Fancy Bear Goes Phishing

Cybersecurity is my job, so I came into this book with some amount of knowledge of the subject, but I still found it a fascinating read.

At first, I was slightly annoyed that Shapiro was making up new words (downcode, upcode, metacode) to describe things we already have word for in the industry, but as I read the book I started to see why he's using these words.

Shapiro does a great job of using the ideas of downcode (what you might consider regular computer code), upcode (generally the ethics or rules that the computer user has), and metacode (the rules that exist "above" the user, such as laws). By defining these three ideas, Shapiro makes the case that cybersecurity is not a technology problem at all, but rather a human problem.

This idea is something that I've tried to instill in others at my day job, but it is something that is hard for people to understand, even those that work in the IT/cybersecurity industry. Many technical people think you can solve all problems via technical means. This is what Shaprio calls "solutionism" near the end of this book (if I remember correctly, the word "solutionism" is actually coined by someone else).

I found myself comparing this book to another one I read recently, A City on Mars by Zach and Kelly Weinersmith. Both of these books take what is ostensibly a "technical problem" and then start to apply the human element to it, with the end result being about the same. Technology cannot and will not solve all of our problems. We really have to do it in the messy human world.

Em português → sol2070.in/2023/07/O-lado-escuro-da-era-da-informa%C3%A7%C3%A3o-em-cinco-hacks-extraordin%C3%A1rios

That is the subtitle of the non-fiction book "Fancy Bear Goes Phishing" (2023) by Scott J. Shapiro. It's a fairly accurate description of the content. This "dark side" refers more to the fragility and vulnerabilities of information systems, which end up allowing the most varied types of hacking, but the dark world of varied types of hackers is also well portrayed, even in the most internal aspects, such as motivations and resentments, with a lot of dialogue with the work of researchers who studied this in depth.

The author is a professor of law and philosophy, but also shows himself to be a genuine computer geek. In addition to his familiarity with the subject since his youth, he has delved deeper into the topic of digital security in preparation for this book. So there is no shortage of technical details of the intrusions portrayed and, due to his teaching experience, Shapiro manages to keep it interesting and, at the same time, didactic.

I just didn't like the forays into the intricacies of law as much, but they don't compromise the book.

The author's thesis is that the most fundamental vulnerability of computer networks is not in the technologies themselves, but in what he calls the "upcode", which is the dominant culture in a given institution (for example, the idea that digital security is something secondary), as opposed to the "downcode", the code or technology used.

He demonstrates this by analyzing the entire context of these major intrusions, starting with the first network virus, which exploited Unix sendmail in 1988, to botnet attacks with the power to break a country's internet, which appeared less than ten years ago.

For anyone interested in digital security, hacking or would just like to know more about it, it's worth it. And not only as an introduction, there are several tasty stories and technical details also for those with more experience.