Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
© 2011 Kevin Mitnick, William Simon. Foreword by The Woz.
393 pages
CYBERPUNK introduced me to the story of Kevin Mitnick, a teenage phone phreaker turned celebrity hacker, who boasted that he never used an outside program to break into a company. Instead, all of his access was obtained by manipulating people within companies into giving him the information. Writing later as a security consultant, he explained the workings of this manipulation in the book Art of Deception, which I referred to as "interesting but highly repetitive". Well....ditto for Ghost in the Wires. It's the memoir of a serial, and apparently compulsive, hacker, whose obsession with accessing networks he has no authorization for, and obtaining information he has no right to have, utterly consumes his life. He admits that hacking was like booze for him -- his entertainment, his addiction. Even when he's barely escaped from one episode, he's already starting the other....and his enormous pride in getting one over on the hapless clerks, alarmed security admins, and frustrated federal agents is so hubristic that he routinely calls the FBI or accesses their computer network during investigations to see how close they are to the scent.
It's his compulsiveness that does him in time and again: even when he was relatively safe on the run, with a stolen identity (several, actually) and a comfortable job, Mitnick is so consumed by his desire to hack that it attracts the attention of his employers, who fire and investigate him. (At one point while working there, for instance, he was on his cell phone putting on a presumably awful Japanese accent to convince an engineer that his counterpart in the Tokyo office needed him to upload cellphone source code to a server Mitnick had access to. One of his coworkers heard this outside the door and could only wonder what on earth was going on.) When the FBI found his scent, it was because he was trying to collect the source codes for a UNIX release, as well as various next-gen cell phones that were hitting the market. Was he selling them to rival businesses? No. He was collecting them as trophies. Mitnick is the movie villain who undermines himself by pausing mid-kill to gloat at the hero, or decides to consign him to a slow death in an elaborate trap.
This book was informative, however; Mitnick proves to be far more dangerous than I'd previously believed. He wasn't just exploring networks as portrayed in CYBERPUNK: for him, there was no limit to the systems he'd compromise. The DMV, Social Security, Vital Records? Grist for the mill for Kevin to do what he wanted. Admittedly, his technical expertise is admirable, in the same way that Napoleon's army or the Luftwaffe were technically admirable. He certainly wasn't just relying on people giving him information, as he frequently applied patches to systems to give himself backdoor access later on. What's less admirable is Mitnick's ability to lie to so many people so habitually, to manipulate them like switches on a board. The act is deeply disturbing in itself, but what happened to the hundreds of receptionists, clerks, and engineers who became Mitnick's unwitting dupes?
While I began this book guardedly sympathetic to Mitnick (impressed by his talents, a little wary of his lying), by the end I regarded him as a compulsive, hubristic ass. I'm glad he's turned semistraight, in managing to squelch his desire to thwart everyone else, but the book has virtually no information on that. Was there any soul-searching at all, or was it just a mercenary decision? Mitnick may be a nice guy in person; he's friends with Steve Wozniak, who has experience with egotistical personalities before and would presumably recognize it in Mitnick, but based on this book I wouldn't trust him.
Related:
Exploding the Phone
Books by Kevin Mitnick
Pursuing the flourishing life and human liberty through literature.
"Once you learn to read, you will be forever free." - Frederick Douglass
Saturday, February 9, 2019
Sunday, December 2, 2018
Control
ST Section 31: Control
© 2017 David Mack
304 pages
"...if I’m correct, going to war with Section Thirty-one can only end badly for you. Either you will lose, and you and all your friends will suffer gruesome fates I’d rather not imagine; or you will win—and in so doing, end up inflicting more harm than good upon your beloved Federation.”
For four years, Julian Bashir has yearned to destroy the malicious intelligence-and-covert ops organization known as Section 31 from the inside. A rendezvous with a desperate journalist in the frozen wastes of Andor, however, makes him realize more than ever that he is over his head. Running in the background of the entire Alpha Quadrant's technical infrastructure, from replicators to warp cores and shuttle transports is a common code, creating a massively distributed superintelligence which is monitoring and reporting -- but reporting to whom? This AI no doubt has some connection to Section 31, which always seems several steps ahead of its opponents, but how can they be defeated when the very substance of Federation civilization is reporting for it? The truth, as ever, is even more frightening...
Many Trek books are great adventure stories, and some are beautiful bits of drama; the true talents of modern Trek literature are equally able to provide horror and comedy. Control distinguishes itself, however, by its timeliness. The world of Control is not a fantasy, but rather one we are building day by day. Something very much like Control in the real world was already explored by Daemon, Daniel Suarez's cyberthriller, and those who remember its plot may steal a march on the main characters here. Although Bashir and his fellow fugitive, his lover and fellow S31 double agent Sarina, seek refuge and help from trusted sources, no place within the Alpha Quadrant is safe for long, because no matter what they do, Bashir and his friends always seem to be playing right into Section 31's hands. Mack excels in torturing characters emotionally, and that's supplied here with one prominent death and another character psychologically crushed. The ending was...surprising at first, but carries its twist.
For those who have been fascinated by Section 31 since their introduction in "Inquisition", Control explores their past and delivers the final reckoning with them. While it seems a little rushed, the twist ending also indicates that another game is still afoot.
Related:
- A brief clip from "Inquisition", the episode of Deep Space Nine in which Section 31 was introduced, and another clip from "Inter Arma Enim Silent Leges", when Bashir learns that someone he admires and respects. Episodes like these are why I believe Deep Space Nine is far and away the best Trek series, not only for its deep bench of complex characters, but the serious moral issues it explored. This wasn't something that slowly developed, either, but was present from the start -- just see the first-season episode "Duet", in which a Cardassian who was a lowly clerk during the occupation assumes the identity of his murderous boss, Gul Darhe'el, just so that he can be exposed and put on trial -- thereby allowing Cardassia to face its guilt and redeem itself for its past injustices.
- Daemon, Daniel Suarez
Thursday, June 28, 2018
The Art of Invisibility
The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
© 2017 Kevin Mitnick
320 pages
So, you want to be invisible online? Great. All you'll need is three separate computers -- one for your top secret business, one for your banking, and one for your everyday use; a few new email addresses, a handful of burner phones, a large pile of cash to buy gift cards and electronics without leaving a credit trace, a slightly larger pile if you intend on paying strangers to buy said cards and electronics for you, an ability to habitually lie, and the concentration of a criminal mastermind to remember which accounts you're using on which computer so you never accidentally blend your Top Secret identity with your real one. Child's play.
Kevin Mitnick knows a thing or two about the necessity and the difficulty of staying invisible. He spent two and a half years as a fugitive from the FBI, wanted for hacking, unauthorized access, and wire fraud. These days he works as a security consultant, and in The Art of Invisibility he provides a point-by-point tour of the surveillance web created by the internet and telecommunications infrastructure. There are also specialized chapters on surveillance in the workplace, and maintaining privacy while traveling abroad. Mitnick's survey and advice have at least two audiences: most of the book can be appreciated by a technologically savvy and privacy-minded individual who wants to know more, while a smaller but not insignificant portion of the book, somewhere between 30 and 40 percent, would be of interest to the truly paranoid.
Although Mitnick does cover material that would be a given to those with an interest in security -- don't use public Wi-Fi networks for banking or other sensitive business, even if they're password-protected, that kind of thing -- most of his information is less elementary. He's thorough, explaining how tools like email and hardware encryption work, where they're vulnerable, and why they're useful. The Tor browser is a mainstay of recommendation, as it allows users to be relatively anonymous and evade filters that restrict access in territories controlled by authoritarian states like China by redirecting the user's activity across a series of nodes. The nodes chosen are random, and it's possible to encounter a node controlled by surveilling authorities. If a person uses Tor on the same computer and accesses the same accounts as they normally do, however, then if they're under active surveillance by someone, their token efforts at anonymity are for naught. People in witness protection can't go to family reunions, and those who want to remain invisible can't muddle their identities together. If you want to have an email account and use Tor, Mitnick advises, then use Tor and create a new email account. The same concept applies across communication technologies: Mitnick was caught in the 1990s because despite using multiple cell phones, he was using them in the same location (a motel room), and thereby connecting to the same cell tower every single time -- allowing the FBI to collaborate with the local telecom to get a fix on their man.
