Così mi hanno detto che finirà il mondo

by Nicole Perlroth, Valentina Muccichini (Translator)

Questa è una storia che inizia da due semplici numeri e che potrebbe concludersi con la prossima guerra mondiale. È il racconto di come ogni giorno l’equilibrio politico di interi stati sia deciso da una sequenza di zero e uno combinati in un codice. Di come dietro gli stessi dispositivi che usiamo per lavorare o connetterci in rete si combattano battaglie in grado di mettere fuori uso agenzie governative, ferrovie, bancomat e persino distributori di benzina. Di come, mentre scorriamo tranquillamente la nostra homepage, eserciti di hacker mercenari stiano creando virus informatici capaci di causare danni paragonabili all’11 settembre. E questo nel silenzio più assoluto.

Nicole Perlroth ha passato sette anni in giro per il mondo a investigare gli abissi del mercato delle armi digitali: è volata in Ucraina mentre i programmatori russi lanciavano violenti attacchi via web per destabilizzare la situazione politica interna; ha esaminato gli hard disk con i dati trafugati da Edward Snowden alla National Security Agency, in un ripostiglio senza finestre né apparecchi elettronici per proteggersi dai laser che avrebbero potuto intercettare le sue conversazioni; ha incontrato i cacciatori di bug che inseguono le ricche ricompense pagate da Google per scoprire le proprie falle interne prima di eventuali nemici esterni; ha viaggiato tra il Messico e gli Emirati Arabi, l’Argentina e Israele, intervistando funzionari governativi e dissidenti politici, esperti di sicurezza informatica e cybercriminali, per comprendere in che modo e fino a che punto gli armamenti cibernetici in circolazione oggi disegneranno gli scenari geopolitici di domani.

Così mi hanno detto che finirà il mondo è un’appassionante narrazione in presa diretta degli invisibili combattimenti in atto attorno a noi per il controllo della nostra vita digitale, dei nostri consumi e perfino delle nostre istituzioni. Un’opera che ci svela come anche una guerra senza morti possa essere devastante, se combattuta dentro il buio senza fondo di uno schermo nero.

Un racconto in prima persona della guerra invisibile combattuta ogni giorno da hacker, servizi segreti e mercenari digitali. Un’appassionante inchiesta lunga sette anni sulle forze silenziose che dominano il nostro presente e plasmeranno il nostro futuro.

Genres: Nonfiction, Technology, Politics, Science, History, Business, Audiobook

640 pages, Paperback

First published February 9, 2021

Reviews

[Maureen · Rating 4 out of 5]

New York Times cyber security reporter, Nicole Perlroth, gives us a frightening look at the new kind of global warfare - hacking. Hackers have actually been around for more than a century. In the 1870’s, a group of teenagers were caught tampering with their country’s telephone system. However, things have moved on considerably since then, and it makes for a terrifying read.

At the heart of this tale is a scary software bug known as Zero Day. This little demon enables hackers to break in to computer networks around the world. It’s invisible until discovered, and amongst other things, it can tap into any iPhone, and is capable of shutting down the power of a whole nation, as the Ukraine discovered to its cost.

Some years ago, two security researchers, actually discovered one Zero-day exploit in the Jeep Cherokee, which allowed them to seize control of the steering wheel, disable the brakes, screw with the headlights, indicators, wipers, and radio, and even cut the engine from a remote computer thousands of miles away! And that’s just one example of its capabilities.

An extensive and illuminating look into the darkest corners of the internet, where the click of a button can utterly decimate both countries, and people alike. I’ll never look at technology in the same way ever again.

* Thank you to Netgalley and Bloomsbury Publishing plc for an ARC in exchange for an honest unbiased review *

[Trevor · Rating 5 out of 5]

The short version of this is that when people build software they mostly think about functionality – you know, if someone is making a word processer they are likely to spend time working out how to get the words to appear on the screen than to think about how some nasty arse-wipe might plant some malicious code into the software to steal your credit card details. The problem is that hiding malicious code seems to be much easier than you might expect. Even kids, it seems, can even do it.

The problem is that we don’t just use software for typing rather dull book reviews for Goodreads. As a society, and over the last couple of decades in particular, we have become increasingly reliant on the net for just about all aspects of our lives. And not just for computer-based stuff, but also for ‘the internet of things’ – some of us even attaching our fridges to the web. In fact, we are becoming reliant in ways we are likely to not even notice. This state of being unaware of how technology works in our lives has been true of society for most of our history, of course. Things happen in technology, but most of us don’t have a clue how they happen (you know, try explaining how television works to your five year old, for instance. I mean literally, even just how they keep the image and sound in sync). For most of our history, most of science has always been strictly on a ‘need to know’ basis – and very few of us have ever really needed to know. With the internet, that law of human existence is now true on steroids. After the apocalypse, and if this book is anything to go by, we won’t have long to wait to find out, it will be best to not come asking me the difference between 3G and 5G, since I’ll have my hands full trying to work out how to get a plough attached to the back of a horse, or perhaps how to chip a stone axe without losing any fingers.

This book offers a glimmer of hope in what, if you had been paying any attention at all, is a totally hopeless situation. It goes a bit like this. A long time ago, the US had near total dominance when it came to finding ways to hack software so that it could spy on its enemies – and friends too, obviously enough, for as Kissinger liked to say, the US doesn’t have friends, it only has interests. Anyway, the US was not only able to spy on just about anybody and just about at will, it also had developed lots and lots of ways to take over software to use it as a weapon of war against those it didn’t like – this book documents one such attack on Iran. But the US has lots of enemies. The list is pretty long, you know. The US could turn off the lights, open the dam gates, make petroleum fractionating towers go boom, all those fun sorts of things. But this ability was much more fun while no one else could do it back, because there is nothing the empire likes more than having a weapon of mass destruction all to its very own. You know, its very own death star. What could possibly go wrong?

Well, what went wrong was that lots of little nations – think Russia – also had lots of people who were also good a mathematics and computer programming. And they liked to hack computer systems almost as much as people in the US did. And like the pale young men in the US who liked to hack computer systems, the ones in Russia and Iran and China and Israel and god knows where else, were also on the payroll of their own local spy networks too. Well, except this is capitalism, and so not actually on the payroll as such, they were paid piecemeal and after a kind of blind auction and to the highest bidder – true capitalism, paid in cash and with no idea of the actual going rate.

This created a market in what are called in this book Zero Days. Of course, these aren’t really ‘days’ as such. They are faults in computer software that if you manipulate them, you can cause lots and lots of excrement to hit a near infinite number of fans all in a remarkably short time. How much excrement? More than a thousand elephants could ever swim in throughout an entire summer. How short a time? Well, that’s where the ‘zero’ in ‘zero days’ comes in. Some faults in computer software don’t really need to be fixed all that quickly – you know, that’s why Microsoft ships its software with ‘known bugs’ – ‘to market, to market, to buy a fat pig’, etc.. Some bugs need to be fixed relatively quickly – maybe in a week or even in a couple of days after they have been found – but other bugs are called zero days because that is how long they should be left alive in a system before they are fixed. Zero days.

There are also ways of putting bugs into software code. Little Trojan Horses that might tick away for years before doing their nasty things. In this book some spies were split into two teams. In team one the programmers decided they would plug malicious code into a piece of software, then team two got to see if they could find it. Team two didn’t do particularly well. The problem is that there is so much code now, and so many places to hide nasty stuff within it.

This book also mentions Pegasus – the Israeli code that has helped to kill any number of journalists, freedom fighters and people seeking democracy. I have to say, when I first read about this I had to laugh – the Israeli government said it made sure that the company selling Pegasus did not do so to any bad countries – and then it provided the list of clients… Saudi Arabia, Mexico, Turkey… Really, you couldn’t make this stuff up. Who needs satire?

Like I said, this book says that we can and should do something about this, because, well, you can use nasty software to target hospitals, or nuclear power stations, or just about anything – maybe even your toaster and your fridge. Cars are increasingly software dependant, as are planes, as are so many other forms of key infrastructure, as are pace makers. The more dependant we are on software, the more attractive it is to flick the switch and cause lots and lots of trouble. And not just the sort of trouble Russians make in electing Trump – there are more than enough home-grown crazies in the US for me to have no hope at all that anything will ever be able to be done. You know, I expect there will be a solution to the gun issue in the US before I expect a solution to this software problem. Like I said, no hope at all.

If there is any hope it is that this book has massively overstating the problem – in much the same way that our only hope with climate change is that the scientists are wrong, and with the COVID virus that the immunologists are wrong. Because if any of these scientists are right, and our survival requires some sort of concerted and ongoing effort to save humanity, well, we are all doomed. We are simply not up to that kind of common effort. There is too much money to be made killing us all.

So, yeah, go ahead, have another piece of chocolate cake, you might as well, you’re worth it.

[Max · Rating 5 out of 5]

As we become completely dependent on automated computer systems and the internet for the economy to function and to go about our daily lives, the issue of security to keep these systems operating becomes paramount. How serious is the threat? How much should we worry about it? Perlroth gives us the perspective we need to answer those questions. She gives us some history of hacking and the search for “zero days”, the name for unknown or secret vulnerabilities in computer systems that can be exploited for penetration by malware to collect information secretly, take control of a system or destroy a system and the machines it controls. She begins going back to the eighties to the predigital world when IBM typewriters were used in the U.S. Moscow embassy. The Russians secretly inserted magnetic coils in the typewriters that transmitted signals identifying the keystrokes used. The Russians had a treasure-trove.

