In November 1988, a Cornell University graduate student, Robert Morris, Jr., inadvertently caused a national crisis by unleashing a self-replicating computer worm on a VAX 11/750 computer in the Massachusetts Institute of Technology’s Artificial Intelligence Lab. Morris had no malicious intent; it was just a science experiment to see how many computers he could infect. But he made a serious mistake and set his re-infestation rate way too high. The worm spread so quickly that it shut down the entire computer network at Cornell University, crippled those at several other universities, and even infiltrated the computers at Los Alamos and Livermore National Laboratories.
To make matters worse, his father was a computer scientist and cryptographer who was the chief scientist of the National Security Agency’s National Computer Security Center. Although unintentional and witnesses testified that Morris had no “deceitful or dishonest bone in his body,” he was convicted of felonious computer fraud. The judge was merciful during sentencing. Instead of 15-20 years in prison, Morris was given three years of probation with community service and had to pay a $10,000 fine. Among other things, he founded Y Combinator with his old friend Paul Graham.
The “Morris Worm” is just one of five hacking cases Scott Shapiro highlights in his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks. Shapiro is a philosopher of law at Yale University, but as a child his mathematician father – who worked at Bell Labs – sparked an interest in computers by bringing home various components such as microchips, resistors, diodes, LEDs and breadboards. Their father/son outings included attending the annual convention of the Institute of Electrical and Electronics Engineers in New York City. Then a classmate in Shapiro’s high school biology class introduced him to programming on the school’s TRS-80, and Shapiro was hooked. He went on to work on an Apple II and studied computer science at university, but then lost interest and went to law school instead.
With his Yale colleague Oona Hathaway, Shapiro co-authored a book called The Internationalists: How a Radical Plan to Outlaw War Remade the World, an in-depth historical analysis of the law of war from Hugo de Groot, the founder of international law from the early 17th century, up to 2014. That experience raised numerous questions about the future of warfare, namely cyber warfare and whether the same is. rules” apply. The topic seemed like a logical choice for his next book, especially given Shapiro’s background in computer science and coding.
Despite that background, “I honestly had no idea what to say about it,” Shapiro told Ars. “I just found it all very confusing.” He was then asked to teach a special course, “The Law and Technology of Cyber Conflict”, with Hathaway and Yale’s computer science department. But the equal mix of law students and computer science students trying to learn about two very different, highly technical fields proved to be a challenging combination. “It was the worst class I’ve ever taught in my career,” said Shapiro. “At one point, half the class was bored and the other half was confused. I learned nothing from it, and neither did any of the students.”
That experience propelled Shapiro to try and crack that particular nut for the next few years. He learned C, x86 assembly code and Linux and delved into the history of hacking, achieving his first hack at the age of 52. But he also approached the problem from his field of expertise. “I’m a philosopher, so I like going to first principles,” he said. “But computer science is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It’s a very young field and part of the problem is that people haven’t thought about it from the first principles.” The result was Fancy Bear goes phishing.
The book is a lively, engaging read full of fascinating stories and colorful characters: the infamous Bulgarian hacker known as Dark Avenger, whose identity is still unknown; Cameron LaCroix, a 16-year-old from south Boston, infamous for hacking into Paris Hilton’s Sidekick II in 2005; Paras Jha, a Rutgers student who designed the “Mirai botnet” — apparently to get out of a calculus exam — and nearly destroyed the internet in 2016 when he hacked Minecraft; and, of course, the titular Fancy Bear hack by Russian military intelligence that was so central to the 2016 presidential election. (Fun fact: Shapiro notes that John von Neumann “built a self-replicating automaton in 1949, decades before any other hacker. .. [and] he wrote it without a computer.”)
But Shapiro also provides a penetrating insight into why the Internet remains so insecure decades after its invention, and how and why hackers do what they do. And his conclusion about what can be done about it can be a bit controversial: there is no permanent solution to the cybersecurity problem. “Cybersecurity is not primarily a technology problem that requires a primarily technical solution,” Shapiro writes. “It’s a human problem that requires an understanding of human behavior.” That’s his mantra throughout the book: “Hacking is about people.” And it predicts, for Shapiro, “the death of ‘solutionism’.”
Ars spoke to Shapiro for more information.