The Art of Invisibility is far more comprehensive and helpful than Mitnick's previous books on intrusion and social engineering. Mitnick offers his exhaustive tour of vulnerabilities not to scare readers into retreating to a monastery, but to point out -- this is what you're up against, this is what you can do about it, this is where you'll still be weak. Like a security consultant's tour of your home, The Art of Invisibility shakes expectations, and disturbs the illusion of safety -- while at the same time Vanishingly few people are capable of taking all of Mitnick's advice: even he doesn't. He leaves the decision to the reader how best to integrate this information with their own practices. Everyone can benefit from better cyber-security hygiene, even if it's something as basic as keeping your cellphone locked, running adblock to disable malicious scripts on websites, and keeping smart TVs that never stop listening to you out of your house.
Related:
- 10 Don'ts On Your Digital Devices, Daniel G. Bachrach, Eric J. Rzeszut. A more entry-level citizen's guide to digital hygiene.
- Swiped: How To Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, Adam Levin
- Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It, Marc Goodman
Labels: Cybersecurity, digital world, Kevin Mitnick, security
Saturday, June 9, 2018
Little Brother
© 2008 Cory Doctorow
380 pages
Following the destruction of the Bay Bridge in San Francisco, a nightmare begins for a high school student who is scooped up by police in the aftermath. Not only has one of his friends been seriously wounded, but Marcus' presence near the bridge and his suspicious computer equipment make him a person of interest to the authorities, doubly so when he refuses to unlock or decrypt his devices and information for them. If he’s innocent, he has nothing to hide, right? But Marcus has been rebelling before this, mostly to elude his school’s draconian security measures, and his initial stubbornness turns into revolutionary resolve when he realizes that the authorities are not merely mistaken: they are malevolent. He seems doomed in the police state that San Francisco has become overnight, where the demonization of any dissent alienates Marcus from his family and friends, but there are other allies waiting in the wings, and they and his own resolve will spur him on.
So begins Little Brother, a man vs state story that combines the alienation and surveillance of 1984 with modern cybersecurity tools. At its best, Little Brother is a technologically savvy thriller, a defiant championing of civil liberties amid the war on terror, and a call to arms to readers to get serious about learning to defend themselves against abuse. This continues after the novel: there are several essays included after the story on the nature of security. At its worst, the arguments are one-sided, with only one attempt at mutual understanding. The security apparatus of the State is so extensive, however – both in the story and in real life – that I can’t seriously begrudge Doctorow just wanting to fire up righteous indignation. Easily my favorite aspect of Little Brother was the pervasive cybersecurity information: Marcus doesn't just do things, but as a narrator he's conscious that he's speaking to an audience, and explains how encryption or whatever it is he's doing at the moment works. Winston's intelligence as a cyberpunk rebel extends not only to tech, but to the nature of resistance: he realizes that certain tactics will only strengthen the government's hand against him, so the trick is to find ways to keep them off balance -- sometimes by appearing to retreat.
Little Brother is an exceptional read, a smart thriller that takes its teen readers seriously. If you are concerned about the status of civil liberties across the world, the surveillance state, or curious about how tech can both amplify and mitigate the problem, it's one to take a look at.
The story's use of a couple of young dissidents who fall in love underground reminded me strongly of a song called "By Morning" by folk-punk songwriter Evan Greer. He wrote it in tribute to several young people who were imprisoned on charges of terrorism for harassing an animal testing lab. The song begins at 1:15.
And if they come for us by morning, with that "knock knock" on the door --
I'll hold you a little closer as they reach the second floor
And if I have to give my name, know I won't be giving yours
I'll run my hands through your hair, say it's them that's really scared
Because they know love is stronger than their bars can ever be.
Related:
- 1984, George Orwell. Little Brother is commonly referred to as "1984 for the 21st century", which is a gross exaggeration. Even so, Little Brother makes numerous hat-tips to Orwell's dystopia beyond the surveillance state: one of Marcus' online pseudonyms is pronounced "Winston", for instance.
- No Place to Hide, Glenn Greenwald. The story of Edward Snowden and the surveillance apparatus of the NSA.
Sunday, July 23, 2017
Crime, private and public sector
Let's start the week off with two birds and one stone!
Earlier in the week I was finally able to get access to No Place to Hide, by Glenn Greenwald, on his encounter with Edward Snowden and the stories that led to. For those hiding under rocks, Edward Snowden was a civilian contractor working for the NSA until he exposed part of their globe-spanning surveillance apparatus in 2013/2014. While employed by the CIA and NSA, Snowden became increasingly concerned with the scope, ambition, and dubious legality of his employers' programs, and decided to begin documenting what he was seeing. After methodically collecting reports for months on end, throughout several assignments, Snowden contacted a reporter with an established reputation for criticizing both the government and a complicit media. Greenwald, after recounting his first contact with Snowden, then shares information from the stories he filed with The Guardian before switching into an argument against the surveillance state, and a condemnation of the establishment media, particularly the Washington Post and the New York Times.
I daresay no one will be surprised to learn that I'm far more a supporter of Snowden than the NSA -- not because I believe the NSA is part of some evil conspiracy, but because I have certain strongly-held beliefs on the nature and consequences of power, and know that the construction of an inescapable surveillance apparatus is Bad News. When Greenwald says global, he means global; the book mentions numerous programs, not just the email-tapping ones, and between them they cover pretty much everyone but the crew of the International Space Station. It can't all be to fight terrorism: what do terrorists have to do with Brazilian gas companies, and why is NSA surveillance being shared with US agricultural departments? Those who believe that the NSA are swell chaps who wouldn't countenance abuse of their data may sleep soundly, but what happens when someone with fewer scruples is in charge? As the current administration demonstrates, we no longer require even the pretense of civility from those who want to operate the beastly machine that is DC.
More recently I read through Kevin Mitnick's The Art of Intrusion. Mitnick was partially featured in Cyberpunk, a teenage telephone 'phreaker' turned pioneering computer hacker. Since his release from prison Mitnick has used his reputation and experience in intrusion to sell himself as a cybersecurity consultant. The Art of Intrusion collects 'true crime' stories of computer-based or related intrusions, ranging from illicit exploration to digital skulduggery. A lot of data is omitted for the protection of the persons and companies mentioned, but a lot of the stories seem dated, for the book's publication year, and others are so technical I am not sure who would be reading them. I did find quite a bit of interest, however, in the chapters on penetration testing and social engineering. I still do not like Mitnick's term for an art he and his friends practiced, and one which remains a security threat: obtaining information and access through human, instead of technological, means. Mitnick shares the stories of analysts, who -- performing audits on companies, and attempting to breach their security -- were able to access highly sensitive areas within buildings simply by chatting up coworkers and 'acting' like they belonged there. This also involved technical assistance, like a fake ID that security guards didn't vet too closely. Mitnick claimed in his trial that he relied on social engineering, not computer programs, to access as much as he did, and he has previously authored a book called The Art of Deception that documents the psychological strategies used in this kind of 'engineering'. As someone with a work-related interest in security, I may look around for a copy.
Sunday, June 4, 2017
Zero Day
© 2011 Mark Russinovich
328 pages
Two cybersecurity experts, both with government backgrounds, realize their current cases have a connection. The more they dig the more widespread the danger grows, and to their horror they realize what seems like an ordinary bit of digital vandalism is merely the prelude to a total infrastructure attack that is planned for the anniversary of September 11th. Computer systems in the United States and Europe -- from private PCs to those controlling ships and power plants -- are being hit with an array of distinct but related viruses, all of which have the simple goal of turning their targets into complete bricks. The effect on the west will be catastrophic when the full attack is released.
Zero Day is a technical thriller, with cyber-forensics constituting most of the book. The ending chapters are a brief switch into action, but on the whole only readers with a serious interest in computer crime stories should try. Unfortunately, those are the very readers who are liable to be annoyed by the multitude of electronic conversations here being rendered in highly abbreviated form, with so many missing vowels one might as well be reading Hebrew. There's also a bit of l33t speak, which -- seriously, is that still a thing? I enjoyed this book's sequel, Trojan Horse, far more, as it had more balanced characters (here we have evil Arabs, Russian hackers, and corrupt bureaucrats), and hope that means Russinovich continued to improve.
