hat do the son of the one-time chief scientist at the National Security Agency, Bulgarian malware coders, Paris Hilton’s cell phone, Minecraft servers, and the Democratic National Committee all have in common? This may sound like the set up to a properly bizarre joke, but the punchline is anything but funny. For author Scott Shapiro, they are five hacks that are illustrative of fundamental flaws of internet security and offer windows into the world of cybercrime and cyber war. Shapiro, a Yale University law and philosophy professor offers one of the more novel looks at the world of hackers and hacking in his oddly adorably titled book “Fancy Bear Goes Phishing.”
For those unfamiliar with the world of cyber hacking, Fancy Bear is the name given by Western analysts to a hacking unit within Russia’s military intelligence, the GRU. “Phishing” is the disguising of malicious emails or messages to make them appear to come from legitimate sources. It is a tool widely used by hackers to exploit human fallibility to steal credentials and gain access to accounts, and was used as Shapiro explains, in the 2016 Democratic National Committee breach.
Books on the world of cybersecurity and cyberwar are a decidedly mixed bag. They are often hyperbolic, breathless accounts of how the Internet will come crashing down (Richard Clarke’s “Cyber War,” for example). Alternatively, they are deeply nuanced and highly intelligent, but written for experts. Daniel Moore’s superb “Offensive Cyber Operations” is a prime example. The challenge is narrowly treading the middle-ground. Whereas Clarke’s book takes advantage of the ignorance of most of the public (and trades on both fear and his CV) and Moore’s is written for a knowledgeable audience, the Economist- and FT-reading middle is left out. Enter Scott Shapiro from stage left.
“Fancy Bear Goes Phishing” threads this needle brilliantly, making cybersecurity both accessible and interesting, but respecting the reader’s intelligence and curiosity. It is a grounded look at cyber threats and their emergence through five key hacks, but also offers a sort of Computer Science 101 in the process. This is an inspired way to address cybersecurity. Shapiro doesn’t just explain what happened, or the tools and techniques used to access the systems in question. Rather, he dives into the structural vulnerabilities and code weaknesses (both digital and human) hackers exploited. He makes coding and programming interesting and compelling for a lay audience, and it makes both the stories themselves, but his argument more broadly, far stronger.
Arthur C. Clarke wrote that “Any sufficiently advanced technology is indistinguishable from magic.” For most consumers, computers and iPhones may as well be considered magic. So long as they work, that’s all they care about. It’s when they don’t that panic ensues. By exploring the underlying structure of modern computing, the ones and zeroes, and the human psychology hackers take advantage of, Shapiro shows readers how exploits work and why they are successful. By deconstructing human fallibility, he shows readers how Nigerian scammers and Russian hackers dupe users into surrendering both money and access credentials.
“Fancy Bear Goes Phishing” is a compelling read even without the inclusion of this 101 course. Shapiro is an engaging writer with a command of details and a flair for storytelling. But by adding in this educational component, it makes his book stand even further out from the crowd. Understanding what happened isn’t enough to lead to solutions. As Shapiro vividly illustrates, you need to know how it happened.
Shapiro focuses not just on the “downcode” as he calls it—the programming languages and underpinning zeroes and ones of binary that creates the vulnerabilities—but also the “upcode,” or legal, regulatory, and social structures that govern the cyber world. As he masterfully illustrates, you cannot understand one without the other, and one cannot exist without the other.
“Fancy Bear Goes Phishing” successively follows the growing complexity of both the downcode and upcode. Shaprio begins his story with the “Morris Worm” written by the son of the chief scientist at the National Security Agency, which ran rampant through the early Internet and led to one of the early computer crime cases. He then turns to the heady days of malware coders in Bulgaria (a similar subject covered by Matt Potter in his book “We Are All Targets”). A digital Wild West at the time, Bulgaria became the source of some of the most prolific and effective malware in the ‘90s.
He then looks at how a bored teenager social-engineered his way into socialite Paris Hilton’s T-Mobile cloud account, leaking her personal messages, photos, and contacts. The highly politicized breach of the DNC servers (by the titular Fancy Bear) is, interestingly, the only nation-state breach he covers in depth, but it too is illustrative of not some grand hacking scheme, but just a crafty phishing attack. Finally, Shapiro explores how a botnet army that started as a way of dominating the servers running the game “Minecraft” became a distributed denial of service (DDOS) attack for hire scheme.