In the nineties with the internet and Windows taking off, common hardware and software developed with little thought to security was deployed around the world. Hackers found zero days easily. Soon brokers began paying for them as government agencies saw the opportunity to expand their data collection efforts. The market for zero days expanded quickly to criminals and governments interested more in using them for exploitation than the defense of their own systems. After 9-11 the U.S. doubled and tripled its efforts. Perlroth focuses on the NSA which before long had a staff of many thousands devoted to finding zero days, developing software to exploit them and implant the exploits in computers, smartphones and networks everywhere possible. To deploy and manage the tens of thousands of exploits implanted, software was written to automate the task, no human intervention required. Of course, other countries are doing the same, particularly Russia and China, and they may well be ahead of the U.S.

It was the U.S, however, that first crossed the Rubicon, deploying what became known as Stuxnet which didn’t just spy but took control of a system and the equipment it was controlling. Stuxnet was able to manipulate the controllers of Iranian centrifuges in such a way that it destroyed the centrifuges. This changed the whole nature of cyber warfare. Now in addition to data collection, denial of service, erasing data and bringing down computer networks, software could actually target and find specific equipment and destroy it. Utilities and manufacturers use computers extensively to interface with controllers on generators and other industrial machines to direct their activities. Now not only could operations be disrupted by implanted malware, but equipment permanently destroyed. When Stuxnet escaped its Iranian confines and was finally discovered meandering around world wide networks looking for Iranian centrifuges, the world noticed. It was the cyber equivalent of the atom bomb. Every nation had to have a version of it. Such capabilities are now in the arsenals of many nations. There is no telling how many such implants are already placed around the world waiting only for the order to activate.

The NSA also bought zero days on the open market and many companies formed to develop and/or broker them. It could be cheaper to purchase them than find your own especially if you needed something special in a hurry. One source of employees for these companies were the NSA and other agencies. Why should the best hackers work for civil service pay when they could make many times that amount on the open market. As the 21st century unfolded; the market grew exponentially. Every country wanted zero days, some to use on foreign adversaries and many to use on law enforcement or internal dissidents or political opponents. Many times, profit was the motive: Steal industrial secrets or just find out what the competition was up to. And personal computers were no longer the biggest target. You could find out everything you wanted to know about someone on their phone. iPhones and Android phones were penetrated time and again by many entities. The most frightening is the zero click exploit found on the iPhone which infects your phone without you clicking on a link or file or doing anything and you’ll never know it’s there. While Apple patched the software for the one found, the magnitude of exploits being implemented is such that all phones must always be considered vulnerable and likely infected if they have been targeted. The Saudi hack of Jeff Bezos’ phone is a recent example.

In 2009 Google realized it was under a massive cyberattack from the Chinese government. Google started to take defense seriously, even withdrawing from the Chinese market for a while. Google began paying hackers for zero days to find the vulnerabilities in its software. Microsoft soon followed suit. As more and more companies joined the market, the price of zero days skyrocketed. iPhone and Android phone zero days brought the highest prices. In 2015 $1.0 million was offered to anyone who could produce a zero day exploit to remotely jailbreak an iPhone. By 2020 a zero click exploit for WhatsApp or iMessage went for $1.5 million, remote jailbreaking an iPhone $2.0 million, remote jailbreaking an Android phone $2.5 million. By 2020, Google had upped its offer to $1.5 million for a full remote jailbreak of its Android phone. Google had an advantage since it was patching the vulnerability it could let the hacker take public credit for the discovery, whereas brokers demanded the hacker remain silent. A jailbreak unlocks the phone allowing complete control.

Following the Snowden leaks Apple encrypted its phones in 2014 by creating keys based on the customers password. Apple itself did not have the keys and couldn’t help the government break into its phones. Things came to a head when two gunmen killed fourteen and injured 22 at the San Bernadino Health Department in 2015. The shooters were killed by police, but one of the shooters left behind his iPhone. The FBI took Apple to court to compel Apple to help them break into the phone, but dropped the case after the FBI paid a hacker at least $1.3 million to unlock the phone.

Iran struck back in 2012 taking out the computers and data at ARAMCO, the huge Saudi oil company. Over the next few years Iran followed up getting malware into infrastructure that controlled a US dam, halting operations at major US banks with denial-of-service attacks, and taking down the operations of Sheldon Addison’s Sands casinos. He had suggested bombing Iran. Meanwhile China continued to use its malware for espionage stealing US business, industrial, government and defense department secrets at will. Russia was implanting its malware in the computers and controllers that operate US power stations putting the whole grid including nuclear facilities at risk. Unlike China Russia wasn’t just stealing data, it was putting itself in a position to turn the lights out across America, just what it did to Ukraine in 2015. Using malware dubbed Sandworm Russia didn’t just disrupt Ukraine’s power stations, it took complete control of them. Operators watched helplessly as cursors moved across their computer screens under the malware’s control shutting down everything including at the end battery backups leaving operators and much of the country completely in the dark. The book Sandworm by Andy Greenberg gives all the gritty details.

Getting ready for the 2016 U.S. presidential election, Russia in 2014 began setting up fake accounts using stolen identities to spread misinformation and chaos. In September 2014, Russia set up the Heart of Texas Facebook Group spouting secessionist themes and telling fans Hillary was going to take away your guns. It got 5.5 million likes. Russia also created the United Muslims of America Facebook Group and set up rallies outside of a Houston Islamic Center. At the same time the Russian trolls invited the Heart of Texas Group to counterrally which set up a real confrontation as the groups faced each other across the street, all of it organized and manipulated from Russia.

In June 2016 Russia started releasing information they had hacked from the Democratic National Committee’s computers and John Podesta’s emails. In August Russian trolls using the name Shadow Brokers began releasing some of the arsenal of cyber weapons they had hacked from the NSA. They got the most sophisticated elite zero days the agency had, some that struck leaving hardly a trace. The NSA had been hoarding zero days never knowing if Russia, China or others had discovered and held the same ones. Who would use them first? Actually, the most dangerous time is when the zero days become public. Even though software vendors may offer patches, many if not most people and businesses don’t keep their software up to date. When Shadow Brokers released code for NSA’s crown jewel, Eternal Blue, amazingly Microsoft had put out a patch for it just a month earlier. NSA had given the code to Microsoft knowing that Russia had it now. Cyber security companies pinged computers around the world to find Eternal Blue. 100,000 came up. Two weeks later 400,000 came up. With Shadow Brokers making the code public cyber criminals began using it immediately infecting unpatched computers everywhere.

Eternal Blue was used by the North Koreans in their sloppily executed ransomware attack known as WannaCry in 2017 that shut down businesses around the globe. However, paying ransom didn’t work. North Korea couldn’t decrypt the files it encrypted. Fortunately, a lone UK hacker found a way to circumvent WannaCry, for which he was arrested for malware he had written in the past. More precisely and devastatingly Russia used Eternal Blue to paralyze Ukraine, denying access to ATMs, gas station and other payment terminals. Airport, train station, shipping, banking, postal service and media company computers just displayed ransom messages, but this was not a ransomware attack. It was meant to let Ukraine know who was in charge. The Russians too lost control and the malware spread around the world shutting down large companies like Merck, Reckitt Benckiser, Mondelez and the world’s largest shipper, Maersk. The Trump administration would not blame Russia for this cyber-attack, the most destructive in history, known as NotPetya. Trump prevented intelligence and security officials from speaking out. Putin was free to do as he wished. Tom Bossert, Trump’s Homeland Security Adviser, was silenced but later put the damages at $10 billion. Many think that is a gross underestimate.

In September 2015, Obama reached an agreement with Xi Jinping under the threat of heavy sanctions to stop cyber espionage of American businesses and critical infrastructure. Cyber security firms reported an immediate 80% drop in Chinese activity in America. This held until the Trump administration started a trade war with China. Similarly, when Trump withdrew from the Iranian nuclear deal, Iranian hacking of US agencies, telecoms and critical infrastructure reached an all-time high. It had been restrained since the nuclear deal was struck. Trump’s buddy Putin kept Russia hacking election systems and infrastructure. Trump’s sucking up changed nothing. In addition to Russian state hackers, Russia uses its free lancers. Perlroth quotes an expert on Russia “Russia’s cybercriminals are treated as a national asset who provide the regime free access to victims of ransomware and financial crime. And in exchange they get untouchable status. It’s a protection racket and it works both ways.” North Korea became preoccupied making hundreds of millions hacking Bitcoin to cash exchanges. China used its zero days, including many it discovered in its systems that were planted by the NSA, to surveil its own people, dissidents and Uighurs.

In 2019 and 2020 there were over 600 ransomware attacks on American cities and counties, taking down everything from water utilities to election offices. These attackers were also stealing data and selling personal information on the dark web. With Trump falsely blaming China and Iran as the primary source for election interference rather than Russia, Putin and his minions were free to operate. With the Trump administration putting its head in the sand, cybersecurity was left to the Pentagon. The responsibility fell to NSA director, General Nakasone, who took an aggressive stance to Russia planting exploits in Russian and Iranian systems and infrastructure. The NSA let the Russian trolls know they were in their system and could do damage perhaps forestalling attacks on the 2020 election. Essentially the defense of the Cold War, is being reprised in cyber space – Mutual Assured Destruction. Biden said as much to Putin following the ransomware attack on Colonial Pipeline noting American capabilities and telling Putin to back off on such attacks or face cyber retaliation.

Perlroth’s book makes a great compliment to Greenberg’s Sandworm. Sandworm is more narrowly focused on Russia and Ukraine, but detailing the actual experience of an attack and the hunt for the source made for a more compelling read to me. Perlroth offers more background, history and broader scope. I found the style a little chattier than I cared for, but many readers may prefer it and the message is very important. Together the two books convince me that cyber war and cyber terrorism is as big a threat to the future as are nuclear proliferation and climate change.

