The reason you can’t buy a car is the same reason that your health insurer let hackers dox you

A Depression-era photo of a used car lot with three cars for sale. It has been hand-tinted. The sky has been replaced with a 'code waterfall' effect as seen in the credit sequences of the Wachowskis' 'Matrix' movies. All of the car headlights have been replaced with the hostile red eye of 'HAL 9000' in Kubrick's '2001: A Space Odyssey.' Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

On July 14, I’m giving the closing keynote for the fifteenth HACKERS ON PLANET EARTH, in QUEENS, NY. Happy Bastille Day! On July 20, I’m appearing in CHICAGO at Exile in Bookville.

In 2017, Equifax suffered the worst data-breach in world history, leaking the deep, nonconsensual dossiers it had compiled on 148m Americans and 15m Britons (and 19k Canadians) into the world, to form an immortal, undeletable reservoir of kompromat and premade identity-theft kits:

https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Equifax knew the breach was coming. It wasn’t just that their top execs liquidated their stock in Equifax before the announcement of the breach – it was also that they ignored years of increasingly urgent warnings from IT staff about the problems with their server security.

Things didn’t improve after the breach. Indeed, the 2017 Equifax breach was the starting gun for a string of more breaches, because Equifax’s servers didn’t just have one fubared system – they were composed of pure, refined fubar. After one group of hackers breached the main Equifax system, other groups breached other Equifax systems, over and over, and over:

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Doesn’t this remind you of Boeing? It reminds me of Boeing. The spectacular 737 Max failures in 2018 weren’t the end of the scandal. They weren’t even the scandal’s start – they were the tipping point, the moment in which a long history of lethally defective planes “breached” from the world of aviation wonks and into the wider public consciousness:

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_the_Boeing_737

Just like with Equifax, the 737 Max disasters tipped Boeing into a string of increasingly grim catastrophes. Each fresh disaster landed with the grim inevitability of your general contractor texting you that he’s just opened up your ceiling and discovered that all your joists had rotted out – and that he won’t be able to deal with that until he deals with the termites he found last week, and that they’ll have to wait until he gets to the cracks in the foundation slab from the week before, and that those will have to wait until he gets to the asbestos he just discovered in the walls.

Drip, drip, drip, as you realize that the most expensive thing you own – which is also the thing you had hoped to shelter for the rest of your life – isn’t even a teardown, it’s just a pure liability. Even if you razed the structure, you couldn’t start over, because the soil is full of PCBs. It’s not a toxic asset, because it’s not an asset. It’s just toxic.

Equifax isn’t just a company: it’s infrastructure. It started out as an engine for racial, political and sexual discrimination, paying snoops to collect gossip from nosy neighbors, which was assembled into vast warehouses full of binders that told bank officers which loan applicants should be denied for being queer, or leftists, or, you know, Black:

https://jacobin.com/2017/09/equifax-retail-credit-company-discrimination-loans

This witch-hunts-as-a-service morphed into an official part of the economy, the backbone of the credit industry, with a license to secretly destroy your life with haphazardly assembled “facts” about your life that you had the most minimal, grudging right to appeal (or even see). Turns out there are a lot of customers for this kind of service, and the capital markets showered Equifax with the cash needed to buy almost all of its rivals, in mergers that were waved through by a generation of Reaganomics-sedated antitrust regulators.

There’s a direct line from that acquisition spree to the Equifax breach(es). First of all, companies like Equifax were early adopters of technology. They’re a database company, so they were the crash-test dummies for every generation of database. These bug-riddled, heavily patched systems were overlaid with subsequent layers of new tech, with new defects to be patched and then overlaid with the next generation.

These systems are intrinsically fragile, because things fall apart at the seams, and these systems are all seams. They are tech-debt personified. Now, every kind of enterprise will eventually reach this state if it keeps going long enough, but the early digitizers are the bow-wave of that coming infopocalypse, both because they got there first and because the bottom tiers of their systems are composed of layers of punchcards and COBOL, crumbling under the geological stresses of seventy years of subsequent technology.