This completes my WannaCry-inspired sweep of books, although they've led me to an older history of the hacking community, published in 1995.
WannaCry Sweep: The Dark Net | Kingpin | Countdown to Zero Day | Zero Day
Saturday, June 3, 2017
Kingpin
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
© 2011 Kevin Poulsen
288 pages
If Meyer Lansky had gone straight, a contemporary of his noted, he could have rivaled Nelson Rockefeller. Maybe the same could be said for Max Butler, only a few years older than Mark Zuckerberg. Instead of becoming a billionaire, however, Butler’s genius and entrepreneurial risks landed him in prison for thirteen years with a $30 million debt to pay off. Kingpin recounts his beginning as a teenager given to pranks, discovering the internet as a place with ample opportunities for play, and follows his slide into crime. Although Butler attempted to direct his skill and curiosity towards creative purposes -- becoming a ‘whitehat’ security consultant, a hacker for the good guys -- his early experiences with the Justice Department gave Butler a chip on his shoulder, and he continued to flirt with darkness, unable to resist tests of his skill.
Butler entered the scene just as hacking’s very character was changing. A generation of telephone ‘phreakers’ turned programmers whose motivation had been exploring the technology itself was giving over to those who saw in the internet an opportunity for quick money. Central to this story, and Butler’s evolution as a criminal, is credit card fraud. Although he tended to get into trouble as a kid, Butler wasn’t malicious at heart: he liked to push the boundaries, especially when he could experiment with his skills. When he began stealing card numbers, he did so from other fraudsters, and used a similar justification when he began compromising the systems of banks: they were the utter bad guys, constantly luring poor people into debt. What were they but crooks pretending to be legitimate? Time and again Butler contemplated going straight, but he’d see an opportunity for showing off and couldn’t fail to take it up. One of his most dramatic achievements is covered early on, when he single-handedly effects a takeover of several underground forums, combining their databases into his own and deleting the originals from the internet. It was a hostile takeover that made Butler the king of a carding empire, netting him $1000 a day just from stealing, selling, or using credit card data.
Kingpin is the fascinating history of not just a man, but of a criminal industry. Because of creative minds like Butler’s, identity theft doesn’t just threaten people who thoughtlessly throw sensitive information into the trash. Butler’s bread and butter was milking restaurants’ point of sale systems -- those machines shoppers use for credit card transactions -- so anyone who uses a credit card in stores is vulnerable. In recent years, for instance, customers of Target and Wendy’s have been exposed. The government and businesses have attempted to respond by moving to cards with an embedded chip which is nominally more difficult to extract data from, but after reviewing Butler’s many adventures it’s hard to believe anything will be secure for very long.
Good reading for a bit of ‘modern’ true crime, told by someone like Butler who once practiced the dark arts, but who managed to stay on the straight and narrow.
Related:
Spam Nation, Brian Krebs
Saturday, May 27, 2017
Countdown to Zero Day
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
© 2014 Kim Zetter
448 pages
A couple of years ago I created a new label, 'digital world', in recognition of the fact that the Internet is no longer a discrete system (like a grid of water pipes). It has seeped into every aspect of our everyday lives, as basic as electricity. Through it, the entire developed world moves. War is no exception to this digital revolution, and the fun is just beginning. People may associate cyberwar with the theft of intelligence, or perhaps monkeying-around with the power grid, but the case of "Stuxnet" demonstrates how weaponized computer programs can cause physical destruction no less complete than a bomb. What's more, the specific vulnerability used to great effect here is virtually universal in the industrial world. Countdown to Zero Day is a forensic-political history of how the United States used a computer virus to effect the kind of destruction only imaginable before by an airstrike, and a warning to the entire online world that we are vulnerable.
If war is the continuation of politics by other means, cyberwar appears to occupy a grey area between the two. The policy of the Bush administration, once it became obvious that Iran was pursuing nuclear weapons, was to squelch the threat through any means necessary. While there may have been many in DC who wanted to see another example of shock-n-awe, even Bush knew a third war in the same mideast minefield wasn't possible. Remote sabotage, however, offered an alternative to war or a nuclear Iran, and a program which started under Bush would bear full fruit during the Obama administration. What a small elite knew in DC as "Olympic Games", the world would later call "Stuxnet": a virus that began as a carefully targeted weapon but which would later spread across Eurasia.
The author delivers the full story of Stuxnet in a back and forth narrative: the first track begins with the eruption of the virus, and the methodical picking-apart that Symantec, Kaspersky, and other cybersecurity firms subjected the code to. Step by step, they attempted to figure out what the code was doing, how it got in, what mechanisms the code was using, and finally -- what was its intended target? This campaign of digital detection work wasn't the product of one cyber Sam Spade, but a collaborative effort between various businesses who shared their information and results. Eventually, over the course of two years, they realized that the initial program was highly target specific: it was aimed at two kinds of programmable logic controllers, or computers used in industrial work. The particular PLCs targeted were used in rotors that were specific to the kind of centrifuge that Iran used to enrich uranium.
The teams dissecting the Stuxnet code marveled several times at its structure, but marveled all the more when they figured out -- based on reports coming in from Iran -- how the program worked. Because the centrifuges' speed and weight necessitate careful handling -- slow acceleration and then slow deceleration, nothing too abrupt -- the program's main attack was to methodically stress the centrifuges by taking them up to speed, or down, in patterns designed to slowly ruin the pieces. What's more, long before this act of digital undermining ever began, the program silently sat and waited, recording the normal activities: during the actual sabotage, the program fed recorded data to the plant's control room, meaning eventually the Iranians had to physically watch the motors to see what was happening. The program had a nucleus so deeply hidden that when the machine software was placed under repair by the Iranian engineers, the core program methodically re-wrote the new programming. It's as if an invasive bacteria promptly turned the body's immune system into its own means of reproduction.
The case of Stuxnet is important because PLCs are pervasive; they aren't just used in manufacturing, but are common wherever computer-controlled machinery is used. They're in hospitals, food production plants, power stations, transit networks: there's no end to the mischief that could be managed by attacking them, and until recently very little done to protect the systems. Stuxnet was a wakeup call to many technical directors in the developed world, an alarm bell to their vulnerability. As the recent WannaCry attack which crippled hospitals in the UK demonstrates, however, we're not taking cybersecurity anywhere near seriously enough. (The WannaCry and Stuxnet attacks also demonstrate the volatility of cyberweapons: they don't go away. In both cases, code and tools designed by DC were trapped and corralled into use by other parties.) Throughout the world we rely on computers which haven't been protected for years, or we have foolishly ensnared vital public infrastructure like the power grid with the public internet. Stuxnet was only the beginning -- perhaps it may be like the Hiroshima-Nagasaki attacks, a singular event that frightens everyone into more caution. I doubt it, though.
Related:
@ war: The Rise of the Military-Internet Complex, Shane Harris
Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World, Joel Brenner
Saturday, May 13, 2017
Confront and Conceal
Confront and Conceal: Obama's Secret Wars and Surprising Use of Power
496 pages
© 2012 David E. Sanger
Barack Obama may have been the only Nobel Peace Prize winner in history to order lethal force used on a regular basis, but things could have been worse. Confront and Conceal attempts to make a case for an "Obama Doctrine", one which avoids epic disasters like the destruction of Iraq, but still asserts American influence via surgical operations and international organizations. Sanger reviews the actions of the Obama White House regarding Iraq, Afghanistan, Pakistan, North Korea, China and Iran, with a special section on drones and cyberwarfare. He relies on extensive interviews with administration officials, including then-secretary of State, Clinton, as well as State Department cables which were made available via Wikileaks. He creates a picture of an Obama who -- though mocked for his weakness or aggression, depending on the mocker -- attempted a cautious but efficacious approach to foreign policy. Considering Sanger's access -- interviewing heap-big chiefs as high as the secretary of state -- it is perhaps no surprise that the representation rendered here is admiring, on the whole.