[Henk · Rating 5 out of 5]

A highly readable and often scary book on the global cyber arms race. A pandora’s box opened with the advent of the internet and the hubris of the US intelligence community that their tools would not be used against themselves
The fact is, everything is vulnerable

Both a easy to read book and a terrifying book, a rare combination! The dependence on the internet and technology leaves everyone vulnerable to power outages, dams being remote controlled, chemical plants security being overridden or voter registration being manipulated.

Nicole Perlroth takes us back to the cyberattacks of 2015 and 2016, with the NotPetya cyberattack costing $10b and disrupting Ukrainian computer systems.
Russia used Ukraine as a start base for experimenting what it does with USA, including election fraud and vaccination disinformation. But the real source of cyber warfare is the USA: It was only a matter of time before our weapons turn on us, starting in the 1990s and the nascent internet.
iDefence pioneering payment to hackers for discovered bugs, initially only $75, but rapidly scaling to 6 or even 7 number figures

Safety concerns are inherent to software, but hacking in the early 2000s led Bill Gates to issue a memorandum, post 9/11, that security is essential and employing 10.000 developers to redesign Microsoft’s products.

Zero day bugs, backdoors to key systems, that haven’t been patched yet, with one bug that for years transmitted everything a certain HP printer printed to anyone who exploited it for instance.
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race offers reports of 16 year old teenagers from Israel earning 6 figures by reporting bugs.

Meanwhile mass duplication of buying zero days by US government agencies leads to a revamp of US policies from Cold War typewriters to the Internet being embedded in intelligence collection.
Still the agencies have a hard time catching up compared to commercial players, with NSA paying half of the starting salaries in Silicon Valley.
Due to this book I completely understand why USB drives are banned at work.

More into 2000s and 2010s we have Chinese mass infiltration into IP of American companies and new entities like Dark Matter, an UAE company that bought IT experts for $500k salaries and NSO group, who launched the Pegasus spy software for a $500.000 flatfee installation fee, and an additional $650.000 for 10 iPhones to hack. Mexico, Finland, Croatia, Saudi-Arabia and many more countries where on the waiting list of the company, which also enabled the capturing of El Chapo in Mexico.

All this is exemplary for the creeping surveillance state, with commercial companies trying to defend themselves with $100.000 sign on bonuses to security staff who helped Google face a cyber attack in 2009. Interesting is that Microsoft being the least hated tech company by hackers even though the bounties are significant: the more incentives offered to hackers the more they where to be tempted to leave defence.

Russian Compramat campaign against the Clinton DNC in critical purple swing states.
Our candidate is chaos - On Russian election intervention in 2020, and: We had become Putins useful idiots
Leaking in 2016 of zero day exploits of the NSA on the web by the Shadow Brokers group and 200.000 machines in over 150 countries infected with Eternal Blue.

Internet and the first email only being 40 years old and energy networks and hospitals already being infiltrated by Russians, the barrier between the digital and physical world is wearing thin and we are in the midst of a global cyber arms race. Trump's elimination of the US cybersecurity coordinator is even more disturbing from this perspective, and the 2024 elections are undoubtedly, fuelled by AI, going to be more wild...

I enjoyed this book and the passion of Perlroth with her over a decade of immersion in cybersecurity is clear. There is a lot to get anxious about, but security by design, security audits on open source code, end users being weakest link, with over 98% of cyberattacks starting with phishing mails, are still assuredly mundane ways we can employ to be more safe.
Haunting, extremely readable and very interesting, definitely go read this non-fiction book that reads like a thriller!

[Trudie · Rating 4 out of 5]

I seem to be slowly morphing into a non-fiction reader in 2021. Books by journalists on topics I know very little about are proving to be my reading happy place so far.

This doorstopper on the Cyberweapons Arms Race by New York Times reporter Nicole Perlroth would, on the face of it, seem an onerous task but it turns out to be quite the page-turner. The goal of this book is to alert the layperson to the seeming inevitability of the world ending in a nation-state hacking debacle. One in which nefarious agents turn the power off, open the floodgates on a dam or meddle in an election (all of which have been done to varying degrees of success ).

Perlroth guides the reader through the development of Infosec ( Information Security ) while giving us some humourous insights into life as a female reporter on the cyber beat.

To any woman who has ever complained about the ratio of females to males in tech, I say: try going to a hacking conference. ...Most hackers I met were men who showed very little interest in anything beyond code. And jiujitsu. Hackers love jiujitsu.

as many many men on Twitter regularly point out to me, nobody in cybersecurity actually uses "cyber" anymore.

Perlroth's tenacity to draw back the curtain even a little way on this secretive and highly technical field is admirable even when you get the feeling it takes years to get hold of the full story.

Nevertheless, this book has plenty of juicy tales, the STUXNET story, if you don't already know it, opens your eyes as to what cyber-warfare can actually achieve. It also opens Pandora's box of thorny questions about what can be done in the name of "defence" and who will be to blame when these technologies rebound back on "the good guys". It causes you to reframe your idea of where battlefields exist now. It gradually becomes apparent that an almighty battle is occurring daily in cyberspace, defences are breached, attack surfaces prodded and bugs planted in systems that can be detonated at some future time. It is somewhat amazing to me in hindsight that this is barely registering on the cultural Zeitgeist, shouldn't I be knitting socks or something?

This is repetitive in places, occasionally suffers from the acronym overload and unexplained cyber slang - I was puzzled by pen-testing for much longer than I should have been. I fear some readers will not stay the distance, which is unfortunate.

I am left feeling it was insanity we all thought this internet lark was a good idea. I also now take it as a given my every keystroke is logged and a character straight out of Mr Robot is reading this as he slurps Red Bull ( hello there, see you at Jiujitsu practice! ).

[David Wineberg · Rating 5 out of 5]

We’ve all heard about the theft of passwords, personal data and the takeover of systems. How ransomware is crippling the budgets of towns across the country. How hospitals and utilities are caught up in it. But Nicole Perlroth, a New York Times reporter whose beat is cybersecurity, shows how they are all tied together. In her remarkable book that reads like a secret agent thriller, she proves It all boils down to a handful of shady players. And most of them are countries, not criminal masterminds.

In This Is How They Tell Me The World Ends, Perlroth demonstrates with great flair and endless drama that it is Russia, China, Iran and North Korea that are behind almost all the mayhem. And they got all the tools from the United States, which created a market for zero-day exploits, and promptly lost control to the rest of the world. Everyone is using “secret” American tools to invade American systems.

The book traces the birth and development of a strange, disorganized, inefficient and largely unknown market. It trades in software defects that allow anyone to break into a website or a computer system or individual computer, never be noticed, and take control of it from within. This happens in the USA every 39 seconds, she says.

And it is not limited to computers. It works in cellphones, industrial equipment, newer cars, and all the gadgets that make up the Internet of Things, from thermostats to baby cameras, smart doorbells to refrigerators. Even printers can be hacked. Governments can sit and watch documents being printed in a piece of equipment most administrators never worry about.

Hackers can take control of cars from anywhere in the world, wipe hard drives clean, steal address books and passwords, lock up the whole system, change the password to shut out the owner, shut off the electricity while changing all passwords so engineers can’t get back in… it is endless fun in our rush to digitize absolutely everything. Without adequate security.

When the power goes out, the economy stops. ATMs don’t work, bank accounts can’t be checked, credit and debit cards don’t work in stores. Neither will gas pumps, electric rechargers, medical histories, traffic lights, elevators or refrigerators. And if the hackers choose to cripple the power generating facilities and not just turn them off, it could take as long as two years for them to come back online, because electrical substations and generators are all custom designed and built. There is no way to replace them quickly. We are that close to total disaster, all day long.
This is not just theory. Russia does this to Ukraine, at will. It is a reminder of who is running their world, as well as a real world training ground for the hackers back in Moscow. The USA has seen fit to at least threaten this sort of action too, if only to try to stop others from using it on America. It’s another instance of mutually assured destruction, like we needed another one. This one is child’s play and costs essentially nothing. And anyone can participate. It is frightening to Perlroth, and she works hard to make readers feel it too. She succeeds only too well.

The hottest area of hacking is zero-day. Zero-day defects are holes that hackers discover by trying to break into systems. Once they succeed, they need to pretty up the package for sales, making the exploit easy to use, reliable, repeatedly usable, and which keeps the intruder invisible to the IT departments overseeing the target systems. Buyers want exclusivity so no one else can get in, and certainly not the company that made the software or the IT system, as that would spoil the fun when they patched it.

It all began before there was an internet, at the American Embassy in Moscow. The Russians managed to plant small, anonymous-looking bars inside the IBM Selectric typewriters the Americans were so proud of. The bars were transmitters, sending every keystroke made right to Russian intelligence. It meant the Russians didn’t have to bother over sophisticated American encryption, because they saw all the information before it was encrypted. This went on for years until some Selectrics were sent back to the US for inspection.

It was a wakeup call for American intelligence, which correctly saw itself as way behind. Its overreaction was to create numerous spy agencies dedicated to both defense - making sure this never happened again - and offense – doing it to others.

By 1967, there were already official warnings that “computers in an open environment could offer no safety whatsoever.” But the government never acted to change that by regulating computers. Instead, everything became a race to be first, and security be damned. It didn’t matter how buggy the software was; the main thing was to get it out there. The result is a global colander of unreliability. The US government did not insist on quality; anything a company wanted to sell was okay with Washington.

In the early days before mass hacking, it seemed unnecessary to worry about the bugs. Market share was all that mattered, and speed was of the essence (Move fast and break things, Facebook said).

Nothing changed the surveillance game more than Apple’s unveiling of the first iPhone in 2007. “[NSA –ie. government] hackers developed ways to track an iPhone user’s “every keystroke, text message, email, purchase, contact, calendar, appointment, location and search, and even capture live audio and video of her life by hijacking her phone camera or hot-miking her microphone,” Perlroth says.

