The moral of the story is that Russian hackers are scary.

Fatal System Error is an absolutely scary as shit, totally frightening book about today’s hackers and their ties to the Russian mob and how billions of US dollars in terms of identity theft and credit card fraud make their way to the Russian Mafia through this new breed of hacker. The author is a technology journalist who is a decent writer and the book could have been good, and at times, is, but it has some major flaws as well. First through, Menn, the author, traces the lives and paths of new cybercrime fighters in America and Britain, Barrett Lyon and Andy Crocker, as they develop ways to defend against hacker attacks and ultimately carry the battle to them. What they find out and how they did it is shocking.

Lyon, a young California computer geek helped a friend’s company stop something called a DDOS attack (denial-of-service) in the early 2000s. This was fairly new and some hackers had figured out they could start using their computers and other people’s computers in what later became known as bots and botnets to flood a person or company’s single server with data requests, thus bringing it down and bringing it offline. They initially started doing this to offshore gambling sites, where there was majorly big money to be made, and they demanded “ransoms” of some $5,000, $10,000, $20,0000, and as time went by, as much as $200,000, payable in hours, or else these sites would be shut down on a big game day and these betting sites would lose many millions of dollars. One of these major gambling sites heard about what Lyon had done and hired him to quickly defeat a DDOS attack against its company, which Lyon did. The thing I don’t really understand, since this became Lyon’s thing and since the author made such a big deal about this for about half the book and made such a big deal about Lyon’s computer genius, is that it seems to me that Lyon merely obtained and later bought large server farms to build up bandwidth and capacity to defeat the DDOS attacks – and it worked. But that’s not genius! Anyone could figure that out! That’s just brute force defense. There’s no brilliant coding. There’s not even any brilliant networking. No virus traps, no Trojans, no sniffers, nothing. Just server farms. Okay, whatever. He started his own company, with the backing of a number of these gambling companies he was now working for, all offshore, and which he rather stupidly and naively didn’t realize were themselves criminals, er, US mobsters. So, he started his own business with mob money. At some point, he rats them out, loses his business, somehow survives, starts a new business, and discovers that the world of hacking has passed him by, as DDOS is a thing of the past and he has to catch up if he’s going to sell his security skills. Lyon at some point started tracking hackers though various networks, finding that many of them were Russian punks, just teens. As part of this investigation, he came into contact with an English policeman named Andy Crocker, who was doing the same sort of investigation, but on an official basis for his government. Simultaneously, though acting independently, the two began to move in on the “bad” guys, watching as they transitioned from basic hacking to DDOS ransom schemes, then to identify theft and credit card fraud, and finally to government-sponsored cyber attacks on other governments and multinational corporations.

Andy Crocker was a British policeman, former military, now working a national task force dedicated to eliminating Internet crime. As noted, he came across Lyon while researching these hackers who were also hitting British gambling companies. He traced them, like Lyon, to Russia and other Eastern European countries, such as Kazakhstan, Latvia, and Estonia. Like Lyon, he was able to trace the originators of some of these DDOS attacks to actual hackers and found out some of their true identities and locations. He actually traveled to Russia to begin a cooperative effort with the FSB and MVD to locate, arrest, and prosecute these Russian hackers. And although it took great effort and a hell of a long time, they got three of the prominent ones, all young kids who had done a hell of a lot of damage and were responsible for millions of dollars of theft and destruction. But they obviously weren’t the only ones, by far. There were thousands of others and these were low level hackers. They wanted to go after bigger ones. And to their dismay, they found they couldn’t. One they tried to get was the son of the province’s police chief and he was untouchable. The biggest, someone called King Arthur, who was allegedly making a million a day, was unknown and unreachable and was a god in the hacking world. They eventually found his country and he was also untouchable. Andy was told by everyone that no one could go after him. That no one could arrest him, sorry. Someone big was looking out for him. Crocker came to the conclusion that either the Russian mob and or, and more likely, the Russian government was using and protecting the big Russian hackers. It was depressing. In fact, after Crocker returned to England, the Russian prosecutor of these hackers who was so gung ho about prosecuting more Russian hackers was found murdered!

Another depressing thing was just how deeply into Russian society this world of hacking and cybercrime runs. Apparently, St. Petersburg is a monster crime haven. Apparently there’s a mob organization so big and so powerful and so feared that they brazenly run ads advertising their services and skills openly and offer a home to over 100 big league hackers, carders, virus makers, botnet owners, scammers, spammers, crackers, etc. It’s called the Russian Business Network (RBN), and although it’s theoretically merely a network provider, it’s widely thought to be a government-sponsored, mob controlled crime syndicate that is extremely violent, horrendously violent, and very dangerous. And there’s not a damn thing anyone can do about it. It’s completely protected. It seems that virtually everything seriously big, bad, and evil goes through the RBN. No one can penetrate it. It’s a god.

