Tuesday, September 20, 2016

Interview with Author Andrew Diamond

Today, Feathered Quill reviewer Ellen Feld is talking with Andrew Diamond, author of Impala.

FQ: Your protagonist, Russell Fitzpatrick, is a software engineer, as are you. How much of your real life experiences did you inject into the story?

DIAMOND: A few of Russ’ attitudes and observations come from my experience as a developer. At the beginning of the book, he’s burnt out and feeling a little empty. I think that’s fairly common in the tech world, particularly among workers in startups and small entrepreneurial companies, where there is a culture of overwork. There’s a cycle, where you throw yourself wholly into something, give it everything, wear yourself out, and then need to recharge before you go on to the next thing. And you don’t necessarily know what that next thing is going to be.
Russ is at that point of being worn out and needing to recharge. He has no idea what’s about to happen to him. Poor guy. But the intensity and unexpectedness of it all, the fact that he can’t turn away from it, forces him to wake up and be present in his own life, which is exactly what he needs.

FQ: When I first realized there’d be ‘computer lingo’ in the story, I thought, “oh, oh, this is going to be hard to follow.” Fortunately, I was wrong. Was it a challenge to keep the language simple enough for readers who aren’t computer savvy to understand, while still making sense and advancing the story?

DIAMOND: No. I like to keep a tight focus on the story. Technical details are usually a distraction, so I include them only where and when they’re pertinent. I explain as much as the reader needs to know for the action to make sense. The funny thing is that when you put technical information into a narrative, people find it much more meaningful than when it’s presented in the abstract, or in textbook format.

Several early readers said they learned a lot about computers and hacking from reading Impala. That surprised me. I wasn’t trying to teach anyone anything. The technical details were just there because they needed to be there for the story to make sense. I have to say, though, I took it as a good sign when an editor whose eyes glaze over at the mention of technology said she loved the book, and when another reader who hates technology and doesn’t read thrillers also loved it.

FQ: My new favorite term is ‘zero-day.’ Would you briefly explain to our readers what it means?

DIAMOND: Most software companies these days offer what are called "bug bounties." When developers find a bug that compromises the security of commercial software, they report it to the manufacturer and get a reward, on the condition that they not reveal the bug to anyone else for 60 or 90 days. That gives the software company time to fix the problem.

Zero-day exploits, or "zero-days," are security bugs that have not been reported to the software manufacturer. Hackers start exploiting them before the software companies even know they exist, which means the companies have had exactly zero days to prepare for them.

The Dark Web, where people buy and sell all sorts of illegal goods, has whole markets for zero-days. Organized criminals who want to steal data, and governments who want to snoop on their enemies will buy zero-day information from independent hackers to help them break into their targets. If a hacker finds a zero-day that affects a large number of computers—for example, a major security flaw in Microsoft Windows—he can get a high price for it.

The funny thing is that security consultants, law enforcement agents, anti-virus researchers and others lurk on the same Dark Web sites as the criminals, because they want to find out about zero-days as soon as they can. No one knows who anyone is on the Dark Web, so sometimes hackers wind up selling their zero-days to the very security analysts they’re trying to outsmart. Once a software vendor is tipped off to a zero-day, the clock starts ticking. Maybe they can fix it in five days. After that, the bug is worthless to hackers.

FQ: I also found the idea of “Whisper” (a sound-based network) to be fascinating. Is this, or will it one day, be possible, in your opinion?

DIAMOND: It already exists. Some computer researchers in the 1960s built sound-based networks in their labs, where the computers would talk to each other, using speakers to speak and microphones to listen. They didn’t talk in words. It was more like simple tones.

A few years ago, a Google engineer named Boris Smus built a program that let computers talk to each other using ultrasound, which is inaudible to humans. A few years before that, a security consultant named Dragos Ruiu discovered an incredibly insidious computer virus called badBIOS that infected all of his computers, regardless of what operating system they were running.