It is only in the past few years that the biggest companies in the world have woken up to how insecure their products are. For example, Apple famously got out of the password business, leaving it entirely and securely in the hands of the customer. When a terrorist shot up a bar in San Bernardino, Apple refused to help the FBI break into his phone. The Bureau took Apple to court to force it to help. But then the FBI suddenly withdrew its suit, because a hacker supplied it with a zero-day exploit to get around the iOS password system. And the FBI refused to share it with Apple. It liked having exclusive access (The FBI has fewer of these tools than most other agencies, so snagging the Apple exploit was a coup it would not give up for the mere good of all).

The various security agencies (as I recall there are 17 of them, maybe more by now) compete rather than co-operate. They are in a race to stockpile zero-day exploits, hire hackers, and stay ahead of the other agencies. It’s an absurd system that is causing hacker salaries and payments for exploits to skyrocket – all at the expense of the taxpayer.

Sadly, everyone else has plunged in as well. So-called allies like Saudi Arabia and the Emirates are among the most active government hackers invading US systems.
-The Chinese have stolen billions in intellectual property, manufacturing processes, design and patents, by hacking into untold numbers of systems across the country. They tapped Google’s undersea cables to steal tens of millions of passwords, address books, and documents.
-Russia prefers meddling in elections, giving Americans real insecurity about what is true anymore. They are enjoying the wild west of social media and fake news. This has had the (desired) result of making people forego voting altogether.
-The North Koreans are in it for the cash thanks to American embargoes of everything it does. The massive ransomware campaigns that cripple institutions have cost the US economy billions, with most of the cash goes into bitcoin for North Korea. It’s American money that keeps North Korea going.

Mike McConnell, former director of national intelligence put it this way: “In looking at any computers of consequence – in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets – we have not examined one yet that has not been infected.”

As usual, there is constant hypocrisy throughout. For all the noise the USA makes about Huawei telephone equipment providing personal data to the Chinese government, “NSA was doing everything it accused Beijing of doing, and then some.” Perlroth says.

The book becomes overwhelming, which accurately represents Perlroth’s feelings about what she has found. Anyone could tip the whole house of cards over with an errant keystroke. Damage and retaliatory strikes could easily wipe society blank overnight. Perlroth has made sense of it all, dividing the exploits among the players, showing their persistence in damaging the USA, thanks to the USA’s own tools.

It was Edward Snowden who revealed the extent of US aggression. It even hacked Chancellor Angela Merkel’s phone. With friends like the USA, morality has lost all meaning. Soon, hackers were forming companies to sell their services to government agencies. Some dumped exploits publicly, showing the power they had accumulated, and so providing secret tools of the NSA and others to the entire world for free. They have since been used extensively – against the USA.

What is probably most valuable in the book is Perlroth’s assembling of the steps that got the world here. When hackers started finding bugs, they would report them to the company. But rather than gratitude, companies threatened to sue the hackers, for things like copyright infringement. It took a long time for them to realize the hackers were actually doing them a favor. Middlemen began to appear, offering to buy zero-day exploits for a pittance. But in those days, any payment at all was an improvement. As time went on, government began to outbid the middlemen, raising prices substantially. Then at long last, the makers themselves got in on the action, paying even more. They had to, because the government agencies hoarded the exploits for themselves. The last thing government wanted was for the companies to patch the holes. The American government had its own plans for the weaknesses people brought in. And none of it was beneficial to Americans. All along, the companies and their customers lost billions of dollars to invaders and ransomware exploits.

Here’s how it took shape:
-discovering how sophisticated the Russians were in bugging the US embassy.
-taking hackers onboard and purchasing zero-day exploits from them.
-developing offensive weapons like Olympic Games’ Stuxnet to destroy Iranian nuclear production equipment.
-watching as Stuxnet escaped and infected equipment all over the world.
-bored civil service hackers into quitting government and starting their own consultancies, replicating their work for governments and business all over the world, spreading their knowledge over scores of countries.
-working for foreign clients, American hackers broke into First Lady Michelle Obama’s computer, received copies of all her correspondence as it was sent, opening a new era of zero morality and anything for a buck.

Possibly the most famous incident was Stuxnet, a worm created in the USA to pacify the Israelis, who wanted to bomb the uranium enrichment plant Iran had built 30 feet underground. The worm worked beautifully. It caused vast numbers of centrifuges to spin out of control and break down. Because the machines were not very reliable anyway, it took the Iranians a while to realize there was something more wrong than usual. And then it backfired. The worm escaped, infecting every machine it could find, doing all kinds of damage all over the world. America had unleashed the first cyber plague, all by itself.

There are truly idiotic passages in the book, in which hackers, middlemen, agencies and manufacturers decide who should see the exploits, who should be allowed to buy them and who should hire themselves out to redeploy them for the new buyers. Their bizarre rationales and attempts to be moral are laughable. Who is trustworthy, who is an ally, whose policies are moral are all ephemera. How is a hacker to judge who would be an acceptable client? What is to prevent that acceptable client from then passing it on to an unacceptable accomplice? And will the client still be acceptable tomorrow? (It reminds me of a Mort Sahl line: “Anyone who consistently holds a foreign policy position in this country must eventually be tried for treason.”)

The bigger players all understand their power: “The most likely way for the world to be destroyed is by accident. That’s where we come in; we’re computer professionals. We cause accidents,” one major player told Perlroth. And back in the USA, the competing agencies are so narrowly focused, they have missed the forest: “We are looking through straws at a much bigger problem,” she quotes John Hultquist, threat analyst and director of intelligence at FireEye.

Perlroth is not having a good time with all this. Her life seems to be a series of chases and investigations every time a break in occurs somewhere. It could be Iranians trying to take over the controls of a dam, the Chinese inside a nuclear power plant, Russians playing with the banking system, or North Koreans extorting money from a hospital. This is her daily grind and it is stressful and depressing. She begs readers several times to download and install the patches companies are forever offering, no matter how often, and how big a pain they are. It is necessary and it is critical. Everything is at risk.

On the other hand, she says one of the most sophisticated ways hackers have of invading systems is by piggybacking on automatic updates and installing their malware as part of the update download.

One important takeaway for Perlroth is that online voting should be banned right now before it takes hold anywhere. It would be the fattest target for thousands of hackers worldwide, and nothing can be done to make it secure at this time. Vendors claiming their systems are totally secure clearly can’t be trusted.

The USA is entirely at fault. Perlroth says it “spawned and sponsored” the hacker market for decades. It never devised a national policy on cybersecurity. There are no laws or regulations to follow. Donald Trump closed down the only vestige – the Office of Cybersecurity Co-ordination – in 2018. America does not require companies to certify the security of their wares. It does not regulate the sale of discovered flaws. No one speaks for the United States in the field of cybersecurity. It is anarchy – everyone going in their own direction. The market is a joke, with prices for exploits going from two digits to seven. Everyone is waiting to take advantage of young hackers, too.

Perlroth says other countries, even more digitized than the USA, suffer far fewer attacks because they regulate and require testing. Norway, Denmark, Sweden, Finland and Japan are the best at it. The USA is everyone’s favorite target, because it’s so easy, and the pickings so rich.

(See the entire review at https://medium.com/the-straight-dope/... )

[Emily Carlin · Rating 2 out of 5]

I Read 411 Pages About Cyberweapons and Still Don't Get What is "Hacking" (like, really, really on a general but technical level. May go look for youtube videos of hacking occurring).

After reading a lot of great non-fiction recently, this book was a bit like getting a cold bucket of water dumped on my head. This feeling started to build when the book opened with an account of her going on a long trip to Africa (sadly, this is a college-essay-vibe motif continues throughout....near the end, in a moment of morose cyberweapon reflection, she writes, "I had never missed the elephants more.")

At the beginning of the book she also recounts being tapped by the NYTimes to cover cybersecurity, despite not knowing anything about cybersecurity: "When they told me they were considering me for the cybersecurity beat, I was sure they were joking. Not only did I not know anything about cybersecurity, I had actively gone out of my way to not know anything about cybersecurity. Surely they could find cybersecurity reporters who were more qualified." This was a bit concerning, but I ended up feeling that the content itself is really good (at least from my decidedly non-expert perspective). And there is undoubtedly a ton of work that went into connecting with certain sources, getting people to talk, etc. that ends up feeling kind of invisible in the book. So it isn't necessarily a lack of cybersecurity mastery or lackluster info that was the issue for me.

I think there were two things that made this book not really work for me: the writing and her political perspective. The main one is the structure of the writing (/lack thereof). I guess it's loosely chronological but she constantly jumped between years, scenes, etc. For example, one second she's reflecting on maskless, pro-Trump, stop the steal protesters summer 2020 and then a few lines later she starts talking about how she had always known we were headed for something really bad, cybersecurity-wise, and she cuts to a scene of getting a call about it while driving through the Colorado rockies with her husband in....2017? Not sure if I'm describing this well, but reading this was just this feeling of being tossed from one time period to another, adrift in an endless sea of proper nouns (bugs, exploits, people, places) that I really struggled to track. I could feel the copy and pasting of big chunks of text in a word doc. The writing wasn't bad on a word-by-word level at all, it just felt rushed.

For example, on page 93 she writes, of the iPhone, "...circuitry, encryption chips, flash memory, cameras, logic boards, battery cells, speakers, sensors, and mystery chips--pieced together by faceless, haggard workers on a factory floor somewhere far beyond my reach."

And then a few pages later, "As Gosler spoke, my mind went straight to Apple's haggard, faceless factory workers in China."

Putting aside how dehumanizing "faceless and haggard" is, it felt like she came up with a descriptor she was into and then accidentally used it twice. If she was intentionally trying to do a callback to the original use, why not put the words in the same order? Idk, maybe this is a bad example, but it's one that gave me that feeling of "I am reading a book, written by a fallible human" ... obviously always true, but not something you want to occur to you frequently while reading.