Obama encountered no shortage of foreign policy crises during his first term. He began it faced with the deathly tar pit of Afghanistan, further complicated by the amount of trouble-makers hiding in the western fringes of Pakistan. Excising the United States from Afghanistan wasn't as simple a matter as cutting losses and leaving, for neither DC nor Pakistan desired a power vacuum between Pakistan and Iran. The Arab spring, which forced DC to choose between its interests and its proclaimed values, further muddied the waters. The cascade of populist revolts took everyone by surprise, including the President who was determined to restore the American reputation in the middle east. To avoid messes like Iraq and Afghanistan, Obama preferred to use a light footprint approach: if American interests were at risk, then action must be taken -- but the action should be swift and precise, using new tools like drones and cyberwarfare. Diplomacy was preferable to brute force, however: Obama was also a genuine internationalist, who preferred using global organizations to apply pressure to ne'er do wells like Qaddafi, and to effect change. This was not always possible; the Iranians didn't trust his intentions and regarded him as timid; the international community remains divided over Syria, with some supporting Assad and others supporting the rebels and ISIS. Ditto for North Korea: as vexsome as they are to all of their neighbors, China included, they won't just go away. Leaving the north in the hands of the Kim family cult isn't an attractive option for China, but it's more attractive than millions of malnourished and uneducated refugees streaming into China.
Anyone who has followed my reading for any length of time may have picked up on the fact that I am not a fan of DC, in any administration. I did have a grudging respect for much of Obama's foreign policy, however, at least until he began getting the country more entangled with Syria and resurrecting Cold War tensions. That respect was validated here, as Obama seems to have approached DC's expanse of empire with the desire to do as little damage as possible. I don't know how strong willed and idealistic someone would have to be to sit in the One Chair of the west wing, surrounded by the whispering host of the DC establishment, faced with a neverending series of crises and commitments, and say "To hell with you, I'm not playing this game", and start manipulating the Titanic of state away from its inevitable course of empire. Obama seems to have resisted it for several years: agreeing to escalate in Afghanistan, but only with a pre-determined date to cut losses and run; continuing Bush's development of the Olympic Games project, which would give him more options in Iran; and using drones instead of conventional bombing and strike teams, because those were the only options DC produced. (The targets were 'terrorists', of course. DC wouldn't casually assassinate just any reichsfeinde. That would never happen, no sir.)
Cantankerous sarcasm aside, Confront and Conceal was a varied and endlessly fascinating history given the range of topics and their (unfortunately) continued relevance. The Kims are even more problematic now than they were; Syria continues to exact a morbid fascination for the establishment, and China...well, it's still there. So too are the opportunities for mischief the digital world has opened, as this weekend's crippling wave of digital attacks (chiefly in Britain) has shown all too well. I would take its general admiration for the establishment with no small level of salt, however. Foreign-policy wise, I think it's especially helpful for the material on the US-Pakistan relationship.
Related:
Playing to the Edge, Michael Hayden. Another keyhole light inside the establishment.
Wednesday, August 10, 2016
Playing to the Edge
Playing to the Edge: American Intelligence in the Age of Terror
© Michael Hayden 2016
464 pages
As someone who became a civil libertarian in response to the increasingly sweeping powers of the surveillance state during the Bush administration, I began reading this as a hostile audience, more or less. I was chiefly interested in the chapter on cybersecurity, although he says very little about it. The book is part memoir-biography, part defense of the privileged powers given to the United States' intelligence-security programs. While I am still not, nor ever will be, comfortable with the amount of information being collected by these agencies, even if they are staffed by the heroic characters who populate this book under Hayden's pen, recent books on cyber war have made me realize that agencies like these have actual national-security priorities, with a focus on malevolent organizations outside the U.S.
Hayden is very good at making the enormous amount of data-collecting sound completely mundane, even benign, and is very cagey with details when a plant is bombed or infrastructure sabotaged via computer viruses. Sometimes interesting and sometimes plodding are his comments on CIA-NSA organization, and the organization of the intelligence community (sixteen agencies, including the intelligence depts of other organizations). There's the usual attraction in a political memoir in that formidable media personalities are suddenly reduced to ordinary people: Secretary of State Condoleezza Rice becomes "Condie", the attorney general is "Al", Hayden himself is "Mikey"...it's a little touch of intimacy that a vast bureaucracy, far-removed from the concerns of the people as a whole, is usually without. All that said, I still like having Greenwalds and Snowdens to keep the government on its toes.
Friday, August 5, 2016
The Director
© 2014 David Ignatius
384 pages
The first week at a new job is rough for anyone, but what if you're the new director of the CIA and a German kid off the street just informed you that every agent in Europe is exposed? Such is the promising hook of The Director, a novel involving conspiracies within conspiracies, told through meeting after meeting. The news that the CIA's internal networks are compromised grows more ominous after the German is found with a Russian bullet in his head, but for most of the work the 'action' consists of the Director's agent flitting from town to town, reading up on his Globalist British Banking Conspiracy literature and recruiting a cyber League of Shadows to take down said conspiracy. Everyone else sips mineral water and talks. And talks....and talks...and....talks. The director also occasionally receives ominous quotations from Cicero.
I found The Director to be utterly tedious, as most of the book consists of people who enjoy hearing themselves talk spinning riddles around the increasingly frustrated director. (He's not so much an actor as a coordinator, bringing the plot together in his office.) There are some positive points, however. Some bits of description leap out; "the cowl of a foreign accent shrouded his voice". The author, a D.C. journalist, offers an interesting flavor to the hacking conspiracy; early on, people are recruited into it using references to the Illuminatus! trilogy. The author claims this is a cult classic among hackers, and while I can't vouch for that, this playing with geek culture is definitely different from the ordinary international thriller. The problem is that all the conversation of this book isn't all that thrilling. Some of it borders on pompous, as though the characters were straining to be dramatic. I just imagined and pictured them as Hollywood personalities to make it tolerable (and amusing). There were very few people in this novel I enjoyed reading about -- and I certainly had no interest in following them to the supermarket to consider competing brands of Greek yogurt, or to Berlin's sex-clubbing scene.
Interesting in spots, obscene in others, but on the whole rather dull.
Related:
Trojan Horse, Mark Russinovich. Also a cyberthriller, but buckets more fun.
Tuesday, August 2, 2016
Glass Houses
Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World
© 2011, 2013 Joel Brenner
320 pages
Glass Houses, originally titled America the Vulnerable, outlines some of the major ways that private citizens, corporations, and the government itself are exposed to attack through digital measures, and closes with measures to strengthen defenses. While not as sweeping as Future Crimes, Brenner offers a different kind of insider perspective -- the NSA's. Brenner was formerly the head of counterintelligence, and thus his work primarily concerns itself with national security. He argues that an ordinary citizen's desire for privacy, and the government's own need for secrecy, are essentially the same. (And what about a citizen's desire for privacy from the NSA?)
*chirp*
Brenner isn't nearly as fear-inducing as writers like Marc Goodman, but his piece stands out because of his role within the government. While arguing for better data hygiene, he also criticizes the still-disjointed approach of D.C. to cybersecurity. There are several 'cyber' organizations within the aegis of the government, but all of them have completely different priorities, and none of them truly cover civilian infrastructure that the government relies on. One of the early points Brenner makes is that not only is everyone utterly exposed to digital threats -- hacking tools are cheap, marketable, and encouraged by governments in China and Russia -- but the boundaries between public and private are increasingly gone. Corporations are now under attack by national governments, and the United States relies more and more on private services for essential functions. Brenner likens the current division of cyberdefense -- one on military security, one on collecting information about foreign states and securing the information of the government -- to that which prevailed in the armed services before World War 2. Then, the Army and Navy departments were separate, and rivals; now they are both contained within the Department of Defense, and officers commonly serve tours in connection to other branches.
