Feb 24
Book Review: Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet
posted by Rick Howard
I just finished reading Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn. I was interested in it because the author talks specifically about our Russian analyst, Kimberly, and I wanted to try reading something on my new Kindle.
Overall, I really liked the book. Menn covers the same territory that iDefense has covered in our trends papers since VeriSign acquired us some five years ago. In fact, if you combined all of our trends papers and the trends briefings we have given since 2005, you would have the same content that Menn covers here minus some stuff about offshore betting, distributed denial of service (DDoS) attacks and organized crime.
He covers it all: NCPH, Russian Business Network (RBN), the rise of botnets, the rise of bulletproof hosters, the rise of DDoS attacks, the rise of cyber espionage, the rise of cyber warfare, the impotence of law enforcement, the frustration with cooperating with Russian law enforcement and the lack of respect for the US FBI. He singles out important cyber security intelligence organizations like VeriSign iDefense, Team Cymru and SecureWorks. He pointedly leaves out the anti-virus vendors; he only cursorily mentions Symantec, and he was astonished at Kaspersky's view of the world (how the Russians were not behind Estonia, Georgia and Kyrgyzstan; this is something that Kimberly has been reporting for years, that the Russians feel persecuted by the rest of the world in terms of who is responsible for cyber crime, cyber hacktivism and cyber warfare).
He singles out respected independent security researchers like Kimberly, Joe Stewart (SecureWorks), Barrett Lyon (founder of Prolexic), Andy Crocker (UK's National High Tech Crime Unit, now replaced by the Serious Organized Crime Agency, or SOCA), Rafal Rohozinski (CEO SecDev), Don Jackson (SecureWorks), Jart Armin (independent researcher), Paul Ferguson (independent researcher), Avivah Litan (Gartner analyst) and Dmitri Alperovitch (Secure Computing).
He also points to cyber security journalists like Brian Krebs, John Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John Leyden and Robert McMillan as being the cream of the crop, with which I am in total agreement.
I do have quibbles.
Menn claims that RBN was responsible for Estonia and Georgia, with which we completely disagree.
Menn strongly asserts that organized crime, as in the old "Godfather" type of organized crime, is way more involved in Russian cyber fraud than iDefense believes.
He implies that Russian cyber crime is really the work of a small number of hackers (fewer than 100; my number) and not a cadre of hackers, as iDefense has asserted (more than 1,000; again, my number).
I don't like the way that he jumps back and forth in the timeline; for example, he talks about events in 2008 and then jumps to 2002 and then to 2006. He makes it tough to understand the narrative arc. I understand why he did it, but a timeline of everything might have been useful.
I don't like the way he quotes Kimberly without any association with VeriSign or iDefense, as if she were an independent researcher.
I don't like the way he sources iDefense without any association with VeriSign. We have been a VeriSign business unit for five years.
I didn't think that his first chapters about offshore betting and DDoS attacks were that interesting.
Like I said, these are quibbles. This book is a good historical resource. If you are interested in how we got to where we are today in terms of the cyber security landscape, you would do well to read this book. Menn does not get everything right, but he is close. I am going to add it to my must-read list for cyber security professionals. Here is the updated list:
Novels and Books for Historical Context
(You should have read these by now.)
"Neuromancer" by William Gibson
"The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" by Cliff Stoll
"Snow Crash" by Neal Stephenson
"Fatal System Error: The Hunt for the New Crime Lords" by Joseph Menn
Current State-of-the-Art Books
"Cyber Fraud: Tactics, Techniques and Procedures" by iDefense (shameless plug)
Books You Should Hand Your New Boss as He Comes in the Door
"Secrets and Lies: Digital Security in a Networked World" by Bruce Schneier
Good Hacker Novels that Don't Exaggerate the Genre
"The Blue Nowhere: A Novel" by Jeffery Deaver
Interesting Cyber Security Novels that I Just Liked
"Cryptonomicon" by Neal Stephenson
"Killobyte" by Piers Anthony
"The Zenith Angle" by Bruce Sterling
Gaming and Future Intelligence Collection
"Daemon" by Daniel Suarez
"Halting State" by Charles Stross