The other thing that didn't sit right with me was her sort of unquestioningly pro-America perspective. I guess this could be because I'm coming off a string of books about the CIA wreaking havoc and really ethically shameful decisions the American government has made but I would have liked a bit more nuance in the us vs them (Russia, China, Iran) kind of mentality. It wasn't like Trumpian mindless patriotism by any means, it just didn't feel very critical.

Anyway....I learned from this book and don't regret having read it, but it is by no means a masterful work of writing (imo).

[Gumble's Yard - Golden Reviewer · Rating 4 out of 5]

2021 Financial Times and McKinsey Business Book of the Year

A lengthy although very readable non-fiction exploration of the topic of the Cyber Weapons Arms Race between the US and other countries (with a particular emphasis on Russia, China, Iran, North Korea and more recently some Gulf States)

The books main focus, within this context, is on the history of zero day attacks (from the back cover) “a software bug that allows a hacker to break into a device undetected” – it is written by the New York Times cybersecurity correspondent since 2013 and is based off copious interviews and investigative journalism with both current and past players in the field (both state and non-state sponsored).

The book reads like it is very much based around newspaper articles turned into much longer profiles (the acknowledgement to what became her Agent and who effectively pitched the book to her with a proposed chapter and article list confirms this) – and the book is effectively grouped into a series of chapters based around some key protagonists from a similar background: starting with a group of capitalists wo realised there was money to be made in acting as a broker between buyers and sellers of exploits; then a number of America intelligence operatives; then a group of stateless mercenaries; then a group of people who concentrated more on defending attacks.

The actual structure is a little more messy than this though as the author also develops themes and ideas as she goes along and timescales can be a little messy – the book has an overall forward chronological momentum – starting with the nascent market for exploits in the early 2000s and coming right up to the 2020 election – but often heading back in time to explore a theme from outset.

Although never less than gripping, the book does feel like some better signposting or more drastic editing would have assisted. I think it may also frustrate those looking for real technical understanding – this is a book which tries to bring a story alive using personalities and protagonists (and some fairly breathless journalism) rather than with copious explanation.

The author defends this approach

There is a reason why I wrote this book for the lay audience, why I chose to focus primarily on people, not machinery, why I hope it will be “user friendly”. And that is because there are no cyber silver bullets: it is going to take people ot hack our way out of this mess. The technical community will argue I have overgeneralized and over simplified, and indeed, some of the issues and solutions are highly technical and best left to them. But I would also argue that many are not techincla at all, that we wach have a role to play, and that the longer we keep everyday people in the dark, the more we relinquish control of the problem to those with the least incentive to actually solve it

The core premise of the book is that the US Security agents have allowed a thriving industry to emerge in the development of new zero-day attacks through a series of missteps: first underpaying any hackers that discovered and reported them (or even at an extreme arresting them) so setting a base for a thriving private market to set up; secondly when they did start paying realistically for attacks by making things worse by not really requesting or if they did enforcing exclusivity – so that greedy or naïve hackers could sell the attacks either directly or more commonly indirectly to hostile states; thirdly by keeping secret the many zero-day attacks they discovered themselves and not notifying software providers or users, so as to save up the attacks for future use against other states; fourthly by not realising that due to the disparate nature of the US infrastructure the US is perhaps more vulnerable to attack than anywhere.

A key point here is that due to the global nature of technology plaforms – the same attacks that the US could use elsewhere could be used on it.

On the one hand, retaining a zero day vulnerability undercuts our collective cybersecurity. On the other, disclosing a zero-day so vendors can patch it undercuts intelligence agencies’ ability to conduct [their own] digital espionage, the military’s ability to carry out offensive cyberattacks and law enforcements to investigate crimes …………. “In the 1970s and 1980s Russia was using technology we did not. We were using technology that they didn’t. If we found a hole in their systems, we exploited it. Period. But now it’s not so cut and dried. We’ve all migrated to the same technology. You can no longer cut a hole in something without picking a hole in security for everyone.

Some particular key events around which the book hinges include:

The 2017 “Not Petya” attack on Ukraine – this (and some follow up attacks by Russia on Ukraine) bookend the story with a strong sense of the US may be next. The attacks also showed the difficulty of attackers containing Zero Days to their intended target – as the attacks split out wider including to Mondelez (who in turn ended up in a Cyber dispute with Zurich over the warlike/hostile action exclusion in their clients all risks policy.

The Operation Olympic Games/Stuxnet attack on the Iranian Nuclear Facilities – which both showed the world some of the things that US (and possibly Israel) had developed and effectively legitimized state on state cyber infrastructure attacks as well as inviting retaliation.

The WannaCry attacks which used Eternal Blue - a zero day exploit for old Window Systems developed (and not revealed to Microsoft for many years) by the National Security Agency (NSA) and then leaked in a huge dump of the NSA’s arsenal by the ShadowBrokers group.

The book politically betrays a double bias of the author’s employing paper: firstly it is US centric – portrayed very much as the US versus hostile actors – with say Israel or the UK only really seen when they act as US allies, and with very little feel for an increasingly multi-polar world; secondly, and particularly towards the last quarter of the book, the book is extremely anti-Trump and pro-Democrat – although no expert I feel that some of her treatment of the interference in the 2016 and 2020 elections while probably correct in its overall message, lacked any nuance or counterbalance.

Some of the author’s conclusions and recommendations are:

For individuals:

Change passwords from any defaults,
Use different passwords on different sites
Use multi-factor verification (for example text updates)
Always download latest safety patches and software updates.

For the US government:

Put as much effort into defence as attack
Give departments like Homeland Security and equal voice to say the National Security Agency in deciding which zero days to disclose to manufacturers and which to hold back
Change production of code from a “Move fast and Break Things” mentality to a “Move Slow and Fix your garbage” mentality – with security engineers involved in design and code sign off
Involve and reward hackers as part of code design – not after the event
Address the issues of open source code
Discover at a national/governmental which third party systems which are widely used in critical infrastructure and then assess their security and if necessary mandate improvements or ban their use
In hardware use more sandboxing of components as used by iPhones

Although published in 2021, the book ends in 2020 which means that two high profile attacks which seem to me to almost entirely validate many of the author’s theses: SolarWinds and the Microsoft Exchange Server Data Breach, are not included – I think these would have made a very interesting Appendix (and will perhaps be addressed in a future edition).

Overall a fascinating read.

[Matt (Fully supports developing sentient AGI) · Rating 3 out of 5]

Interesting at times, mainly for the overview of the evolution of information security in the modern era. I'm familiar with most of the modern material, but will probably forget I read this book in the very near future.

[Nigel · Rating 4 out of 5]

Briefly - Highly readable - scarily fascinating. Probably 4.5/5

In full
The author was recruited by the New York Times to write about cybersecurity. She knew little about the subject however that was 10 years ago. In that time she has learnt a lot and this book gives some insight into her learning journey. While her knowledge might not have been great, in the early days, the issues she was finding out about were quite primitive too. By the end of this period - 2020 - both the sophistication of attacks and the players involved had changed a lot.

The book opens with a prologue addressing what the book is about in part and about fairly current tensions in eastern Europe with Russian hackers and the impact of that. It then goes back in time to look at the topic of the original leaked documents that came out via Edward Snowdon - reviewing these was an early part of Nicole's work on this general subject. As these documents reveal, security agencies were using zero-day access to gather information. This is a major topic for this book and is well introduced/explained here.

When reading review books I keep notes as I read. With a book like this the notes are extensive. I will simply offer some thoughts on one or two particular aspects of this book that I found particularly interesting. The rest I would recommend you find out about for yourself.

Early on the book Nicole tells the story of iDEFENCE. This was a software security company which early in current century was going bankrupt. A colourful entrepreneur took it on and realised that a change of direction was needed. The Internet was growing and so were flaws in software. Rather than treating hackers as an annoyance they took the view that they should be paid for revealing flaws in major software. The business became very successful. It allows the author to expand on the topic of hacking and the changing approaches of the big players in the software market such as Microsoft.

The book also reaches back in time to look at the early days of interception of information by electronic and quasi electronic means in the period after the 2nd World War. This leads on to an insight into early attempts to put back doors into software code. Gosler, known as the father of cyberwarfare, was able to introduce bugs in code that no one could find and worked for some time for the National Security Agency. I found this background fascinating.

There was a major change in 2009 when Google (and other major companies/institutions) found they were being hacked. The investigations into this were another part of the book I found very interesting. Ultimately it turned out to have been state sponsored rather than something done by isolated individuals. The intention was to steal commercial Intellectual Property. This changed the approach to both offense and defence. The zero-day market is under scrutiny for much of the book and it is definitely a "market". The payments for usable exploits rises astronomically.

The book comes up to date with the 2020 USA presidential election and other recent issues. After that there is a good round up of the situation generally together with the rationale for her book. Finally there is sensible advice for all us readers.

In the end I found this a very readable insight into a dark corner of modern life. The idea of escalating warfare is something we are quite familiar with in this, and recent past, eras. Our experience has generally been of news about visible military style action. However this unseen escalation of threat to all our lives gives some pause for thought to say the least.

The author does seem to have had access to some very useful sources. Few of them are very openly acknowledged but that is simply a facet of this subject. She also faced other difficulties researching this. Some was simply based on gender - the industry is very male dominated. However inherent secrecy and the code of revealing nothing made her work on this very challenging. Equally her research did not make her popular at times.

We all know about viruses, computers and online security don't we... Read this and think again! It lifts the lid on the subject and peers into a murky underworld that has threats for all of us.