While Brenner doesn't argue for militarization of non-military departments, he does maintain that closer cooperation is vital. The president's cybersecurity 'czar' does nothing but ineffectually urge everyone to work together, a la Glad Hand in West Side Story. Brenner's specific policy recommendations don't involve creating a new Cyber Homeland Security department, though; instead, his measures are more subtle. He suggests that antitrust laws that discourage ISPs and cybersecurity firms from working more closely together be relaxed, and that the federal government use its buying power to insist on more security from the equipment and software it uses, dictating to the market a la Wal-Mart. Such a demand will filter through to the consumer market shortly enough. He also echoes the advice of other books: disconnecting the control networks of energy companies from the public Internet (Richard Clarke, Cyber War), and companies practicing deliberate and methodical digital hygiene (various, incl. Swiped). Companies whose networks contain vital information, for instance, should forbid the use of outside flash drives, and issue instead encrypted drives which are collected and purged periodically.
Unless the current Dear Leader candidates have savvier advisors than themselves, the outlook of the United States' cybersecurity remains fairly grim. Glass Houses is effective citizen awareness -- not technical, not long, and with quasi-fictional 'scenarios' to illustrate how a cyberattack might look, and how the mere threat of it might alter foreign policy -- that stands out especially for the look into the American intelligence community. It's unusual to read a book from the NSA's perspective, given their secrecy and recurring roles as uber-villain in other books about data security, but aside from the unapologetically hostile attitude toward Julian Assange, there's nothing too partisan. I appreciated Brenner's prudent recommendations, which are more about incentives and pressure and less about outright coercion.
Related:
- Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, Marc Goodman.
- Cyber War, Richard Clarke. Another book written about national security, this one from a general's perspective.
- Lights Out, Ted Koppel. A bit of investigative journalism about the potential effects of cyber war on the American electric grid.
Sunday, June 12, 2016
Lights Out
Lights Out: A Cyberattack, a Nation Unprepared
© 2015 Ted Koppel
288 pages
In Lights Out, investigatory journalist Ted Koppel comments on the vulnerability of the United States' power grid to a cyber attack, and reviews the way government agencies, private citizens, and other organizations are attempting to prepare for a grid-down scenario.
The story begins with the integration of the internet and the electrical grid, which allows for an efficient market but at the cost of vulnerability to outside attack. The threat doesn't come from nation-states like China and Russia, however; although they almost certainly have hooks deep inside energy's cyber infrastructure, they have too much to lose from reprisals. Entities like North Korea and ISIS have no such qualms. The most dire attack would be one similar to that which the United States and Israel employed in Iran: a viral program introduced commands into their centrifuges which slowly undermined their functionality. If the large power transformers which are the backbone of the electrical network are destroyed or seriously damaged, widespread and prolonged outages would follow. Not only are these massive machines custom-built for each location, they require special rail cars for transport; replacing one would take anywhere from six months to two years.
After establishing the problem, Koppel moves to attempts at a solution. Although various government agencies, including the White House, have expressed concern over the vulnerability, plans at redressing the situation are slow in coming. Washington's stance toward cyber attacks against civilian infrastructure seems motivated by a conviction that the United States can and will strike first, as though cyber shocks can be predicted. There is a growing awareness of the problem, but response has been marginal at best. Not only is the American government not ready to defend against a pointed cyber attack on its electrical grid, it is not ready to deal with the chaos that would ensue from widespread power outages. Without electricity, the constant production and shuttling of goods and services would shut down completely; major cities would exhaust commercial supplies in less than days, and after that -- what social hell would follow? FEMA's plans seem to involve evacuating major cities like New York, but to what end? Keeping supplies for that many people is problematic, considering that if there's no emergency, the supplies simply go to waste. The agency is far more prepared for regional disasters than it was after 2005's Katrina, but that's a fairly low bar.
In the last third of the book, Koppel examines communities like the Mormons and the prepping community which steel themselves for emergencies. The Mormons are motivated by a series of nasty altercations -- small-scale wars, even -- between themselves and state militias in the 19th century, but their entire church structure seems engineered for resilience. Likewise impressive are rural communities in Wyoming, who acknowledge that in the event of a grid-down scenario, they would be left to their own devices while D.C. prioritizes places like New York City. People in sparsely-settled states like Wyoming are more kin to their pioneer forebears than they are to the naked urbanite, who is at the mercy of complex systems working as planned.
Lights Out is a most interesting book, with at least three subject areas: energy, cyberwar, and emergency preparation. Given Koppel's name recognition, I could see this book as one introducing a lot of citizens to the general idea of cyber attacks, or even the importance of electric infrastructure -- subjects that few people would be willing to pick up a book about. It's not exactly complete -- Koppel doesn't mention, for instance, that there are three grids in North America, so damage wouldn't necessarily be continent-wide. (The three grids are the eastern seaboard, the western seaboard, and Texas. The publisher's cover actually hints at the segmentation, though.) It succeeds at isolating the key points about abstract systems and distilling them into a warning, however.
Related:
Cyber War, Richard Clarke. Clarke is quoted extensively.
Friday, June 10, 2016
Cyber War
Cyber War: The Next Threat to Our National Security and What to Do About It
© 2010 Richard Clarke, Robert Knake
320 pages
Soon, the ultimate tool will become...the ultimate enemy! So said the 1982 trailer for Tron, a heavily dated computer film that comes to mind with every mention of "Cyber Warrior" here. The word sounds like a teenager flailing around in a 1990s mall wearing a bulky VR helmet. Whatever the awkwardness in adapting military terminology to the brave new digital world, however, the threat posed by war in cyberspace is real -- both because of the multitude of potential attack vectors, and because the United States has been such a boundlessly optimistic first-adopter that no nation on Earth is as exposed to digital attack. In Cyber War: The Next Threat to Our National Security, long-time security official Richard Clarke reviews how hacking can be used to utterly cripple the United States' elaborately interconnected electrical and telecommunications infrastructure and briefs readers on how the military and government are attempting to get a handle on what to do next -- and, given his status as an adviser to four presidents, he has suggestions of his own. Cyber War is filled with horror stories and dire predictions, but at root is a useful introduction to how increasingly fragile our digital world is becoming.
Although the United States has led the way in the adoption of the internet for military purposes -- the internet was created for military purposes -- the enthusiastic embrace of net integration by civilian infrastructure has made the United States one of the most vulnerable targets for cyber attack. Especially problematic is the fusion of the power grid and the internet; while it allows for convenient remote management, the connectedness of the grid itself means it is possible to disable one subsystem and force cascade failures on either the west or east coast. The absence of power doesn’t mean a few hours of going without the television, either, because a carefully-planned attack could cause physical damage to the generators themselves….and they are monstrous machines that would have to be laboriously rebuilt. Another vulnerable target is the financial system; not only could a disruptive attack aimed at that quarter destabilize the economy, if the public lost trust in digital dollars, outright paralysis might ensue.
Cyber attacks aren’t theoretical, either. Although China receives the most attention as a digital threat, Clarke contends that the Russians are (circa 2010) ahead of the pack, and points to havoc wreaked in Estonia and other Warsaw escapees when they courted Moscow’s wrath. Because the United States offers so many soft targets, both military and civilian, cyber warfare has an asymmetrical nature: America has a lot more to lose from cyberattacks and reprisals than either North Korea or China -- the former, because it has little in the way of functional systems to begin with, and the latter because they have a firebreak that can separate China’s internal internet from the global web. In a democratic system like the United States, that’s not an option.
Clarke proposes a cyber triad: secure the ‘trunks’, the main ISP lines through which everyone connects, using a filter to automatically scan for and deep-six malicious code; harden the power grid by distancing it from the main internet; and shore up the vulnerabilities of the military and government networks. The ISP security would be a private-public venture, with administration of the filter left to the ISPs themselves to head off the aspect of censorious abuse. Cyber War is only six years old, but the future is arriving more quickly these days. There is very little said about the danger of data collection, for instance, and cybersecurity firms are far more skeptical about the conventional viral-definitions approach Clarke endorses here. Cyber security is definitely a red-queen arms race.
The datedness aside, for those who have never considered the subject his review of how the internet basically works, highlighting its weak spots, will be most useful. There is the added attraction of watching successive governments become aware of and attempt to respond to the problem of IT security; Clarke had an inside view, serving in several administrations crossing party lines. He also proposes diplomatic action, a cyber version of SALT. The core of Clarke’s argument -- that our systems, particularly our electrical grid, are vulnerable -- holds good, if not the particular defense he proposes, and the authors' largely jargon-free if doom-laced style makes it an easy if alarming read. One thing that isn't dated is the danger: a recent study indicated that the US government is still far behind in the realm of cybersecurity when ranked against IT firms, and to make matters worse it is in the same tier as the energy and telecommunications companies.
