Published in Threat Intel

When fiction is stranger than reality: 5 novels with hacking plot holes that need to be patched

“It is a truth universally acknowledged that an individual in possession of a computer must be in want of antivirus software.”
— Me, with apologies to Jane Austen

As computing technology has become as ubiquitous and commonplace as breathing, it’s no surprise that popular culture would explore both the upsides and downsides of having this technology within everyone’s reach. In the age of headline-hogging data breaches, identity theft, destructive worms that cripple whole industries, and ransomware outbreaks, we’ve come to expect the line between real-world threat scenarios and fictional narratives to blur.

Hacking isn’t big only on TV and film; it has also set afire many an author’s imagination, thereby seeping into the most analog of media: books. For the purposes of this post, I am only concerning myself with books that feature hackers, white and black hat alike.

But first, a disclaimer: I am neither a proper book critic nor a h4x0r with leet skillz who could pwn your digital life. I only know these strange words from a cumulative seven years in the industry writing about the threat landscape. The most sophisticated “hack” I’ve ever done (and which I can’t promise not to do again) is to pause the TV when someone is watching in the living room (and eventually freaks out), while I snicker behind my bedroom door, smartphone in hand. (There’s an app for that.)

So what gives me the right to put these books under the tech microscope, you ask. Nothing, really, except that I spent the last three months with my nose buried in these pages — about 2,382 of them in all. If I have any cred to go by, it is being an avid reader my whole life, with a modest collection of around 3,000 books (definitely modest by fashion designer slash bookworm Karl Lagerfeld’s standards).

And since hacker novels and techno-thrillers are a dime a dozen these days, I took it upon myself to read both prose and graphic novels with absurd scenes, storylines, or plot twists related to hacking and technology in general, so you won’t have to. Or maybe you should, if you want to throw away your life like that. That’s your prerogative. Anyway, only five books made it to this exclusive list, and something tells me their authors won’t be too thrilled about it.

Digital Fortress (1998)

In pre-Snowden America, where most of this story is set, only about three percent of Americans have heard of the NSA. “Malware” hasn’t even entered the lexicon, or the author’s vocabulary, yet; mentions are limited to “virus.” The agency houses a supposedly invincible supercomputer called TRANSLTR on eight floors in its Maryland HQ, because it’s the late ‘90s and any supercomputer worth its salt requires serious real estate, according to author Dan Brown, who needs no further introduction.

TRANSLTR could crack any code, however complex, within minutes. Until one day it couldn’t . . . thanks to a new unbreakable, encrypted code called — you guessed it — Digital Fortress. Enter Susan Fowler, head cryptographer and right hand to Trevor Strathmore, NSA deputy director. To speed things up, Strathmore dispatches Fowler’s fiancé, the linguist David Becker, on a wild goose chase that starts in Spain to retrieve a ring on which the passcode to Digital Fortress is believed to be engraved.

This ring belonged to Ensei Tankado, a disgruntled ex-NSA employee (ring any bells?) and crypto whiz who had issues with the agency playing Big Brother and compels it to go public about its surveillance dragnet; otherwise, he will destroy both the NSA and its most expensive toy. Should he die, his associate, code-named North Dakota, will see to it that the plan is executed.

The characters eventually wise up that the code being brute-forced by TRANSLTR for 18 hours and counting — when it should’ve been done in 10 minutes — is malicious, and is actually a virus. In the first place, could a computer brute-force encrypted text even though the algorithm is unknown? Also, why are only two people, at least at the outset, privy to such an enormous threat to the organization?

Unless it was cracked in time, Digital Fortress would spread to the NSA data bank even without being manually executed, and there it would open a vulnerability, which anyone with a modem could take advantage of, and thereafter steal or expose government secrets. Alas, it’s not the supposedly top NSA cryptographers — who get stumped by a simple anagram that should’ve been obvious from the get-go (NDAKOTA = TANKADO) — but the linguist who saves the day. There’s even a countdown to the vulnerability opening — cinematic, yes, but also comically so. In the end, the passcode turns out to be so anticlimactically simple that any self-respecting cracking tool should’ve been able to get it in three seconds or less.

Dan Brown is a favorite whipping boy among critics and this book was an easy target, but in this case, they’re not wide of the mark. At the end of the book, what we learn is that the NSA, even with billions in funding, does not keep backups of its data and would crumble with the exploitation of a single vulnerability.

The Girl with the Dragon Tattoo (2005)

This is an internationally bestselling psychological thriller by the late Swedish author Stieg Larsson, published posthumously in 2005. The general consensus is that, as a whole, the book and its sequels — collectively known as the Millennium series — make for great crime fiction. Reviews I’ve read also laud the accuracy of the hacking scenes, and that’s where I mildly disagree.

The hacker in it is the titular girl with the dragon (and wasp) tattoo, Lisbeth Salander, who is decked out in stereotypical hacker fashion: multiple piercings, distressed jeans, black leather jacket, heavy black boots, black hair, black everything. In this first book, her backstory and hacking adventures are more the subplot than the main feature.

Salander is a social maladroit who makes a living as a freelancer doing research and surveillance work, mostly for a firm that provides bodyguard protection and physical security solutions. Her eidetic memory and legendary hacking skills come in handy when she takes on an assignment to investigate Mikael Blomkvist, an embattled journalist recently convicted of libel against a billionaire industrialist named Hans-Erik Wennerström. Salander eventually comes to work for Blomkvist and *SPOILER ALERT* helps him bring down Wennerström by collecting damning documents to prove the business magnate has ties to the Mafia and is involved in more than purely legitimate businesses.

