How You Can Be Involved In the Cybersecurity Canon

Executive Summary

The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball and Rock & Roll Halls of Fame, except for cybersecurity books. We formed a committee to get the process up and running, and since my company, Palo Alto Networks, decided to sponsor the initiative, we are now live with an official web presence.

We have 20 books on the initial candidate list, but we are soliciting help from the cybersecurity community to grow that number considerably. The committee will select inductees to the Cybersecurity Canon each year, and we are now seeking books to put on that candidate list.

In order to do that, we need passionate readers like you to write book reviews for the website. The Cybersecurity Canon is an exciting idea. If you are a lover of great cybersecurity books (fiction, nonfiction, fanciful, technical), I hope you will support our cause. If you have a book that you absolutely love, and everybody I talk to about this subject does, then please write a book review and get it nominated for the candidate list. The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Introduction

I have been in the cybersecurity business for a long time and have consumed my fair share of books on the subject. In my basement, I have an entire library of titles that I know you would recognize as being famous at one time or the other in the past 25 years. A while back, I was perusing my collection and feeling superior to no one in particular because I had read these tomes when I suddenly realized that, although I remembered the gist of most of the titles, I did not remember a lot of the details. Frankly, I was a little embarrassed. I used to think that I was well read. The fact that I could not remember the details was a little disheartening and an indicator of how old I was. Right there in the basement, I decided to do something about it.

The Story

I gave myself the task of re-reading some of the more interesting books with the intent to take notes on the details so I could remember them in the future. Those notes eventually turned into book reviews that I published for my customers when I worked at iDefense. When I left iDefense, the new GM, Jason Greenwood, gave me permission to re-publish those reviews on my own personal blog site (Terebrate) as a service to the cybersecurity community. When I joined Palo Alto Networks, I re-published that collection on the Palo Alto Networks public-facing research blog in order to service a wider audience and start to build some community around the idea of a Canon.

After a couple of years of doing those reviews, I had a collection of about 20 that I thought represented the cybersecurity community. The reviews explained how these books told our cybersecurity history, explained our culture, or represented the current and best thinking on a myriad of topics like cyber crime, cyber warfare, cyber hacktivism, cyber espionage, and privacy in a digital age.

I began to get the idea that this collection, and probably about 100 more books that I had not reviewed or identified yet, made up a set of cybersecurity books that everybody in our community should have read at some point during their careers. Our community really needs a Cybersecurity Canon.

From The Free Dictionary, a canon “is a group of literary works [that the community generally] accepts as representing a field.” I presented this idea at the annual RSA Conference in San Francisco this year (2014), and it was well received, so much so that Palo Alto Networks decided to sponsor the concept. We decided to build the official Cybersecurity Canon.

Not Just Technical Books

As I came up with my initial list, I considered the kinds of books that should be included in the Canon. I originally thought that it would be a collection of technical books. However, I soon discovered that although authors have published many fine books in this area, the technology evolves so rapidly that most of these books are now dated.

The idea of a Cybersecurity Canon, however, is to collect a set of books whose content is everlasting. Books that were very good upon initial publication but are no longer relevant today don’t meet the criteria to be included in the Cybersecurity Canon in most cases. There are technical books on my original list of 20 for sure, but they did not dominate the list like I had expected. So I turned my attention more broadly to non-fiction books; books where the authors detailed an important part of our culture or history or were able to capture the essence of a particular topic.

Finally, I considered novels. I know; it sounds strange that fiction might be included in a canon about a highly technical field. But it occurred to me that the target audience for the Cybersecurity Canon is not just a bunch of grizzled security veterans like me. We might want to catch the attention of young people who have not yet decided whether they want to join our community. If we can get them excited about the topic within a fictional setting, as long as the cyber is accurate and the details are enough to open some interesting discussions about the cyber landscape, then fiction should be eligible for consideration.

At the Palo Alto Networks Ignite 2014, our annual customer event, I selected Parmy Olson’s We Are Anonymous as the first book to induct into the Cybersecurity Canon. I delivered the same talk that I gave at the RSA Conference to the Ignite crowd, but this time we brought Parmy onto the stage at the end for a Q&A session. Afterward, Parmy stuck around and talked to the crowd and signed her book for all comers. We had a blast. All of a sudden, the Cybersecurity Canon had become a real thing.

The Tech

Right after Ignite, I formed a committee of prominent cybersecurity experts (including Parmy) and the team began building the infrastructure and mechanics to annually select one or more books from my initial list of 20, and other books that we have not yet identified or reviewed, into the official Cybersecurity Canon. I am happy to say that we launched the official website just a few weeks ago. Go take a look.

What does this mean to you? Well, we need your help. While the committee will select new inductees from the Candidate list every year, what I need from you is help building the candidate list. I expect the canon to grow over the years to include over 100 titles, which means the candidate list should be at least twice that size.

So here’s the ask: We need you to nominate books for the candidate list, but in order to nominate a book, you must submit a book review. This may seem onerous at first, but bear with me. A review accomplishes two things. First, the book review will get posted immediately once approved, and we won’t have to wait for a committee member to read the book and write a review. (A system like that would take months and create a bottleneck.) Second, and maybe more importantly, you have to feel strongly enough about your nomination to put some skin in the game. If you feel passionately about putting your book on the candidate list, you should at least have enough passion to spend a few hours telling us why. So please, submit as many nominations as you wish, but first write a book review for each. The requirements for the book reviews are listed on the Cybersecurity Canon website.

We are accepting nominations for the Cybersecurity Canon Candidate list through the end of November 2014. Between December 2014 and February 2015, the committee will finalize the list of books on the candidate list. In February 2015, we will open the candidate list to the community for voting. The committee will consider the will of the cybersecurity community in deciding which books to include into the Canon in 2015. If all goes well, we will announce the winners at Ignite 2015 – taking place March 30-April 1 in Las Vegas – and we expect to have the winning authors on-hand to sign books. How great is that?

Conclusion

The Cybersecurity Canon is an exciting idea. If you are a lover of great cybersecurity books, I hope you will support our cause. If you have a book that you absolutely love, then please write a book review for it and get it nominated for the candidate list. The Cybersecurity Canon is a real thing for our community, and we have designed it so that you can directly participate in the process. Please do so.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Secrets and Lies

For the past decade, I have held the notion that the security industry needs a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

If you’d like to hear more about my Cybersecurity Canon idea, take a look at the presentations I made at this year’s RSA Conference and at Ignite 2014. As always, I love a good argument, so feel free to let me know what you think.

The Cybersecurity Canon: Secrets and Lies: Digital Security in a Networked World (2000) by Bruce Schneier

Secrets and Lies: Digital Security in a Networked World is the perfect book to hand to new bosses or new employees coming in the door who have not been exposed to cybersecurity in their past lives*. It is also the perfect book for seasoned security practitioners who want an overview of the key issues facing our community today. Schneier wrote it more than a decade ago, but he talks about a variety of ideas so ahead of their time that they are still relevant today. Concepts he touches on include:

  • The idea that “security is a process, not a product.” With that one line, Schneier captures the essence of what our cybersecurity community should be about.
  • No matter how advanced security technology becomes, people are still the weakest link in the security chain.
  • The cyber-adversary as something more than just a hacker.
  • Making the Internet more secure by strengthening confidentiality, integrity, and availability (CIA), as well as improving Internet privacy and anonymity.
  • Challenging the idea that security practitioners must choose between security and privacy.
  • Holding software vendors accountable for security risks in their code.
  • The need for a Bitcoin-like capability long before Bitcoin became popular.

The content within Secrets and Lies is a good introduction to the cybersecurity community, and Schneier tells the story well.

The Story

Secrets and Lies demonstrates Schneier’s evolution as an early thought leader in the cybersecurity community and outlines some key concepts that are still valid today.

Security Is a Process

In the preface, Schneier freely admits to thinking in his earlier life that cryptology would solve all of our Internet security problems. In Secrets and Lies, however, he is forced to acknowledge upfront that technology by itself does not even come close to solving these problems. You do not get security out of a box. You get security by applying people, process, and technology to a problem set, and the more complex we make things, the more likely it is that we are going to screw up the process.

People Are the Weakest Link

The weak link in all of this is the people. You can have the best tools on the planet configured to defend your enterprise, but if you do not have qualified people to maintain them and to understand what the tools are telling you, you have probably wasted your money. This goes hand in hand with the user community, too. It doesn’t matter that you spent a gazillion dollars on Internet security this year if the least security-savvy people on your staff take their laptops home and unwittingly install malcode on their machines.

Risk

When it comes to business risk, cybersecurity isn’t its own category separate from more traditional risks. What I have noticed in my career is that many security practitioners and senior-level company leaders treat “cyber risk” as a thing unto itself and throw the responsibility for it over to the “IT guys” or to the “security dorks.” In my mind, this is one of our community’s great failures. It is up to all of us to convey that essential idea to senior leadership in our organizations.

Software Liability

Every new piece of software deployed has the potential to expose the enterprise to new vulnerabilities, and vendors have no liability for this. In other industries, if a vendor produced a defective product that caused monetary damage to a company, that company would most likely sue the vendor with a high probability of success in court. It is not like that in the commercial software business or even in the open-source movement. Vendors will patch their systems, for sure, but they accept no responsibility for, let’s say, hackers stealing 400 million credit cards from a major retail chain. Schneier is aghast that the user community has let vendors get away with this stance.

Adversary Motivations

Secrets and Lies was the first time that I had seen an author characterize the adversary as a person or a group with motives and aspirations.

“Adversaries have varying objectives: raw damage, financial gain, information, and so on. This is important. The objectives of an industrial spy are different from the objectives of an organized-crime syndicate, and the countermeasures that stop the former might not even faze the latter. Understanding the objectives of likely attackers is the first step toward figuring out what countermeasures are going to be effective.”

This was a revelation to me. At this point in my career, I just thought “hackers” were trying to steal my stuff. This is Schneier’s first cut of a complete adversary list:

  • Hackers
  • Lone Criminals
  • Malicious Insiders
  • Industrial Espionage Actors
  • Press
  • Organized Criminals
  • Police
  • Terrorists
  • National Intelligence Organizations
  • Info warriors

In my work, I have found it useful to refine Schneier’s list of people into the following adversary motivations:

  • Cyber Crime
  • Cyber Espionage
  • Cyber Warfare
  • Cyber Hacktivism
  • Cyber Terrorism
  • Cyber Mischief

The bottom line is that these adversaries have a purpose, and it helps network defenders if they understand what kind of adversaries are likely to attack the defender’s assets.

Things Stay the Same

Sadly, even though Schneier published Secrets and Lies in 2000, all of these things are still true, and there is no real solution in sight. Many organizations still think that installing the latest shiny security toy to hit the market will make their networks more secure. They don’t stop to think that they might be better off if they just made sure that the toys they already have installed on their network worked correctly.

People are still the weak link both in the security operations center (SOC) and in the general user community. As I have written elsewhere, talented SOC people are hard to come by, and many organizations still spend resources on robust employee-training programs, but the results are mixed at best.

CISOs are still struggling to convey the security risk message to the C-Suite. Most of us came up through the technical ranks and think colorful bar charts about the numbers of systems that have been patched are pretty cool. The CEO couldn’t care less about those charts and instead wants to know what the charts mean in terms of material risk to the business.

Finally, software vendors still have no liability when it comes to deploying faulty software that results in monetary loss to a customer. This just seems to be something we have all accepted: that it is much better to build a working piece of code first and then worry about how to secure it later. I know entrepreneurs prefer this method because the alternative slows the economic engine down if developers spend time adding security features to a new product that drive no immediate revenue opportunities. But this is the great embarrassment of the computer science field: we have not eradicated bugs like buffer overflows from modern code. How is it possible that we can send people to the moon but we cannot eliminate buffer overflows in code development? Don’t get me wrong; the industry has made great strides in developing tools and techniques in these areas. Just look at the Building Security In Maturity Model (BSIMM) project to see for yourself. But the fact that, as a cybersecurity community, we have not made it mandatory to use these techniques is one of the reasons we are still often considered a “field of study” rather than a mature engineering discipline.
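The buffer overflow the paragraph calls out is worth seeing next to its fix. The C below is a constructed example added to this review; it is not code from Secrets and Lies or from Schneier, and the `struct account`, the field names and the inputs are illustrative assumptions. The unchecked `strcpy` pattern is the bug class in question; the hardened form validates the length against the destination and fails closed instead of truncating silently.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen on glibc */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical login record for illustration (not from the book).
 * If `name` overflows, the extra bytes land in `is_admin`. */
struct account {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: the classic pattern. Nothing checks that `input` fits, so a
 * string of 16 or more characters writes past `name` and clobbers
 * `is_admin`. Undefined behaviour in C terms, privilege escalation in
 * practice. Kept here only to show the bug; never call it with untrusted
 * input. */
void set_name_unsafe(struct account *acct, const char *input)
{
    acct->is_admin = 0;
    strcpy(acct->name, input);          /* no bound on the copy */
}

/* HARDENED: bound the length check by the destination size, leave room for
 * the terminating NUL, and reject oversized input rather than truncate it.
 * Returns 0 on success, -1 when the input does not fit. */
int set_name_safe(struct account *acct, const char *input)
{
    size_t n = strnlen(input, sizeof acct->name);
    if (n >= sizeof acct->name)         /* 15 chars max + NUL */
        return -1;
    acct->is_admin = 0;
    memcpy(acct->name, input, n + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    struct account acct;
    /* Constructed attacker input: 20 bytes, longer than name[16]. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAA";

    if (set_name_safe(&acct, oversized) != 0)
        printf("rejected %zu-byte name (limit %zu)\n",
               strlen(oversized), sizeof acct.name - 1);

    if (set_name_safe(&acct, "alice") == 0)
        printf("accepted name=%s is_admin=%d\n", acct.name, acct.is_admin);

    /* set_name_unsafe(&acct, oversized) is the bug the text describes:
     * the same 20 bytes would overwrite is_admin. Deliberately not run. */
    return 0;
}
```

The check is `n >= sizeof acct->name`, not `>`, because the NUL terminator needs a byte of its own; off-by-one variants of this comparison are a common way "fixed" code stays vulnerable.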

What We Need

In the end, Schneier makes the case for things that the cybersecurity community needs in order to make the Internet more secure. He advocates strengthening confidentiality, integrity, and availability, the CIA triad that is now a staple of Certified Information Systems Security Professional (CISSP) exams. He does not call it CIA in the book, but he talks at length about the concepts. He was prescient in his emphasis on the need for Internet privacy and Internet anonymity and was one of the first thought leaders to ask the question of security versus privacy in terms of government surveillance. He also anticipated the need for a Bitcoin-like capability long before Bitcoin became popular.

The Tech

Unfortunately, when you begin to write a technology book about the current state of the art surrounding cybersecurity, much of what you write about is already outdated as you go to press. As I was rereading Schneier’s book, I chuckled to myself when he referenced his blindingly fast Pentium III machines running Windows NT. The world has indeed changed since 2000.

Schneier wrote Secrets and Lies at the time when the industry had just accepted that a stateful inspection firewall was not sufficient to secure the enterprise.

“Today’s firewalls have to deal with multimedia traffic, downloadable programs, Java Applets, and all sorts of weird things. A Firewall has to make decisions with only partial information: It might have to decide whether or not to let a packet through before seeing all the packets in transmission.”

Besides firewalls, he describes other controls that the cybersecurity community has decided are necessary to secure the perimeter, such as demilitarized zones (DMZs), virtual private networks (VPNs), application gateways, intrusion detection systems, honeypots, vulnerability scanners, and email security. Since the book’s publication, security vendors have added even more tools to this conga line: URL filters, Domain Name System (DNS) monitoring, sandboxing technology, security information and event management systems (SIEMs), and protocol capture and analysis tools.

As of May 2014, the cybersecurity community is mounting a bit of a backlash against the vendor community’s conga line strategy. Practitioners simply can’t manage it all. The best and most recent example of this is the Target data breach. Like many of us, the Target security team installed the conga line of security products and even had a dedicated SOC to monitor them. According to published reports, the controls dutifully alerted the SOC that a breach was in progress but there was apparently so much noise in the system (and perhaps Target’s process was not as efficient as it could be) that nobody in the organization reacted to the breach until it was too late. It’s a perfect example of why many organizations are looking for simpler solutions rather than continuing to add new tools to the security stack.

Cryptology

According to Schneier, underlying everything is cryptology. As you would expect from a cryptologist, Schneier believes that his field of study is the linchpin of the entire idea of Internet security.

“Cryptography is pretty amazing. On one level, it’s a bunch of complicated mathematics. On another level, cryptography is a core technology of cyberspace. In order to understand security in cyberspace, you need to understand cryptography. You don’t have to understand the math, but you have to understand its ramifications. You need to know what cryptography can do, and more importantly, what cryptography cannot do.”

I agree. (Note: The difference between the terms cryptography, cryptanalysis, cryptology, and cryptologist is left as an exercise for the reader.) I would say that the cybersecurity community has failed in this regard. While it is true that cryptography is the underlying technology that makes it possible to secure the Internet, it is still too complicated for the general user to leverage. In light of the Edward Snowden revelations, which showed that we not only have to worry about foreign governments spying on our electronic transmissions but also about our own government doing it, the fact that most people do not know how to encrypt their own email messages as a matter of course is a testament to our industry’s failure.

Kill Chain

Schneier makes a distinction between computer security and network security: the conga line of security tools that make up the security stack at the network perimeter is not the same as the set of tools you need to secure the endpoint. While this is still true today, the cybersecurity community has merged these two ideas since Schneier’s book was published.

The thought is that it does not make sense to consider network and endpoint security separately; it makes more sense to think of everything as a system, as we do at Palo Alto Networks. As organizations develop indicators of compromise at both the network and endpoint layers, essentially the Kill Chain model, the cybersecurity community can develop advanced adversary profiles about the attacker’s campaign plan.

In conclusion, the ideas Schneier examines in Secrets and Lies were years ahead of their time. They show the cybersecurity industry just how far we have come and how far we still have to go. Because of this, Secrets and Lies is a candidate for the Cybersecurity Canon, and you should have read it by now.

*Full disclosure: The first civilian job I took after I retired from the US Army was with the company that Bruce Schneier founded called Counterpane, so I may be a little biased. 


The Cybersecurity Canon: The Girl with the Dragon Tattoo

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

I presented on this topic at RSA Conference 2014 and will also be discussing it at Ignite 2014. I love a good argument, so feel free to let me know what you think.

The Girl with the Dragon Tattoo (2005) by Stieg Larsson

When I read The Girl with the Dragon Tattoo for the first time a few years ago, I got the idea that there must be a lot of books published involving hackers and how they hack. I started to seek them out to see if any of them were any good.

What I discovered was that you could categorize these hacker books into two broad categories. In one category, the author does not really understand hacking at all and does not even attempt to describe how anything is done. I call this the “Harry Potter School of Hacking”: the hackers do a lot of hand-waving and say a lot of magic words like “Sending spike now!” or “Breaking encryption, this will just take a couple of seconds,” but you never really see how they accomplish those tasks. A good example of this kind of hacker storytelling is The Zenith Angle by Bruce Sterling. I loved the story, but Harry Potter might as well have been the main character because the hacking accomplished is magically done.

In the other category, the author has spent some time trying to understand hacking culture and to describe exactly how the hacker did what he or she did. A good example of this kind of storytelling is The Blue Nowhere by Jeffery Deaver, which I reviewed for a previous Cybersecurity Canon post. Deaver gets the technical details right by describing real-world and fictional tools that the two main hackers use against each other. The Girl with the Dragon Tattoo also falls into this latter category. Not only is it a fantastic story, but Larsson also gets the technical details right.

You probably have seen the popular movie versions, but this is one case where you definitely need to check out the book.

The Story

The Girl with the Dragon Tattoo is a ripping-good detective story set in the vicinity of Stockholm, Sweden, during a time when the only way to connect to the Internet from your home was with inexpensive modem lines or expensive ADSL lines.

The story revolves around a disgraced journalist, Mikael Blomkvist, who agrees to take a research case from a very old family patriarch, Henrik Vanger. The case involves the disappearance of Vanger’s favorite grandniece, Harriet, some forty years prior.

At a family gathering on their private island, Harriet disappeared without a trace. The local law enforcement officials suspected a runaway, then suicide, then murder, but were unable to find any meaningful clues one way or the other. Vanger suspects murder and is convinced that someone in his own family was behind the crime, but because the members of his extended family all vehemently hate each other and have a long list of fetishes and prejudices, any one of them could have had the motive to do it.

For the seven years before Harriet disappeared, she gave Vanger a framed exotic flower to hang on his wall for his birthday. For the next thirty-seven years after Harriet’s disappearance, he anonymously received another framed exotic flower in the mail on his birthday. Each flower is a reminder that Harriet is gone, that Vanger has no clue what happened, and that the person sending the flower may be the killer, taunting him. Before he dies, which could be very soon, Vanger wants resolution and hires Blomkvist to solve the case.

With the mystery laid out, Larsson walks the reader through what he really wants to talk about: a culture of violence against women. The book’s original Swedish title translates as Men Who Hate Women, so you know what Larsson had in mind. Lisbeth Salander is the tattooed girl referred to by the English title. She is an orphan, a ward of the state, a hacker with a photographic memory who works for a private investigation firm, and a young woman who refuses to be a victim.

Lisbeth is an amazing character — a real woman with strengths and flaws but who can be held up as someone to admire for her intelligence and determination. Blomkvist hires her to help him with the Vanger mystery, and although the story is told from Blomkvist’s perspective, you come to realize that the story is really about Salander.

The Tech

The story is so engrossing that when I read it for the first time, I got through about 75 percent of it before realizing that I had not seen a lot of hacking by the Tattoo Girl. All Larsson offered was innuendo. Phrases like “the Tattoo Girl hacked my password and looked at my hard drive” pepper the narrative, but Larsson never explains how Salander hacked anything.

I was ready to chalk the entire book up as a good read, but put it squarely in the Harry Potter School of Hacking stories, when I arrived at the second climax of the story. There are two parallel plots running through the book, and the final climax is where the hacking comes in. Larsson describes in fairly good detail how Salander was able to defeat an e-mail encryption scheme central to one of the story’s main resolutions, install a piece of stealthy malcode over time, remotely control a bad guy’s Dell laptop with her Apple MacBook (I think there is a political statement in there somewhere), and reroute his money stored in numerous bank accounts around the world to equally numerous anonymous accounts that she had sole control over. The hacking description is very realistic.

Conclusion

If you like mysteries and if you like stories about hackers, you have to read this book. Be warned: there are a number of scenes that Larsson describes in gory detail regarding the sexual abuse of women. But it’s because of the hacking explanations that I think The Girl with the Dragon Tattoo is Canon-worthy – the techniques described and outcomes created are realistic.

Start with the book, but I’d also recommend you watch both movie versions of the book: the original 2009 Swedish version with Noomi Rapace as Salander and the American 2011 remake with Rooney Mara as Salander. Both actresses provide a compelling and completely different take on Salander, and each is fascinating to watch.

The Cybersecurity Canon: Fatal System Error

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Fatal System Error: The Hunt For New Crime Lords Who Are Bringing Down the Internet (2010) by Joseph Menn

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, captures the early years of the cyber criminal community as it was just beginning to productize its offerings and professionalize so that it ran more like a business.

Most of this book is about the early history of cyber crime. Menn tells the story through two early cybersecurity practitioners: a very young Barrett Lyon, an early cybersecurity services businessman who built one of the first denial-of-service protection companies, Prolexic Technologies, and Andy Crocker, who at the time was an agent for the UK’s National Hi-Tech Crime Unit.

Menn also manages to sprinkle in a discussion of some of the significant cybersecurity milestones from around 1995 to about 2009. He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group called the Chinese Network Crack Program Hacker (NCPH) group.

Menn also describes one of the first and most notorious known organized cyber crime syndicates, the Russian Business Network (RBN), which was virtually untouchable by law enforcement during this period. The owner of the syndicate was the son of a highly placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.

Menn also covers the familiar ground of Estonia, Georgia, and Kyrgyzstan, where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial-of-service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost relishes describing the complete lack of respect the cybersecurity community had for the FBI during this time.

The Story

These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon’s story is how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors’ efforts.

Offshore gambling became popular about the same time that hackers discovered that it was possible to launch DDoS attacks that could take a website or a data center offline by simply bombarding it with random data streams from thousands of computers – a botnet – around the Internet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon’s company owned the technology that could mitigate these kinds of attacks, and the organized crime operators came calling to get his help. Lyon’s story is about how he naively gets involved with these cyber criminals and subsequently tries to get himself out of the situation. It was not easy.

Crocker’s story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders to arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Crocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method to accomplish this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the area.

Menn got a lot of help writing this book from various prominent cybersecurity researchers and journalists of the time. He singles out important commercial cybersecurity intelligence organizations like iDefense, Team Cymru, and SecureWorks. He pointedly casts disdain on several anti-virus vendors, including Kaspersky Lab, as being ineffective, and on the perception that Russians were falsely persecuted by the rest of the world in terms of who was responsible for cyber crime, cyber hacktivism, and cyber warfare.

I do have a couple of quibbles with Menn’s story. He claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet system participated in those offensive attacks, I do not find Menn’s evidence compelling that RBN leaders orchestrated the attack on their own.

Both attacks had too much precision—some would say military precision—to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter, he will talk about events in 2008, jump to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to understand the narrative arc. I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who is responsible for the Estonia and Georgia attacks, so who am I to criticize the way that Menn tells this complicated story?

Conclusion

If you are interested in the evolution of cyber crime, Fatal System Error is a good reference. If you read this book and another that I just recently reviewed, Kevin Poulsen’s Kingpin, you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cybersecurity community. It is worthy of being a part of the Cybersecurity Canon, and you should have read it by now.

The Cybersecurity Canon: Daemon and Freedom

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Daemon (2006) and Freedom™ (2010) by Daniel Suarez

If you appreciate hacking stories like The Girl with the Dragon Tattoo or gaming stories like Ready Player One or stories that combine both like Reamde, you will love both Daniel Suarez’s Daemon and his Freedom™ like I did.

These two books tell one long story and are loaded with seemingly futuristic ideas that are just years away from general deployment. Suarez introduces these new ideas from an old-school hacker perspective in an effort to reboot the world order.

He demonstrates quality writing that gets the technical details right. The two books combine into one story that is Cybersecurity Canon-worthy.

Two Books, One Story

Published by Verdugo Press, but self-published first by the author and his wife in 2006, Daemon is a story about hackers who begin a revolution using near-future technology as catalysts to change the world. The sequel, Freedom™, published in 2010, is really the second half of the story. Daemon and Freedom™ describe a world that is rebuilt from the ground up if hackers were to seat themselves comfortably at the design controls.

The premise is fascinating. Matt Sobol is the long-time CTO and founder of a gaming company that built and maintains a hugely successful World of Warcraft-like massively multiplayer online role-playing game (MMORPG). With that experience, he learned a little something about artificial intelligence and how it interacts with real humans. In the first few pages, though, Sobol dies of cancer. In his place, he leaves behind a software daemon that, in interviews, Suarez has said is a “transmedia news-reading, human-manipulation engine.”

For the uninitiated, the word daemon is “an acronym for Disc and Execution Monitor [used in UNIX environments] and is pronounced {dee-mon}. Essentially it is a program that runs in the background, fully automated, and usually handles mundane activities such as log in requests, initiating transactions, etc.”

Sobol’s daemon is a little more sophisticated. As the mad genius of the story, Sobol anticipates his death, designs a complex logic tree of potential outcomes, and configures the Daemon to watch for those outcomes. His purpose is to inject catalysts into the old-world system to cause revolution, a reboot if you will, and he is not against burning the entire world down to get it.

Suarez tells the story in two parts. The first book, Daemon, revolves around the rise of the Daemon, its disciples in the Darknet community, and how the US government and its corporate partners plan to defeat them. The good guys in the story, the ones organizing against the Daemon, consist of an NSA code breaker, a local California cop, an FBI SWAT team commander, a CIA special operator, and a software security consultant/gamer/hacker.

The second book, Freedom™, focuses on the Darknet reboot aftermath, how society changes for the better after the reboot, and the cataclysmic showdown between Darknet forces and the commercial and government forces attempting to hang onto the past. Some of the good guy forces from the first book eventually switch over to the Darknet side, realizing that there is no going back and that the reboot result is far better than the old system.

The Tech

Some of the hype around Suarez is that he is a legitimate heir to the Michael Crichton throne of storytelling, specifically fiction such as Jurassic Park, State of Fear, Prey, and Disclosure that is about the societal impact of technologies that are just a few years away from reality.

I concede the comparison. Both of Suarez’s books are loaded with fantastic ideas that already exist and could be in common use within the next decade. Things like “sound production without speakers [that] can make voices appear in mid-air,” autonomous vehicles (in 2006, this was four years before military drones became the operational centerpiece to President Obama’s foreign policy decisions in the Middle East), advanced voice-recognition systems, desktop manufacturing, and augmented reality are just some of the technologies that drive the Darknet.

Of course, because Sobol is dead, he needs living surrogates to do his bidding. One of the things his Daemon does is recruit, initially from his game. For the non-gamers in the crowd, people who excel in MMORPGs have a lot more skills than simply pressing the Enter key really fast in order to kill monsters. As they progress in the game and gain experience, they learn how to organize large groups of people from around the world, function within a team to accomplish team goals, assess strengths and weaknesses within the team and of potential adversaries, and plan and execute operations that leverage those strengths and weaknesses for success.

If you think I am kidding, read Rick McCormick’s article in The Verge that describes the epic space battle that occurred in January of this year. In an MMORPG called Eve Online, McCormick estimates that more than 5,000 players joined the fray on both sides of a conflict that ultimately resulted in the loss of more than $200,000 of real US dollars because of the resulting virtual spacecraft damage. Building up fleets of that size takes years of planning and effort. The skillsets involved are quite extraordinary. In the game world, these people are the centers of power and manipulation and the results of their actions can mean real money.

Sobol knows this and recruits the best players in his game by giving them special missions to test their individual skill sets. He eventually sends the best of the best out of the game to accomplish real-world missions, and this is where the hacking comes in.

One of the main recruits is Brian Gragg (hacker name: Loki). Sobol tests Loki by having him break into a remote facility using nothing but his hacking skills. Loki uses a software tool called “Netstumbler” to locate a wireless access point that is using Wi-Fi protected access (WPA) for authentication. He uses another software tool called “Air-Jack” to force key exchanges from the Wi-Fi router and uses a third tool called “Asleap” to collect the wireless key exchanges.

Loki cracks the WPA key by using an off-line pre-shared key (PSK) dictionary, basically a collection of candidate passphrases that he can test (brute force) against the captured key exchanges. Once on the network, he uses a fourth tool called “Superscan” to ping sweep and port scan the entire network. He telnets to the one Unix machine (OpenBSD) that he can see and uses a simple network management protocol (SNMP) buffer overflow attack to compromise it. Once in, he finds that the Unix box is connected to a Web server that is tightly locked down. He uses an SQL injection attack to break in, and Sobol rewards Loki by making him a key operative in the Daemon’s quest.

That sequence is a real-world hack using legitimate hacker tools that could have worked in 2006 (when Suarez wrote the book), and most likely, a hacker could use a variation of it to break into some systems today.

Sobol collects people like Loki, black-hat hacker types, who have no moral problems with killing bystanders and intermediaries for the greater goal. But he also collects people with more socially acceptable skills to round out his new world order called the Darknet. The purpose of the Darknet is all-out destruction of the status quo: corrupt governments and the international corporations that pull the strings in the background. The Daemon infiltrates as many corporations as it can (the good ones and the corrupt ones) via the Internet and through Sobol’s Darknet operatives in the real world. But the Daemon does not destroy these companies; it creates a symbiotic relationship with them. It tells the organizational leadership of these now-infiltrated organizations that if they accept the relationship and some basic behavior rules, they can still function. If they don’t, the Daemon will destroy them.

Many do not comply, and the Daemon vaporizes them by erasing all of their corporate data (and whatever backups they had). Those that comply donate a small percent of their revenue to the Darknet cause but are allowed to stay in business. The money the Daemon collects from the thousands of companies it infiltrates funds the growing Darknet.

Darknet operatives wear specially designed sunglasses that act as a direct connection to Darknet operations. The glasses provide the wearer with an augmented Darknet reality, broadcasting video as an overlay to the world directly to the inside lens. The augmented reality allows Darknet operatives to recognize other members and to manipulate Darknet objects, initially Daemon programs but eventually programs and data sets created by other Darknet members. The Darknet glasses are eerily similar to the Google Glass experiment that we started reading about in 2012.

Darknet operatives plan and communicate through this interface, this D-Space. Their opponents desperately try to crack and infiltrate the D-Space network in order to collect intelligence that will help them defeat the Darknet forces. I found this idea intriguing and realized how closely it mirrors some thinking from the intelligence community in the last decade.

US intelligence organizations have considered the prospect that these MMORPGs could be used for terrorist planning purposes. You can log in from all over the world, your avatar is for the most part anonymous, you have access to voice and message communication services within the game, and the language of the game lends itself to planning the destruction of military and civilian targets. Players use the same language to actually play the game.

Conclusion

I loved these two books. They fit nicely into two separate categories that I like to track: hacker novels that do not exaggerate the genre and the combination of gaming and future intelligence collection.

It is not a perfect story by any means. You have to suspend disbelief a bit to accept the notion that Sobol could anticipate every major response to his Daemon over a three-year period. With Sobol’s great insight, he develops a viable plan to do something about each and every response from his opponents and programs the Daemon to execute that plan, and everything happens without a glitch. Personally, I can’t get my browser to work correctly unless I reboot the computer on a regular basis. But I am fine with that little conceit. Sobol is the mad genius after all, and I have suspended my disbelief for other novels with similar characters. Also, Suarez presents a love story between the good guy hacker and the NSA code breaker that seems a little forced. But these are minor quibbles. Daemon and Freedom™ together represent an engaging story. Along the way, Suarez introduces the reader to some new tech that will be available to the general population in the near future, describes what it takes to be a real hacker, and highlights how the lessons learned through MMORPG development might be beneficial in the real world.

The bigger notion that Suarez gives the reader, one that can be lost with all the other amazing things going on, is that Suarez does not like the direction the country, and indeed the world, is going. He believes that most people do not realize it, but that we are all slaves to some severe controls that our governments and their corporate sponsors place upon us, that we all depend too much on these handlers and give away too many liberties to them in the name of security and fear. The title of his second book, Freedom™, is no accident. He does not believe that we can unshackle ourselves without some sort of major cataclysm. In this exciting story, the Daemon causes that cataclysm.
