Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks
by Scott J. Shapiro
Farrar, Straus and Giroux, 2023, 432 pp.
Crime has decreased significantly in the United States since the 1990s. Today, Americans are much less likely to become victims of burglary, theft, arson, and vandalism. But as everyone has moved online, so has crime. The majority of property crimes are now cybercrimes—including identity theft, credit card fraud, and various kinds of cyber attacks—and they are on the rise.
This development raises serious political questions. What are our digital rights, and how are they upheld? When we’re online, who’s in charge of protecting us? How are our institutions addressing the social transition to the internet?
Our physical world operates under a fairly well-established regulatory regime. There are deficiencies and inadequacies, of course, but if something goes wrong you have the right to seek legal remedy. The digital world is different. The internet is a legal frontier zone, where laws are piecemeal and there is little federal oversight.
The other day someone opened a credit card in my name. It was easy for them to do because I’ve been hacked before; a lot of my data is online, and any bored teenager can give a credit card company my name and an old address and get a shiny new card shipped directly to their door. Which means the onus is on me to prevent a random stranger who buys my data online from tanking my credit score. The thief, meanwhile, is unlikely to face any consequences. Nobody is looking for them.
If you’ve ever used the internet, you’re almost certainly at risk. (If you don’t believe me, you can visit Have I Been Pwned?, one of many websites that alert you to whether your personal information is available for sale.) Many of the sites you use store your personal data. And once enough people use a service, it becomes a high-value target for hackers. Gigabytes of personal information flow to the dark web, where anyone with cryptocurrency can buy them. Accumulate enough information from one person, and it’s very easy to steal their identity.
In Fancy Bear Goes Phishing, law professor and author Scott J. Shapiro explains how we got here—and suggests where we might go next. In clear and lively prose, he tells the peculiar history of cybercrime through five hacks that changed law, society, and politics. As technology plays an increasingly large role in our lives, cybercrime shows how connected we’ve become and reveals the cracks in our online systems.
Shapiro’s big idea is pretty simple: hacking is about humans. “Understanding what is happening in the cyber-realm,” he writes, “means staying focused on humans and the norms and institutional forces that guide them.” Fancy Bear Goes Phishing is more hacker biography than cybersecurity manual or computer explainer (though there is a welcome amount of the latter). Shapiro is fascinated by the people who figure out how to break systems, whether to make money or just to show they can.
Shapiro has a lot of empathy for his hackers. He dedicates an entire chapter to discussing the psychology of a Bulgarian virus writer named the Dark Avenger. Another is about the unfortunate early life of the man who hacked Paris Hilton’s phone back in 2005. The victims are less explored, though the book describes the financial and reputational damage caused by the hacks.
Shapiro examines the hackers using a framework with three parts: upcode, downcode, and metacode. Upcode is the social and cultural environment that shapes the people who program computers; downcode is the raw computer code itself. “One main difference between downcode and upcode is formality,” Shapiro writes. “The central processing unit does not exercise discretion—it simply executes the instructions it is given.” Computers run the programs you put in them. “Legal code,” he continues, “is significantly less formal. It contains terms such as mitigating circumstances and appropriate sentence that require moral discretion to apply.” The third category, metacode, refers to the physical rules that make computation possible, whose discovery Shapiro credits to British mathematician Alan Turing. Computing is a physical process, and Turing’s main achievement, as Shapiro has it, was to show “how to build a programmable computer capable of solving any solvable problem.” Metacode is what makes the digital world possible.
The five hacks that Fancy Bear Goes Phishing covers come in chronological order, each roughly corresponding to an era of computing. We go on a dizzying tour from the first worm to a mutating virus engine, the hack of Hilton’s phone, the hack of the Democratic National Committee on the eve of the 2016 election, and the Mirai botnet, which was a program that turned things like internet-enabled toasters into a network powerful enough to take down the internet for the entire East Coast. These hacks show how cybercrime evolves in response to changes in technology and society. Our laws—part of the upcode—must evolve in turn.
In chapter one, we meet the young graduate student Robert Morris Jr., who wrote the first worm—a malicious, self-replicating computer program. It infected nearly the entire nascent internet, from university labs to government machines, and caused hundreds of thousands of dollars in damage. The act wasn’t malicious; Morris apparently referred to it as “the brilliant project,” something undertaken just to see if it would work. After learning he was in trouble with the FBI, he fainted. The kicker? Morris’s dad, Robert “Bob” Morris Sr., had recently become chief scientist for the National Computer Security Center at the National Security Agency.
All of this happened just after the U.S. government passed the Computer Fraud and Abuse Act of 1986, one of the first U.S. cybersecurity laws. Morris might have appeared as an obvious target for the federal government under the new legislation, but as Shapiro points out later, the law didn’t prohibit writing viruses—which are most likely protected speech under the First Amendment. Instead, it “criminalized the intentional release of malicious code leading to unauthorized access” of government and bank computers.
Morris was still eventually convicted. Because of how interlinked the early internet was, it was almost impossible for any worm released there not to breach government or bank networks. But Morris was given a fine instead of a prison sentence (although he was also sentenced to three years of probation). In Shapiro’s eyes, the legal upcode was changing: a jury decided to be lenient despite the letter of the law.