The single best account of this phenomenon is the British Library’s postmortem of their ransomware attack, which is also in the running for “best hard-eyed assessment of how fucked things are”:

https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

There’s a reason libraries, cities, insurance companies, and other giant institutions keep getting breached: they started accumulating tech debt before anyone else, so they’ve got more asbestos in the walls, more sagging joists, more foundation cracks and more termites.

That was the starting point for Equifax – a company with a massive tech debt that it would struggle to pay down under the most ideal circumstances.

Then, Equifax deliberately made this situation infinitely worse through a series of mergers in which it bought dozens of other companies that all had their own version of this problem, and duct-taped their failing, fucked up IT systems to its own. The more seams an IT system has, the more brittle and insecure it is. Equifax deliberately added so many seams that you need to be able to visualize additional spatial dimensions to grasp them – they had fractal seams.

But wait, there’s more! The reason to merge with your competitors is to create a monopoly position, and the value of a monopoly position is that it makes a company too big to fail, which makes it too big to jail, which makes it too big to care. Each Equifax acquisition took a piece off the game board, making it that much harder to replace Equifax if it fucked up. That, in turn, made it harder to punish Equifax if it fucked up. And that meant that Equifax didn’t have to care if it fucked up.

Which is why the increasingly desperate pleas for more resources to shore up Equifax’s crumbling IT and security infrastructure went unheeded. Top management could see that they were steaming directly into an iceberg, but they also knew that they had a guaranteed spot on the lifeboats, and that someone else would be responsible for fishing the dead passengers out of the sea. Why turn the wheel?

That’s what happened to Boeing, too: the company acquired new layers of technical complexity by merging with rivals (principally McDonnell-Douglas), and then starved the departments that would have to deal with that complexity because it was being managed by execs whose driving passion was to run a company that was too big to care. Those execs then added more complexity by chasing lower costs by firing unionized, competent, senior staff and replacing them with untrained scabs in jurisdictions chosen for their lax labor and environmental enforcement regimes.

(The biggest difference was that Boeing once had a useful, high-quality product, whereas Equifax started off as an irredeemably terrible, if efficient, discrimination machine, and grew to become an equally terrible, but also ferociously incompetent, enterprise.)

Microsoft pinky swears that THIS TIME they’ll make security a priority

A frame from a Peanuts animation, depicting Lucy yanking the football away from Charlie Brown, who is somersaulting through the sky. It has been altered. Lucy's head has been replaced with Microsoft's Clippy. Charlie Brown's head has been replaced with a 19th century caricature of a grinning Uncle Sam. The sky has been replaced with a 'code waterfall' effect as seen in the Wachowskis' 'Matrix' movies.

On June 20, I’m live onstage in LOS ANGELES for a recording of the GO FACT YOURSELF podcast. On June 21, I’m doing an ONLINE READING for the LOCUS AWARDS at 16hPT. On June 22, I’ll be in OAKLAND, CA for a panel and a keynote at the LOCUS AWARDS.

As the old saying goes, “When someone tells you who they are and you get fooled again, shame on you.” That goes double for Microsoft, especially when it comes to security promises.

Microsoft is, was, always has been, and always will be a rotten company. At every turn, throughout their history, they have learned the wrong lessons, over and over again.

That starts from the very earliest days, when the company was still called “Micro-Soft.” Young Bill Gates was given a sweetheart deal to supply the operating system for IBM’s PC, thanks to his mother’s connection. The nepo-baby enlisted his pal, Paul Allen (whom he’d later rip off for billions) and together, they bought someone else’s OS (and took credit for creating it – AKA, the “Musk gambit”).