This is an unconventional history of cybercrime and war in that the nation-state features so little and that the hacks themselves are not highly complex Hollywood-esque thrills. Most have a warped view of what hacking is in practice. It is far more about social engineering and exploiting human fallibility than bespoke code smuggled across air-gapped servers. While there are examples of exquisitely designed and executed hacks—the SolarWinds breach by Russia’s foreign intelligence agency, the SVR, and the U.S.-Israeli Stuxnet worm, for example—most are far less complex. Indeed, during a recent working group hosted by the White House on the nexus of space and cyber security in which the reviewer participated, the overwhelming consensus was that the greatest threat was not malware targeting space systems, but phishing to steal credentials—it was much lower-hanging fruit than going directly after satellites.
Shapiro closes his book with an argument against “solutionism,” the belief that there will be some widget that will solve all the cybersecurity problems faced by society. While this will surely raise the hackles of cybersecurity companies the world over, he does have a point. It does, however, fray at the edges—technology may not solve every problem, but it is critical to addressing many of them. Throughout the cases Shapiro presents, the real villains and vulnerabilities are not the codes or programs, but the people sitting in the chairs either using them or being duped by them. It is the embodiment of the “PEBCAK” error code: “problem exists between chair and keyboard” or the squishy human element. No amount of upcoding will remove human fallibility, irrationality, or gullibility, but systems can better constrain and guide human weaknesses.
He proposes three “Ps” of pathways to cybercrime, payments for cybercrime, and penalties for software vulnerabilities. First, finding clever talent and guiding them into more productive avenues and outlets for their talents would take some, but not all, of the budding black-hat (or criminal) hackers out of the wild. Similarly, creating off-ramps for arrested black hats and turning them white-hat (good hackers) hacking could also help take some of the players off the field. It is an ambitious idea, but one that will likely have limited efficacy. Going after the payments is, however, a proven path toward success in targeting crimes: It was not a smoking gun that brought down Al Capone, but tax evasion. Criminals will always find a way to launder their money, but making it that much harder, and the penalties for discovery that much greater, makes it less of an attractive prospect.
Creative punitive measures for software vulnerabilities is an interesting concept. Companies are held liable for defective products, but defining the parameters for such measures may prove more difficult in practice than theory. A reasonableness test would almost certainly be necessary as it is impossible for a company to identify every potential vulnerability—the 2013 Target hack was accomplished by hackers breaching the HVAC company first. Mandating security-by-default is a sensible measure but will almost always be reactive. These interconnections of devices, especially in the growing Internet of Things (IoT) raises the prospect of unforeseen and unanticipated vulnerabilities. Creating an actuarial risk table for these risks, let alone defining penalties and liabilities, is exceedingly challenging.
Shapiro’s death of “solutionism” may be premature. Technology may not be a panacea, but it is a necessary component to address cyber vulnerabilities that will always exist. A perfectly secure piece of software is one that is ultimately unusable. Even a highly secure system will be surpassed by one that is less secure but achieves first-mover advantage in the market. This was a key point Shapiro raised in his exploration of Microsoft Windows' efforts to react to market dynamics, turning the operating system into a Christmas tree of functionality, but little consideration initially for security. Apple’s iOS operating system, by contrast, pursued a different approach. Apple’s core code is the company’s crown jewels, yet Apple created an ecosystem through its App Store (still imperfect) offering users new functionality through third-party programs, after they have been vetted and audited. The challenge is, ultimately, about containing the damage and attempting to stay one-step ahead of the hackers, and that is where the technology of solutionism emerges.
For Shapiro, the future is ultimately about getting the upcode and the downcode right, yet that is wherein lies the rub. The downcode of programming and technology will always outpace the ability of the upcode to cope. How does the government define legislation for video and audio deepfakes? Where does the law stand on large language models that used copyrighted materials for training? Will a medical AI assistant require independent medical malpractice insurance? At their core the legal questions of ownership and liability may remain the same, but the evolution of technology is occurring at a breakneck pace. Institutions of law and government simply aren’t equipped to handle the upcode, and barely understand the basics of downcode.
The future will see more Fancy Bears, albeit operating off-leash and in the wild.
a global affairs media network
Cyber Lions, Digital Tigers, & Fancy Bears (Oh My!)
Image created via Midjourney.