Toward the end of the book, Lisbeth explains how she made use of a cuff invented by a hacker friend that was fastened around Wennerström’s broadband cable to perform what is understood to be a man-in-the-middle attack. This enabled her to eavesdrop on his online activities, add padded code each time Wennerström clicked on something on his computer, and install malware that helped her exfiltrate data, and even mirror his computer to a server under her control.

Why Salander had to go to all that trouble instead of making her life relatively easier by employing social engineering techniques and designing spear-phishing emails to install keyloggers and spyware (don’t try it at home, kids), we’d never get to ask Larsson.


Zero Day (2012)

Seemingly unrelated events — including a commercial airplane suddenly nosediving after its aviation controls abruptly die over the Atlantic, a nuclear power plant seeing its cooling systems malfunction, patients dying when hospitals are forced to go offline because of inexplicable glitches — take place within days of each other. Two-thirds of the way through this book, the events still seemed unrelated, but they all lead to Zero Day, the designated date when the West and its beloved internet are brought down all at once by (at this point) unknown malicious actors.

Jeff Aiken, a former government analyst to whom 9/11 is both a professional and personal tragedy, senses a large-scale coordinated attack coming, and he is forced out of his private practice to offer his expertise to the government.

I have no beef with the hacking scenes here per se. In fact, this book could be the most technically accurate depiction of an ethical hacker trying to solve, literally, the world’s problems. That’s probably because the author, Mark Russinovich, is a true-blue techie — a co-founder of Winternals, which Microsoft acquired in 2006 — and is now, Wikipedia tells me, the CTO of Microsoft Azure.

Russinovich lets readers watch over Aiken’s shoulder while the latter does some reverse-engineering magic on his computer. And therein lies the problem — only Aiken seems to be on the case. Sure, he eventually gets assistance from a US-CERT engineer and the DHS, but for the most part, he goes it alone.

The most problematic aspect of the book, in my opinion, is how such a confluence of events — a veritable fire sale — would not invite more alarm and scrutiny from government types and would be ignored by major security companies. It doesn’t sound like how a proper threat response team, which would ideally have 24/7 global operations, would react, especially in the wake of 9/11. Symantec and Microsoft, for example, don’t get involved until the end, and are mentioned only in passing.

The buildup was constant and unrelenting, which I guess made some readers say it was fast-paced, but every new chapter seemed to introduce a new character, even towards the end. Russinovich makes no bones about who the antagonists in his novel are: cyber jihadists with well-oiled (pun intended) palms — even Osama bin Laden makes a cameo.

Meanwhile, the malware supposedly responsible for all the computer failures are *drumroll* rootkits. While that’s not exactly how things in the real world panned out since the book was published, such attacks are still plausible, so I’d still pick up the next two books in the series. Hey, maybe Symantec’s Security Technology and Response team (which — full disclosure — I belong to) will be more involved next time. Well, one can wish.

The Private Eye (2015)

Oh, man. I revere Brian K. Vaughan (Runaways, Y: The Last Man, Saga) as a storyteller, and I’m not sure I would dare to knock any work of his. This is more of a suggestion than a critique, really.

It is 2076 in L.A., and people are extreme privacy nuts, overprotective of their identities, so much so that everyone wears a mask in public and uses multiple nyms (aliases) to hide who they really are. This new social order is a consequence of the Cloudburst, when all personally identifiable information stored in the cloud spilled out for everyone else’s consumption. All passwords, emails, tweets, private messages, Facebook posts, medical records, credit card information, and search histories were exposed, thus ruining careers, friendships, and in some cases, even families.

The internet is no more, and the world hasn’t been the same since. How this info-pocalypse came about exactly, I would like to know in a future installment, if any is forthcoming. Was this cataclysmic event triggered by server overcapacity? How did the whole infrastructure come down all at once? I need answers. There may be a hacking backdrop here that needs to be told. While the story might seem far-fetched, present-day iCloud celebrity hacks, hacktivist leaks, and the string of AWS storage bucket misconfigurations and breaches all suggest this scenario could be inevitable in the future.

The book, which started out as a web-exclusive comic series, is a clever and visually arresting (props to artist Marcos Martin) socio-political satire that is as terrifying as it is fascinating. Reading the hardbound deluxe edition, which collects issues 1–10, feels like flipping through a widescreen movie in your hands. Okay, geekout over.

The Dark Net (2017)

I had read one of Benjamin Percy’s previous novels, Red Moon, which I thoroughly enjoyed, and which Stephen King even praised in a tweet back in 2013. This one, by comparison, required too much suspension of disbelief. To be fair, The Dark Net was well-researched, but ran away with the technical concepts too much as it crossed over into the supernatural.

See, there is a visually impaired 12-year-old girl named Hannah who starts to see shadows after she is fitted with Mirage, an approximation of Google Glass, if only the technology had actually taken off (ouch). Hannah has an aunt, Lela, a journalist who stumbles upon the occult while pursuing a story. A fight between good and evil ensues.

According to the book, if you go down the Deep Web deep enough, you reach the Dark Net, which is not only where illegal drugs and stolen goods and identities are exchanged, but also where evil with a capital E resides. This ancient darkness latches on to a computer virus to spread electronically, and then possesses anyone with a computing device. Virtually all people are susceptible to it because their digital footprints are already inextricably linked with their physical selves.

It was good fun until it fell upon Hannah to become a “human anti-virus,” the only one who could clean up the system from the inside; she is even transported via a USB stick. When she hacks away at the pulsating red worms (red for malicious, get it?), they explode into bits of code…

I can appreciate a horror novel every once in a while, but let’s just say reading this was approximately five hours of my life I will never get back.

Mayee Corpin

Information Developer at Symantec. Writes for a living, lives to read.