Microsoft then proceeded to make a fortune by monopolizing the OS market through illegal, collusive arrangements with the PC clone industry – an industry that only existed because they could source third-party PC ROMs from Phoenix:

https://www.eff.org/deeplinks/2019/08/ibm-pc-compatible-how-adversarial-interoperability-saved-pcs-monopolization

Bill Gates didn’t become one of the richest people on earth simply by emerging from a lucky orifice; he also owed his success to vigorous antitrust enforcement. The IBM PC was the company’s first major initiative after it was targeted by the DOJ for a 12-year antitrust enforcement action. IBM tapped its vast monopoly profits to fight the DOJ, spending more on outside counsel to fight the DOJ antitrust division than the DOJ spent on all its antitrust lawyers, every year, for 12 years.

IBM’s delaying tactic paid off. When Reagan took the White House, he let IBM off the hook. But the company was still seriously scarred by its ordeal, and when the PC project kicked off, the company kept the OS separate from the hardware (one of the DOJ’s major issues with IBM’s previous behavior was its vertical monopoly on hardware and software). IBM didn’t hire Gates and Allen to provide it with DOS because it was incapable of writing a PC operating system: they did it to keep the DOJ from kicking down their door again.

The post-antitrust, gunshy IBM kept delivering dividends for Microsoft. When IBM turned a blind eye to the cloned PC-ROM and allowed companies like Compaq, Dell and Gateway to compete directly with Big Blue, this produced a whole cohort of customers for Microsoft – customers Microsoft could play off on each other, ensuring that every PC sold generated income for Microsoft, creating a wide moat around the OS business that kept other OS vendors out of the market. Why invest in making an OS when every hardware company already had an exclusive arrangement with Microsoft?

The IBM PC story teaches us two things: stronger antitrust enforcement spurs innovation and opens markets for scrappy startups to grow to big, important firms; as do weaker IP protections.

Microsoft learned the opposite: monopolies are wildly profitable; expansive IP protects monopolies; you can violate antitrust laws so long as you have enough monopoly profits rolling in to outspend the government until a Republican bootlicker takes the White House (Microsoft’s antitrust ordeal ended after GW Bush stole the 2000 election and dropped the charges against them). Microsoft embodies the idea that you either die a rebel hero or live long enough to become the evil emperor you dethroned.

From the first, Microsoft has pursued three goals:

  1. Get too big to fail;
  2. Get too big to jail;
  3. Get too big to care.

It has succeeded on all three counts. Much of Microsoft’s enduring power comes from succeeding IBM as the company that mediocre IT managers can safely buy from without being blamed for the poor quality of Microsoft’s products: “Nobody ever got fired for buying Microsoft” is 2024’s answer to “Nobody ever got fired for buying IBM.”

Microsoft’s secret sauce is impunity. The PC companies that bundle Windows with their hardware are held blameless for the glaring defects in Windows. The IT managers who buy company-wide Windows licenses are likewise insulated from the rage of the workers who have to use Windows and other Microsoft products.

Microsoft doesn’t have to care if you hate it because, for the most part, it’s not selling to you. It’s selling to a few decision-makers who can be wined and dined and flattered. And since we all have to use its products, developers have to target its platform if they want to sell us their software.

This rarified position has afforded Microsoft enormous freedom to roll out harebrained “features” that made things briefly attractive for some group of developers it was hoping to tempt into its sticky-trap. Remember when it put a Turing-complete scripting environment into Microsoft Office and unleashed a plague of macro viruses that wiped out years’ worth of work for entire businesses?

https://web.archive.org/web/20060325224147/http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=33338

It wasn’t just Office; Microsoft’s operating systems have harbored festering swamps of godawful defects that were weaponized by trolls, script kiddies, and nation-states:

https://en.wikipedia.org/wiki/EternalBlue

Microsoft blamed everyone except themselves for these defects, claiming that their poor code quality was no worse than others, insisting that the bulging arsenal of Windows-specific malware was the result of being the juiciest target and thus the subject of the most malicious attention.