The book goes on to assert that the battle against hackers and cybercrime has essentially been lost. That those who argue that real-time, live use of credit cards is riskier than online use are insane and dead wrong (which is interesting, cause I just read a carding book by uberhacker and now-Wired editor Kevin Poulsen stating this very assertion the author’s denying). That over 30% of America’s credit card numbers, as well as Social Security card numbers and other forms of ID, are in the hands of the Russian mobsters. This book was written in 2010. I imagine if this was true then, it’s probably worse now. It’s depressing as hell. Still, the two times I’ve been victimized by credit card fraud and theft, it’s not been online; it’s been live use theft.

The thing that really irritated me about this book, though, was that the author relied virtually exclusively on these two “experts” (one of whom I question is actually even a real expert) to write the book. Shouldn’t he have sought out sources from CERT, the much maligned (in this book) FBI, Secret Service, FBS (since he went there), big name hackers (go to the source), white hat hackers, other security professionals, etc.? Why rely on two people who may have had five years of varying degrees of success in the mid-2000s, neither of which I’ve ever heard of, and I’ve heard of many major security professionals, when there are so many sources to choose from? It seems short sighted and it seems like you’re limiting your book and your readers’ educations and experiences. I don’t like it. But that’s what he chose to do, so that’s what I have to live with. Still, I dislike it so much, and I dislike the fact that he focuses so damn much of the book on one figure who focuses almost exclusively on a hacking technique (DDOS) that went out of style even before the mid-2000s, that I’m knocking the book down from four stars max to three max. This could and should have been a much better and broader book and it wasn’t. I think the author did the reader a grave disservice. Not a great book with unusual sources, but slightly recommended if you want to wake up sweating in the middle of the night.

I found a number of interesting reviews, one of which impressed me so much, that I’m going to print it here without the author’s knowledge or permissions, but while giving him full credit and hoping he approves. I think he makes some excellent points about the book and they’re worth reading.

Joe White rated it did not like it · review of another edition
Shelves: on-shelf, techread

One star

Thank goodness for Goodreads reviews and bookswap. Reading the prior reviews I had low expectations for this book, and through swap I only wasted money on the postage.
The book can almost be divided into 3 segments. The author seems to only have interviewed two main participants against internet crime, and came away with an incomplete and incoherent understanding of any details of the problem. He almost attributes all the evil on the internet as having a denial of service as the source. Even during the second part of the book, which included the topic of identity theft, he was attributing most of the theft activity to DDoS. I think he just like to bring up the acronym.
Some of the problems I had with the book :

1. There were 90 pages attributed to crimes of US mafia figures, in which the dollar amounts of each occurrence were laboriously spelled out like a Bob Cratchet accountant listing personal losses and moaning about the inability of the FBI to pursue the Gumbas and delegate justice. Literary style could have been extended to a two-page spreadsheet report detailing the who, how, and how much figures. This segment of the book generated the feeling of watching a Godfather marathon movie session, and I felt really diverged from the intent of discussing internet crime in terms of how the internet is the enabling tool. I already suspected that mules carry money, people get killed, and identities are just handles to hide behind.

2. The swashbuckling crime fighting DDoS buster had a girlfriend to whom a few pages were wasted on. Since she was irrelevant to the overall topic, she could have been mentioned once for background, and not introduced as what might have become a significant character (but never did).

3. The mechanics of defeating a DDos attack were never detailed. The server farm set up in Phoenix had the bandwidth and number of servers to defeat an attack, but there were no details provided as to why it was specifically set up in Phoenix, what its components were, and how a direct attack defense was managed.

4. Because the author seemed obsessed with DDoS, he mentioned bots and botnets at least once on every 3rd page. He never described a bot to the laymen. He never made it clear whether a bot could consist of a virtual machine created for a purpose, or whether it had to be an independent 3rd party box belonging to an unsuspecting bystander. The author never fully explained the mechanics of a trojan horse implant, and didn't clarify the difference between a virus and trojan horse. He also never explained what can be done at the individual user level to fend off trojans and viruses, except in a short subject dealing with phishing emails generated by spam during --- DDoS attacks. He never clarified that DDoS isn't necessary for phishing, and neither are bots.

5. Only once was it mentioned that one group switched to Macs because they seemed less susceptible to attack. He mentioned at least twice that you can't sue Microsoft for providing a faulty OS combined with a poorly updated integrated browser, because purchasing a machine with Windows provides only a license to use the software and provides no firm sale transaction in which a person owns the software running on the hardware that they do own. He did mention the Microsoft monopoly on the OS, but failed to mention that Microsoft was prosecuted in conjunction with monopolistic powers only related to installation of a browser. It was never mentioned that Microsoft to this day controls hardware vendor access to Windows, and if the hardware companies dare install anything else but Windows or MS products, they will be heavily penalized in regard to being able to install Windows. If anyone says the Dell sells Linux, I must say that I've only ever been able to find minimal hardware boxes in the very basic desktop configuration, and in selecting one of those choices, there is a radio selection button for the OS that would full form advance to a Windows selection. Phone inquiries were even worse at the individual customer level. Only institutional server customers could purchase equipment with Linux pre-installed. Same story at all vendors except Lenovo, and then only through individual providers.

