Books: Attack Surface

Attack Surface is the latest novel by amazing author and journalist Cory Doctorow. Cory is one of those people with whom almost anyone interested in digital rights and online privacy is likely at least somewhat familiar. While I followed Cory on Twitter (back when I still used Twitter) from my early days on the platform and regularly read his content on Boing Boing, I never read any of his books until Craft Brew Geek convinced me (not that it took a lot of convincing) to read Little Brother and Homeland. The two are young adult novels in a series that ostensibly address the fallacy of “I don’t need to worry about my privacy if I have nothing to hide.” While categorized as science fiction, the books are set in a very near future, featuring invasive technologies that either 1) are actually present today or 2) aren’t that far off. The novels should essentially be required reading at this point for anyone who uses technology (i.e. basically everyone). They were the topic of Episode 15 of the Unusually Pink Podcast, while Mark and I more recently discussed them in the Same Shade of Difference.

Attack Surface is the 3rd novel in the series. Set a few years after the events of Homeland, it switches things up a little bit by focusing on one of the supporting characters from the first two novels, Masha. In the first two novels, Masha has been on the inside of extremely invasive government surveillance programs and also has had some whistleblower run-ins. Attack Surface zeroes in on her perspective.

In a vacuum, I feel like Attack Surface is an extremely good book, and I would highly recommend that everyone give it a read. It provides a very real and very terrifying look into the type of surveillance that’s possible in the world of state-sponsored threat actors. Operational security guidelines are almost always prefaced with the idea that not everyone has the same opsec requirements. Attack Surface showcases the absolute worst-case scenario of state-sponsored APTs and what they’re capable of doing in terms that aren’t very far-fetched. I also enjoyed the change of Masha becoming the main character. In my opinion, at least for the first two thirds of the novel, she provided a nice dose of realistic pragmatism that contrasts sharply with the almost wistful naïveté provided by Marcus in the first two books. That being said, I’m a bit more critical of the writing in Attack Surface than I was with Little Brother and Homeland for reasons that I’ll get into a little later on. Likewise, I feel like the novel had an excellent opportunity to really set itself apart from the first two books in the series, but in the end it kind of fizzled out into more of the same.

As I mentioned previously, Little Brother and Homeland are categorized as young adult novels; the publisher, Tor, published them under their Tor Teen line. Attack Surface is published under Tor, and from the start of the novel it’s apparent why. I haven’t dug into things to see if this was the intent, but it certainly feels like the novel is aimed at a slightly older audience. Masha regularly drinks to excess and enjoys using colorful language; maybe that’s why I enjoyed her so much as a protagonist. The subject matter for the book often ventures into areas untouched by the first two novels; Masha regularly deals with sexual harassment, the violence depicted is frequently more severe than before, and a rape is described with enough detail to make anyone with a moral compass feel uncomfortable and angry at the same time. Personally, I feel like this setup works well, if indeed that was the goal. Readers who may have actually been in the “young adult” range when the first two books came out would likely now be old enough to be looking for something with a bit more substance to it.

However, I feel like this comes with an additional price tag for an author when it comes to telling the story, and I didn’t feel as though Attack Surface was really up to the task. The story is told alternating between Masha operating at the present and Masha reliving moments of her past. It’s a nice technique that slowly bridges the gap between what happened behind the scenes in material not covered in the first two novels and brings Masha up to speed in the present. Only… it doesn’t. After covering how Masha originally got started with the DHS and how she moved into the private sector with security contracting for the government, it covers how she eventually came under scrutiny for possessing the classified intelligence she had that she gave to Marcus in Homeland. After the resolution of Homeland, though, there’s just a massive gap in time. At the start of Attack Surface, Masha is working for yet another security contract firm… after she was literally kidnapped and imprisoned in Costa Rica by the last one? What on Earth has to happen to make someone decide that’s a good decision? While it may be easy to think sweeping those details under the rug isn’t a big deal, I personally think it’s extremely relevant when she spends such a significant amount of time in the present debating her lifestyle and what her next security job should be even while she grapples with the knowledge that the work she’s been doing doesn’t make the world a better place. She has direct, firsthand knowledge of the seedy inner workings, rife with illegality and no one questioning if because we can means we should. This seems like a hole in the plot extremely relevant to Masha’s present state of mind.

Likewise, the ending just felt haphazard to me. Masha ends up moving back to Berlin to do… what? No one knows. She laments multiple times throughout the novel that she has a lot of money at her disposal but not that much money. Being able to continue earning money is a common quandary for her when she’s trying to figure out her next move, and she ends up giving up many opportunities for that during the climax of the story. Are things good for her? Did she end up making an even bigger sacrifice than she had conceived in the moment? I feel like the latter could have added some gravitas and made the climax less campy.