The antitrust case against Apple

An early 20th century trustbusting cartoon from Punch depicting the Standard Oil company as a world-girding, fanged octopus, its tentacles gripping the US Capitol, a generic statehouse, the White House, and a cluster of screaming, tuxedoed politicians. The Apple 'Think Different' wordmark has been placed in the background above the octopus. The top of the octopus's head bears an original Apple '6-color' logo.

I’m on tour with my new, nationally bestselling novel The Bezzle! Catch me TONIGHT (Mar 22) in TORONTO, then SUNDAY (Mar 24) with LAURA POITRAS in NYC, then Anaheim, and beyond!

A yellow rectangle. On the left, in blue, are the words 'Cory Doctorow.' On the right, in black, is 'The Bezzle.' Between them is the motif from the cover of *The Bezzle*: an escheresque impossible triangle. The center of the triangle is a barred, smaller triangle that imprisons a silhouetted male figure in a suit. Two other male silhouettes in suits run alongside the top edges of the triangle.

The foundational tenet of “the Cult of Mac” is that buying products from a $3t company makes you a member of an oppressed ethnic minority and therefore every criticism of that corporation is an ethnic slur:

https://pluralistic.net/2024/01/12/youre-holding-it-wrong/#if-dishwashers-were-iphones

Call it “Apple exceptionalism” – the idea that Apple, alone among the Big Tech firms, is virtuous, and therefore its conduct should be interpreted through that lens of virtue. The wellspring of this virtue is conveniently nebulous, which allows for endless goal-post shifting by members of the Cult of Mac when Apple’s sins are made manifest.

Take the claim that Apple is “privacy respecting,” which is attributed to Apple’s business model of financing its services through cash transactions, rather than by selling its customers to advertisers. This is the (widely misunderstood) crux of the “surveillance capitalism” hypothesis: that capitalism is just fine, but once surveillance is in the mix, capitalism fails.

Apple, then, is said to be a virtuous company because its behavior is disciplined by market forces, unlike its spying rivals, whose ability to “hack our dopamine loops” immobilizes the market’s invisible hand with “behavior-shaping” shackles:

http://pluralistic.net/HowToDestroySurveillanceCapitalism

Apple makes a big deal out of its privacy-respecting ethos, and not without some justification. After all, Apple went to the mattresses to fight the FBI when they tried to force Apple to introduce defects into its encryption systems:

https://www.eff.org/deeplinks/2018/04/fbi-could-have-gotten-san-bernardino-shooters-iphone-leadership-didnt-say

And Apple gave iOS users the power to opt out of Facebook spying with a single click; 96% of its customers took them up on this offer, costing Facebook $10b (one fifth of the pricetag of the metaverse boondoggle!) in a single year (you love to see it):

https://arstechnica.com/gadgets/2021/02/facebook-makes-the-case-for-activity-tracking-to-ios-14-users-in-new-pop-ups/

Bruce Schneier has a name for this practice: “feudal security.” That’s when you cede control over your device to a Big Tech warlord whose “walled garden” becomes a fortress that defends you against external threats:

https://pluralistic.net/2021/06/08/leona-helmsley-was-a-pioneer/#manorialism

The keyword here is external threats. When Apple itself threatens your privacy, the fortress becomes a prison. The fact that you can’t install unapproved apps on your iOS device means that when Apple decides to harm you, you have nowhere to turn. The first Apple customers to discover this were in China. When the Chinese government ordered Apple to remove all working privacy tools from its App Store, the company obliged, rather than risk losing access to its ultra-cheap manufacturing base (Tim Cook’s signal accomplishment, the one that vaulted him into the CEO’s seat, was figuring out how to offshore Apple manufacturing to China) and hundreds of millions of middle-class consumers:

https://www.reuters.com/article/us-china-apple-vpn/apple-says-it-is-removing-vpn-services-from-china-app-store-idUSKBN1AE0BQ

How I got scammed

A credit card. Its background is a 'code waterfall' effect from the credit-sequences of the Wachowskis' 'Matrix' movies. On the right side is a cliche'd 'hacker in a hoodie' image whose face is replaced by the hostile red eye of HAL9000 from Kubrick's '2001: A Space Odyssey.' Across the top of the card is 'Li'l Federal Credit Union.' The cardholder's name is 'I.M. Sucker.' Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

I wuz robbed.