Highly readable - scarily fascinating

Note - I received an advance digital copy of this book from the publisher in exchange for a fair review

[Voice_of_Reason · Rating 3 out of 5]

While I found the book a fascinating read, much of it is unbearably repetitive and a good editor could have pared between 100 and 200 pages from this book. Remember that quote, "If I had more time, I would have written a shorter letter."? If Ms Perlroth had had more time, she could have written a shorter book.

After I was done reading it on Kindle, I went to the "About this book" section, saw that the average time to read the book was over twelve hours, and vowed to never again read a book of that length unless the subject matter was of extraordinary interest to me or the reviews were over the moon.

We only have so many hours given to us and getting stuck in an interesting but overlong read means we aren't reading that next book on our list which we might find more interesting and entertaining...and a shorter read.

[Judith E · Rating 2 out of 5]

This is full of important and eye-opening information about the vulnerability of our digital society, but unfortunately it’s bogged down by unnecessary and detailed journalistic fact finding. It turned into a big, giant snooze fest.

Three takeaways:
Your password manager has been or will be hacked.
Use two factor identification on your personal devices.
Don’t worry about your devices being hacked because China, Russia, Iran, Tunisia, Argentina, etc. have already done that.

[Ben · Rating 3 out of 5]

Solid overview of infosec as it relates to natsec

Well sourced and entertaining but melodramatic and the author let herself and her biases make their way into the story too much. Needed an editor.

[Nick Black · Rating 2 out of 5]

first, i was surprised to see just how many of the people in here i know personally. i always knew Atlanta to be overrepresented in the security scene, but damn. several players are folks i used to get drunk with when they were members of the X-Force of Information Security Systems, founded by Chris Klaus (the eponymous benefactor of Georgia Tech's Klaus Fortress of Advanced Computing, home to many happy days and nights), a guy whom I hail walking around Midtown now and again. Dmitri Alperovitch, founder of CrowdStrike, was a coworker at my second startup; he became head of the research group there, and on my living room bookshelves stands the Impact Engineer of the Year 2008 award he presented me. I could have been lead engineer at CrowdStrike (and be several billion dollars richer today), but I decided around that time that I wanted to move into supercomputing and away from infosec, oh well. Chris Krebs (no relation to infosec journalist Brian Krebs), first director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, went to my first high school; we attended football practice on the same field, and I spent long nights writing code over the phone with his little brother. Tavis Ormandy is not a close friend or anything, but he did turn in a CVE i found last month. I did some contract work two years ago for Dave Aitel's company. And I, of course, sold a few zerodays myself in the early aughts; one of the vulnbrokers mentioned within helped pay for my undergraduate. I was recruited by the NSA (no great honor; they recruit broadly at America's Technical Institutes), and had I have gained my security clearance (I didn't, and oughtn't have; my failure to gain a clearance is one of the few things where I can totally credit the federal government as having done their job correctly), I might very well have spent some years inside TAO. so i came to this book reasonably well-informed.

it starts off strong, and i even cautiously recommended it to some friends early on. unfortunately, it devolves into repetition "I talked to this person. They said it's easy to blow up this network. Turns out they were right." there's very little technical information...honestly no technical information (in the epilogue, Mrs. Perlroth says she chose to write about "people not technology, because there aren't technical solutions"....in which case we're fucked, because there are definitely no people solutions). her main thrust appears to be against NSA hoarding/weaponizing of zerodays under the federal government's VEP, which is all well and good, except that many of these intrusions happen well after disclosure, so what help would that be exactly? now i wasn't expecting a NYT journalist to have solutions, but i did expect deeper reporting than "i went to this con, and people wouldn't talk to me." most damningly, the final third of the book suffers deeply from the Trump Derangement Syndrome that effectively reduced much of our Fourth Estate to foaming partisans over the past five years; everything that went on during his term, simple logical outgrowths and continuations of things which had been going on effectively since computers were first networked up, suddenly becomes Orange Man's fault. indeed, i had to laugh when within two sentences, she blamed Russians for COVID conspiracy theories and also "tagging the Black Lives Matter 'protests' as far-left activity". i lost most interest in mainstream journalism around the time they were saying "no one can go outside, we'll all die! (unless it's to throw down for BLM; that's somehow safe)", and i similarly pretty much lost faith in this book.

if you know nothing about vulndev and the market for zerodays, this is probably the best book on the topic, but it's in no way an authoritative reference; for that, we must continue to wait.

[Eric_W · Rating 5 out of 5]

Putin loves his hackers, comparing them to artists who feel great in the morning and immediately start work on some new masterpiece. He told them, feel free to hack away, just anywhere except the homeland, and if your hacks coincide with Russian goals, well so much the better.

They went at it with a vengeance in 2014 and Ukraine became a testing ground for election interference, disinformation campaigns, interference and destruction of infrastructure, and cast doubt on the election process. There was little Ukraine could do to retaliate, given it history and geographic dependence on Russia. The hackers were wildly successful and our 2016 campaign reflected many of their techniques. The Mueller report has laid out exactly how they went about it.

One interesting chapter examines the market for zero-day exploits, how it works and how it has changed from companies suing hackers who find bugs, to actively soliciting and paying for bugs and especially the zero-day exploits. ( A zero-day exploit is a vulnerability that has yet to be discovered and patched, making it extremely valuable for anyone with malicious intent. The Stuxnet worm created by the U.S. and Israel to destroy the Iranian centrifuges used several.) Paying for the bugs meant a rise in prices, from mere hundreds of dollars to many thousands and countries found themselves competing against bad actors, other countries, and companies for the zero-day exploits.

The Stuxnet exploit is discussed in more detail than I had read before. Of particular interest were the policy determinations and the effect of the Iraq war on those decisions. Deaths of American soldiers in Iraq ere at their highest level when the Israelis, wanting to repeat their successful attack on the Syrian nuclear reactor strike (see ShadowStrike) insisted they wanted the U.S. to bomb the Iranian facility. Bush couldn't afford such a provocative action, one the military's war games revealed would result in WW III. So he authorized the unique and first-ever cyber strike to result in physical destruction of an opponent's infrastructure. It used an unheard-of seven zero-day exploits, and the preparation was boosted by an Iranian intelligence error of Trumpian proportions when the Iranian leader bragged to the press about the facility and gave them a tour, allowing pictures, of their centrifuges. This gave the Stuxnet planners all the information they needed about the brand and type of centrifuges being used allowing them to target those directly with the Stuxnet malware. The Israelis were kept informed and must have assisted because Bush could not have them operating unilaterally.

Stuxnet showed the world the power and destructiveness of the cyber-world, and soon the value of zero-day exploits exploded as smaller countries and those without a large military realized that with little expense they could equal the United States and China in offensive capability. The attack on Saudi Arabia's oil network** that destroyed thousands of their computers and disrupted oil networks, used some of the same code the U.S. had utilized in an attack a few months prior and was clearly retaliation for that attack. The hackers got in through an email someone in ARAMCO had opened.

One of the mantras I try to inculcate in my students is to NEVER click on a link in an email. If you have reason to believe it might be valid, go to the web site and investigate there, never via a link in an email. The Russian hack of the DNC email resulted in a typo error. Podesta got an email purportedly from gmail claiming he needed to reset his password. He ran it by their IT guy who meant to write back that the link was ILlegitimate but left off the initial IL. What the IT guy should have insisted on besides noting it was illegitimate was to hammer away at the danger of clicking on email links. So Podesta, thinking it was legit, click on it and gave the Russian hackers instant access to the DNC's emails.

The chapter on how the WannaCry ransomware was unleashed on the world and its origin is alone worth the price of the book. The role of the NSA in hiding its zero-day exploits rather than alerting Microsoft so they could be patched was highlighted by Brad Smith, Microsoft's CEO, in an essay. "We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage." Ironically, the ransomware, garnered little in the way of financial rewards for the North Korean malefactors, but it caused billions in damage to computers around the world, especially because the originators had not built in a workable way to pay the ransom. In another travesty, the teenager who discovered a built-in kill switch to the malware, was arrested by the FBI for hacking! (see the Wikipaedia article for more information.)

An important book. I recommend reading it along with Cyberspies by Gordon Corera.

[สฤณี อาชวานันทกุล · Rating 5 out of 5]

หนังสือสารคดีสนุกติดหนึบเข้าขั้นวางไม่ลง เขียนโดย Nicole Perlroth อดีตนักข่าวโต๊ะความมั่นคงไซเบอร์ (cybersecurity) ประจำ The New York Times เน้นเล่าเรื่องตลาดช่องโหว่ไม่เปิดเผย (undisclosed vulnerabilities) ในซอฟต์แวร์และระบบคอมพิวเตอร์ทั่วโลก ซึ่งผู้เขียนอธิบายว่าช่องโหว่เหล่านี้มีมูลค่าสูงมาก เพราะมันสามารถถูกเอาไปต่อยอดและใช้เป็น “อาวุธ” สำหรับการจารกรรมอุตสาหกรรม และที่น่ากลัวที่สุดคือก่อวินาศกรรมกับโครงสร้างพื้นฐานในรัฐอื่น ๆ ที่รัฐบาลมองว่าเป็นศัตรู ทำให้สุดท้ายหนังสือเล่มนี้เป็นหนังสือที่อธิบายและเล่าประวัติศาสตร์ของสงครามไซเบอร์ระหว่างรัฐที่ยอดเยี่ยมที่สุดที่เคยอ่าน สงครามที่ดำเนินมานานและเข้มข้นขึ้นเรื่อย ๆ โดยที่เราส่วนใหญ่ไม่รู้ตัว

