The Cybersecurity Canon: Snow Crash

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Snow Crash (1992) by Neal Stephenson

Every cybersecurity geek on the planet should embrace this book. It has everything that we like: Metaverse hacking, real-world swordplay, awesome weapons, and—to cap it all off—the hacker ends up with the girl.

Neal Stephenson is a cyber geek of the first order, and his personality is all over this story. His descriptions of the “Metaverse” and the “avatars” that live in it, both terms he made famous in this book, are so prescient that anybody playing World of Warcraft or using Second Life today would feel right at home. Stephenson is an author who truly understands the hacker culture, so it’s not surprising Snow Crash wound up on Time magazine’s list of 100 novels everyone should read, among countless other accolades.

Why It Holds Up

I recently reviewed the classic cyberpunk novel Neuromancer, so I figured I would continue the trend and review another classic in the genre to see if it too still holds up. Well, that, and as I’ve already mentioned, Stephenson is one of my favorite authors in this or any genre.

I first learned about Stephenson after reading his excellent article called “Mother Earth Mother Board” in Wired Magazine in 1996. He told the story about how the world is connected through massive runs of transatlantic cables that traverse the ocean floors and electronically and physically connect three continents to each other. To do the research, he traveled to each location where the cables made landfall and told the story about how it all comes together. But it was not until I read Cryptonomicon and In the Beginning…Was the Command Line, both published by Stephenson in 1999, that I became a fan. Cryptonomicon is the best “hacker” novel I have ever read, and after encountering that, I went scurrying back to the library to see what else Stephenson had written. That is when I stumbled upon Snow Crash.

Oh my!

Stephenson wrote this book in 1992, eight years after Neuromancer. At this point, authors well understood the main ideas of the style: stories written in a near-dystopian future where technology is advanced, governments have withdrawn in potency to be replaced by corporations, and man-machine interfaces and cyborg beings are the norm. But Snow Crash was like nothing I had ever read before. This was my first cyberpunk novel (I still hadn’t read Neuromancer for the first time), and every page read like the author was dropping new ideas onto the page like Mardi Gras beads hitting the ground on Bourbon Street. Stephenson wanted to have some fun with it, and the opening pizza-delivery scene reads like you are being launched out of a cannon.

Snow Crash’s main character is named Hiro Protagonist (see what I mean about having some fun?), a self-proclaimed master swordfighter, hacker in the three-dimensional Internet space called the “Metaverse,” and pizza deliveryman. He teams up with Y.T. (Yours Truly), a 15-year-old skater girl courier, and Uncle Enzo, a mafia kingpin and bankroller for the good-guy team. The bad guys are represented by L. Bob Rife, a Pentecostal evangelist and fiber-optic monopolist, and Raven, a motorcycle-riding, nuclear-bomb-wielding Aleut—as in Aleutian native—who is roughly the size of a house. The catalyst to all of this good-versus-evil business is Snow Crash, a virus that works both in the “Metaverse” and in the real world that L. Bob Rife intends to use to infect the world.

The Tech

Snow Crash itself is a neural-linguistic virus. By that I mean that Snow Crash is a meme that was buried deep in the human brain and forgotten until the bad guys in this story figure out how to unlock it. Stephenson leverages the theory of memetics that was introduced by Richard Dawkins in 1976 with his book The Selfish Gene.

Dawkins said that memes may be another way that humans evolve other than gene mutation. According to the theory, memes are ideas that humans transmit to one another across generations and may account for long-lasting ideas like religion, morality, and crop rotation.

In this story, pre-Christian religious leaders controlled the masses with the Snow Crash meme. The virus’s secrets were lost to history until L. Bob Rife (the story’s bad guy) rediscovered them and found out that hackers plugged into the “Metaverse” were susceptible to the digital virus that used them. Hiro asks his girlfriend, “This Snow Crash thing – is it a virus, a drug, or a religion?” She replies, “What’s the difference?”

According to Stephenson, he invented the term “Metaverse” for this book. Readers will most likely associate the “Metaverse” with online role-playing games (RPGs) like World of Warcraft and online heightened-reality experiences like Second Life. But Stephenson’s description of the “Metaverse” in the first 30 pages of Snow Crash is almost a blueprint to building these kinds of worlds. When you consider that the designers of Google Earth used Stephenson’s description as a model and that he published the book two years before World of Warcraft debuted and 11 years before Second Life launched, you realize just how prescient Stephenson was. In a perfect example of the definition of “meta,” players in the Second Life Metaverse annually reenact the Snow Crash novel.

The term “avatar” originates from Hindu mythology and refers to the form of a god living on earth. Game designers adopted the term to represent characters in RPGs as far back as 1979. But Stephenson’s use of the word to describe his characters’ online personas—not just any character but the representation of his or her own personality in the “Metaverse”—catapulted the word into the popular culture, so much so that the word was common enough for James Cameron to use as the title of his blockbuster movie in 2009.

Conclusion

By culturally defining “avatars” and the “Metaverse” for the geek crowd and being one of the first Internet commentators to realize how important memes are, Snow Crash is a must-read for any Internet history enthusiast and security professional. It is canon. You should have read this by now.

The Cybersecurity Canon: Neuromancer

Neuromancer (1984) by William Gibson

William Gibson’s landmark Neuromancer is a must-read for every cybersecurity professional, not because you will learn new insights into your craft, but because you will understand why this book was so influential to the cybersecurity zeitgeist back in the day.

Gibson invented and clarified the language that we are still using today ten years before it became mainstream. He coined the word “cyberspace,” launched the “cyberpunk” genre, pontificated about “the singularity,” guessed (correctly) that “hacktivism” would be a thing, and understood that we would need a form of “search” long before any of us even knew how vital Google and similar services would become. You should have read this by now.

Gibson published Neuromancer in 1984 and subsequently received multiple book awards for his efforts, including The Nebula Award for Best Science Fiction Novel and The Philip K. Dick Award for Best Science Fiction Paperback. Among his accolades, Gibson is credited with one of the best ever opening novel lines:

“The sky above the port was the color of television, tuned to a dead channel.”

Literary critics subsequently tagged this novel as the “quintessential” work in a new genre called cyberpunk. Gibson himself chafes a bit at that label, but it may be that label that got security geeks interested in the book in the first place.

Scholars categorize cyberpunk as stories written in a near-dystopian future where technology is advanced, governments have withdrawn in potency to be replaced by corporations, and man-machine interfaces and cyborg beings are the norm (think Blade Runner if you are having trouble getting your head around the concept). Sci-fi writers invented cyberpunk when they realized that there might be another path to the future besides the one advertised by Star Trek and Star Wars, one that is not as pristine and humanitarian as, say, Ender’s Game. Cyberpunk worlds always have some grit to them: sex, drugs, and rock and roll.

But I don’t think cyberpunk itself is the draw for security geeks. The draw, in my mind, is a combination of elements that is consistent in popular geek entertainment today.

Hackers and Cowboys

The main Neuromancer character is Case, a world-class hacker, referred to as a cowboy in the book, who has fallen from grace. The government caught him doing something stupid and, through surgery, made it impossible for him to ever connect to the Internet — “jack” into “cyberspace” — again.

The story opens with Case on his last legs, hustling the streets of Japan for drug and booze money, cigarettes and, if he had anything left over, food. He is literally days away from expiring. Through a series of random meetings that the reader does not understand until midway through the book, Case gets a chance at redemption.

He ends up joining a misfit team: The Leader, Armitage (ex-military); The Assassin, Molly (a beautiful cyborg); The Techie, Finn (a prototypical scrounger); and The Mentalist, Peter (a psychopathic mind bender). Case completes the team as the resident cowboy. The leader seems to have unlimited funds at his disposal and pays to reverse the process that prevents Case from jacking in (and pays to have his kidneys amplified so that his body cannot process drugs either – bonus!). The reader is never really sure what the team’s ultimate objective is until close to the end of the story, but along the way we get plenty of Kung Fu between the assassin and every bad guy we meet, love-making between the hacker and the assassin, and a verbal description of what it means to hack that is eerily similar to how modern computer gamers play today.

What’s not to like? Why wouldn’t the cybersecurity geeks of the world love a story where the loser-hacker can win the girl, hack for a greater good, be critical to a super-ninja’s purpose, and ultimately be the hero in the story? The cyberpunk elements make the story fun, but the hacking-copulating-jujitsuing elements make the story soar, at least to a geek like me.

The story itself is really about the incipient moments before “the singularity,” that moment when an artificial intelligence, a software program, becomes sentient. You know what I am talking about. This is a standard sci-fi trope today probably best known in the Terminator movies when Skynet goes online and decides that humans are no longer needed. In Neuromancer, the singularity is still a relatively new sci-fi idea, and the reader discovers that the power behind the leader is really an artificial intelligence called Wintermute. Wintermute is a subprogram working for a larger artificial intelligence called Neuromancer.

The Tech

Gibson invents some new culture in this book too, and when I remember that he published it in 1984, I get chills thinking about how prescient he was. Two ideas come to mind. The first is a hacktivist group called the Moderns. Remember that in 1984, the Internet was little more than a white board diagram and some primitive university communications systems. Yet, Gibson had the vision to predict cyber hacktivists – which these days continue to be all over the news — and described them this way:

“Moderns: mercenaries, practical jokers, nihilistic technofetishists.”

If that is not the perfect description of Anonymous, I don’t know what is.

The second idea comes in the form of a personalized search engine Gibson calls the Hosaka. The Hosaka is basically an artificial intelligence that searches the Internet for whatever the user requires. This is not quite what Google does for us today, but it is very close.

Conclusion

I thoroughly enjoyed reading this book. It really is a must-read if you want to understand the cybersecurity culture of today, not only because it is one of the first cyberpunk novels, but also because it is a ripping good story that discusses things that cybersecurity geeks like to talk about: kung fu, getting the girl, and making hacking sound fun and exciting. How cool is that?

The Cybersecurity Canon: The CERT Guide To Insider Threats

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012) by Dawn M. Cappelli, Andrew P. Moore, and Randall F. Trzeciak

When the Edward Snowden case hit the press in summer 2013, I was working as the CISO of a mid-sized government contractor organization. At the time, my senior leadership rightly asked if our own insider threat program would have detected Snowden’s activities before he released classified information to the public. I had to admit that the honest answer was no. Because of Snowden’s system administrator position, he was a trusted employee (contractor). He had the keys to the city, or at least some of them.

We may have had better luck catching Bradley Manning. According to Bill Simpich at Reader Supported News (RSN), Manning released some 700,000 documents to the public. That volume of exfiltrated documents may have been noticed by my automated monitoring system or would have been stopped by my preventative controls (not allowing access to the CD system on classified machines), but Snowden released only a handful of documents (with the promise of more later). My monitoring system would not have noticed that kind of precision, and because he was a system administrator, he most likely had permission to turn off my preventive controls that stopped USB use.

It was because of these developments that I picked up The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Dawn Cappelli, Andrew Moore, and Randall Trzeciak. I wanted to see if there was something else that could be done.

What is clear from reading the book is that there is no technical solution that truly mitigates insider threat risks, which is something many of my colleagues at Palo Alto Networks have also written about. Technology can aid in discovery – and in our case, can safely enable applications without slowing down business productivity. But the tech itself is only a part of an organization’s discovery process. For any insider threat program to be successful, leadership must coordinate across three lines of business activity: policy, training, and information technology (IT) discovery.

Book Organization

The CERT book itself is a bit odd. It is written in an academic style that is not as direct as other technical security books that I have come across. The authors scatter layers of the same information through the chapters. Specifically, they talk about the 16 mitigating controls in at least three locations at various levels of detail. Lists of indicators of precursor behavior are all over the place and are not consistently presented. To me, the thing they do get right is that they are very explicit about what the risks are and what you can do to counter the risks.

There is good information here. Cappelli and her co-authors recommend specific administrative, technical, and physical controls that they have found useful in detecting and mitigating the insider threat. What’s also helpful is that they define three types of insider threats:

  • Insider IT sabotage: Incidents in which the insider uses IT to direct specific harm at an organization or an individual.
  • Insider fraud: Incidents in which an insider uses IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or the IT theft of information that leads to an identity crime.
  • Insider theft of intellectual property: Incidents in which an insider uses IT to steal proprietary information from an organization.

They make a weak case that certain mitigations, controls and certain precursor behavior go with specific types of insider threats, but they do not show that the data is conclusive. Nevertheless, insider threat programs must look for all potential precursor behavior and apply the correct mitigation control against it.

16 Mitigation Practices

The authors say it right away: “If you learn only one thing from this book, let it be this: Insider threats cannot be prevented and detected with technology.”

There is no magic bullet here. The mitigations this book describes are the same mitigations that any group of CISOs standing around a white board for an hour might come up with. What makes the book valuable is that it is backed up with real data. After analyzing some 700 cases, the authors can make reasonable assertions about what might work. The epiphany for me was that the bulk of the recommendations do not fall within the technical realm. More than half fall into the administrative side, which may be why detecting the insider threat is so hard.

For any insider threat program to work, it must rely on humans communicating clearly across business boundaries, from the executive leadership team down to the employee users regarding policy, from the internal business units to the external trusted business partners about acceptable use, from the managers observing employee behavior and reporting anomalies to human resources, and from the IT department gathering evidence for leadership to make a decision. My colleague, Danelle Au, recently discussed why CISOs have to be the executives that ensure these communications are happening cross-functionally on a regular basis.

The authors describe 16 strategic goals to help prevent an insider threat attack and suggest a number of tactical controls for an organization to put in place to make that strategic goal successful. These include everything from considering insiders and business partners when performing enterprise-wide risk assessments, to a clearly documented and consistently enforced set of policies and controls.

I’ve also seen success in techniques such as periodic security awareness training for all employees, anticipating and managing negative workplace issues, and many more suggested by the authors.

What To Focus On

Assessing my organization’s ability to detect and prevent insider threat activity similar to actions performed by Snowden and Manning was sobering. With the controls I had in place in my previous role, I most likely would not have been successful. The CERT Guide book outlines specific mitigating controls to consider for preventing this kind of activity in the future.

Although the book is frustratingly academic, the specific assertions about what to put in place are backed by more than 700 case studies. It is the authoritative source about what works and what does not for this threat. What I learned from reading this book is that there is no technical solution that truly mitigates insider threat risks. For any insider threat program to be successful, leadership must coordinate across the entire business in terms of policy, training and implementation to ensure four tactical goals:

  1. Train employees and managers to watch for the signs of potential insider threat behavior.
  2. Provide mechanisms across the organization to report and review the activity.
  3. Establish and maintain the apparatus to monitor for potential abuse.
  4. Mitigate the risk before any damage is done.

The key to the entire program is the human element, and that is why defending against the insider threat is hard.

The Cybersecurity Canon: The Cuckoo’s Egg

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll

If you are a cybersecurity professional, you should have read this by now. More than 20 years after it was published, it still has something of value to say on persistent cybersecurity problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. And even if you are not a cybersecurity professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful.

Looking Back

The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, authors put their email addresses in their books, and when I finished reading it, I sent Mr. Stoll a note explaining how much I enjoyed his book. He answered immediately and that forever made me a fan. But besides being a window back through time to the beginning of our modern Internet age, Stoll’s book highlights many of the security problems that still plague us today.

The story itself reads like an Alfred Hitchcock movie. Joe Average-Man — in this case, Stoll as a hippie-type systems administrator keeping the computers running at the Lawrence Berkeley National Laboratory just outside San Francisco — is in the right place at the wrong time. Like Cary Grant and Jimmy Stewart before him, Stoll is minding his own business when he stumbles upon a bit of a mystery that, when it all plays out, is much larger than he is. By tracking down a minuscule computer-accounting error, Stoll unraveled an outsourced, Russian-sponsored, international cyber-espionage ring that leveraged the Berkeley computers to break into US military and government systems across the United States.

The book documents Stoll’s journey as he tries to get help from the US and German governments to do something about this serious threat that nobody wants to own. As the story unfolds, the reader also gets a fascinating glimpse at how the Internet looked just before it exploded into the commercial, informational and cultural juggernaut that it has become today.

The interesting dichotomy at play in the book though is how Stoll deals with government authorities. In the book, he describes himself as a “mixed-bag of new-left, harmless non-ideology,” yet he routinely called, cajoled, and coordinated leaders and administrators in the NSA, the CIA, the FBI, and other government and military organizations–bastions of the near and far right. How Stoll gets his head around those two philosophies is fun to read.

It is in these interactions with the government that Stoll runs squarely into one of those persistent problems that we still have in the security community today, and one we still talk about at each and every cybersecurity conference I attend.

The government does not like to share.

Stoll consistently ran into government bureaucracy: human-government vacuum cleaners who were eager to take any and all information that Stoll had in regard to his investigation but who were also unwilling to share anything that they knew in return. To be fair, the US government today is getting better at this information-sharing thing, but leaders are a long way from implementing a free-flowing information exchange. I am not sure it will ever get there. And as we’ve been discussing for months now here at Palo Alto Networks, what we’ve learned about what the government will share versus what data they will collect is going to continue to be a source of hand-wringing and also a catalyst for the increased use of techniques such as SSL/encryption.

There’s also the second persistent problem. As Stoll is wrapping up the book, he concludes, “After sliding down this Alice-in-Wonderland hole, I find the political left and right reconciled in their mutual dependency on computers. The right sees computer security as necessary to protect national secrets; my leftie friends worry about an invasion of their privacy.”

If that is not the perfect summation of the fallout from the Edward Snowden investigation, I don’t know what is. The Snowden case is just the last one in a series of privacy-versus-security trade-off debates that the United States and other countries have made in the past twenty years. As Bruce Schneier points out, this is a false argument: “The debate isn’t security versus privacy. It’s liberty versus control.”

He and other pundits highlight the fact that this is not an either-or decision. You can have security and privacy at the same time, but you have to work for it. In this book, Stoll was the first one I can remember who raised the issue. He struggled with it back then as we are all doing today.

The third persistent problem is the cyber espionage threat. The commercial world only really became aware of the issue when the Chinese government compromised Google at the end of 2009. The US military had been dealing with the Chinese cyber espionage threat, back then known as TITAN RAIN, for at least the decade before that. But Stoll claims that his book describes the first public case where spies used computers to conduct espionage, this time sponsored by the Russians. The events in The Cuckoo’s Egg started happening in August 1986, almost 15 years before TITAN RAIN, and some of the government characters that Stoll deals with in the book hint that they know about other nonpublic espionage activity that happened earlier than that. The point is that the cyber espionage threat has been around for some 30 years and shows no sign of going away any time soon.

The fourth and final persistent problem is really not a cyber problem at all but an intelligence discipline problem. Throughout the book, Stoll struggles with the idea of whether or not to publish his findings. He describes the problem like this:

“If you describe how to make a pipe bomb, the next kid that finds some charcoal and saltpeter will become a terrorist. Yet if you suppress the information, people won’t know the danger.”

That is the classic intelligence dilemma. It goes directly to the Snowden issue today wherein the lefties are concerned about privacy and want transparency for all security matters. The righties value security over privacy and worry that transparency will give too much information away to the bad guys. In my heart, I think there is some middle ground that could be reached. Since 9/11, the United States has swung in the direction of security over transparency. I do not see that changing anytime soon. Stoll definitely comes down on the side of transparency though, but like I said, he is a self-described “mixed-bag of new-left, harmless non-ideology.”

A Side Note

On 3 November 1988, 34 minutes after midnight and almost a year after Stoll concluded his forensics investigation on the Russian-sponsored cyber espionage ring, Robert Morris Jr. brought the Internet to its knees. He launched the first ever Internet worm, and for at least some days after, the Internet ceased to function as UNIX wizards of all stripes worked to eradicate the worm from their systems. Aside from the coincidental timing of the worm, the reason this is significant to this book is that Robert Morris’ father, Bob Morris Sr., was Stoll’s contact at the NSA during the investigation. He was one of those human vacuum cleaners taking in information but not giving any out. By all accounts, Bob Morris Sr. was a computer wizard in his own right and I have often speculated about how much his son picked up at the dinner table from his dad about the theoretical ways one might attack the Internet.

The Tech

The egg in The Cuckoo’s Egg title refers to how the hacker group compromised many of its victims. It turns out that the real-life cuckoo bird does not lay its eggs in its own nest. Instead, she waits for any kind of other bird to leave its nest unattended. The mother cuckoo then sneaks in, lays her egg in the unoccupied nest, and sneaks out, leaving her egg to be hatched by another mother. Similar to the cuckoo bird, Stoll’s hackers took advantage of a security vulnerability in the powerful and extensible GNU Emacs text-editor system that Berkeley had installed on all of its UNIX machines. As Stoll said, “The survival of cuckoo chicks depends on the ignorance of other species.”

The spy ring spent a lot of time trying to take over regular user accounts so that they could log in as those users and review the system without causing alarm. In one instance, after becoming a system administrator with the Emacs attack, one hacker opened up the system’s password file. He still did not know what the passwords were to all the users on the system because they were encrypted. Instead of trying to break them, he just erased one of them. He picked a specific user and erased the user’s password. When he logged in as that user later, the system would grant access since there was no password guarding the account.

After a while, the hacker started downloading the entire password file to his home computer. Stoll later discovered that the hacker executed a brilliant new attack. He encrypted every word in the dictionary with the same algorithm that encrypted passwords and compared the encrypted passwords in the downloaded password file with the encrypted dictionary words. If he found any that matched, he could now log in as a legitimate user. Brute-force dictionary attacks are standard today, but back then, this was a new idea.
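
The two weaknesses described above, an account whose password field has been erased and passwords that match dictionary words, are exactly what a defender's password-file audit checks for. The sketch below is an added example, not code from the book or the original post; the passwd-style sample, the wordlist, and the PBKDF2 stand-in for the system's password function are constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 1000  # kept low so the example runs quickly; not a production setting

# Password-field markers meaning "no hash stored here" (locked or shadowed).
LOCKED = {"x", "*", "!"}


def hash_password(password: str, salt: str) -> str:
    """Stand-in (assumption) for the system's one-way password function."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{salt}${dk.hex()}"


def audit_passwd(text: str, wordlist: list[str]) -> list[tuple[str, str]]:
    """Return (user, issue) findings for a colon-separated passwd-style file.

    Issues reported:
      empty-password      - field erased, login needs no password
      hash-exposed        - hash sits in the readable account file
      dictionary-password - hash matches a wordlist entry
      malformed-entry     - line does not have the seven expected fields
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed-entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty-password"))
            continue
        if pw in LOCKED:
            continue
        findings.append((user, "hash-exposed"))
        # Re-hash each candidate word with this account's salt and compare.
        salt = pw.partition("$")[0]
        if any(hmac.compare_digest(hash_password(w, salt), pw) for w in wordlist):
            findings.append((user, "dictionary-password"))
    return findings


def build_sample() -> str:
    """Constructed sample file: name:password:uid:gid:gecos:home:shell."""
    rows = [
        "root:x:0:0:root:/root:/bin/sh",
        "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
        "operator::11:0:operator:/home/operator:/bin/sh",
        f"alice:{hash_password('sunshine', 'a1')}:1001:1001:Alice:/home/alice:/bin/sh",
        f"bob:{hash_password('T7#qv!Lm2zR8', 'b2')}:1002:1002:Bob:/home/bob:/bin/sh",
    ]
    return "\n".join(rows)


# Constructed wordlist standing in for "every word in the dictionary".
WORDLIST = ["password", "sunshine", "dragon", "letmein"]

if __name__ == "__main__":
    for user, issue in audit_passwd(build_sample(), WORDLIST):
        print(f"{user}: {issue}")
```

The audit reports only which accounts fail, not the matching word, which is all a remediation ticket needs.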

Decades Later

I can’t tell you how pleased I am that The Cuckoo’s Egg still holds up after 20 years. Being my first love and all, the old girl has aged quite well. Instead of playing Jimmy Stewart or Cary Grant in an old black-and-white favorite movie, Stoll fits quite nicely in a modern setting. The book still has something of value to say on persistent cyber security problems like information sharing, privacy versus security or liberty versus control, cyber espionage, and the intelligence dilemma. This book is part of the canon for the cyber security professional. You should have read this by now.

The Cybersecurity Canon: Cryptonomicon

Cryptonomicon (1999) by Neal Stephenson

I said during the introduction to this series that I wouldn’t focus purely on technical literature, or even just nonfiction, for that matter. To me, Cryptonomicon is the quintessential hacker novel. The author, Neal Stephenson, describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers.

Stephenson delights in explaining how all of these things go together. His collection of fictional and nonfictional characters orbits each other across a thousand pages and propels the reader through dual timelines of World War II and the dot-com startup decade of the 1990s.

The result is a multigenerational treasure hunt worthy of an Indiana Jones adventure, but unlike Indiana Jones, this is not a light read. It is dense with ideas. You do not skim through this looking for the good parts, but if you take the time to embrace the journey, you will not be disappointed. You will be fed cybersecurity history, rollicking adventure, heartbreaking tragedy, the pleasures and perils of a multigenerational family, and the awkwardness of several geek love stories all told from the hacker perspective. There is something for everyone here, and you owe yourself the pleasure of finding your favorite part. It deserves a spot in the canon.

Genuine Passion

When I describe Cryptonomicon as the best hacker novel I’ve ever read, I use the word “hacker” from the old-school definition – meaning, not computer trolls who spend their time breaking into systems for fun and profit but technological wizards who have a genuine passion for learning about how things work and making the world a better place with that knowledge.

I admit it: I am a fanboy of Stephenson. He has written several of my favorite hacker novels over the last two decades, including Snow Crash, The Baroque Cycle and Reamde. But he uses Cryptonomicon as his personal petri dish to explore some wide-ranging ideas. He touches on everything from the impact of Allied code breaking during World War II, to the importance of Dungeons & Dragons to modern-day geeks, to the jaw-dropping complexities of twentieth-century banking, to the necessity and procedures for getting the correct ratio of milk to Cap’n Crunch kernels in your morning cereal, to the horrors experienced by soldiers and civilians in the Philippines during WWII, to the significance of cryptological systems in our state-of-the-art world, to the excitement of a present-day treasure hunt, and, most importantly, to the beauty of family ties across generations.

As you might expect, this is a dense read. One fellow fan and author, Charles Yu, describes the book this way: “A copy of Cryptonomicon has more information per unit volume than any other object in this universe. Any place that a copy of the book exists is, at that moment, the most information-rich region of space-time in the universe.”

You get the idea. It is not a novel you are going to get through in a weekend. But one of Stephenson’s great gifts is his ability to juggle many seemingly unrelated and interesting characters within a story and then surprise the reader about how they are all connected. He crafts four main narrative arcs in Cryptonomicon and uses a parade of major and minor characters that intersect at key moments to propel the story. Three of the arcs happen during WWII, and the fourth happens during the Internet boom of the 1990s. Much more is woven throughout, and the word cryptonomicon itself refers to a collection of code-breaking techniques that one character inherits and develops throughout the story.

Why It’s In

Cryptonomicon is unique in that it qualifies in two different categories: “books for important historical context” and “novels that don’t exaggerate the genre.” For historical context, Stephenson describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers. That intersection is ground zero for my chosen profession—cybersecurity—and the hacks that are described are interesting and well within the realm of “the possible.”

But with all of that, Cryptonomicon is not an easy, breezy read. It is packed with ideas. Savor the journey though, and find your favorite part.