More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!

Here’s what happened. Over the Christmas holiday, I traveled to New Orleans. The day we landed, I hit a Chase ATM in the French Quarter for some cash, but the machine declined the transaction. Later in the day, we passed a little credit-union’s ATM and I used that one instead (I bank with a one-branch credit union and generally there’s no fee to use another CU’s ATM).

A couple days later, I got a call from my credit union. It was a weekend, during the holiday, and the guy who called was obviously working for my little CU’s after-hours fraud contractor. I’d dealt with these folks before – they service a ton of little credit unions, and generally the call quality isn’t great and the staff will often make mistakes like mispronouncing my credit union’s name.

That’s what happened here – the guy was on a terrible VOIP line and I had to ask him to readjust his mic before I could even understand him. He mispronounced my bank’s name and then asked if I’d attempted to spend $1,000 at an Apple Store in NYC that day. No, I said, and groaned inwardly. What a pain in the ass. Obviously, I’d had my ATM card skimmed – either at the Chase ATM (maybe that was why the transaction failed), or at the other credit union’s ATM (it had been a very cheap looking system).

I told the guy to block my card and we started going through the tedious business of running through recent transactions, verifying my identity, and so on. It dragged on and on. These were my last hours in New Orleans, and I’d left my family at home and gone out to see some of the pre-Mardi Gras krewe celebrations and get a muffalata, and I could tell that I was going to run out of time before I finished talking to this guy.

“Look,” I said, “you’ve got all my details, you’ve frozen the card. I gotta go home and meet my family and head to the airport. I’ll call you back on the after-hours number once I’m through security, all right?”

He was frustrated, but that was his problem. I hung up, got my sandwich, went to the airport, and we checked in. It was total chaos: an Alaska Air 737 Max had just lost its door-plug in mid-air and every Max in every airline’s fleet had been grounded, so the check in was crammed with people trying to rebook. We got through to the gate and I sat down to call the CU’s after-hours line. The person on the other end told me that she could only handle lost and stolen cards, not fraud, and given that I’d already frozen the card, I should just drop by the branch on Monday to get a new card.

We flew home, and later the next day, I logged into my account and made a list of all the fraudulent transactions and printed them out, and on Monday morning, I drove to the bank to deal with all the paperwork. The folks at the CU were even more pissed than I was. The fraud had run up to more than $8,000, and if Visa refused to take it out of the merchants where the card had been used, my little credit union would have to eat the loss.

I agreed and commiserated. I also pointed out that their outsourced, after-hours fraud center bore some blame here: I’d canceled the card on Saturday but most of the fraud had taken place on Sunday. Something had gone wrong.

One cool thing about banking at a tiny credit-union is that you end up talking to people who have actual authority, responsibility and agency. It turned out that the woman who was processing my fraud paperwork was a VP, and she decided to look into it. A few minutes later she came back and told me that the fraud center had no record of having called me on Saturday.

“That was the fraudster,” she said.

Demon-haunted computers are back, baby

A photo taken on the Space Shuttle, showing an astronaut pointing at a switch on a control panel. The photo has been altered. The astronaut's head has been replaced with a grinning, horned devil-woman's head. The switch has been replaced with a red-guarded toggle switch, labeled 'SELF-DESTRUCT!' The astronaut's arms have been colorized to match the brick-red skin of the demon head. The background has been slightly blurred. Image: Mike (modified) https://www.flickr.com/photos/stillwellmike/15676883261/ CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0/

Catch me in Miami! I’ll be at Books and Books in Coral Gables on Jan 22 at 8PM.