Related:
Future Crimes, Marc Goodman
The Grid, Phillip Schewe
@ War, Shane
Friday, June 3, 2016
Trojan Horse
© 2012 Mark Russinovich
336 pages
Something sinister is developing in the depths of the dark net. There are inexplicable power outages in Washington, and misinformation filtering through the systems of the United Nations. Jeff Aiken and his partner Daryl Hagen, having previously unmasked an al-Queda cyber attack against the United States, suspect this is more a technical conspiracy than buggy software -- and one that spans all of Eurasia.
Trojan Horse is a cyberthriller that leads with Jeff and Daryl’s computer forensics before shifting into a more conventional action thriller once the government that authorized the cyberattack against the United Nations realizes their software is being sniffed out. The first half of the novel is more thoughtful and detailed than CSI-style cyber mysteries; there’s no guy-staring-at-computer-typing-furiously, but a lot of trouble shooting and mulling over how the software intrusion might work. Interest in cybersecurity helps to take it on, but the last half is far easier going: the malicious agents attempt a street abduction, and much action follows, culminating in a car-and-airplane chase from the Czech Republic through Turkey into Iran.
I especially enjoyed Trojan Horse for its characters. The men conspiring against the interests of the UN/US, and on behalf of China and Iran, are antagonistic without being diabolical. The Americans, Iranians, and Chinese are all cold professionals, working on behalf of their respective nation-states. The Iranian lead, Ahmed, and his Turkish girlfriend/courier Saliah, are no slogan-screaming jihadists; they’re practically lapsed, religiously. After abducting the sleuths to find out what they know, Ahmed instructs his men to dispense with their guns – they’re not gangsters, and weapons are no longer required. Daryl, Aiken’s partner in work as well as romance, is similarly complicated. When she and Jeff are abducted, it is her cold fury that the Iranians fear more than Jeff. Physically, he’s a threat…but she is, by Ahmed’s estimation, utterly deranged.
Trojan Horse is a thriller far more relevant than the kind previously unreleased, because the sort of cyber intrusion detailed here happens every day. Both the American Department of Defense and American corporations are constantly attacked by sources within the Chinese state. A tool the Chinese use to follow the main characters’ cell phones sounds like the Stingray device employed by American intelligence agencies, and more frequently ordinary law enforcement: it mimics a cell tower, then tracks phones which connect to it – the phones’ owners are completely in the dark. If nothing else, a thriller like this is worth trying just to see what we’re in for in the 21st century.
Related:
- Future Crimes, Marc Goodman
- @ War, Shane Harris
Monday, February 1, 2016
Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves
© 2015 Adam Levin
288 pages
Looking for a growth industry? Try identity theft. Over a third of Americans have experienced some degree of outside use of their accounts, and that number will only rise as our personal data is collected in more and more places. News reports may have alerted citizens to the need to destroy physical mail carrying their social security number and other personal information, but even the most vigilant of privacy-protectors can’t stop outside forces from sacking institutions that use that data. Big box stores, transnational health insurance providers, even the federal government: all are vulnerable. In Swiped, Levin maintains that if a given reader hasn’t already experienced identity theft, the odds are good that they will in the near future. Instead of consoling oneself with the pleasant notion that such a crime can’t happen to them, he urges readers to minimize their risk, monitor their accounts, and take precautions to manage the damage.
Personal cybersecurity, covered in only a chapter of books like Future Crimes, takes center stage here, and with chapters especially devoted to identity theft arising from tax fraud and healthcare systems, it makes for an especially pertinent read for tax season. The heaviest burden for action against identity theft is laid on the individual, for we are much more quick-footed about adapting behavior to threats than institutions, and have the most control over releasing information. Regardless of the precautions taken -- the savvy exercised -- at some point Levin believes that most people's personal accounts will be compromised. He recommends constant scrutiny of personal records: daily bank check-ins, thorough examinations of "benefits received" from insurance companies, etc. Finally, Levin urges readers to have an action plan for when -- not if -- they are compromised. Know what accounts you need to freeze, what forms to file -- and don't think it stops with your death, either, because there are plenty of operators who comb the obituaries for accounts to borrow. While his emphasis is on personal vigilance, Levin also has chapters detailing ideas for business security culture, and national-level legislation. Swiped is fast and abounding with ideas on 'data hygiene', and its emphasis on action rather than alarm makes it a welcome follow-up to Data and Goliath and Future Crimes.
Related:
Ten Don'ts On Your Digital Devices, Daniel G. Bachrach, Eric J. Rzeszut
Saturday, January 23, 2016
Future Crimes
Future Crimes; Everything is Connected, Everyone is Vulnerable, and What We Can Do About It
Paperback subtitle: Inside the Digital Underground and the Battle for Our Connected World
© 2015 Marc Goodman
608 pages
"It's not safe out here. It's wondrous, with treasures to satiate desires both subtle and gross. But it's not for the timid." (Q, ST TNG)
The future is arriving more quickly than we think, the world being re-formed beneath our feet. Ten years ago, the fact that a presidential candidate was glued to his ‘BlackBerry’ was an oddity; now, smartphones are the very way we interface with our environment. The transformation of the world from material to digital is total, providing new avenues for the darker instincts of mankind to exercise themselves alongside entertainment, commerce, and education. Future Crimes is an astonishing review of the myriad of ways that this brave new world is making us not only more productive, but more vulnerable to malicious attack – and offers insight into the dangers we will face tomorrow. This is a book without rival.
Goodman writes as a law enforcement official who specialized in cyber security as computers left warehouses to become basic infrastructure. Now, after decades of experience, he shares extensive research and personal encounters with the reader. He begins by treading familiar ground, reviewing the state of overwhelming exposure people now live in. As learned in Data and Goliath, virtually everything we do generates data that is collected and evaluated by someone, whether it’s our phone company keeping a history of where our phone travels, apps within the phone transferring our information to marketing agencies, or our interactions with the online world being monitored and recorded, as Google sifts through our email – and our websearches, and our YouTube viewing history, and our web activity on Android and Chrome – ostensibly to sell ‘better ads’. It's not just Google, of course: Facebook is another major data distributor, but practically every website that depends on adspace is complicit.
Adding to this, however, is the threat of outside attack: criminal elements corrupting apps or creating their own to collect data for more malicious purposes, like emptying our bank accounts – or entities across the globe, looking for secrets. The fact that a person is an American or German national won’t stop Chinese companies from having an interest in their personal business if they are involved in technical enterprises of interest. Blueprints of the US president’s personal aircraft, for instance, were obtained by the Chinese after a defense worker’s laptop was infected with targeted malware. It’s not just smartphones, either: as computers undergird our very homes, surveillance no longer requires a group of fictional plumbers poking around installing cameras into ceiling fans. These days, even the power outlets can have ears.
Data collection isn’t just a problem for privacy issues: the concentration of so much information invites crime. When heist extraordinaire Willie Sutton was asked why he robbed banks, he replied simply – that’s where the money is. Why penetrate Target’s databanks? That’s where the information is -- high-value credit card information. The exposure isn’t all about profit, either, though the information superhighway has already helped far-distant predators steal and skedaddle. The early hackers practiced their craft for laughs, and so they still do – but the stakes are higher than simply wiping out computer drives. Future Crimes documents one case of a young teenager whose laptop was infected with software that allowed an outside party – a teenager at her school who was not even reasonably clever, but purchased a kit – to turn on her webcam, collect photographs of her in states of undress, and then attempt to blackmail and humiliate her. Even after she switched schools, the photos became the arsenal of bullies there, their hounding continued after a failed suicide attempt, and eventually ended only when she succeeded in killing herself. Secure in anonymity, able to meddle in the lives of others from safety, humans are willing and able to do all manner of wretched things.