Speaking of the novel’s climax, as mentioned before I couldn’t help but feel disappointed that it just turned out to essentially be the same as the first two novels. The book started out very strong and very different from the rest of the series, with Masha doing contract work in a fictional eastern European country simmering on the brink of revolution against an authoritarian government. Masha is playing both sides, installing intrusive Internet trackers by day and helping protesters avoid them by night. Shit hits the fan almost immediately, which leads to Masha being terminated from her position. She ends up going back to the United States, and by the halfway point of the novel Marcus and Ange are once again prominent characters. The story settles into a bit of a familiar routine, and suddenly it’s up to the same handful of white kids to save the Bay Area… for the third time. I know I’m tainted a bit by my view as a jaded millennial, but that was why I liked Masha’s pragmatic and frankly realistic outlook so much. While I understand that part of the novel is exploring her personal growth while she changes her viewpoint, I saw the erosion of that pragmatism to the same flavor of “everything’s going to work out if we stick together and do the right thing!” viewpoint coming straight from Saturday morning cartoons in the 90’s and spouted by Marcus as disappointing. The unrealistic kumbaya session after the final protest could have been tempered a bit if we had more details of Masha’s aftermath, but as I mentioned that information wasn’t shared.

If anyone is still reading this, they’re likely confused as to why I said at the start of the post that Attack Surface is an extremely good book since all I’ve done over the past 5 paragraphs is rip into it. I really do think it was a good book, but it’s a good book in the way that Little Brother and Homeland were already good books. I don’t feel like Attack Surface did anything to differentiate itself; it’s basically telling the same story for the third time, and that’s why I’m so critical of it. I feel as though the first half of the novel set the plot up to tell a fresh story with a fresh take and fresh consequences to a more mature audience. Instead, it played things safe by going back to the same story we’ve heard twice before. While that’s a strong and important story, don’t get me wrong, Attack Surface could have been so much more.

Books: Hands On Hacking

While I’ve been stuck at home as the global coronavirus pandemic rages on (currently on day 241 of quarantine, for those who listen to the Same Shade Of Difference), I’ve been trying to make the most of my time in captivity with lots of reading, training, and personal projects to learn as much new stuff as I can. One of the items that came on to my radar a few months ago was a new infosec book titled Hands On Hacking from Wiley. Written in part by Hacker Fantastic, who I’ve followed on Twitter for quite a few years across my various accounts, I figured it would be a good refresher for some of the hacking concepts I’ve used before and a primer for newer tooling that I’m not as familiar with.

As you can see from the book’s cover, the idea is to teach “purple teaming”, which is the idea of doing away with the silos for the “red team” that tries to breach systems and the “blue team” that tries to defend them. The book covers the full gamut of hacking, starting with open source information gathering to get as much data as you can about your target before actively engaging with any of their systems all the way through compromising web applications and moving laterally through internal systems.

All throughout, the book uses purple teaming as a focus; it very clearly outlines that taking part in any of the activities covered without the express consent of the owners of the system can carry severe legal penalties. The goal is to assist you with either a career as a penetration tester or to give you the tools and knowledge to be able to pen test and secure your own systems that you manage. You will not read the book and immediately find yourself living the life of a Mr. Robot character.

The book, in my opinion, is very well written. While I was familiar with most of the concepts covered, I think it was written in a way that makes the material approachable even for readers without much prior knowledge in the world of infosec. That being said, while there is a good bit of hand-holding in the introduction to Linux, I think there are some basic, assumed competencies in the world of computing. I don’t think that’s a fault; you really have to draw the line somewhere, and I think the authors did a fantastic job of making everything as approachable as possible.

The book comes with a complete lab environment with virtual machines pre-configured to be exploitable in a fashion to demonstrate the concepts covered in each chapter of the book, giving readers the option to either read the book purely for information or to work through the labs and practice executing the material discussed. In my mind it’s essentially like a self-guided, DIY version of something like the excellent Foundstone Ultimate Hacking class that I was fortunate enough to take a few years ago.

If you’re already a skilled hacker, is the book going to enlighten you to new, next-level exploits? Definitely not. But if you’re a systems administrator who is responsible for managing the servers at your company, a SaaS admin responsible for identities, or a developer responsible for creating applications exposed to the Internet at large, it’ll give you a very solid baseline for making sure that your own systems aren’t vulnerable to the most egregious of issues. I personally found the open source intelligence gathering chapter very useful; it covered techniques and services for determining the amount of information about your company and specific details regarding the employees that’s available to literally anyone with an interest in finding out more. It’s allowed me to work through setting up some scripts to automatically check on this and notify me when perhaps more information is leaking out than it should due to things like 3rd party breaches where users may have signed up with a company email address.

Similarly, I think the book is also a good read for leadership-level people who may not need to know the technical details of how hacks are accomplished but need to be mindful of what’s possible and what their employees should be looking for when developing and administering systems. These readers likely don’t need to go through things like achieving the exploits themselves in the lab (though obviously it’s cool if they want to), but the book can serve as a nice reference for what the company’s employees should be looking for when they decide to roll out a new service or application.