สนุกทุกบทไม่แพ้นิยายชั้นดีเพราะ Nicole เล่าจากประสบการณ์ส่วนตัวของเธอที่ถูก บ.ก. ส่งไปทำข่าวแนวนี้อย่างต่อเนื่อง และความสนใจส่วนตัวที่อยากเจาะลึกวงการ “อาวุธไซเบอร์” ซึ่งเป็นวงการลึกลับซับซ้อนที่หาแหล่งข่าวยากมาก (จนผู้เขียนเองยอมรับหลายตอนว่า แม้หลังจากที่เขียนเล่มนี้จบแล้ว ยังมีอีกหลายอย่างที่เธอยังไม่รู้) อย่างไรก็ตาม หนังสือเล่มนี้ก็ฉายภาพวิธีทำงานของทั้ง “รัฐ” และ “ตลาด” ที่เกี่ยวข้องอย่างน่าตื่นตะลึง บนฐานการสัมภาษณ์บุคคลต่าง ๆ มากกว่า 300 คน ตลอดระยะเวลา 7 ปีที่เธอทำงานเป็นนักข่าวด้านนี้ เราจะได้พบกับเหตุการณ์จารกรรมหรือวินาศกรรมครั้งสำคัญที่บางครั้งไม่เป็นข่าว หลายครั้งน่ากลัวกว่าความลับของ NSA เมกันที่ Edward Snowden เอามาเปิดโปง (ซึ่งผู้เขียนก็อยู่ในทีมนักข่าวที่ทำข่าวรอบนั้นด้วย) บทที่ส่วนตัวชอบมากคือทุกบทที่อธิบายแรงจูงใจของ “สายลับ” และ “พ่อค้า” ในวงการนี้ รวมถึงเหตุผลเบื้องหลังการกำหนดราคา “ช่องโหว่” แต่ละอย่าง รวมถึงความอิหลักอิเหลื่อทางศีลธรรมที่แฮ็กเกอร์ต้องเผชิญ เวลาต้องตัดสินใจว่าจะขาย “ช่องโหว่” ในซอฟต์แวร์ที่เขาค้นพบดีไหม ถ้ามันตกไปอยู่ในมือ “ศัตรู” ของประเทศแล้วจะรู้สึกอย่างไร หรือว่ารัฐบาลประเทศเราก็เป็น “ผู้ร้าย” ที่แย่พอ ๆ กับศัตรูหรือแย่กว่าอีก ดังนั้นไม่ต้องสนใจ ? :>

เขียนอย่างเข้าใจง่าย อ่านง่ายโดยไม่ต้องมีความรู้พื้นฐานใด ๆ เกี่ยวกับคอมพิวเตอร์มาก่อน พลเมืองทุกคนควรอ่านเพื่อรู้เท่าทันวงการดำมืด รัฐบาลของตัวเอง และรอดูว่าวงการนี้จะถูกกำกับได้หรือไม่อย่างไร ในเมื่อสงครามไซเบอร์ระหว่างรัฐ โดยเฉพาะระหว่างจีนกับเมกา ดูจะขยายวงกว้างเกินการควบคุมแล้วในยุคนี้

[Wick Welker · Rating 5 out of 5]

We are on the precipice of a cyber war catastrophe.

I am a total dullard when it comes to computers, hacking, cyber crime and anything along those lines. Like many Americans, I’ve gotten alert fatigue from the daily news reports of forheign hacking in American business and government agencies. I was the exact person who should read This is How They Tell Me The World Ends. Perlorth does a masterful job explaining to the layman the complete and utter cluster cuss that ensnares the current geopolitical landscape and the certain doom that lies in wait for all everyone. Make no mistake: we are living in a precarious time.

Let’s back it up: what’s a zero day exploit? It is a vulnerability unwittingly written into software code that a hacker can discover to gain entry and manipulate anything which that software controls. Zero days are terrifying because the designer by definition doesn’t know the vulnerabilities even exist until it is discovered and when the company does find out it is “day zero” to try to fix the exploit with a patch. Back in the early 2000s, zero day exploits were rarely spoken of openly. Some companies started creating a market wherein they paid hackers for zero days as a bounty and then would sell the zero day information back to the company so that they could patch the vulnerability. What was at first viewed as a vile, illegal practice suddenly became more acceptable especially once the US government started buying these zero days exploits.

The US government started the zero day market, stockpiling massive amounts of coding vulnerabilities about US companies with the excuse that it would aid in terrorist surveillance. This spurred the market into a frenzy where companies, foregin governments and private buyers started shelling out big bucks for zero days, especially if they could hack into big tech companies like Google, Microsoft and Apple. With the right zero day, anyone could enter someone else's code unawares and even surveil the comings and goings for months to years before being discovered.

Under the reckless direction of Barack Obama and Israel, an incredibly sophisticated zero day, called Stuxnet, was used to sabotage machinery in an Iranian nuclear enrichment facility. Stuxnet was a little too much of a success. Not only did it set back the Iranians back a decade, but the zero day proliferated around the world like a virus and even came back to infect US companies. A zero day arms race ensued involving not only Iran but Russia, China, Saudi Arabia, North Korea and pretty much any country that wanted to defend itself or provoke havoc on a global enemy.

In 2014, Russia attacked Ukraine with a cyber weapon that knocked out power, public transportation and supply chains. Why would they do this? It was a testing ground and an open shot to the US. Only a few years later, Russians were hacking their way through the US 2016 election, public voting registries, the DNC and much more. Russian trolls reached 126M voters with 288M Twitter impressions. Russian breached voter registration data. I’m not even mentioning the successful hacking of Google by China and other cyber attacks on US companies by Iran and North Korea. I would be writing all day if I were to mention all of the significant cyber attacks that have happened in the last ten years.

Think about every little bit of hardware and software that controls not only private citizens' lives but public facilities, power plants, railways, and computer systems. RIght at this moment, they are all vulnerable. Russia is deeply integrated into the American online ecosystem. By reneging on the Iranian nuclear deal and provoking a trade war with China, Donald Trump did the US no favors in stopping what was likely a cyber war ceasefire with these countries. Trump literally got rid of a national cyber security leader and insisted that Russia played no part in hacking in the 2016 election despite literally every American agency offering proof to the contrary.

This book was absolutely terrifying. After reading, I believe that major fallout from a cyber attack is inevitable. Diplomacy across countries is as important as ever. Why? Because the internet has no borders, country leaders have no scruples and there are shadow brokers out there right now selling vulnerabilities to the highest bidder. Make no doubt about it: cyberwarfare is an existential threat to human beings up there with nuclear warfare and climate change.

I highly recommend this book to which my review has done poor justice. Oh and also, update to the most recent patch.

[Danika Jones · Rating 4 out of 5]

[Originally posted to Reader Jones]

Most people are vaguely aware that cybersecurity threats have been a significant problem since the internet became ubiquitous for global commerce and communication. But I’d argue that few people are aware of just how significant those threats are, how much damage they’ve done in recent years, and how much they’ll likely do in years to come.

Largely because a lot of the literature available regarding cybersecurity topics is either steeped in scientific jargon that makes it difficult for lay people to understand, or because the truth of the matter is obscured by articles with doom-and-gloom clickbait titles whose bodies are lacking in substance.

Well, if you’ve been looking for a good resource to learn about the history of the global cybersecurity arms race—or even if you’ve just been mildly interested in learning a bit about how hackers and their lot might threaten you in the imminent future—look no further. In This Is How They Tell Me the World Ends, Nicole Perlroth describes, specifically in lay terms, the in-depth history of cybersecurity. And cyberwarfare.

Covering everything from the Snowden NSA leaks to the Russian cyberattack that brought Ukraine to its knees to Stuxnet and beyond, Perlroth provides a highly detailed look into the ways that private companies, solo hackers, and national governments alike have fueled the development of a competitive cyber arms race over the preceding two decades.

Weaved around a personal narrative about the roadblocks and successes Perlroth encountered while trying to gather the information critical to writing this book—much of it gleamed from government insiders—is a terrifying series of stories about state-sanctioned cyberattacks on enemy nations, cyber infiltration of critical infrastructure systems, and the arrogant refusal of both government entities and private enterprises to focus on cyber-defense instead of offense.

Overall, this book presents a very chilling picture of a globally connected online environment, one that controls everything from healthcare systems to banking, that sits on the verge of all-out cyberwarfare. And if, like many people, most major aspects of your life include some element that relies on the internet, then it would do you well to learn just what sorts of cyber-based dangers are ready and waiting to strike.

This Is How They Tell Me the World Ends was a long haul, for sure—it’s a whopper of a book—but it tells a story, and gives fair warnings, that are vitally important to the average person’s everyday modern life.

Rating: 4/5 stars

[Ryan · Rating 5 out of 5]

This is a great book about several somewhat distinct topics in the computer security/national security crossover world, although it could really use an editor, and some topics were handled rather poorly compared to others. Typical for "book by a journalist", a lot of the content was interviews with experts, but the problem is the author has a specific set of sources she relies on to tell a few stories. The main message of the book is "be afraid" and "this is an incestuous and nefarious collaboration of markets and governments", which I guess is true.

Main areas are:

1) the exploit market (where vulnerabilities in computer programs and systems are alternately reported to the creators, withheld for personal use by the discoverers, or sold through brokers, often to government agencies, increasingly around the world)

2) several of the larger security compromises in the wild, often caused by nation states -- Stuxnet, Sandworm (NotPetya...), Guccifer 2.0 and information operations around the 2016 election, etc. There were references to other major infosec stories (Snowden and US/UK subversion of Western infrastructure; compromise of Equation Group, Chinese hacking of Google) -- particularly how these relate to the 0day market

3) Some people, particularly those who are less widely known but influential, such as Jim Gosler from NSA, and people known only really within the infosec industry (Morgan Marquis-Boire, Katie Moussouris, etc)

Upside: most of the book doesn't treat the reader like an idiot -- concepts are explained at a high level, and while technically correct jargon is not always used, it's often used with minimal superfluous explanation. Downside: there are some pretty overwrought analogies when a simple explanation would have been far more clear. Not sure if that's "clickbait" training, or if people actually prefer that. Generally the book is fairly good at explaining the topics without presuming much knowledge on the part of the reader, though.

