The Cybersecurity Canon: The Girl With the Dragon Tattoo

Mar 26, 2014

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

I presented on this topic at RSA Conference 2014 and will also be discussing it at Ignite 2014. I love a good argument, so feel free to let me know what you think.

The Girl with the Dragon Tattoo (2005) by Stieg Larsson

When I read The Girl with the Dragon Tattoo for the first time a few years ago, I got the idea that there must be a lot of books published involving hackers and how they hack. I started to seek them out to see if any of them were any good.

What I discovered was that you could categorize these hacker books into two broad categories. In one category, the author does not really understand hacking at all and does not even attempt to describe how anything is done. I call this the “Harry Potter School of Hacking”: the hackers do a lot of hand-waving and say a lot of magic words like “Sending spike now!” or “Breaking encryption, this will just take a couple of seconds,” but you never really see how they accomplish those tasks. A good example of this kind of hacker storytelling is The Zenith Angle by Bruce Sterling. I loved the story, but Harry Potter might as well have been the main character because the hacking accomplished is magically done.

In the other category, the author has spent some time trying to understand hacking culture and to describe exactly how the hacker did what he or she did. A good example of this kind of storytelling is The Blue Nowhere by Jeffery Deaver, which I reviewed for a previous Cybersecurity Canon post. Deaver gets the technical details right by describing real-world and fictional tools that the two main hackers use against each other. The Girl with the Dragon Tattoo also falls into this latter category. Not only is it a fantastic story, but Larsson also gets the technical details right.

You probably have seen the popular movie versions, but this is one case where you definitely need to check out the book.

The Story

The Girl with the Dragon Tattoo is a ripping-good detective story set in the vicinity of Stockholm, Sweden, during a time when the only way to connect to the Internet from your home was with inexpensive modem lines or expensive ADSL lines.

The story revolves around a disgraced journalist, Mikael Blomkvist, who agrees to take a research case from a very old family patriarch, Henrik Vanger. The case involves the disappearance of Vanger’s favorite niece, Harriet, some forty years prior.

At a family gathering on their private island, Harriet disappeared without a trace. The local law enforcement officials suspected a runaway, then suicide, then murder, but were unable to find any meaningful clues one way or the other. Vanger suspects murder and is convinced that someone in his own family was behind the crime, but because the members of his extended family all vehemently hate each other and have a long list of fetishes and prejudices, any one of them could have had the motive to do it.

For the seven years before Harriet disappeared, she gave Vanger a framed exotic flower to hang on his wall for his birthday. For the next thirty-seven years after Harriet’s disappearance, he anonymously received another framed exotic flower in the mail on his birthday. Each flower is a reminder that Harriet is gone, that Vanger has no clue what happened, and that the person sending the flower may be the killer, taunting him. Before he dies, which could be very soon, Vanger wants resolution and hires Blomkvist to solve the case.

With the mystery laid out, Larsson walks the reader through what he really wants to talk about: a culture of violence against women. The working title of the book before he published it translates as Men Who Hate Women, so you know what Larsson had in mind. Lisbeth Salander is the tattooed girl referred to by the book’s title. She is an orphan, a ward of the state, a hacker with a photographic memory who works for a private investigation firm, and a young woman who refuses to be a victim.

Lisbeth is an amazing character -- a real woman with strengths and flaws but who can be held up as someone to admire for her intelligence and determination. Blomkvist hires her to help him with the Vanger mystery, and although the story is told from Blomkvist’s perspective, you come to realize that the story is really about Salander.

The Tech

The story is so engulfing that when I read it for the first time, I got through about 75 percent of it and realized that I had not seen a lot of hacking by the Tattoo Girl. All that Larsson did describe was a lot of innuendo. Phrases like “the Tattoo Girl hacked my password and looked at my hard drive” pepper the narrative, but Larsson would never explain how Salander hacked things.

I was ready to chalk the entire book up as a good read, but put it squarely in the Harry Potter School of Hacking stories, when I arrived at the second climax of the story. There are two parallel plots running through the book, and the final climax is where the hacking comes in. Larsson describes in fairly good detail how Salander was able to defeat an e-mail encryption scheme central to one of the story’s main resolutions, install a piece of stealthy malcode over time, remotely control a bad guy’s Dell laptop with her Apple MacBook (I think there is a political statement in there somewhere), and reroute his money stored in numerous bank accounts around the world to equally numerous anonymous accounts that she had sole control over. The hacking description is very realistic.


If you like mysteries and if you like stories about hackers, you have to read this book. Be warned: there are a number of scenes that Larsson describes in gory detail regarding the sexual abuse of women. But it’s because of the hacking explanations that I think The Girl with the Dragon Tattoo is Canon-worthy – the techniques described and outcomes created are realistic.

Start with the book, but I’d also recommend you watch both movie versions of the book: the original 2009 Swedish version with Noomi Rapace as Salander and the American 2011 remake with Rooney Mara as Salander. Both actresses provide a compelling and completely different take on Salander, and each is fascinating to watch.