He could tell the infected machines were communicating with each other, but he couldn’t figure out how. He unplugged the network cables, removed the WiFi hardware and the Bluetooth hardware, and the machines were still exchanging data. Finally, he made a guess that they were sending ultrasound messages to each other. So he ripped out the speakers and microphones, and the communication stopped.

Some Israeli researchers recently came up with a way to steal data from a computer by manipulating its cooling fan. A virus takes control of the computer’s cooling functions. A nearby cell phone listens for subtle changes in the fan speed and translates those into meaningful data, kind of like Morse code. It’s crazy. Most people would never even imagine that their bank account information might be leaking through their fan onto someone’s iPhone, but those are the kinds of things clever hackers do.

FQ: Russell, your protagonist, is very conflicted about his life, at one point saying, “Half of me wants to walk the narrow road of responsibility...half of me wants to destroy everything.” What was the reason behind making him so conflicted rather than a man who knows exactly what he wants and goes out and gets it?

DIAMOND: I think many people have this same conflict in them, though it’s less persistent, and maybe not at such a deep, existential level. Almost everyone has been in the position where they’re looking at something major in their life and trying to decide, “Should I try to fix this? Or should I just abandon it?” People think that about their jobs, their relationships, their homes, their cars, the city they live in.

Those can be interesting times, when you’re not sure of what you want. You wind up seeing the world and the people in it from many different angles, and you’re open to change. There’s both hardship and opportunity there.

A conflicted character really becomes fascinating when you throw him into a series of tough situations that really force him to choose what is valuable, what is worth fighting for, and what is worth having. Russ’ enemies close in on him from all sides, and none of them have any idea how he’s going to behave, which really puts them in danger. Russ himself doesn’t know what he’s going to do, and the reader doesn’t either. That makes for an engaging story.

FQ: I loved the names Russell gave to those chasing him, such as “Donkey Kong” and “Mario” (from Mario Brothers). Was it fun to write their scenes?

DIAMOND: It was fun. Those guys do some pretty nasty things to people, and while I like noir and crime fiction, I don’t really like dwelling on graphic violence or rubbing people’s faces in it. Mocking the thugs every now and then kind of lightens the mood. Russ makes fun of his pursuers, in part because of his contempt for their crude brutality, and in part to make them a little less terrifying to himself.

FQ: I was familiar with Bitcoin before reading Impala. Do you think that it is used for nefarious purposes as suggested in the book?

DIAMOND: Yes. Bitcoin is the de facto currency of the Dark Web. People access sites on the Dark Web using special software that protects their anonymity and makes their activities difficult or impossible to trace. They don’t want to use credit cards to buy drugs online, because then the transaction is tied to an account with their name on it. So they use Bitcoin, which is anonymous.
The first major Dark Web market was called The Silk Road. It was run by this hacker named Ross Ulbricht, and you could buy drugs and even arrange assassinations using Bitcoin. Wired magazine has a long and fascinating article about the rise and fall of Silk Road. It’s remarkable how this one hacker could have the FBI and law enforcement agencies all around the world on their heels for so long without being caught. How the FBI finally brought him down is equally remarkable. What Russ’ friend Charlie does in Impala is very similar to what Ross Ulbricht was doing in real life with Silk Road.

Purchasing on Silk Road and other Dark Web markets goes through an escrow system. Say a person wants to buy $1000 worth of cocaine. He sends $1000 in Bitcoin into an account run by the administrator of the ecommerce site. The administrator tells the seller that he has the money, and the seller ships the cocaine to the buyer. When the buyer says he has received the shipment, the administrator transfers the $1000 from the escrow account to the seller. Actually, the administrator takes a little cut for himself. That’s how he earns his keep.

The buyers and sellers rate each other, just like on eBay. No one wants to buy from a seller with bad ratings, and sellers don’t want to do business with buyers who have a reputation for complaining or not paying.

The transactions are fraught with risk from beginning to end, but still, the markets thrive. One risk is that the buyer might get caught receiving the cocaine in the mail—and they do send this stuff through the US mail. Buyers will often hire intermediaries to receive the drugs. In some cases, the intermediaries are real estate agents who have keys to empty houses that are waiting to be sold. The drugs are mailed to the empty house, addressed to some made-up name. The realtor stops in every day or two, makes sure there are no cops around, and picks up any mail not addressed to the actual owner of the house.

