Carey Nachenberg's new novel raises questions about the relationship between fact and fiction in security, writes David Harley
For years my wife had been trying to persuade me to write a Tom Clancy-ish novel, but with a cybersecurity twist. Not that she finds what I do for a living particularly exciting, but she thought that there was far more earning potential in that area than in the matter-of-fact writing about security in general, and malware in particular, that has characterized all my vaguely technical books to date. (Well, I can’t argue with that: if I’d written security books in the hope of making a fortune, I’d be a disappointed man.)
I had read and enjoyed several of Clancy’s books, even though politically and geographically I come from a very different place. I wasn’t convinced that I had a Clancy-ish thriller lurking in my subconscious (I’m pretty sure there isn’t), but I did go as far as dipping into the Net Force books, only to find that they had been written by someone else entirely, and – perhaps unsurprisingly – didn’t read much like Clancy at all, except maybe in some of the characterization. The dialogue was flatter, and I missed the painstaking technical groundwork behind the ‘real’ Clancy books. In fact, their mingling of virtual reality with some version of the ‘real’ world was slightly reminiscent of (and probably influenced by) Neal Stephenson (especially his 1992 novel Snow Crash), but without the broad cultural references or the entertainingly trippy delirium.
If there’s one predominant disadvantage to spending more than a quarter of a century in and around the security industry, it’s the fact that you become hypersensitized to the sort of mangled terminology and fantasy passed off as current science that make NCIS and CSI scenes so cringeworthy. (I have yet to see CSI:Cyber but I have a bad feeling about it.)
The older I (and the internet) get, the more the issues I deal with in my day job spill over into some of the fiction I read (not to mention the movies and TV shows I sometimes watch), and the harder it gets to avoid the sort of nonsense – ‘OMG: he’s breaking down our firewall with a keylogger!’ – that makes me want to lie down in a darkened room with the collected works of Wilkie Collins.
Apparently I’m not the only person in the security business to feel this way. At any rate, when Carey Nachenberg – a stalwart of the anti-malware business – brought out his book The Florentine Deception, social media soon became clogged with security luminaries expressing gratitude for a book that wasn’t based on a lack of technical understanding. To quote directly from the ‘accolades’ page on the book’s website:
“Finally, a Techno Thriller that gets the details right!”
– Mikko Hypponen, international computer security expert
“The Florentine Deception is a gripping and well-paced thriller where, for a change, the “science bit” is actually credible – a great read.”
– John Hawes, Virus Bulletin
In fact, I commented myself when I first became aware of the book that, “I haven’t read it yet, but I like the idea of a book on the topic written by someone who actually knows (a lot!) about the technology.”
The book even has a foreword by security maven Professor Eugene Spafford, and as he also provided a foreword for one of my books (Viruses Revealed, which I wrote with Robert Slade and Urs Gattiker), I know very well that he’s not the kind of guy to let a few manifest impossibilities go by without comment. And now I have read it, I feel more qualified to make a few brief comments of my own.
Technical accuracy is obviously a draw for those of us who work in security (and in an area that’s not always well understood by specialists in other areas of security), but for other readers it’s probably not the most important criterion when judging a book’s value and readability. Otherwise, my books might outsell JK Rowling.
John Hawes subsequently expanded his appreciation of the book into a review for Virus Bulletin and noted that Carey took due note of the advice (usually attributed to Mark Twain) to ‘write what you know’. That’s not always the best possible advice but I think it worked quite well here. Despite his hero’s background in the security industry, there’s no over-literal account of a more typical malware researcher’s life along the lines of:
Tuesday: Disassembled a new bot; spent the afternoon tweaking broken code.
Wednesday: Spent the morning re-compiling broken module; disassembled some boring adware.
Thursday: Inspected several megabytes of log file; got misquoted by the Daily Mail.
Indeed, having teased us with the suggestion of a serious breach in a software house not a million miles from a PC near you and allowing his hero to indulge in a little light data recovery, the story ranges over an assortment of locations (mostly in California), some of them involving the sort of rocky and/or underground clambering that most of us would prefer to watch from our living rooms or a cinema seat. It also features some smart backchat and episodes ranging from farce to drama with a leavening of murder and mayhem.
Later in the book, the author does return to a computer-driven doomsday scenario somewhere between Dan Brown and Dr Alan Solomon (who actually wrote a story with a somewhat similar premise in 1987 even before he’d actually seen a virus) with a sprinkling of National Treasure.
It seems slightly paradoxical that while the imaginings of the media continue to operate on the basis of hardware and software very different to the technology used by most security specialists, the scary scenarios they invoke often seem almost tame compared to the scenarios that the future holds in an insanely interconnected world.
In the words of Bruce Schneier (not one to indulge in hype and security theatre): “Future attacks will be exactly like what’s happening on the internet today with your computer and smartphones, only they will be with everything. It’s all one network, and it’s all critical infrastructure.”
Since I’m largely in agreement with John Hawes’ assessment of the novel, I won’t try to duplicate his effort (no wonder no-one ever invites me to review fiction): besides, literary criticism isn’t exactly what Infosecurity Magazine expects from me. Nonetheless, The Florentine Deception is – though not The Great American Novel – at least a good read, and proceeds are donated to charities benefiting underprivileged students, with a first goal of selling 2000 books and donating $10k. And if this is the sort of book that interests you, Robert Slade has a page on his book review site devoted to reviews of Fiction (with Computer and Technical Themes).