6. The author in the last 50 pages provides a conglomerated synopsis of headline events and trends regarding contemporary internet warfare across national borders. China is mentioned as a war opponent in cyberhacking, but it is never mentioned that China manufactures a significant volume of the circuitry used in electronics and could very easily, using the subversion techniques described by R.J. Pineiro, hide logic bombs and covert data skimmers within circuit boards and components. This could happen to Apple and all the phone manufacturers, so that their equipment could be subverted despite the installed software. Of course the title of the book was "the hunt for the internet crime lords", so hardware subversion might have been beyond the scope.

7. Since the title was the "hunt for the New Crime Lords who are bringing down the internet", some credit must be given to the author for remaining in the hunt venue, and not providing the extraneous technical details that readers might be led to expect by the book-cover blurb adulations such as "A fascinating high-tech whodunit". The high tech here would be synonymous to an interstate highway providing speeders the ability to go faster.

8. The middle segment dealing with a physical legal pursuit presence in Russia, was in my opinion the redeeming revelation of the book. Life in Russia has never been painted as a Disneyland experience, but the adverse conditions both politically and physically presented here, really underscored the futility of pursuit of Soviet area bad guys in their home territory. ( )

I never really had much intrest in how my computer works until a couple of years ago when particularly gross spam started showing up all over a board that I liked to visit. The spam was so persistant and insideous that the board owners finally gave up and just shut it down. Kind of a shame but not really a tragedy in the grand sceme of things and all the users went on with thier lives. After reading this book, I've learned a lot more all in one place about how spam works and just what the senders of it are after, it may appear to be increaded traffic to dubious web sites but it's really a short cut into your PC that they are fishing for and the program that got onto the board I liked most likely came from the PC of a completely innocent and fully unaware user's computer that basicly "coughed" while in session and gave the whole board a nasty cold.
I really liked this book for the way that it documented past serious cyber crimes, how cyber criminals are not just Matthew Broderick styled sweet kids playing around to see what they can do but nasty folks with Mob and other "real" criminal organization connections. (Corrupt governments also have much to gain from spamming the bejeezus out of even the smallest web site if they feel the voices there are not in step with government policies. Bear in mind that EVERYTHING is computer based these days, you can not use electricity in your house and say with honesty that you don't use a computer. Even if you don't OWN a computer and never intend to, your bank does, your electric company does and so do, most terrifying of all, air traffic controllers.
I am not an alarmist and have no intention of tossing my PC and that is also not the intention of this book, to get everyone so afraid that they stop using computers. I think the point of the book is that we all need to use our computers more, find out how they work so we can protect our friends, family and society as whole as we would by staying in bed and taking cough medicine while sick.
Most well functioning memebers of society use the web an at least a weekly basis and most of us have not a clue as to how it works or what could go wrong with it, we're just happy that we can pay our bills, chat about rock bands and watch stupid videos on demand.
As long as what we want to use our computer for works fine than we don't really look at it's other functions, and that ignorance can be very dangerous for ourselves, our friends and society as a whole.
Using the computer often, keeping up with updates and virus scans can keep us from passing the nastiest viruses on to others.
In the case of computer knowledge, we are at a stage where we just don't have the luxury to say "I don't need to know about that." The more this type of ignorance perpetuates, the happier the criminal element is. We all need to dig our heads out of the sand and start learning about the machines that run our lives lest someone else slips in and starts running them for us.
Absolutely fascinating book full of international espionage, terrorism and men on the frontier of a new age in crime fighting.
This book is not dumbed down but is written well enough that even someone with only basic common knowledge about thier PC, or someone who knows about thier computer but has little intrest in true crime can gain very useful information from it. ( )

"Fatal System Error" is an excellent non-technical introduction to cybercrime and a particular thread of this online activity that took place over the last decade.

Anyone who spends any amount of time using the Internet is familiar with the themes Menn covers in this book: e-mail scams, viruses, hacking, identity theft. He tells the story of two individuals - one a technologist, the other a police officer - and their experiences identifying and developing a legal case against a Russian cyber theft ring. Menn also outlines U.S. and other national organized crime involvement and online gambling's contribution to cybercrime.

"Fatal System Error" is relatively light on technological detail - anyone interested in how botnets work, or better explanations of how the modular viruses emerging in the late 2000's operate, would be better off looking at other texts - but is a straightforward business read.

The last two chapters are the best. The penultimate one deals with how the initially commercial cybercriminals are partnering with national governments to provide infrastructure for cyberwarfare, particularly on behalf of Russian and Chinese interests against their geopolitical opponents. The last chapter is a bit of a wrap-up but looks at some additional successes and how some groups are adapting to block the efforts of the cyber criminals and hackers. ( )