If there are cops around and they spot the package, there’s no way they can tie it to any real person. The package doesn’t have the homeowner’s name on it. It doesn’t have the realtor’s name, and it was sent to a house that no one lives in. There’s no one they can arrest.

The other big risk in the online markets is that the administrators will run off with all the money in the escrow account. That actually happened to a site called Evolution Market. The administrators disappeared with $12 million in Bitcoin that was sitting in escrow.

I came up with the idea of the escrow heist in Impala before I ever knew about Evolution Market. After I finished the first draft of the book, I asked myself how plausible such a heist would be. I looked it up and found it had already been done.

FQ: As a software engineer, I’m guessing you’ve run into hacking ‘issues’ in your work. Can you share one of the more interesting cases?

DIAMOND: I always try to hack my own code, and I used to always try to hack my coworkers’ code, which was frighteningly easy. Early in my career, I was working at a startup in Seattle that built software to run online surveys. I noticed some code that opened files and sent the content back to the user.

I thought to myself, “This isn’t coded right. I bet I can type in any file name, and I can view the contents of it right in my browser.” In a few seconds, I got the application to show me the server’s password file, which lists all of the user account information.

I found the programmer who had written the code and asked him why he hadn’t added any safeguards to prevent people from reading random files. His response was, “Why would I? Who goes around reading random files off of other people’s servers?”

“I do.” I showed him how anyone could read the password file, and he was horrified. I fixed the problem for him, but I was always put off by other programmers’ disregard for security. Most of them had no awareness whatsoever, like toddlers at a cookout who hold their hamburgers three inches in front of the dog’s mouth. They’re always shocked when the animal takes the food from their hand.
In the early days of the web, security was terrible. An amateur could learn how to break into thousands of websites in just a few hours. It’s gotten better in recent years, but it’s still not that great.

FQ: Charlie Taylor warned to keep secrets away from the computer world. With so many aspects of our lives being played out on computers, via social media, etc., this is getting harder and harder. Will it one day be impossible?

DIAMOND: I think it will be nearly impossible to keep your personal information to yourself, unless you specifically engineer your entire life to achieve that goal. Some organizations are already taking steps in that direction. Russian and German security services have reverted to writing sensitive reports on typewriters because it’s easier to secure a file cabinet full of paper than a computer full of data.

Most people have no idea how much information they’re giving away, or who they’re giving it to. Google and Facebook and a thousand other companies know much more about you than you think, and a reasonably savvy person can dig up a lot of that information without much effort.

I don’t like the idea of having so much of my personal information accessible to so many people. But on the other hand, I often think, “What if all information was freely available to everyone? What if we could know everything everyone does and thinks?”

I think that might be a good thing, in the long run, because people would start to see that strangers all around them think and feel a lot like them. They have many of the same dreams and hopes and doubts and fears. And maybe people wouldn’t be so ashamed of their worst thoughts and feelings if they could see that the people they look up to and revere often think and feel the same way.

But to answer your original question, yes, I think it is already virtually impossible to keep private information private in a world in which our devices are silently gathering and sharing data 24 hours a day.

FQ: Impala is your first venture into the world of computer hackers. Will there be another with Russell Fitzpatrick or are you going in a different direction with your next book?

DIAMOND: I’m not planning anything new with Russ. I have drafts of two other novels: a dark, brooding mystery, and a romping, irreverent satire. I’ve also done about a year of research on a fascinating criminal from the early 20th century whose life was so bizarre and improbable that, if it were a novel, people would toss it aside and say, “That’s just not believable.”

Someone once said that reality is stranger than fiction because fiction has to portray what’s probable, while reality is only limited by what’s possible. The realm of the possible is much broader than the realm of the probable, as this guy’s life illustrates again and again. So my next book might just be a true-crime biography.

To learn more about Impala please read the review at: Feathered Quill Book Reviews.