UP | HOME

Menn2010: Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet

Table of Contents

Introduction

Fatal System Error is a book targeted to a niche audience, that is for sure.

Menn’s writing style has, from my experience, never been good. Personally, I do not mind it, since I focus solely on the information given, yet it has never been acceptable for literature, focusing more on the quantity of facts and details than the storyline. That is what makes this book, just like Menn’s cDc, such a difficult read. Writing this paragraph, it occured to me that the best way to describe it would be: “notes for an article-turned-book”. He has done a tremendously good job gathering and evaluating information, but he did not combine them properly. Had the author taken some extra time to polish the book, maybe reading it more thorougly, I would have no trouble suggesting it to anyone.

After all, I think that this book is important. Not only is it an intersting read but it also highlights some of our society’s problems.

However, the timeline is not linear, jumping from one place to another in a random fashion and confusing the reader with much unnecessary complexity. Some information given is unimportant to the story and the bigger picture, serving only to the further confusion of the reader and taking away from crucial moments in the book.

I do not want to be too harsh on Menn. I get it: details are not only included for their intrinsic value, they also help build the protagonists’ portraits and I am not sure whether taking every such element out of the book would help improve its readability. It is just certain that something should be done in this direction.

Taking a step back, to focus on the better part of the book; Its content is undoubtedly inspiring, terrifying, thought-provoking and, being someone who is interested in the field of cybersecurity, I found it very informative.

After all, fbi.pp.ru and mazafaka.ru are excellent naming templates for one’s server1

The book at a glance

Most of the books content is, honestly, frightening. I could not believe the levels of corruption worldwide (and how deep its roots are in the Net). Almost every sentence in the book filled me with sadness and disgust. How can something so beautiful and universal as the Internet have such an ugly dark side…

Cybersec Philosophy

The ethics behind this particular aspect of infosec are a constant theme of the book. Not only do we see Barret’s and Andy’s evolution on the topic, but through the pages book the horror that cybercrime entails becomes apparent, just like the damages for every involved party.

Sadly, the reader also witnesses the weaponization of the cyberspace. No longer would anyone in the governmental bodies care about Barlow’s Declaration of the Independence of the Cyberspace; All it does is remind us that cyberspace knows no boundaries. We are not only its users but its guardians as well and we should care more about fixing this problem. 2

State and Crime

Even though the book could be considered a brief history of cybercrime it deals with so much more than just that. What I believe is the most crucial element in the book, is the power dynamics that developed over time, shaping the Internet as we know it.

Sometime, too long ago for me, yet closer to the present for others, a large percentage of cybercrime consisted of DDoS attacks, coordinated by criminal groups and organizations against companies, blackmailing them to get money otherwise the (potential) clients would have no way of reaching those companies’ websites. That did not last for long, though it was not because of the advancements on the blue-side.

There were companies like Barret’s Prolexic, actively fighting DDoS attacks and mitigating their risk, but the threat actors, gaining power from every new vulnerable device connected to the internet, evolved much quicklier; It was no problem even for teenagers to launch DDoS attacks against websites they did not like.

Cybercrime simply moved on. A better alternative to DDoS attack had been found, and it was Identity Theft. The author suggests some pretty terrifying statistics here, stating that it is so widespread that more than 4/10 Americans have fallen victims. But… could not the states do something to deal with it?

Unfortunately governments of the world did not stand up to the task. While there was a little bit of movement3, there was minimal to no improvement for the common computer user. Instead…

  • April 2007: Russian Attack On Estonia
  • 2000-2003: Chinese Attack on the U.S: Operation Titan Rain
  • 2005-2010: U.S (and Israeli) Attack on Iran: Stuxnet

We can do better

Getting Away With It All (Messed Up)

What can we do?

While it is easy to feel overwhelmed by the burden we have to bear, there are things we can do to gradually get out of this cybersecurity mess we have found ourselves in. The answer does not lie in wasting money on various kinds of security products to make our machines impenetrable. There is no such thing4. What we can opt for is raising the lower bound5.

Straight from the book:

Turning on a home PC without a strong firewall and without an operating system and antivirus software that each update automatically is like leaving a loaded shotgun on the front porch for passersby

So… what to do:

  • Keep your applications and operating system out of date

    Windows users have a right to feel enraged by that, it is however vital that you do not miss out on security patches. If you do, there is no one to blame but you.

  • Follow some standard password policies
    1. Use a password manager
    2. Different strong passwords for each site
    3. Use 2FA
    4. Maybe signup on HaveIBeenPwned. This project notifies you of breaches in which your email is present.
  • Shame politicians and companies into action and make sure to criticize.

    These are fundamental in any democratic society and thus, not limited to the cybersecurity conversation. Just like it occured to me in footnote 2, such actions should also be extended to the environmental public discussion.

    1. An example I would like to cite here, is access to the internet through an ID card. Terrifying is not it? Yet it was proposed sometime back to become a law…6
    2. Second example: Even though it was not ( to my knowledge ) a result of public pressure on Google, their approach to China’s censorship shows there is hope.
    3. A good starting point of pressure would be the empowerement of international internet organizations such as ICANN. Should these bodies have more control, the internet would be a safer place. A second, also important point could be made out of the necessity that those in power listen to the experts.
  • Listen to the experts

    The information security landscape is constantly changing. While the time one can spend on improving their security is limited and, frankly, not so effective after some time, try to stay up to date with the latest practices.

  • Note to SysAds/Techies

    Yup, it has been said many times but… Try to pass on to your friends, coworkers, family members the importance of some standard practices. You will, undoubtedly, get some annoyed looks but, better safe than sorry

Footnotes:

1

These are the names of Russian servers used in criminal operations.

2

It seems that:

  • We are failing miserably
  • These sentences could also be used to describe the current situation with our planet.
3

U.S.A2010: Jay Rockefeller’s and Joe Lieberman’s Senate bills

5

In algorithm analysis, the lower bound is the minimum amount of (abstract) steps the algorithm needs to perform in order to complete the given task. Here, it can be translated, as raising the bar ( in a global level ) for someone to gain control of a personal computer, IoT device, or any Internet connected device in general.

6

Unfortunately, I have no sources on this one, other than the book itself. I’ll happily appreciate any feedback here.

Originally created on 2022-03-26 Sat 00:00