Shapiro relays all this in unpretentious prose. He’s thankfully allergic to the overheated tone that suffuses many true crime stories, and the book prizes plain explanation over literary pyrotechnics. Which is good, because there’s much to explain. Shapiro covers a lot of technical ground—everything from the difference between code and data to instruction pointers and the inner workings of operating systems.
If you’ve never tried to write a website or a program, worms and hacks and botnets can seem confoundingly abstract. It’s easy to think your data doesn’t matter, if only because you can’t see it, or touch it, or smell it. But even if you’re not worried about someone hacking you personally, it should be concerning that the websites and apps that store your data don’t have to be terribly careful with it—that you can be exposed to things like identity theft just because it’s cheaper to do business that way. Shapiro’s book was itself the victim of a hack: an attack on the parent company of his publisher briefly halted its production.
Following the passage of a sweeping privacy law in 2016, companies in Europe face steep penalties for misusing personal data. The General Data Protection Regulation requires organizations to process and store your data securely. More important, it includes severe penalties for any organization that doesn’t comply—a fine of 20 million euros, or 4 percent of annual revenue, whichever is higher. The GDPR requires organizations to notify authorities within seventy-two hours of a breach, and inform customers of data losses without delay. It also enshrines the legal right to be forgotten—the right, for example, to not have a youthful mistake ruin your life simply because someone captured it and posted it online. Americans have benefited from GDPR, too, because companies that do business in Europe have to abide by it.
But hacking has become distressingly commonplace in the United States. “Loss estimates swing wildly, from $600 billion to $6 trillion a year,” Shapiro writes, but either way it’s a lot of lost money and time. For the hackers, cybercrime is big business. Most aren’t out to break into your personal computer. They’re out to make money. If you buy someone’s credit card information online, you can buy anything you want without any real consequences. If you have their social security number, you can take out a loan. (One story in Shapiro’s book departs from this model: the Russian hackers who hit the DNC were engaged in cyber-espionage, with explicitly political goals.)
Despite the growth of cybercrime, Shapiro rejects fatalism. “When we feel that we have no control over our circumstances, when nothing we do makes a difference, we become paralyzed, like the proverbial deer in the headlights, unable to take even the few small steps needed to get out of harm’s way,” he writes. “This feeling of helpless resignation is one reason why computer users practice such poor cyberhygiene—like clicking on links in emails from people we don’t know or using six-digit passwords that start with 1 and end with 6.” Fancy Bear Goes Phishing is an attempt to demystify the systems that increasingly govern our lives—an education in how “our information is stored, used, protected, and exploited.”
While Fancy Bear Goes Phishing makes a convincing case for enhancing one’s own personal security online, it doesn’t address society-wide regulations. Its answer to “who should protect us?” is you, the user. While Shapiro thankfully rejects the idea that there are technological solutions to the problems of hacking, cybercrime, and cyberwar, he also mostly avoids politics. It’s a shame, because the “upcode” of the internet is fundamentally political. And there’s a lot of work to do. Right now the FBI is the lead federal investigator of cybercrime. Judging by its list of recent prosecutions, the bureau mostly focuses on theft, child sexual exploitation, and drug dealing on the dark web. In the United States, it can sometimes feel like there’s little interest in preventing or punishing the kind of low-level offenses that make everyday life harder. That might be because the perpetrators are hard to find. When I reported my identity theft to the credit card company who’d issued the card, they asked me if I had any idea who might have opened a fraudulent card in my name. I had to tell them I had no idea who’d done it, because it might have been anyone.
Ultimately, we’re beholden to our elected and unelected representatives, who decide whether or not we’ll get common-sense laws that actually keep people safe, or double down on the worst aspects of the existing criminal-legal system—like FOSTA-SESTA, federal legislation passed in 2018. FOSTA (Allow States and Victims to Fight Online Sex Trafficking Act) and SESTA (Stop Enabling Sex Traffickers Act) made internet companies liable for anything their users posted regarding sex trafficking. But the definition of “sex trafficking” was expansive. Many websites that hosted adult sections where users could solicit sex workers shut down, out of concerns they might run afoul of the law. As a consequence, sex work has become more dangerous. And FOSTA-SESTA doesn’t even necessarily make finding sex traffickers easier, according to Assistant Attorney General Stephen Boyd of the U.S. Department of Justice, who registered his concerns at the time of the law’s passage.
Other recent legislation is less misguided. The same year that FOSTA-SESTA became law, California passed an internet privacy bill. Virginia, Connecticut, and Colorado have since followed suit. The bills act as a kind of state-level GDPR. Residents of those states are able to request that businesses delete their personal information, ask for copies of information collected about them, and opt out of the sale of their data. The laws also require private businesses to handle sensitive information more carefully.
These privacy bills still largely rely on individuals to take preventative measures to protect themselves. But they also create legal recourse for wronged consumers. Under California’s law, you can sue a business over a hack if the data stolen includes your name in combination with just about any other identifying information.
“Any decision we make must be informed by a deep appreciation of the underlying technology and of our fundamental moral values,” Shapiro writes. “We cannot hand these decisions off to anyone else. We are autonomous agents. These are the choices we must make for ourselves.” Changing the upcode is not an intractable problem. But until that happens, please enable two-factor authentication.
Bijan Stephen is a host and senior editor at Campside Media.