The Cybersecurity Canon - The Dark Net: Inside the Digital Underworld

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary:

Not all cybersecurity professionals need to read this book, but if you have an interest in learning about the underside of the internet, the “darknet” – a shadowy realm of pornography, illicit markets, and fringe political groups then this is the book for you.

Why did I chose this book in the first place? In my mind, cybersecurity goes beyond purely technical areas like software vulnerabilities, network configurations, and malware. In fact, cybersecurity professionals are often called upon to investigate corporate employees engaged in other questionable behavior like viewing pornography using corporate PCs, participating in online hate groups, or conducting cyberbullying attacks. Anyone who has been involved in this type of investigation understands that there’s an abundance of internet subcultures for every behavior, belief, and fetish.

The Dark Net pulls back the curtain on a number of these areas, providing a bit of color on a world of taboo online subjects and behaviors like trolling, dark markets, and pornography. To be clear, this is not a sleazy book meant to titillate the reader, rather it is an expose on some of the people and activities happening down the darker alleys of the internet. Bartlett not only describes these areas but looks at the motivations and psychologies of participants. While some of this behavior is truly deviant, Bartlett demonstrates that it isn’t all bad. For example, illicit drug sales would take place without the internet, but some of the darknet markets make transactions more efficient, and even safer for buyers and sellers.

I found The Dark Net to be a well-written, informative, and entertaining book. I wasn’t always comfortable with the subject matter, but I found it worthwhile to plough through the book nonetheless.  To quote Sun Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” It is my contention that by reading The Dark Net, cybersecurity professionals will learn some useful lessons about the culture of the internet underworld that they may find useful sometime in their careers.

Book Review:

As stated on its website, the objective of the Cybersecurity Canon project is, “To identify a list of must-read books for all cybersecurity practitioners – be they from industry, government or academia — where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.” Given this definition, I can’t endorse The Dark Net as a book for induction into the Canon. I can, however, recommend Bartlett’s book as an entertaining, insightful, educational, and easy-to-read book that many InfoSec pros will thoroughly enjoy.

The title of this book is a bit deceptive, at least to a cybersecurity veteran like me. When I first saw the title, I expected a book about the development of the TOR browser, descriptions of hacker chat sites, and an analysis of how the cybercrime underground uses these tools to cooperate, exchange malware, and launch destructive cyberattacks. The book barely scratches the surface on these topics, rather the hint at what this book covers lies in its subtitle, “Inside the Digital Underworld.”

The Dark Net is really an investigative study of some of the questionable, unprincipled, unethical, and illegal activity happening online every day. Bartlett describes this focus on the very first page of the author’s notes, saying: “The Dark Net is an examination of what are, in many cases, extremely sensitive and contentious subjects. My primary aim was to shine a light on a world that is frequently discussed, but rarely explored…”

The book begins by addressing an obvious question: How did we get to a place where deviance, debauchery, and outright hatred are readily available, often “one click away” from popular websites?  Bartlett looks at communication and behavioral patterns dating back to the original ARPANET connections. This includes historical activities like the use of Finger to identify users on BBSs, the development of “alt” discussion groups on Usenet, and the roots of “trolling,” which seemed to be more of a practical joke (i.e., for the Lulz) than a confrontational act in the early- to mid-1990s.

These behaviors paralleled a growing proliferation of libertarianism associated with online networks. As Bartlett explains, “users saw it (i.e., the internet) as a ‘new kind of place,’ with its own culture, its own identity, and its own rules.” This view was further articulated by John Perry Barlow’s 1996 Declaration of Independence of Cyberspace: “With its declared separation from the offline world, your legal concepts of property, expression, identity, movement and context do not apply to us (i.e., online users) … our identities have no bodies, so unlike you, we cannot obtain order by physical coercion.”

Anonymity is central to a lot of the deviant behavior taking place on the internet. Bartlett reminds (or educates) the reader about John Suler’s Disinhibition Effect from 2001. The basics of Suler’s thesis is that people tend to disregard social norms when they perceive that they are anonymous beings on the internet. An online persona named Penny Arcade paraphrases Suler’s with her, “greater Internet F*ck-wad Theory: normal person + anonymity + audience = total F*ckwad.”

Once Bartlett convinces readers that internet users will behave badly if given the chance, he then guides them through a series of examples throughout the rest of the book:

• A group of young men who persuade a woman to post nude pictures on 4chan’s random board (aka: /b/). They then to proceed to “dox” her (i.e., publish her nude pictures publicly in an attempt to embarrass her). Why do they do this? For the lulz, of course! The examination of 4chan should be of interest to cybersecurity purists as hacking groups Anonymous and Lulzsec are rooted in this website.
• The online and even real-world activities of a few individuals participating in a right-wing group called the English Defense League (EDL). Bartlett meets one leading member who appears to be “normal” in person, but his online personality transforms him into a confrontational troll, ready to attack anyone who disagrees with his opinion. This chapter was especially thought-provoking today as it aligns well with bot, sock puppet, and trolling activities associated with the 2016 U.S. Election.
• A bitcoin devotee, dedicated to developing a “dark wallet” that can provide even greater anonymity. His goal is to use bitcoin and anonymous payment to totally disrupt the world’s monetary system.
• The author looks at underground markets like the infamous Silk Road, where buyers can readily purchase all types of illicit material. Bartlett is surprised to learn how well these markets work, complete with a rating system, customer service tools, refunds, etc. The author even purchases a small amount of marijuana as part of his research. While he claims that he doesn’t partake, he does say that a friend tested and approved his purchase.
• Once on the darknet, Bartlett demonstrates that some of the world’s most vile child pornography can be had with three simple clicks. The author doesn’t proceed down this path, but he does interview some of the characters who did. Many profess that they weren’t actively looking to explore child pornography but stumbled upon it through varies other roads. Through this example, Bartlett asks the reader to contemplate whether easy access to pornography may promote aberrant behavior.
• Bartlett follows a successful “cam girl” and her friends who earn decent livings performing live peep shows on a website called Chaturbate. The author takes the reader through some of the hidden details describing the business model of these websites, the performers’ compensation model, the audience, etc.
• Finally, the book concludes with a brief chapter focused on the debate between those who believe in a computer/human mind meld called “transhumanism” and those who think that true thinking machines will ultimately decide that true humans are unnecessary and eliminate humankind altogether – a bit of a detour from the rest of the book but still interesting.

There are certainly books that explore each of these topics in more detail, but Bartlett isn’t trying to demonstrate great depth. Rather, his goal is to give the reader a cursory look at some of the darker sections of the online world. These views may not always be pretty, but they are certainly fascinating and informative to the reader.

This is not a must-read book for all cybersecurity professionals, but it is an entertaining and educational book.  The topics may not be right down information security Broadway; however, they could certainly be considered some of the side streets. Cybersecurity professionals interested in going beyond IP addresses, indicators of compromise (IoCs), and antivirus signatures to learn about internet culture will find this book a worthwhile read.