The Cybersecurity Canon: Kingpin

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Kingpin: How a Hacker Took Over the Billion-Dollar Cybercrime Underground (2011) by Kevin Poulsen

Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007.

Butler’s downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with amazing descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions.

In much the same way that Clifford Stoll’s The Cuckoo’s Egg reads like a spy novel, Kingpin reads like a crime novel. Cybersecurity professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions that is understood mostly only by the cyber criminals themselves and the law enforcement officials who stalk them.

The Story

Back when I first learned of the Max Butler story, I remember being fascinated at the time that this guy was linked to another strange and amazing story about the hackers behind the TJX breaches in 2007. I even presented the story at RSA in 2010. Poulsen, from Wired magazine, did some of the original reporting on the story in 2008 and then took the time to publish this book about it in 2011.

Butler—a.k.a. Iceman among other aliases—happened to be one of the underground’s most notorious carders. For the uninitiated, a carder is a hacker who engages in the illicit collection (theft) and underground-market selling of stolen credit card information. Butler’s infamy did not just come from his brilliant hacker prowess, however. The hacking community considers him to be a hacker god because of his unbelievable moxie. Poulsen fills the book with unbelievable stories of hacker derring-do, but in my humble opinion, Butler’s most astonishing act came when he decided that he did not like the status quo of the current carding scene.

After Shadowcrew

Two years after the feds shut down the Shadowcrew underground carding forum in October 2004, the carding community was fractured. Multiple carding groups emerged to fill the space left by Shadowcrew, but there was mistrust in the air, and none of the hackers were sharing information. Butler had a naive view of the hacking world and believed that there should be a place for underground researchers to freely share and discuss this kind of credit card information without the worry of getting arrested. He thought there needed to be a place where people like him could meet and discuss tradecraft and business within a trusted environment. So, he decided to fix the situation.

In a 48-hour marathon hacking session, Butler compromised the four leading carding forums of the day, which were run by criminal hackers; stole the user databases that resided there, which included user IDs and passwords; stole the forum transcripts that also resided there, which included everybody’s chat sessions; reinstalled everything on his own forum called CardersMarket; destroyed the data that resided on those rival forums; and then sent an e-mail to every user on the four compromised servers saying that he was now the forum Kingpin. How awesome is that? What ego does it take to even think that you could get away with such an operation? But he did. The customers of the now-defunct servers—the cyber criminals—grumbled a bit. But because they could continue to operate, most stayed on Butler’s new CardersMarket forum.

One of the four forums that Butler compromised was called DarkMarket. This is the same forum that FBI agent Keith Mularski was able to penetrate as an undercover agent just months prior to Butler’s takeover. Mularski convinced the owner of DarkMarket to let him be the forum administrator. Because of that, DarkMarket was the only forum to survive Butler’s attacks. Mularski was scrupulous about making backups, and because of that, he had DarkMarket back online only days after Butler’s blitzkrieg. He remained undercover as a forum administrator and monitored every conversation on the forum for the FBI for two years. Because of that effort, Mularski helped put the puzzle pieces together that ultimately resulted in Butler’s arrest.

Before Kingpin, I always assumed that Butler suspected Mularski as being a fed from the start. According to Poulsen, Butler had traced Mularski’s IP address back to the National Cyber-Forensics & Training Alliance (NCFTA) and knew he was a plant. Butler told anybody on the forums who would listen to him to stay away from Mularski, but nobody believed him.

Poulsen describes how the “new” CardersMarket forum was a cesspool of mistrust and politics, and Butler accused a lot of hackers of working for the feds as they accused him of doing likewise. Nobody got any traction. Butler’s takeover did not instigate a new era of trust and cooperation among the carders; it had almost the opposite effect.

The Tech

Butler’s gateway drug to hacking was probably the online phenomenon called TinyMUDs, the successors to multi-user dungeons (MUDs). MUDs were typically Dungeons & Dragons (D&D)-themed multi-user text-based games, the precursor to the three-dimensional and graphical massively multiplayer online role-playing games (MMORPGs) like World of Warcraft today. TinyMUDs discarded the D&D game elements and allowed users to meet each other and build onto their environments as they saw fit, kind of like the precursor to the three-dimensional MMORPG called Second Life. I recently highlighted this MUD culture in a blog about another Cybersecurity Canon-worthy novel called The Blue Nowhere. Just like both hacker characters in The Blue Nowhere, Butler was an avid TinyMUD player, and also just like the hacker characters, he stored the tools of his trade in unsuspecting compromised sites, tools like NetXray, Laplink, and Symantec’s pcAnywhere.

Throughout Poulsen’s book, it is clear that Butler never really understood where the line existed between white-hat and black-hat activity. One of Butler’s early epic hacks came about when the security community discovered a gigantic security vulnerability in the BIND implementation of the domain name system (DNS).

Thinking that it was his duty as a white-hat security researcher to fix the problem, Butler crafted a buffer overflow attack that leveraged the vulnerability, scanned the Internet for DNS systems that were vulnerable, compromised those machines with the buffer overflow attack, downloaded a rootkit to each of the machines that he now owned, and installed the patch that fixed the vulnerability. He thought he was doing a worthy community service to the world. The owners of all of those DNS boxes had a different opinion.

As a white-hat researcher, he helped develop BRO, one of the first experiments in intrusion detection systems. While assisting the Honeynet Project, he developed a program called Privmsg that allowed him to reconstruct hacker chat messages by listening to network traffic. The guts of Privmsg became a part of BRO.

Wearing his black hat, Butler became an expert at wardriving to find unprotected WiFi sites that he could use to hide his hacking activity. He used the Bifrost Trojan to gain entry into unsuspecting victim computers but modified it to bypass anti-virus engines. He tested his modifications on multiple VMware instances running different versions of anti-virus engines. Then he delivered his creation to other black-hat hackers in order to see what they were doing and to steal their credit card dumps for his own profit. He took advantage of a serious vulnerability in a software program called RealVNC. VNC stands for virtual network console, and the RealVNC software ran on point-of-sale devices on many small businesses’ computers. Like he did with the DNS vulnerability, Butler scanned the Internet looking for vulnerable instances in order to compromise the machines and steal the credit card information that the business owners collected daily. To say the least, he was a little conflicted.

Butler’s business partner, Chris Aragon, was responsible for the money-laundering piece of their illicit carding enterprise. After reading Poulsen’s description of the mechanics, you cannot help but think that being a cyber criminal is really hard work. Most non-geeks never really think about the difficulty of converting stolen credit card numbers into real cash. There is a convoluted process involving specialized equipment and many small transactions involving multiple people. You essentially have to make credit cards, and the accompanying driver’s licenses, by imprinting the credit card numbers and user information onto blank card material. You hand those cards to your mules—in Aragon’s case, four or five young and attractive women—who would spend the day shopping for high-end luxury items. The mules return the merchandise back to Aragon, who in turn sells it on eBay at reduced prices. Poulsen goes into great detail about how Aragon, and later Butler on his own, went about this daily business.

Poulsen also describes how the advent of distributed denial of service (DDoS) attacks originated in the hacking community as a way for black-hat hackers to mess with each other. But when Michael Calce—a.k.a. MafiaBoy—launched an experimental DDoS attack against some prominent public websites—CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade—the cat was out of the bag, and the result was an emergency meeting of security experts at the White House.

Butler used hard drive encryption to protect his data and, by inference, his hacking activity. The thought was that this best practice in the hacker community would protect hackers in case law enforcement seized their equipment. Law enforcement officials could grab the hard drives, but because the drives were encrypted, officials would not be able to read any of the information. When the feds finally showed up on Butler’s doorstep, accompanied by some forensics experts from Carnegie Mellon, Butler thought he was secure. Unfortunately, they showed up almost unannounced, and Butler did not have the time to power his systems down. What he did not realize is that while the systems are running, the key for the encryption is stored in RAM. It took them a while, but the forensics experts were able to find the encryption key in RAM and unlock Butler’s hard drives.

Conclusion

Poulsen nails this story. He recounts the transition of Max Butler from pure white-hat hacker into something gray: sometimes a white hat, sometimes a black hat. The technical hacking detail is fascinating, but more importantly, Poulsen is able to pull the curtain back on the cyber criminal world and describe how it functions with a lot of detail. You should have read this by now.

The Cybersecurity Canon: Worm


Worm: The First Digital World War (2011) by Mark Bowden

Worm: The First Digital World War is the story of how the cybersecurity community came together to do battle with what seemed at the time to be the largest and most significant cyber threat to date: the Conficker worm, which was covered frequently by Palo Alto Networks researchers, among many others.

It was the time of the Estonian and Georgian distributed denial of service (DDoS) attacks, and the Conficker botnet was growing to be the largest DDoS delivery system ever created. A white-hat group of cyber übergeeks formed the Conficker Cabal to stop the worm because most of the world could not even understand it, let alone do something about it.

Mark Bowden, who wrote Black Hawk Down: A Story of Modern War among other books, accurately captures the essence of our cybersecurity community in times of crisis. He compares us all to cybersecurity superheroes, like the X-Men of Marvel Comics fame, because of what he sees as our superhuman ability to work with computers and our desire to help each other.

Seasoned security professionals will learn nothing new here in terms of technology and craft, but they will remember that time and how we were all very worried about 1 April 2009: the day that the world thought that Conficker would come to life.

I think freshmen security practitioners will get a lot out of this book, however. Bowden does a great job of simply and clearly explaining many of the key technical pieces that make the Internet run. If you’re new to the community, this book makes a great introduction. It is canon-worthy material, and you should have read it by now. (But more importantly, how can you not like a book where the author favorably compares the cybersecurity community to the X-Men? As Stan Lee likes to say, “’Nuff said.”)

The History

When Bowden published Black Hawk Down, I was blown away. In that book, Bowden puts you right in the streets of Mogadishu, Somalia, with the soldiers, rangers, and bad guys who made up that fight. And then, when the 2001 movie came out and was equally as intense, I felt like I had some smidgen of understanding regarding what the U.S. armed forces had to deal with during this specific fight but, more generally, what they have to endure every day when they are deployed to areas like the Middle East.

When I heard that Bowden was taking a stab at the story behind the Conficker worm, I was excited. He is a high-caliber author attempting to describe the geeky details of the cybersecurity community at a key point in our history. I was hoping that he would make what we do in the security community sound as interesting and astonishing as he made the soldiers sound in Black Hawk Down. I think that he accomplishes this task but not in the way that you might think. He succeeds in giving a bird’s-eye view of our community’s collective thinking process. He captures our almost universal and delightful—if somewhat naive—belief that we should all help each other out and contrasts that to the relative size of our egos and how self-destructive that can be to a group effort.

As you may recall, Conficker is a worm that started targeting victims running the Windows operating system in 2008. For non-techie readers, a worm is a piece of malicious code designed to compromise a computer and then replicate itself automatically through the network to as many computers as it can. Every compromised host belongs to the worm’s collective called, in generic terms, a botnet or a robot network. It is a robot network because the owner of it can direct every machine within the collective to do his or her bidding: deliver spam, decipher encryption, dispatch denial of service attacks, etc.

John Brunner, the author of The Shockwave Rider, first wrote about the idea of a worm in his prescient 1975 novel a full decade before the Internet was more widely talked about. Around the same time, Robert Thomas built the first proof-of-concept worm called Creeper, which was designed to be an experimental mobile program in which the program itself would look around the network to find the best computer to use for its task. It was not until 1988 when the Morris worm brought the Internet to its knees that we all began to understand what a malicious application of a worm might accomplish.

Today, botnets are reusable. Authors send new instructions to their botnets when they want to repurpose them through some sort of command-and-control mechanism. The difference between a virus and a worm is that a virus does not try to spread on its own. Good worms spread very fast. Famous worms in our short Internet history include the Morris worm, Code Red and Slammer.

In the Slammer case, the worm infected 90 percent of the vulnerable computers connected to the Internet within ten minutes of the first infection. Let me restate that again so that you understand the magnitude of that incredible statistic: of the 75,000 machines connected to the Internet that were vulnerable to the attack, the worm compromised 90 percent of them in the first ten minutes after it compromised victim zero. The mind boggles.

Security researchers first noticed the Conficker worm at the end of 2008. Microsoft immediately patched the vulnerability in its operating system, but because many of the computer owners who run the Windows operating system do not patch their systems regularly, they were vulnerable to the attack. By the end of 2010, as Bowden explains, infection rates had grown large enough to pass the Slammer worm infection rates of 2003. Strangely, the botnet owners had not done anything with the system yet. Between 2008 and 2010, the botnet sat idle, growing exponentially but never being used, growing around the same time as other real-world cyber events took place, including the 2007 DDoS attack against Estonia and the 2008 DDoS attack against Georgia.

The community had DDoS attacks on the mind. Prominent individuals in the security community became alarmed that this new threat, this new weapon, this largest denial of service machine ever created, was continuing to grow unabated. Some decided to do something about it. The “cabal,” as it was affectionately referred to by its members and later changed to the Conficker Working Group, had many security luminaries.

The Story

Bowden spools the story out in two threads. The first thread is the description of the punch-counterpunch between the cabal and its adversaries. It’s fascinating and shows how two groups of übergeeks—the cabal and the Conficker authors—who understand the Internet and its systems in a way that mere mortals could not comprehend did battle over a two-year stretch in a classic white-hat-versus-black-hat confrontation. Rarely does the public get to see this interchange in the public arena. Other books that cover similar battles are Clifford Stoll’s The Cuckoo’s Egg and David E. Sanger’s Confront and Conceal, both of which I’ve already reviewed for the Cybersecurity Canon.

The second thread of the story is about the people working in the cabal. This is where Bowden hits the ball out of the park as an author. He compares the group members to the X-Men, the famous Marvel Comics super hero team with mutant abilities:

“What were superheroes, after all, but those with special powers? Marvel’s creations were also invariably outsiders, not just special but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking wise, suspicious of authority, both governmental and corporate.”

Bowden describes how most of the cabal members had realized at one time or another that compromising computer systems was pretty easy. That ability was their “mutant superpower.” Most “normal” people have a hard time simply understanding the computer’s on-off switch. These übergeeks did not. And when they were doing their normal day jobs, they assumed the role of the mild-mannered Clark Kent: not intimidating and practically invisible to the rest of the world.

Writes Bowden: “They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the Glaze, but out here in the cyberworld they were nothing less than the Anointed, the Guardians, the Special Ones: not just the ones capable of seeing the threat that no one else could see, but the only ones who could conceivably stop it.”

“The Glaze.” I love that phrase. I have seen it many times on the faces of my friends and family members when they politely ask me a question about what I do for a living. Sometimes I forget and actually attempt to explain it until I get, as Bowden says, “the unmistakable look of profound confusion and uninterest that descends whenever a conversation turns to the inner workings of a computer.”

I think my record for achieving “The Glaze” is less than 10 seconds.

The Tech

To describe the punch-counterpunch of the übergeeks, Bowden has to explain a lot of the technical pieces involved in order to make the story compelling, and he has to describe a bit of Internet history so that the reader can understand why the conditions for the Conficker worm were perfect for when they occurred.

Bowden has a knack for taking complex Internet technology and explaining it in a way that even a non-techie can understand. He uses a wonderful analogy comparing a botnet to the Starship Enterprise, explains the Internet by comparing it to human brain function, and describes buffer overflows by demonstrating how a chef reads recipes and cooks food in a kitchen.

He also does a decent job explaining the function of communications ports, why malcode is packed (compression and stealth), the difference between dynamic and static malcode analysis, why bad guys obfuscate their code, and how public key encryption and the Domain Name System (DNS) work.

Conclusion

Bowden’s critics like to deflate the importance of this book because the Conficker authors never used the system to any significance. Well, actually, two weeks after the 1 April 2009 update, the Conficker authors rented the botnet to a well-known spammer named Waledac, and in June 2011, US and Ukraine law enforcement officials arrested 16 Kiev hackers who used Conficker to steal $73 million from international banking accounts.

However, nobody used the botnet to take down the Internet like the Morris worm did. After the cabal finally succeeded in getting the security community worried about the potential threat, the 1 April deadline came and went with a whimper. The press compared it to the other great nonevent of our Internet history: Y2K. The cabal did not succeed in eradicating the worm from the Internet either. The group stopped it from receiving instructions—check—but they were unable to kill it—no checkmate. At last count, Conficker continues to infect some twenty-four million computers connected to the Internet.

But here’s why I think that criticism is shortsighted. Back then, during the time of the Estonia and Georgia DDoS attacks, we were all still thinking that somebody might try to kill the Internet for some diabolical purpose. That thinking has largely changed since then. Why would bad guys kill the Internet when they need it to accomplish their goals?

Back then, we were all concerned about it. Bowden captures the security community coming together to combat a potential worldwide threat, a threat that few people on the planet could fully understand, let alone do something about. He precisely and, I think, accurately captures the essence of our community, these cyber X-Men with the übergeek superpowers who volunteer to combat this threat simply because they can.

For that reason alone, the book belongs in the cybersecurity canon. But if you are trying to explain some of this stuff to, say, a nongeek boss, this book also might come in very handy. I believe it is canon-worthy material, and you should have read it by now.

The Cybersecurity Canon: The Blue Nowhere


The Blue Nowhere (2001) by Jeffrey Deaver

Jeffery Deaver is best known in literary circles as a crime novelist. He is not normally associated with technical thrillers, but he turned his writing skills in this book to a manhunt-type story where the serial killer in question is also a world-class hacker.

The Blue Nowhere is a cyber thriller written by an accomplished novelist about the hacking culture. It is interesting to compare this to other more recent cyber thrillers written by cyber experts who are writing their first novels, such as Richard A. Clarke’s Breakpoint (2007) and Mark Russinovich’s Zero Day (2011) and Trojan Horse (2012), all of which I’ve reviewed in previous installments in the Cybersecurity Canon. Compared to Clarke and Russinovich, Deaver may not have as much of a technical background, but he knows how to flesh out his characters. The Blue Nowhere feels more like real people in a cyber story as opposed to a cyber premise populated with cookie-cutter characters.

Phate

When the cops in Deaver’s book realize they have a serial killer-hacker on the loose, they break another hacker out of jail temporarily to be their subject-matter expert. What results is a hacker-on-hacker escalation where hackers try to one-up each other in a series of social engineering and hacking operations.

As was the custom in the 1980s, self-proclaimed hackers gave themselves nicknames. The nickname of the serial-killer-hacker is “phate,” intentionally spelled with a “ph” instead of an “F.” Members of the “cracker” subculture that emerged in this decade were mostly teenagers determined to play and share games and other programs they did not pay for. “Cracking” the software so that other members could use it gave the group their name. Members merged skateboard jargon and hacker jargon into a unique lexicon called “leet-speak” where letter substitutions were common on bulletin board communication systems: “ph” for “f”, “z” for “s”, “3” for “e”, etc. On the good-guy side, the recruited hacker is Wyatt Gillette (a.k.a. ValleyMan and renegade334).

There’s a decent love story between Wyatt and his estranged wife and a feel-good father-son mentorship side-story between the lead detective and Wyatt. But the primary manhunt story line is good and Deaver gets the computing and hacking-culture details right.

The Tech 

Deaver does a good job aligning the hacking culture with the gaming culture of the time. During the 80s and 90s, many of the same people who were involved in the hacking community were also involved in the gaming community. That relationship is not quite as common these days, but back then, there was a lot of overlap in the two worlds. You could usually count on the fact that if a hacker had any skill at all, he or she also spent some significant time crawling through multi-user dungeons (MUDs), which are text-based adventure games that are the precursor to the World of Warcraft-styled games we see today.

It turns out that phate and Wyatt both logged significant hours in their MUD of choice called “Access.” In this game, the main point was to sneak up on your opponents and get close enough to assassinate them, to get access to them. phate decided that he needed to play Access in the real world and set off on a killing spree.

The story is set in the late 90s in and around the Silicon Valley, and Deaver does a good job setting just the right tone for the hacker and computer industry culture during that Internet bubble period (1997–2000). He even takes the time to provide little historic tidbits regarding the evolution of computing. phate plans his killing to coincide with significant milestones in computing history, from the University of Pennsylvania announcing the first general-purpose computer to the world in 1946 to IBM’s 1981 announcement of the first affordable home computer for the masses.

phate and Wyatt use a mix of real hacker and forensics tools—like Norton Commander, SATAN (Security Administrator Tool for Analyzing Networks), restore, and HyperTrace—and fake tools that sound genuine—like Vi-Scan 5.0, the FBI Forensic Detection Package, and the DOD Partition and File Allocation Analyzer—to do battle with each other.

Back in my IT days, I routinely ran Norton Commander on my disk operating system (DOS) computers and SATAN on my UNIX networks. For a non-techie, Deaver does a great job of explaining what a computer BIOS is, how hackers and crackers of all sorts had thick calluses on their fingertips because of how much time they spent in front of their computers, and how hackers stash their tools of the trade all over the Internet so that they can quickly grab them from any location in the world. However, his coup de grâce was his explanation of TrapDoor.

TrapDoor is a fictionalized tool that phate develops to track his victims and enemies. phate essentially creates a man-in-the-middle attack by compromising many of the major Internet Service Provider (ISP) border-gateway-protocol (BGP) routers (like Sprint, AT&T, Qwest, and others). These are the routers that form the Internet’s backbone by connecting ISPs. Once phate discovers the IP address of the victim’s computer, he instructs his botnet of BGP routers to watch for traffic to and from that address.

If the botnet sees traffic from that IP address, the botnet redirects that traffic to phate’s own servers for collection and then returns the traffic to the normal packet stream. The victim notices nothing because phate is not on the victim’s computer. That would be a nice trick if a hacker figured out how to do it. In his endnotes, Deaver explains that TrapDoor is not a real tool and that he does not know if any hacker has subsequently built it, nor does he name anybody who might have given him the idea for it. However, it seems unlikely that a crime novelist could develop that attack blueprint without talking to somebody who is at least thinking about how it might be done.

Conclusion 

The Blue Nowhere is a good cyber thriller that gets the technical details right. I put this square on the shelf with other novels about hackers that do not exaggerate the craft. It also has the added benefit of being written by an accomplished novelist who knows a thing or two about plot, character development, and pace. It describes a time that we have mostly forgotten about these days: a time of modems, DOS, bulletin board systems, and the Internet bubble.

For the cybersecurity history buffs in the crowd, Deaver provides a nice window into the hacking culture of the time. It is a good candidate for the Cybersecurity Canon, and I highly recommend it.

The Cybersecurity Canon: Reamde


Reamde (2011) by Neal Stephenson

I’ve already reviewed two Neal Stephenson works, Snow Crash and Cryptonomicon, for inclusion in the Canon. Here is a third: a high-octane, straight-up cyber thriller that elevates the genre in the process.

The novel has everything that a cyber thriller needs: Chinese hackers, Russian mafia, cyber crime, massively multiplayer online role-playing games (MMORPGs), hacking culture, and guns. It is classic Stephenson, and not quite as dense as some of his other works. While it is a wildly imaginative story, the details are real and correct. If you are a cybersecurity professional, you will not learn anything new here, but you will appreciate a ripping good story told within the boundaries of the cybersecurity community you know.

Stephenson centers the story on Richard Forthrast, the founder and owner of the Fortune 500 company that manages T’Rain, an MMORPG. He is a former drug smuggler who funneled his profits into a computer gaming company and turned T’Rain into the most popular computer game on the planet. Across the world, a group of young and talented Chinese hackers and T’Rain players devise an elaborate gold-farming ransom scheme. They create and distribute the Reamde virus, which essentially bricks the T’Rain gamer’s computer until the victim delivers a specified amount of virtual gold to a remote location in the T’Rain online world. The hackers collect the virtual gold and convert the gaming money into real money for profit.

Forthrast’s niece, who is also his employee, inadvertently shares a sample of the Reamde virus with her boyfriend. The boyfriend dabbles in credit card fraud, and when the Reamde virus corrupts the computer network of his Russian mob contact—specifically the group’s pension fund, the obshchak—the Russians come looking for the perpetrator.

What follows is a mad dash around the world as the Russian hackers, with Forthrast’s niece in tow, try to get their money back from the Chinese hackers. They run into a separate collection of international terrorists operating out of the same abandoned Chinese building as the Chinese hackers and an MI6 agent tracking the terrorists. As the terrorists escape and evade the Russians, MI6, and the Chinese hackers, they end up in the backwoods of Canada, Forthrast’s backyard. There’s a lot of fun stuff going on here.

The story is similar in heft—almost one thousand pages—to two other Stephenson works: Cryptonomicon and The Baroque Cycle. But Reamde is a straight-up cyber thriller and Stephenson doesn’t spend a lot of time diverging from the main story as he did in those books.

Gold Farming

Gold farming has been a staple of MMORPGs almost from the beginning of online games. The term describes MMORPG players whose intent is not to play the game as the designers intended. Instead, gold farmers gather as much virtual loot as is available within the game for the purpose of reselling that loot to other players for real-world currency. Most MMORPGs have fully functioning economies, and gold farmers take advantage of that. Entire businesses have popped up, especially in China, dedicated to that effort.

In Reamde, Stephenson takes that phenomenon to the next level. Most MMORPGs distribute loot randomly within the gaming world, but in T’Rain, naturally occurring gold deposits form around the game world similarly to how they form in the real world. Tom Bissell, writing for The New York Times, described it this way:

“Two things have assured T’Rain’s commercial success: actual geological laws have been programmed to govern its terrain (it is this feature from which the game’s name derives); and the game uses a currency system based on real money — treasure mined from the strata of T’Rain’s crust can be transformed into earthly coin.”

If you take a step back from that explanation, you realize that the T’Rain economy functions eerily similarly to the way the Bitcoin economy works. In both systems, the amount of treasure available in the world is finite and is worth only what the people within the economy are willing to pay for it. I could find no reference that confirms a connection between T’Rain and Bitcoin, but I do find it an interesting coincidence. Stephenson is adept at explaining how money systems work. Bitcoin launched in 2009, and Stephenson published Reamde in 2011. Even if the connection was unintentional, Stephenson had to be at least thinking about Bitcoin while he was writing the book.

Wardriving

Wardriving is the act of driving around town with a collection of wireless networking gear, looking for unsecured WiFi routers. In Reamde, the Russian mafia needs to find the Chinese hacker hideout in China. They kidnap the good guys and whisk them away to Xiamen, China, so that the good guys can help them with the search. The good guys, under threat of death, search for the Chinese hackers by wardriving the streets of the city and frequenting the many Internet cafes, or wangbas, that most of the locals use for Internet access.

Lock Picking

Some of the good guys in our story are traditional white-hat hackers (hackers who exploit weaknesses in systems not to steal or to cause mischief but to understand how those systems work and perhaps to offer better ways to build them). One interesting cultural phenomenon that emerged from this hacking culture is a fascination with locks and how to pick them. If you have ever attended DEFCON, you already know what I mean. There is usually a room dedicated to the lock-picking craft, and every time I have wandered in there in the last five years, the room has been jammed with expert lock pickers showing wannabes how to get started. In Reamde, the good guys pick their way out of several locked situations, and Stephenson takes a moment to explain why these white-hat hackers might have that skill.

MMORPG Battle

During the course of the story, the good guys who are working for the Russian mafia deposit the ransom of virtual gold into a remote area of T’Rain in the hopes that the Chinese hackers will unbrick their computers. A problem arises when the T’Rain community discovers the Reamde virus scheme. Many clans within the game stake out the route to the remote location in order to ambush the Reamde victims before they deposit their virtual gold.

In T’Rain, if you kill an adversary in the game, you collect his or her valuables. The Chinese hackers need to collect the ransom and walk it out of the remote area and into a T’Rain city where they can convert the virtual money into real money. With the clans blocking their path, this becomes problematic. What results is a massive clan battle between the Chinese Reamde clan and all of the other T’Rain clans in the game. Stephenson completely captures the complexity, stress, and strategy of directing hundreds of your own teammates who are maneuvering across a vast virtual terrain against thousands of hostiles whose intent is to prevent you from doing just that.

Conclusion

This novel has everything that a good hacker novel needs, right up through a bit about how to survive a zombie apocalypse. It is classic Stephenson without the denseness of Cryptonomicon and The Baroque Cycle, and it elevates the genre of the cybersecurity thriller above other entries in the field. While it is a wildly imaginative story, many of the details are real and correct and you’ll appreciate what a good time this is.

The Cybersecurity Canon: Security Metrics

Security Metrics: Replacing Fear, Uncertainty and Doubt (2007) by Andrew Jaquith

I have been interested in cybersecurity metrics and how to visualize them since before we were connecting the Internet with strings and soup cans. In 2011, I had been looking for somebody to put some rigor to the idea when I stumbled upon a strong, positive review of Andrew Jaquith’s book on Amazon. A little more digging told me this was a book I really should check out.

From the beginning, Jaquith attacks the security community’s sacred cow of applying annualized loss expectancy (ALE) to convince management that the security program it is paying for is working. I have to say that I loved this attack. I remember first learning about ALE when I was studying for the Certified Information Systems Security Professional (CISSP) exam back in the day. I thought then that ALE sounded well and good when you said it fast, but in reality, you were just making up the numbers to plug into a formula that sounded scientific.

According to Jaquith, and most every CISSP preparatory exam book on the planet, “ALE is the monetary loss that can be expected for an asset due to a risk over a 1-year period and is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO).”

Doesn’t that sound precise and mathematical? Indeed it does. But it turns out that there are lots of problems with this formula. The biggest problem is that we don’t know what the probabilities are. How can we possibly know the probability that an advanced-persistent-threat-style attack will compromise the computer that your chief counsel’s secretary uses? This is not the insurance industry; we do not have actuarial tables derived from decades of data collection that can tell us precisely what these adversaries will do, how often they will do it, and how much it will cost us when they do it.

So what, Jaquith and others have asked, do ALE practitioners do in the absence of hard data? They guess. They estimate. They fudge. And when they do this, they undermine the veracity of the very process that they are trying to convince management is so exacting. What good is a scientific formula if all you do is fill it with garbage data?
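To make the garbage-in problem concrete, here is an added example (not from Jaquith’s book or this review) that runs the CISSP formula twice: once with the single “precise” numbers that end up on a management slide, and once with the honest intervals a practitioner actually has for SLE and ARO. Every dollar figure and rate below is a constructed placeholder, not real loss data.

```python
"""ALE = SLE * ARO, and what the result looks like when the inputs are guesses.

Added illustration for the review's argument; all figures are constructed.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy times the
    annualized rate of occurrence, exactly as the CISSP formula states."""
    return sle * aro


@dataclass(frozen=True)
class Estimate:
    """An input nobody can pin down, so it is given as a plausible
    interval instead of one number that only looks precise."""
    low: float
    high: float


def ale_interval(sle: Estimate, aro: Estimate) -> tuple[float, float]:
    """Propagate interval uncertainty through the formula. Both factors
    are non-negative, so the product's extremes are the extremes' products."""
    return ale(sle.low, aro.low), ale(sle.high, aro.high)


def spread_ratio(interval: tuple[float, float]) -> float:
    """How many times larger the top of the range is than the bottom.
    1.0 would be a precise answer; 1000 means the number on the slide
    could be off by three orders of magnitude."""
    low, high = interval
    return high / low


# Constructed scenario, borrowed from the review: an APT-style compromise
# of one executive assistant's workstation. There are no actuarial tables
# for this, so both inputs are honest guesses rather than measurements.
SLE_GUESS = Estimate(low=50_000.0, high=5_000_000.0)  # quiet cleanup vs. major breach
ARO_GUESS = Estimate(low=0.02, high=0.5)             # once in 50 years vs. every other year

if __name__ == "__main__":
    point = ale(500_000.0, 0.1)  # the single number that goes on the slide
    low, high = ale_interval(SLE_GUESS, ARO_GUESS)
    print(f"Point estimate ALE: ${point:,.0f}")
    print(f"Honest range:       ${low:,.0f} to ${high:,.0f}")
    print(f"Spread ratio:       {spread_ratio((low, high)):,.0f}x")
```

The point estimate comes out to a tidy $50,000, while the interval the same guesses actually justify runs from about $1,000 to $2,500,000; the formula did not add any precision the inputs lacked.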

Jaquith’s thesis is that security professionals should abandon imprecise models like ALE in favor of metrics. He says that “[this change in thinking] requires practitioners to think about security in the same way that other disciplines do – as activities that can be named, and whose efficiencies can be measured with key indicators.”

Coincidentally, the first time I read Jaquith’s book, I just happened to listen to the Patrick Gray Risky Business podcast from April 2011 in which he interviewed Brian Snow. Snow is a former NSA information assurance technical director, and he had a lot to say then about the folly of using probabilistic risk assessments, like ALE, to improve the cost-effectiveness of securing nuclear facilities and government information assurance programs.

Snow made the point that these models are fine for standard risks that routinely occur—like what is the mean time to failure of the hard drive in your laptop—but that they fail miserably when trying to predict cases that have high impact to an organization but are not likely to occur. These cases that Snow referred to are called “black swan events.”

Black Swan Events

The “black swan event” term was made famous by Nassim Nicholas Taleb in his 2007 book “The Black Swan: The Impact of the Highly Improbable.” For some organizations, computer breaches are black swan events that Taleb describes as “outliers that carry extreme impact.” They are outliers because the chances of something like that happening to your network are pretty small, but when it does, the cost to your organization is extreme.

Jaquith’s solution is to “… quantify, classify, and measure information security operations in a modern enterprise environment” and to provide “… a set of key indicators that tell customers how healthy their security operations are.”

He spends a good portion of his book, two entire chapters actually, explaining what some of these metrics might be. Your organization might not have a use for all of them, but you will appreciate the thoroughness that Jaquith uses to explain why they should be considered.

As a bonus, he spends a chapter reviewing the fundamentals of statistics. If you are like me and slept through your probability and statistics course in college, you will welcome this refresher. Jaquith’s simple explanation alone about what a standard deviation is and what correlation really means is worth the price of admission.

As an extra bonus, he spends a chapter on visualization. I am a fan of Dr. Edward Tufte, who is in my opinion the world’s leading expert on how to visually display complex data. Tufte devotees will learn nothing new here but will appreciate how Jaquith reduces Tufte’s four seminal books on the subject to six rules:

  • It’s about the data, not the design
  • Just say no to three-dimensional graphics and cutesy chart junk
  • Don’t go off to meet the (Microsoft) wizard
  • Erase, erase, erase
  • Reconsider Technicolor
  • Label honestly and without contortions

The only real fault I have with the book is the last chapter, “Designing Security Scorecards.” Here, Jaquith had the opportunity to show some practical security dashboards that perhaps some real organization used and found useful. Instead, he spends the entire chapter explaining what goes into making a scorecard.

As I got closer to the end of the book, I just knew that I was going to see some dazzling examples that I might use in my own organization. When I turned to the last page and found nothing but the index, I was dumbfounded. He provided no examples of real-world security dashboards. D’oh! So close to being perfect!

Why It’s Worth It

That one caveat aside, Jaquith’s book is well worth the read. I recommend it highly. I dare you to get to the end of that book without learning something that will help you in your current job, and even if security metrics are not your thing, the statistics and visualization chapters will make you a more well-rounded business person.

But for you security professionals out there, this book is for you. It will help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security. You should have read this by now.
