Its author says that he embarked on the project seeking an understanding of just three things. Why is the internet so insecure? How (why) do the hackers who exploit its vulnerabilities do what they do? And what can be done about it?
In ornithological terms, Scott Shapiro is a pretty rare bird – an eminent legal scholar who is also a geek. Wearing one hat (or perhaps a wig), he teaches jurisprudence, constitutional law, legal philosophy related topics to Yale students. But wearing different headgear (a reversed baseball cap?), he is also the founding director of the university’s cybersecurity lab, which does pretty good research on security information technology generally.
Shapiro was fascinated by computers from a young age, for a time was a computer science major at Columbia University a startup entrepreneur. But eventually legal philosophy got a grip on him he wound up with a professorship in a law school. Embarking on the book forced him to revisit his past: relearning old programming languages; coming to terms with Unix, Linux other operating systems, internet protocols database technology; wading through the weeds of malicious software – worms, viruses, distributed denial of service (DDoS) attacks other loathsome creatures of the cyberdeep.
Most authors in his position would probably have shirked such technicalities. After all, nothing breaks a narrative like a discussion of musings on the “physicality principle” (which states that computation is a physical process of symbol manipulation), the Hungarian-American mathematician physicist John von Neumann’s adventures with cellular automata, or Microsoft’s failure to get to grips with TCP/IP (Transmission Control Protocol/Internet Protocol). And yet Shapiro doesn’t blink, manages to carve a readable path through the conceptual undergrowth.
It’s an impressive achievement. His technique for creating a narrative is to pick five epic hacks, each of which illustrates salient points about the networked world in which we are now enmeshed. He starts with the Morris worm, a program innocently released by a Cornell University student in 1988 that brought the internet to a grinding halt. This is a well-known story that has been told many times, but Shapiro’s account is the most illuminating I’ve seen, largely because it brings out the fiendish ingenuity of Robert Morris’s little program – in the process justifies Shapiro’s decision not to shirk technicalities when telling the tale.
The second hack takes him to an unlikely place: Bulgaria in the 1980s – the world’s first centre of excellence in creating computer viruses – to the battle between an exceptionally gifted hacker, the “Dark Avenger”, his nemesis, the antivirus expert Vesselin Bontchev. This chapter also required Shapiro effectively to become a sociologist of hacking, seeking an understanding of who hackers are what motivates them.
From Bulgaria the story moves to the US in the 00s the hacking of Paris Hilton’s phone, followed by Microsoft’s introduction of the Visual Basic programming language into its Office suite of programs. The idea was to enable users of the software to automate routine tasks. The unintended consequence was that it also enabled the “macro” viruses – such as Melissa ILOVEYOU – that infected Microsoft Word brought nearly every office in the western world to a halt for a few weeks.
The fourth hack is what gives the book its title – the hacking by Russian agencies of the Democratic National Committee’s computers in 2016 the subsequent release of a huge trove of emails that were damaging to Hillary Clinton’s presidential campaign. Again, this is a story we thought we knew, but Shapiro’s account is detailed fascinating, still leaves you wondering whether the hack played a role in Clinton’s defeat.
Shapiro’s final hack is about the “botnet wars” – in which virtual armies of compromised networked devices are marshalled to deliver paralysing DDoS attacks on targeted websites – the subsequent evolution of DDoS as a service. Once upon a time, that kind of destructive hacking required significant technical nous. Now it just requires a credit card malign intent.
What are the takeaways from this absorbing tour of cyberspace’s netherworld? Four things stout. One: “Hacking is not a dark art, those who practise it are not 400lb wizards or idiot savants.” Two: it’s not a hobby, but a business, conducted by rational people out to make a living, or a killing. Just like bankers, in fact. Three: we could do a lot to reduce our vulnerability to it, but governments will first have to make it a crime not to take precautions. And four: mass media plays a really malignant role by providing an endless loop of scare stories zero understanding of the problem.