July 8, 2023
Books on the world of cybersecurity and cyberwar are a mixed bag, often accessible but breathless accounts of our doom to come, while others are nuanced but written for experts. Author Scott Shapiro walks the middle ground brilliantly in his latest, "Fancy Bear Goes Phishing," writes Joshua Huminski
W
hat do the son of the one-time chief scientist at the National Security Agency, Bulgarian malware coders, Paris Hilton’s cell phone, Minecraft servers, and the Democratic National Committee all have in common? This may sound like the set up to a properly bizarre joke, but the punchline is anything but funny. For author Scott Shapiro, they are five hacks that are illustrative of fundamental flaws of internet security and offer windows into the world of cybercrime and cyber war. Shapiro, a Yale University law and philosophy professor offers one of the more novel looks at the world of hackers and hacking in his oddly adorably titled book “Fancy Bear Goes Phishing.”
For those unfamiliar with the world of cyber hacking, Fancy Bear is the name given by Western analysts to a hacking unit within Russia’s military intelligence, the GRU. “Phishing” is the disguising of malicious emails or messages to make them appear to come from legitimate sources. It is a tool widely used by hackers to exploit human fallibility to steal credentials and gain access to accounts, and was used as Shapiro explains, in the 2016 Democratic National Committee breach.
Books on the world of cybersecurity and cyberwar are a decidedly mixed bag. They are often hyperbolic, breathless accounts of how the Internet will come crashing down (Richard Clarke’s “Cyber War,” for example). Alternatively, they are deeply nuanced and highly intelligent, but written for experts. Daniel Moore’s superb “Offensive Cyber Operations” is a prime example. The challenge is narrowly treading the middle-ground. Whereas Clarke’s book takes advantage of the ignorance of most of the public (and trades on both fear and his CV) and Moore’s is written for a knowledgeable audience, the Economist- and FT-reading middle is left out. Enter Scott Shapiro from stage left.
“Fancy Bear Goes Phishing” threads this needle brilliantly, making cybersecurity both accessible and interesting, but respecting the reader’s intelligence and curiosity. It is a grounded look at cyber threats and their emergence through five key hacks, but also offers a sort of Computer Science 101 in the process. This is an inspired way to address cybersecurity. Shapiro doesn’t just explain what happened, or the tools and techniques used to access the systems in question. Rather, he dives into the structural vulnerabilities and code weaknesses (both digital and human) hackers exploited. He makes coding and programming interesting and compelling for a lay audience, and it makes both the stories themselves, but his argument more broadly, far stronger.
Arthur C. Clarke wrote that “Any sufficiently advanced technology is indistinguishable from magic.” For most consumers, computers and iPhones may as well be considered magic. So long as they work, that’s all they care about. It’s when they don’t that panic ensues. By exploring the underlying structure of modern computing, the ones and zeroes, and the human psychology hackers take advantage of, Shapiro shows readers how exploits work and why they are successful. By deconstructing human fallibility, he shows readers how Nigerian scammers and Russian hackers dupe users into surrendering both money and access credentials.
“Fancy Bear Goes Phishing” is a compelling read even without the inclusion of this 101 course. Shapiro is an engaging writer with a command of details and a flair for storytelling. But by adding in this educational component, it makes his book stand even further out from the crowd. Understanding what happened isn’t enough to lead to solutions. As Shapiro vividly illustrates, you need to know how it happened.
Shapiro focuses not just on the “downcode” as he calls it—the programming languages and underpinning zeroes and ones of binary that creates the vulnerabilities—but also the “upcode,” or legal, regulatory, and social structures that govern the cyber world. As he masterfully illustrates, you cannot understand one without the other, and one cannot exist without the other.
“Fancy Bear Goes Phishing” successively follows the growing complexity of both the downcode and upcode. Shaprio begins his story with the “Morris Worm” written by the son of the chief scientist at the National Security Agency, which ran rampant through the early Internet and led to one of the early computer crime cases. He then turns to the heady days of malware coders in Bulgaria (a similar subject covered by Matt Potter in his book “We Are All Targets”). A digital Wild West at the time, Bulgaria became the source of some of the most prolific and effective malware in the ‘90s.
He then looks at how a bored teenager social-engineered his way into socialite Paris Hilton’s T-Mobile cloud account, leaking her personal messages, photos, and contacts. The highly politicized breach of the DNC servers (by the titular Fancy Bear) is, interestingly, the only nation-state breach he covers in depth, but it too is illustrative of not some grand hacking scheme, but just a crafty phishing attack. Finally, Shapiro explores how a botnet army that started as a way of dominating the servers running the game “Minecraft” became a distributed denial of service (DDOS) attack for hire scheme.