As a science fiction writer, I am professionally irritated by a lot of sf movies. Not only do those writers get paid a lot more than I do, they insist on including things like “self-destruct” buttons on the bridges of their starships.

Look, I get it. When the evil empire is closing in on your flagship with its secret transdimensional technology, it’s important that you keep those secrets out of the emperor’s hand. An irrevocable self-destruct switch there on the bridge gets the job done! (It has to be irrevocable, otherwise the baddies’ll just swarm the bridge and toggle it off).

But c’mon. If there’s a facility built into your spaceship that causes it to explode no matter what the people on the bridge do, that is also a pretty big security risk! What if the bad guy figures out how to hijack the measure that – by design – the people who depend on the spaceship as a matter of life and death can’t detect or override?

I mean, sure, you can try to simplify that self-destruct system to make it easier to audit and assure yourself that it doesn’t have any bugs in it, but remember Schneier’s Law: anyone can design a security system that works so well that they themselves can’t think of a flaw in it. That doesn’t mean you’ve made a security system that works – only that you’ve made a security system that works on people stupider than you.

I know it’s weird to be worried about realism in movies that pretend we will ever find a practical means to visit other star systems and shuttle back and forth between them (which we are very, very unlikely to do):

https://pluralistic.net/2024/01/09/astrobezzle/#send-robots-instead

But this kind of foolishness galls me. It galls me even more when it happens in the real world of technology design, which is why I’ve spent the past quarter-century being very cross about Digital Rights Management in general, and trusted computing in particular.

It all starts in 2002, when a team from Microsoft visited our offices at EFF to tell us about this new thing they’d dreamed up called “trusted computing”:

https://pluralistic.net/2020/12/05/trusting-trust/#thompsons-devil

The big idea was to stick a second computer inside your computer, a very secure little co-processor, that you couldn’t access directly, let alone reprogram or interfere with. As far as this “trusted platform module” was concerned, you were the enemy. The “trust” in trusted computing was about other people being able to trust your computer, even if they didn’t trust you.

Kinkslump Linkdump

An assortment of buttons.

This is my dozenth linkdump! The world comes at you fast, and even though I’m writing 4-5 essays a week for this newsletter, many’s the week that ends with more stray links than will fit in that format. Here’s the previous ones:

https://pluralistic.net/tag/linkdump/

I managed to turn out five posts last week, despite being on tour with my latest novel, The Lost Cause, a hopeful solarpunk novel endorsed by Rebecca Solnit, Bill McKibben and Kim Stanley Robinson. The tour went great – the book’s now a national bestseller on the USA Today list! Here’s an essay I wrote explaining the structure of the feeling that the book is meant to convey:

https://www.torforgeblog.com/2023/11/14/cory-doctorow-the-swerve/

This is a climate emergency novel full of rising seas, terrible storms, wildfires and zoonotic plagues, and yet – it is a hopeful novel. What makes it hopeful? It depicts a future in which we are treating these phenomena with the gravitas and urgency they warrant, with our whole society’s focus shifting to moving coastal cities inland, weatherizing and solarizing our housing, and creating permanent housing for internal refugees.

While it would be infinitely preferable to live in a world where none of that is necessary, that’s not the world we have. This is an sf novel, not a fantasy novel, so all the climate harms we’ve locked in through decades of expensively procured inaction are present. But the difference between disaster and catastrophe is how and whether we address those harms. Sure, this is a world where superstorms wipe away whole cities and Miami is a drowned mangrove swamp, but it’s also a world in which oil executives do not chair UN climate summits or complain that oil companies are being “unjustly vilified”:

https://www.cnbc.com/2023/11/27/opec-says-oil-industry-unjustly-vilified-ahead-of-climate-talks-.html

I write a lot, and it’s not just this newsletter. Writing transports me from my anxieties and aches. That’s how I came to write nine books during lockdown (“when life gives you SARS, make sarsaparilla”). Lost Cause was one of three books I published in 2023.