The fun will continue as the 21st century develops. Our digital world is in its infancy, a mere golf ball of connectivity compared to the solar-sized scale of tomorrow. In the years to come, it is possible that most every object in our home will be connected to an internet of things, and even if paranoiacs and luddites like myself object, regulation and market availability may force some level of IoT integration. The systems that control our lives – traffic management, electrical grids, financial markets – are managed online, and each of them has already been tampered with and manipulated by tech-savvy hoods. As the world continues to become more automated, services performed by machines running on software that can be manipulated, our danger grows. Military drones have already been touched by malefactors – insurgents can watch a drone’s feed as it approaches, or skew its navigation so that it blows up the wrong neighborhood. (Assuming it had the right neighborhood to begin with...) Manufacturing robots have already proven themselves lethal, sometimes mistaking human laborers for parts to be manipulated, and if their software is tampered with, accidents could be effected on purpose.
Future Crimes is a daunting, eye-opening book. Even after I had read other books on cyber-security, Goodman provides case after case I hadn’t heard of. This is five hundred pages of disturbing reporting and evaluation, dense and powerful. Like any security auditor, Goodman doesn’t leave readers shocked but helpless: the last fifth of the book offers some ideas into protecting ourselves. Part of the problem is that culture has not caught up to technological change yet: as smartphones ease un-informed adults into the digital world, people unprepared for vigilant defense of their information expose themselves to a burgeoning number of thieves and opportunists. Not even those who should know better are ready; many of the instances documented here come from military or security officials not being fastidious enough, with the result that a virus intended for an Iranian offline network traveled to the International Space Station. In addition to arguing for regulations that force private enterprises to take more fiscal responsibility for safeguarding the information they collect, Goodman shares more interesting ideas, like crowdsourcing better digital security systems.
Two things are certain: we’re in for a ride in the next decade, and I won’t find a more eye-opening book this year. This book delivers reams of eye-opening information. It would make for an interesting exposure of crime merely by itself, but goes beyond that to brief readers on the multitude of security challenges we face now, and will face tomorrow, threats to our personal, corporate, and national security. Future Crimes is well worth your time: it, and the world it opens one's eyes to, are incredible.
Related:
- Data and Goliath, Bruce Schneier
- The Internet Police, Nate Anderson
- Spam Nation, Brian Krebs
- 10 Don'ts On Your Digital Devices, Eric Rzeszut, Daniel Bachrach
- @ War, Shane Harris
I have a few more titles in this vein that will appear later this year, like Richard Clarke's Cyberwar and Glenn Greenwald's No Place to Hide. They may succeed, but they won't surpass....
Tuesday, January 19, 2016
Data and Goliath
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
© 2015 Bruce Schneier
400 pages, including 160 pgs of citations.
You're being watched -- all the time, no matter where you go or what you do. Not by mysterious men in trench coats, or even black suits, shades, and earwigs -- but by the very system you live in. Perhaps watched isn't the right word; monitored may be more apt. In virtually every moment of the day in the developed world, billions of people are passing on data about themselves, knowingly and unknowingly. Our phones report where we are, as do our cars if they are new enough; in-store cameras track and analyze our shopping patterns, or alert security if we act aberrant; and we add to the data stream ourselves by taking inexplicable photos of our lunch and sharing them on Facebook. Bruce Schneier has been involved with cybersecurity from the early days of the internet, and in Data and Goliath he alerts lay audiences to the fact that in the last fifteen years, a giant infrastructure of observation has grown around them, the joint work of companies out to sell you and governments out to control (sorry, "protect") you. After reducing the reader to a wide-eyed paranoiac, he then offers suggestions as to how regulation might rein in the government and corporations, and -- more practically -- gives the reader ideas of how to safeguard against the worst aspects of the All Seeing iWorld.
We live in a digital world, quite literally. Not only have computerized systems become nearly as ubiquitous as asphalt at this point – in our phones, our cars, our homes, our electric grid – but much of our life is now lived in a digital sphere. A decade ago that might have only been true for socially awkward teenagers who found online Starcraft more appealing than in-person awkwardness. These days, virtually everyone spends part of the day partially engrossed in the web, particularly through social media. Unlike communing in a café over the latest photographs or stories, our online connections are monitored and recorded. There’s no conspiracy involved; we pass our information through electronic portals, and the information is saved as part of the network’s very infrastructure before it can be transmitted. More deliberate monitoring and recording is also at work: online businesses track our activity to create better ads, and ever since 2001 the NSA has been obsessive about detecting terrorists through electronic data collection. A certain amount of this is tolerable in both instances, but questionable territory is reached when Facebook begins using users’ tagged photos to create sophisticated facial recognition software, or when NSA begins piling up information and filching emails en masse from people not accused of a crime, merely declared connected by software.
Data and Goliath contains a litany of alarming and unsettling accounts of digital innovation across the globe. Government practices in the United States, China, United Kingdom, and Iran all fall under fire, with the US taking the heaviest flak given its Wikileaks exposure. Have the multitude of stories about the NSA’s email abuses become commonplace? Consider their exciting proprietary tools that imitate a cell tower, allowing them to listen to whatever phone latches on to it – or their coercion of American companies to add in “backdoors” to their telecommunications systems, like Cisco’s routers. That’s not just an American problem: international traffic flows through American infrastructure, and as knowledge of Uncle Sam’s masterkey filters through the international community, sales for US equipment are struggling and criminals are learning to trip the backdoors themselves. Central to much of the abuse is the idea of collecting as much data as possible, then looking for the patterns.
In the interests of not driving readers into the ranks of the Amish, Schneier attempts to provide grounds for hope, suggesting regulation that might rein in government and business alike. He proposes, for instance, a reorganization of the NSA that would reduce its scope and shift the more likely-to-be-abused aspects into a military organization with harsher oversight, like the US Cyber Command. One regulatory idea for the private sector he has is forbidding companies from maintaining lengthy records of consumers without their consent: Apple may need to know where your iPhone is for it to connect to service providers, but it doesn’t need to record your movements. No branch of the government is likely to dismember the nascent surveillance state, not when they find it so useful – and find the prospect of public outrage after an attack so intimidating. More promising is the chapter on how people can minimize their own exposure to data collection. One relatively simple practice that I've adopted for years is using browser plugins like Disconnect to prevent Facebook from tracking me across sites: you don't even have to be a member for that plugin to create a cookie for my computer and compile traffic data about it. If some agency is intent on finding you, being analyzed may be inevitable: even people who take pains to move in the shadows of the web can be caught, including trained Israeli intelligence agents.
Data and Goliath demonstrates superbly how information-gathering is not simply a matter of government overreach, but endemic to the way the internet has developed thus far. The danger lies in our growing so used to this passive surveillance that we forget what it was to live privately. It is an invaluable resource for realizing how exposed we are living in the digital world.
Related:
© 2015 Bruce Schneier
400 pages, including 160 pgs of citations.
You're being watched -- all the time, no matter where you go or what you do. Not by mysterious men in trench coats, or even black suits, shades, and earwigs -- but by the very system you live in. Perhaps watched isn't the right word; monitored may be more apt. In virtually every moment of the day in the developed world, billions of people are passing on data about themselves, knowingly and unknowingly. Our phones report where we are, as do our cars if they are new enough; in-store cameras track and analyze our shopping patterns, or alert security if we act aberrant; and we add to the data stream ourselves by taking inexplicable photos of our lunch and sharing them on facebook. Bruce Schneier has been involved with cybersecurity from the early days of the internet, and in Data and Goliath he alerts lay audiences to the fact that in the last fifteen years, a giant infrastructure of observation has grown around them, the joint work of companies out to sell you and governments out to control (sorry, "protect") you. After reducing the reader to a wide-eyed paranoiac, he then offers suggestions as to regulation might rein in the government and corporations, and -- more practically -- gives the reader ideas of how to safeguard against the worst aspects of the All Seeing iWorld.