This is an unconventional history of cybercrime and war in that the nation-state features so little and that the hacks themselves are not highly complex Hollywood-esque thrills. Most have a warped view of what hacking is in practice. It is far more about social engineering and exploiting human fallibility than bespoke code smuggled across air-gapped servers. While there are examples of exquisitely designed and executed hacks—the SolarWinds breach by Russia’s foreign intelligence agency, the SVR, and the U.S.-Israeli Stuxnet worm, for example—most are far less complex. Indeed, during a recent working group hosted by the White House on the nexus of space and cyber security in which the reviewer participated, the overwhelming consensus was that the greatest threat was not malware targeting space systems, but phishing to steal credentials—it was much lower-hanging fruit than going directly after satellites.
Shapiro closes his book with an argument against “solutionism,” the belief that there will be some widget that will solve all the cybersecurity problems faced by society. While this will surely raise the hackles of cybersecurity companies the world over, he does have a point. It does, however, fray at the edges—technology may not solve every problem, but it is critical to addressing many of them. Throughout the cases Shapiro presents, the real villains and vulnerabilities are not the codes or programs, but the people sitting in the chairs either using them or being duped by them. It is the embodiment of the “PEBCAK” error code: “problem exists between chair and keyboard” or the squishy human element. No amount of upcoding will remove human fallibility, irrationality, or gullibility, but systems can better constrain and guide human weaknesses.
He proposes three “Ps” of pathways to cybercrime, payments for cybercrime, and penalties for software vulnerabilities. First, finding clever talent and guiding them into more productive avenues and outlets for their talents would take some, but not all, of the budding black-hat (or criminal) hackers out of the wild. Similarly, creating off-ramps for arrested black hats and turning them white-hat (good hackers) hacking could also help take some of the players off the field. It is an ambitious idea, but one that will likely have limited efficacy. Going after the payments is, however, a proven path toward success in targeting crimes: It was not a smoking gun that brought down Al Capone, but tax evasion. Criminals will always find a way to launder their money, but making it that much harder, and the penalties for discovery that much greater, makes it less of an attractive prospect.
Creative punitive measures for software vulnerabilities is an interesting concept. Companies are held liable for defective products, but defining the parameters for such measures may prove more difficult in practice than theory. A reasonableness test would almost certainly be necessary as it is impossible for a company to identify every potential vulnerability—the 2013 Target hack was accomplished by hackers breaching the HVAC company first. Mandating security-by-default is a sensible measure but will almost always be reactive. These interconnections of devices, especially in the growing Internet of Things (IoT) raises the prospect of unforeseen and unanticipated vulnerabilities. Creating an actuarial risk table for these risks, let alone defining penalties and liabilities, is exceedingly challenging.
Shapiro’s death of “solutionism” may be premature. Technology may not be a panacea, but it is a necessary component to address cyber vulnerabilities that will always exist. A perfectly secure piece of software is one that is ultimately unusable. Even a highly secure system will be surpassed by one that is less secure but achieves first-mover advantage in the market. This was a key point Shapiro raised in his exploration of Microsoft Windows' efforts to react to market dynamics, turning the operating system into a Christmas tree of functionality, but little consideration initially for security. Apple’s iOS operating system, by contrast, pursued a different approach. Apple’s core code is the company’s crown jewels, yet Apple created an ecosystem through its App Store (still imperfect) offering users new functionality through third-party programs, after they have been vetted and audited. The challenge is, ultimately, about containing the damage and attempting to stay one-step ahead of the hackers, and that is where the technology of solutionism emerges.
For Shapiro, the future is ultimately about getting the upcode and the downcode right, yet that is wherein lies the rub. The downcode of programming and technology will always outpace the ability of the upcode to cope. How does the government define legislation for video and audio deepfakes? Where does the law stand on large language models that used copyrighted materials for training? Will a medical AI assistant require independent medical malpractice insurance? At their core the legal questions of ownership and liability may remain the same, but the evolution of technology is occurring at a breakneck pace. Institutions of law and government simply aren’t equipped to handle the upcode, and barely understand the basics of downcode.
The future will see more Fancy Bears, albeit operating off-leash and in the wild.