I’m going to greet 2024 with another novel, The Bezzle, a sequel to 2023’s Red Team Blues, about the hard-charging, high-tech forensic accountant Marty Hench:

https://us.macmillan.com/books/9781250865878/thebezzle

The Bezzle is a story about the shitty technology adoption curve – the way that the worst technologies we have are first rolled out on the people least able to complain about them. After these bad technologies have their sharp edges sanded down on the bodies of prisoners, refugees and kids, they move up to blue collar workers and discount store shoppers, and so on, until we’re all living under their thumb.

In The Bezzle, a dear friend of Marty finds himself serving a long sentence in a privatized California prison that flips from one private equity fund to the next, each with even worse, more extractive ways to use technology to bleed prisoners and their families dry. You can read the opening scenes in a just-published excerpt on Tor Books’s site:

https://www.torforgeblog.com/2023/11/20/excerpt-reveal-the-bezzle-by-cory-doctorow/

The period immediately before a book’s publication is always a tense one, as the first reviews trickle in. Library Journal’s Marlene Harris is the first out of the gate, with a spectacular review:

https://www.libraryjournal.com/review/the-bezzle-1802415

Marty’s reminiscences range from obscure financial machinations to heaping helpings of social commentary but always move the underlying thriller story forward in a backwards heist tale that delivers a righteously satisfying ending to the surprise of both the reader and the villain. This novel, like his previous outing, rides on Marty’s voice. He has a jaundiced view of everything, but he tells it with such style and verve that readers are caught up and ride along on the surface until the shark beneath the water jumps out and bites the villain where it hurts.

Booklist on “Red Team Blues”

I’ve published more than 20 books, and I still get nervous in the few months leading up to a new book’s release. It’s one thing for my agent, my editor and my wife to like one of my novels - but what about the rest of the world? Will the book soar, or bomb? I’ve had books do both, and the latter is No Fun. Scarifying, even.

My next novel is Red Team Blues, which Tor Books and Head of Zeus will publish on April 25. It is a significant departure for me in many ways: it’s a heist novel about cryptocurrency, grifters and crime bosses, the first book in a trilogy that runs in reverse chronological order (!):

https://us.macmillan.com/books/9781250865847/red-team-blues

The hero of RTB is Marty Hench, a forensic accountant and digital pioneer. Marty got his start when he discovered spreadsheets as an MIT undergrad. He got so deep into the world of Visicalc and Lotus 1-2-3 that he dropped out of university, moved to Silicon Valley, and pitted his ability to find money with spreadsheets against people who use spreadsheets to hide money.

RTB opens with Marty on the verge of retirement, when he is roped in for one last job - a favor to a friend who has built a new cryptocurrency that is in danger of imploding thanks to some stolen keys. If Marty can recover the keys, his customary 25% commission will come out to more than a quarter of a billion dollars. How could he say no?

I wrote this book in a white-hot fury of the sort that I underwent in 2006, when I wrote Little Brother in eight weeks flat. Red Team Blues took six weeks. It’s good. I sent it to Patrick Nielsen Hayden, my editor. The next day, I got this email:

That.

Was.

A! Fucking! Ride!

Whoa!

That night, I rolled over in bed to find my wife wide awake at 2AM, staring at her phone. “What are you doing?” I asked. “Finishing your book,” she said. “I had to find out how it ended.”

I loved writing this book, and after I finished it, I found that Marty Hench was still living in my mind. How could I keep writing about him, though? Red Team Blues is his final adventure. Then, one day, it hit me: now that I knew how Marty’s career ended, I could write about how it started.

