Author Scott J. Shapiro explains the role of ‘upcode’ in famous hacks

Author Scott J. Shapiro explores this debate in a book called Fancy Bear Goes Phishing, The Dark History of the Information Age in Five Extraordinary Hacks, which breaks down how some of the most fascinating cybercrimes were committed and what we can learn from them. Matt Davey, Chief Experience Officer at 1Password, spoke with Shapiro on the Random but Memorable podcast about when it makes sense to use technology to solve a problem like cybersecurity – and when it doesn’t.

Hint: The answer has to do with “upcode” and “downcode” and lawyers being programmers – sort of. Read the interview below or listen to the full podcast episode to get Shapiro’s perspective on why fixing cybersecurity will involve rewiring more than just our technology.

Listen to episode 107 ›

Matt Davey: Can you give us a bit of background on you and why you decided to write this book?

Scott J. Shapiro: I had been a developer-coder through college. I gave it up when I was in the middle of law school and got a PhD in philosophy. Then the World Wide Web came on the scene, and there was just a lot of stuff that I didn’t stay up with. As my career went on, I just forgot all about computers and the internet. I mean, I used it of course. When I wrote a book with my colleague Oona Hathaway on the history of war from 1600 to the present, people kept asking me, “What about cyber war? That’s the new thing, isn’t it?” And I was like, “I don’t know.”

I started doing research on it and I found it almost impenetrable, which was really strange, because I had a very strong background in programming and theoretical computer science, and I had no idea what was going on.

MD: That’s cool that you learned about cybersecurity while writing the book. That gives you an interesting angle to translate it to others who are going to learn along with you.

SS: In my career I’ve always tried to write books that I wish existed so I could read them. And there was no book like this because cybersecurity is a very young field. You either have sensationalistic books that tell us how we’re all going to die, or books that yell at us because our passwords aren’t long enough or because we don’t use a password manager.

I wished there was a book that was readable that would explain how these cybersecurity-related things happen. So that’s what I did. It was really hard to do because it’s really hard to learn about the subject.

MD: In the book, you outline five hacks. One of them I’m assuming has something to do with the Fancy Bear group. What are the details of one or two others?

SS: The five hacks are the Morris worm, the first time that somebody had taken down the internet in 1988. The second was the Bulgarian virus writers from the early 1990s, who were extremely good at writing computer viruses generally for DOS machines and PCs.

Then the hack of Paris Hilton’s cell phone in 2005, and the eponymous Fancy Bear hack of the Democratic National Committee in 2016, which some people think might have led to the election of Donald Trump. And then finally, the Mirai botnet by three teenage boys who put together an Internet of Things (IoT) botnet that took down the internet in October 2016.

“I tried to pick things that were interesting and had an element of mystery."

I chose these five hacks in part because they interested me and they also dealt with different aspects of computer security: viruses, worms, IoT, botnets, nation-state espionage, and just kids acting like idiots. I tried to pick things that were interesting and had an element of mystery. A lot of these hacks, people don’t exactly know how they happened, and so I found it interesting to try to figure them out.

MD: The technologies involved in these hacks are wide-ranging, from IoT to what people might describe as quite easy social engineering-style hacks. Were there commonalities between any of them?

SS: There are commonalities but I just picked stories that I was interested in, so I don’t want to draw too much from any patterns. But the first thing that I would say is that we tend to think of hacking – because obviously it’s very technical – as a strictly technical activity.

But there’s also an enormous amount of social engineering going on. There’s a lot of human manipulation happening in the background, not only in terms of the hack, but because the vulnerabilities that are exploited by these hackers really come about because of some kind of political vulnerability in the rules that regulate our behavior.

In the book I make a distinction between what I call “downcode”, which is all the computer code below our fingertips, and the “upcode”, which is all the rules above our fingertips. That includes our personal ethics, our habits, the organizational norms that were part of our social norms, our legal norms, industrial standards in terms of service – all these kinds of rules that give us incentives to either produce technology or to use technology.

“I make a distinction between what I call “downcode”, which is all the computer code below our fingertips, and the “upcode”, which is all the rules above our fingertips."

What I try to show is that there’s always some glitch, some bug, some vulnerability in the upcode which generates vulnerabilities in the downcode. When we see hackers exploiting the downcode, in some sense, it’s already too late. There have already been so many mistakes beforehand in the upcode.

One of the messages of the book is not to treat cybersecurity as this purely technical activity but also as this political inquiry into why the rules we have give us bad incentives. That’s one commonality.

Another commonality is that in almost every one of these cases the intelligence agencies and analysts confuse young, teenage boys for nation-state actors, and that’s kind of funny.

MD: The upcode, as you say, is always a lot harder and a lot slower to change than the downcode; reprogramming something is usually the easiest route. What do you think we need to change as a society to avoid issues with the upcode?