We live in a digital world, quite literally. Not only have computerized systems become nearly as ubiquitous as asphalt at this point – in our phones, our cars, our homes, our electric grid – but much of our live is now lived in a digital sphere. A decade ago that might have only been true for socially awkward teenagers who found online Starcraft more appealing than in-person awkwardness. These days, virtually everyone spends part of the day partially engrossed in the web, particularly through social media. Unlike communing in a café over the latest photographs or stories, our online connections are monitored and recorded. There’s no conspiracy involved; we pass our information through electronic portals, and the information is saved as part of the network’s very infrastructure before it can be transmitted. More deliberate monitoring and recording is also at work: online businesses track our activity to create better ads, and ever since 2001 the NSA has been obsessive about detecting terrorists through electronic data collection. A certain amount of this is tolerable in both instances, but questionable territory is reached when Facebook begins using users’ tagged photos to create sophisticated facial recognition software, or when NSA begins piling up information and filching emails en masse from people not accused of a crime, merely declared connected by software.
Data and Goliath contains a litany of alarming and unsettling accounts of digital innovation across the globe. Government practices in the United States, China, United Kingdom, and Iran all fall under fire, with the US taking the heaviest flak given its Wikileaks exposure. Have the multitude of stories about the NSA’s email abuses become commonplace? Consider their exciting proprietary tools that imitate a cell tower, allowing them to listen to whatever phone latches on to it – or their coercion of American companies to add in “backdoors” to their telecommunications systems, like Cisco’s routers. That’s not just an American problem: international traffic flows through American infrastructure, and as knowledge of Uncle Sam’s masterkey filters through the international community, sales for US equipment are struggling and criminals are learning to trip the backdoors themselves. Central to much of the abuse is the idea of collecting as much data as possible, then looking for the patterns.
In the interests of not driving readers into the ranks of the Amish, Schneier attempts to provide grounds for hope, suggesting regulation that might rein in government and business alike. He proposes, for instance, a reorganization of the NSA that would reduce its scope and shift the more likely-to-be-abused aspects into a military organization with harsher oversight, like the US Cyber Command. One regulatory idea for the private sector he has is forbidding companies from maintaining lengthy records of consumers without their consent: Apple may need to know where your iPhone is for it to connect to service providers, but it doesn’t need to record your movements. No branch of the government is likely to dismember the nascent surveillance state, not when they find it so useful – and find the prospect of public outrage after an attack so intimidating. More promising is the chapter on how people can minimize their own exposure to data collection. One relatively simple practice that I've adopted for years is using browser plugins like Disconnect to prevent Facebook from tracking me across sites: I don't even have to be a member for that plugin to create a cookie for my computer and compile traffic data about it. If some agency is intent on finding you, being analyzed may be inevitable: even people who take pains to move in the shadows of the web can be caught, including trained Israeli intelligence agents.
Data and Goliath demonstrates superbly how information-gathering is not simply a matter of government overreach, but endemic to the way the internet has developed thus far. The danger lies in our growing so used to this passive surveillance that we forget what it was to live privately. It is an invaluable resource for realizing how exposed we are living in the digital world.
Related:
- The Internet Police: How Crime Went Online and the Cops Followed. More on the law and order side.
- 10 Don'ts On Your Digital Devices, Eric Rzesut, Daniel Bachrach. Covering your electronic caboose for beginners!
Saturday, November 14, 2015
War, spam, and more war
Today I finished Spam Nation, a journalistic takedown of the spam industry which is centered in Russia. The book is a strange collection of memoir and journalism on criminal relationships so entangled that I felt like I was reading about the securities market. There's a fascinating chapter on who actually buys products that are advertised via spam (mostly medicine that's illegal in Europe or too expensive in the US) and how that market compares to legitimate ones, though most of the book is about two Russian cybercriminals who dominate the arena, whose infighting over turf exposes their dirty laundry and allows the police and other interests to take them on. It doesn't read as neatly as @ War, but it does shed light on a murky corner of the internet. Essentially, these men use viral programs to coopt other people's computers to send billions and billions of spam messages, chiefly marketing black market drugs and porn but also launching other revenue-boosters like scareware, programs that hijack a computer, announce computer infection and bid the victim to buy their security program to get rid of it. I've been on the receiving side of those when trying to fix relatives' computers: they are not fun at all. (Some disable any executable, including viral protection.) The book is interesting, though not entirely impressive; surely these two don't account for all spam, given how much 'real' advertising is done by email these days. The title is ambitious.
My library is currently packing up some nonfiction books to send to a newly-created rural sister library, and a lot of books I've kinda-sorta wanted to read but haven't gotten around to because I figured they would be there when I wanted to are on the list. Trying to read them before they disappear is why I picked up Miracle at Dunkirk a few weeks ago and got into this World War 2 reading kick.
Earlier in the week I read Operation Compass 1940, a short work (~80 pages) on the early war in northern Africa, in which Italian troops set on seizing Egypt were savaged by a far smaller British force on the counteroffensive. The work was strictly military history, with good maps but a fairly narrow scope, focusing just on this particular battle. The Italian humiliation here seems to have prompted the Germans to take Africa more seriously as a campaign ground, so I'm following it with The Desert Foxes by Paul Carell. It's a strange work, very sentimental and war-smitten. I looked up the author to see if he'd written anything else, and it turns out he's an honest-to-God Nazi. Oops. I'm still trying to find out how bad an apple he was.
The World War 2 reading will continue for the time being, though I intend on mixing other subjects in. For instance, I have an interlibrary loan book on order about a band of Irish immigrants who fought in the US-Mexican war...for Mexico! Another book on the way involves....horses. As far as the 2015 Reading Challenge goes, once I take down A Classic Romance, that will be it. I have the Christmas read already purchased, and it's a quickie. (Tease: it's about Jacob Marley.) My book with antonyms was That Was Then, This is Now. If I didn't have a mound of books on the Great War, World War 2, and cities, plus four books in the mail, I might be tempted to re-read everything Hinton. I still may. My self-control regarding books is on the anemic side. I know the stories, I just want to encounter the writing again.
“Your mother is not crazy. Neither, contrary to popular belief, is your brother. He is merely miscast in a play. He would have made the perfect knight in a different century, or a very good pagan prince in a time of heroes. He was born in the wrong era, on the wrong side of the river, with the ability to do anything and finding nothing he wants to do.”
(Rumble Fish, S.E. Hinton)
Thursday, August 6, 2015
10 Don'ts On Your Digital Devices
© 2015 Eric Rzesut, Daniel Bachrach
180 pages
Networked computers are no longer the hulking monsters of the 1970s, only found in industrial and military installations. In the second decade of the 21st century, they are as common as phones -- in fact, for many of us, they are our phones. Their ubiquity allows us to connect all the various aspects of our lives to an infinite degree; we can do taxes or engage in research while traveling, stream lectures during exercise, and lose ourselves in TriviaCrack while on dates that aren't going so well. But the pervasive nature of web-connected devices doesn't just create space for leisure, education, and personal work: it's also an opportunity for parties interested in accessing and exploiting our personal data -- businesses, criminals, and the government. In Ten Don'ts On Your Digital Devices, Eric Rzesut and Daniel Bachrach offer a crash course in basic digital security, one which fairly well covers the basics for people who never realized that the same smartphones which allow them access to a world of information also expose them to a world of quicksand, disasters, and predators.
This is a technological briefing that doesn't get too technical, allowing even the most tech-oblivious to get a handle on the new territory they're covering. Some lessons are utterly basic, like remembering that phones, tablets, and laptops can now contain information just as sensitive as that found in a wallet of credit cards and government identities, and should be guarded with the same ferocity. Others pass along information gained only by experience, like learning to detect phishing attacks -- emails disguised as legitimate correspondence containing innocent-looking links that lead to one's digital information being plundered. Even the paranoid, myself included, may find updated threat information here: I wasn't aware that some phones are enabled by the manufacturer to automatically connect to whatever wireless networks are in the area, exposing unwitting users who check their bank statements on the phone without realizing it's switched to Johnny Ne'er-do-Well's network instead of their service provider's. Every section includes a basic review of the issue, followed by suggestions. Some are behavior-related (as in, "Don't pay your credit card bill on a McDonald's wifi connection"), but some list alternatives and relevant tools. Short but full of useful information, Ten Don'ts is a good review of basic personal digital security that offers a lot of suggestions for people who want to tread more carefully.
Related:
Internet Police: How Crime Went Online (and the Police Followed), Nate Anderson
@ war: the military-internet complex, Shane Harris