I could write prequels - as many as I chose - retelling the storied career of Martin Hench, the scambusting forensic accountant of Silicon Valley. I pitched my editor on two prequels - one a midcareer adventure, the other his origin story - and my editor bought ‘em. For the first time in decades, in dozens of books, I’m writing a trilogy.

It’s nearly done. I finished the second book, “The Bezzle” - about private prisons and financial corruption - late last year. I’m 80%+ through the final one, “Picks and Shovels,” AKA Marty’s origin story, a caper involving an early eighties PC-selling pyramid scheme run by a Mormon bishop, a Catholic priest and an orthodox rabbi, who run their affinity scam through a company called “Three Wise Men Computers.”

But for all that I love these books, love writing these books, I am still nervous. Butterflies-in-stomach. I got some reassurance in December, when the New Yorker’s Chris Byrd said some extraordinarily kind things about RTB when he profiled me:

https://www.newyorker.com/culture/the-new-yorker-interview/cory-doctorow-wants-you-to-know-what-computers-can-and-cant-do

Despite that, though, I continued to have vicious pangs of self-doubt, imposter syndrome, superstitious dread, haunting memories of the mentors and writers I admired as a young man whose careers were snatched away by changing industry trends, market shifts, or just a bad beat. I love this book. Would other people? I’m not a crime writer. Ugh.

Then, this week, my publicist Laura Etzkorn at Tor sent me the first trade review for RTB, Booklist’s starred notice, by David Pitt:

Well, talk about timely. In the wake of the late-2022 collapse of cryptocurrency comes this novel about a forensic accountant who’s hired to work a case involving electronic theft of cryptocurrency. The guy’s name is Martin Hench; he’s in his late sixties, with decades of experience, and he thinks he’s seen it all. Until now. Doctorow, author of such novels as The Rapture of the Nerds (2012), Homeland (2013), and Pirate Cinema (2012), is a leading force in cyberpunk fiction, and here he mixes cyberpunk with traditional private eye motifs (if Martin Hench feels a bit like Philip Marlowe or even Jim Rockford, that’s probably not a coincidence).

Doctorow’s novels are always feasts for the imagination and the intellect, and this one is no exception: it’s jam-packed with cutting-edge ideas about cybersecurity and crypto, and its near-future world is lovingly detailed and completely believable. Another winner from an sf wizard who has always proved himself adept at blending genres for both adults and teens.

To quote a certain editor of my acquaintance:

That.

Was.

A! Fucking! Ride!

Whoa!

Maybe this writing thing is gonna work out after all.



ETA: Well, this is pretty great. Shortly after I hit publish on this, Library Journal published its review of Red Team Blues, by Andrea Dyba:

Cyber detective, forensic accountant—whatever his title, 67-year-old Marty Hench is one of those rare people who tries to prevent financial crimes. He’s spent his whole career as a member of the Red Team, as an attacker, one who always has the advantage. Now ready for retirement, he’s living it up in California and trying to decide what he wants to do when he grows up when he’s hired by an old friend. Danny Lazer, the founder of the new crypto titan Trustlesscoin, needs Marty to recover stolen cryptographic keys and prevent the type of financial crisis that people lose their lives over. Marty delves into the shady underside of the private equity world, where he’s caught between warring international crime syndicates. The sincere and intelligent writing has a noir feel to it, enhanced by Marty’s dry humor. There’s a sense of satisfaction as this unassuming retired man dishes out comeuppance.

VERDICT: This absorbing and ruthless cyberpunk thriller from Doctorow (Attack Surface) tackles modern concerns involving cryptocurrency, security, and the daunting omnipotence of technology. Great for fans of Charles Stross.

https://www.libraryjournal.com/review/red-team-blues-1794647


[Image ID: Will Staehle’s cover for the Tor Books edition of ‘Red Team Blues.’]

How To Bad Python

What is phishing sign, community center, Burbank, California, USA by Cory Doctorow


Sensitive Data sign, Freegeek, Portland, Oregon, USA on Flickr.