SS: I imagine your listeners are very familiar with the idea of a stack of code. People talk about having a “full stack”. So we have a downcode stack, but we also have an upcode stack, or a set of interlocking and hierarchical rules which govern our behavior. There are many ways to intervene in the upcode stack to change our incentives.

One example is the Mirai botnet from 2016. A bunch of teenagers put together an IoT botnet – DVRs, security cameras, things like that – and created a very powerful distributed denial-of-service (DDoS) attack apparatus for taking down Minecraft servers. They were able to do this because the IoT devices that they were exploiting had default passwords. In many cases, nobody was able to change the default passwords or they were very hard to change.

The teenagers exploited these default passwords because the passwords were Googleable. They were listed in the DVR manuals. One very simple change in the law, which was a California-enacted security law, required users of IoT devices to change the password when they set it up or take other kinds of precautions. This change essentially eliminated the problem, at least in the United States. It’s not to say that it doesn’t exist anymore, but that one change in a California law had a ripple effect throughout the entire United States, because of how big California’s market is.

“Teenagers exploited these default passwords because the passwords were Googleable. They were listed in the DVR manuals."

That’s just one basic example of a targeted upcode change. Another example of a much more general upcode change is imposing software liability for negligently constructed software that has very bad security vulnerabilities. The book gives lots of examples of how you might be able to change upcode in order to create stronger and more secure downcode.

MD: As someone who works for a technology company, we talk about companies leading solutions, solving things like phishing with technology like passkeys. That might solve a chunk of the problem but you make a great point about how there’s also societal change that needs to happen.

SS: People say, “You’re a law professor, why are you writing a book on cybersecurity? Lawyers are coders! They’re just upcoders, not downcoders. I would like to see lawyers become technologists and, more importantly, work with technology people to try to come up with the right sort of upcode-downcode fixes so that we’re not constantly trying to fix problems that were caused way earlier in the upcode stack and could have been solved sooner and more efficiently.

MD: I think that missed connection between technology and the law happens around encryption as well. It’s “let’s outlaw this little bit of encryption and not this bit.” There’s a huge misunderstanding of one side believing it’s a moral argument and the other side believing it’s a mathematical one.

SS: That’s right. That’s an upcode thing too. In the privacy community, you have people who have very strong values about privacy, which I’m not sure are shared by people outside that community, to be perfectly honest with you. Not that I’m anti-privacy, of course not. I’m actually very strongly pro-encryption. I’m also very against any type of backdoors, and not only for the obvious reasons of breaking security protocols.

“The law has many solutions to the problem of encryption that we can avail ourselves of instead of changing the entire way that the entire world encrypts information."

One thing that people don’t realize is that in U.S. law, which has very strict rules about these things, there are lots of ways of getting around the problem of encryption that we ought to be exploring. That is, the law has many solutions to the problem of encryption that we can avail ourselves of instead of changing the entire way that the entire world encrypts information on the internet. There are so many easier ways of doing it than we are currently exploring right now.

MD: Did writing this book change your outlook on security or cybercrime or the landscape in general?

SS: Yes. The first thing I learned was never believe what you read about the cause of a hack. People say crazy things all the time, but they really don’t know. My favorite example is that The New York Times had this big story about how Paris Hilton’s cell phone probably was hacked, and found that all these celebrities were using Bluetooth-enabled devices, so maybe Paris Hilton’s Bluetooth was hacked. And this is The New York Times! So you think, oh man, maybe her Bluetooth was hacked – until you find out that the cell phone she had didn’t have Bluetooth.

The other thing is, I think so much of the industry is built on fear and freaking people out and making us feel like anything we do to protect ourselves is going to be ultimately futile. But just because a device is hackable doesn’t mean that it’s going to be hacked. The person who’s doing it has to have some incentive to do it. In so many instances, there’s just no incentive to hack your device, because there’s no money to be made from it.

“just because a device is hackable doesn’t mean that it’s going to be hacked."

If you’re a normal person, follow the very basic things that people tell you not to do. Don’t click on links and emails. Use a password manager. Don’t write it on a sticky note and put it on your laptop. If you’re a high value target, I think it’s a very different story. If you’re a journalist, human rights activist, in the C-suite, have control over money, all those things, then you really need to take it seriously, because people really are out to get you.

MD: What’s the main thing that you’d like readers to take away from your book?

SS: I tried to at least make the book fun to read. The stories are just wild, crazy stories. There are a lot of amazing and somewhat funny things that are happening in these stories. I also want readers to learn. I’m a professor. I like teaching, and I would love for people to read the book and walk away thinking, “Oh wow, I learned how the internet works. I learned how passwords are stored as hashes in operating systems.” Things like that. So I would like people to become more secure but ultimately I’d like them to become more educated.

Editor’s note: This interview has been lightly edited for clarity and brevity.

1Password