I've worked in this industry since the 1990s, and a few parts were details I didn't know (because they were pretty niche at the time -- e.g. iDefense, an early 0-day broker -- most of the folks I know just exploited vulnerabilities back then directly), and some which I'd forgotten just how entertaining they were at the time they happened (the whole shadowbrokers incident was both scary and entertaining, for me mostly because it was a test of how secure Bitcoin could be against nation states, but also "KEK...last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking fuck peoples. Any other peoples be having same problem? So this week is being about money.")

Also, a lot of sections of the book are repeated. In some cases this makes sense (telling the same story from multiple sources), but in some places it seems like genuine copyediting mistakes or failures of editing, where sections are repeated almost verbatim, particularly toward the end of the book.

[Robert Muller · Rating 3 out of 5]

This book is far too long for its actual content and is very disorganized. The disorganization obscures the point the author is trying to make. It's also unfortunate that the author published before the latest Solarwinds breach became known, as it makes her point in spades. The trojan-in-the-middle attack through the Solarwinds security update is just like the attacks she repetitiously outlines, but its goal was not to make our nuclear reactors explode--it was a huge espionage operation that is probably going to become the go-to cautionary tale in the intelligence community for years to come. And she missed the implications of her own work, focusing on screwing up elections, turning off the lights, and blowing up reactors. And a minor point--she really screwed up the reference to the book Dune, which she obviously hasn't read. This could have been so much better if it had been more focused and better edited.

[Isaac Gill · Rating 1 out of 5]

The 4.36 star rating on Goodreads for this book makes me genuinely worry about the welfare of the 4,600+ people majority of whom seemingly rated this book very highly. A truly horrible book! Do not read this 400 plus page nonsense if you value your time. For those even moderately versed in info security you are likely to find this book to be a total waste of your time. I am shocked at the high praise poured on this book and the author (which conned me into reading this garbage). If you're used to books by Kim Zetter, David Sanger, Brian Krebs, Bruce Schneier or Ben Buchanan don't expect the same quality from this (or even close). Perlroth is a sad lightweight who doesn't do well dealing with high complexity and tries to make up for her gross incompetence with bombast and name dropping. And in addition to being a complete lightweight when it comes to infosec she's a dreadfully bad writer (just based on this book, some offense meant if you're to read this - unlikely).

I found the generally alarmist cassandra-like tone Perlroth takes to be incredibly annoying. And obviously that seems to be her only trump card to play (oh, a hyper-connected digital world is dangerous). Yes, this is obvious to most people who work in technology/policy and or have their head screwed on straight.

"That evening the conference organizer, a former NSA cryptographer, invited some of us out to dinner. Looking back, the invitation had all the makings of a twisted joke: A reporter, an NSA codebreaker, a German, and two Italian hackers walk into a bar … After only a year on the hacking beat, I was still figuring out my new normal—who was good, who was bad, who was playing it both ways. Let’s just say I stood out. For one, there are not many petite blondes in cybersecurity." Roll eyes!

Perlroth is inexact in her writing and the subject matter of the book is really not optimal for a writer to be taking liberties with specifics. Case in point "North Korean hackers torched Sony’s servers with code" - they didn't literally torch the servers. She could've used the word "attacked" or "hacked" or anything more reasonable than "torched", another one "Iran had brought down U.S. banking websites and obliterated computers at the Las Vegas Sands casino" - why? Why?? Why??? Why does the author feel the need to write like this, Iran used wiper malware to erase data and cause havoc but describing it as "obliterate" seems gratuitous. I am not a pedant (not always), the book is just dreadfully bad and SOOOOOO long 400 plus pages of nonsense.

"But there was no question that in terms of sophistication, Russia was always at the top of the heap. Russian hackers had infiltrated the Pentagon, the White House, the Joint Chiefs of Staff, the State Department, and Russia’s Nashi youth group—either on direct orders from the Kremlin or simply because they were feeling patriotic —knocked the entire nation of Estonia offline after Estonians dared to move a Soviet-era statue. In one cyberattack Russian hackers, posing as Islamic fundamentalists, took a dozen French television channels off the air. They were caught dismantling the safety controls at a Saudi petrochemical company—bringing Russian hackers one step closer to triggering a cyber-induced explosion. They bombarded the Brexit referendum, hacked the American grid, meddled with the 2016 U.S. elections, the French elections, the World Anti-Doping Agency, and the holy goddamn Olympics." - holy in what sense? "Goddamn"? Why does the author feel the need to write with such bombast. JFC!

And, she name drops soo much! Jeez. This is a sad book.

"“You’re going to run into a lot of walls, Nicole,” Leon Panetta, the Secretary of Defense, warned me. Michael Hayden, the former director of both the CIA and the NSA whose tenure oversaw the greatest expansion of digital surveillance in the agency’s history, laughed when I told him what I was up to. “Good luck,” Hayden told me, with an audible pat on the back." - name drop central.

"Beyond dates and essentially meaningless job titles, Gosler won’t say much about what transpired between the day he walked into Sandia National Laboratories in 1979 as a bright-eyed twenty-seven- year-old and the day he retired as a fellow there in 2013. For the most part, it is all highly classified. You have to press him for basic details. At dinner parties, when others inquired, Gosler would say only that he worked for the federal government. “You had to be very careful about what you say, especially when abroad, for personal safety reasons,” he told me with a whisper. We were seated at a restaurant. Like so many others I would meet, Gosler made a point of arriving early, finding a table near an exit, and sizing up everyone inside. He had taken the seat facing the entrance—the best position for survival." - Perlroth really tries to make normal things sound dramatic in transparently idiotic ways.

"“Think about it,” he told me one day. “Nothing is American-made anymore. Do you really know what’s in your phone, or in your laptop?” I looked down at my iPhone with a renewed sense of intrigue, the kind of look you might give a beautiful stranger. “I do not.”" - So profound (sarcasm, puke).

"We still do not know where—with two glaring exceptions—these zero-days came from, whether they were developed “in-house” by TAO or Israel’s Unit 8200 or procured off the underground market. What we do know is that the worm—in its final form, 500 kilobytes—was fifty times bigger than anything discovered before it. It was one hundred times the kilobytes required to send Apollo 11 to the moon." - this is factually inaccurate. Stuxnet was 1.5 MB in size. And 500 KB is not a lot. Apollo 11 code was apparently 3 MB in size (based on some cursory google searches, not an expert on this specific topic, but larger than Stuxnet).

"By the time I got back to my hotel that evening, I was looking forward to clean sheets and a good night’s sleep. I caught a glimpse of myself in the elevator mirror. My eyes were sunken; I was still adjusting to the jet lag. When I got to my room, the door was ajar. I wondered if maybe I’d left it that way in haste. Maybe a maid was still doing turn-down service? I walked inside, and no one was there. Everything was just how I had left it, except the safe that had held my laptop. It was wide open. My computer was still inside, but in a different position. I checked for any trace of an intruder in the bathroom, the closets, the balcony. Nothing. Everything else was untouched. My passport, even the cash I’d exchanged at the cueva. I wondered if this was some kind of warning shot. Or if I’d tripped some kind of wire. I took a sober look at the laptop. It was a loaner. I’d left my real computer at home and stuck to pen and paper at the conference. There’d been nothing on the laptop when I’d left; I wondered what was on it now. I wrapped it in an empty garbage bag, took the elevator back down to the lobby, and threw it in the trash." - JFC, brilliant forensics move. Just like any infosec expert journalist would do. Sarcasm!

"The code searched for Cyrillic keyboard settings and when it found them, moved right along—technical proof they were abiding by Putin’s first rule: no hacking inside the Motherland." - gee I wonder where Putin wrote this rule down?

"By 2019, ransomware attacks were generating billions of dollars for Russian cybercriminals and were becoming more lucrative. Even as cybercriminals raised their ransom demands to unlock victims’ data from three figures to six, to millions of dollars, local officials—and their insurers—calculated it was still cheaper to pay their digital extortionists than to rebuild their systems and data from scratch." - The statement is not based on facts. 

I detest the orange asshole but Perlroth's focus on him also seems unbalanced and her creation of a smooth narrative about election meddling seems biased (keep in mind I HATE the orange asshole) e.g. "false investigations and innuendo—not truth—had killed Hillary Clinton’s campaign.".

"The day the printer exploit was discovered and patched by Hewlett-Packard, Sabien said, “I just remember thinking to myself, ‘A lot of people are having a very bad day.’ ”" - Here Perlroths source is saying a vulnerability in a printer was found and patched by HP therefore stopping attackers from being able to make use of that vulnerability. Perlroth's stupidity shows itself, if HP found a bug in a printer firmware, it'd take months for them to create a patch then months to years for them to roll it out, so this would not be one bad day but access going dark over the span of months-years. Dumb, dumb, dumb.

There were a few good insights (but these could fill all of 2 pages, I kid you not). Below is one:"It was not exactly a well-oiled operation. Every step in this insanely complex deal-making structure was filled with shady characters and relied on omertà. Every interaction necessitated a startling amount of trust: government clients had to trust their cyberarms dealers to deliver a zero-day that would work when they needed it to. Contractors had to trust hackers not to blow the exploit by using it themselves, or reselling it. Hackers had to trust that contractors would pay them after their demonstration, not just take what they’d gleaned and develop their own  variation."

This is a book that'd have been great had someone like Ronen Bergman (author of the extensive and awesome book Rise and Kill First) had written it. 

Parts describing the hack on Google were interesting. Perlroths fascination with Sergey Brin is a bit disconcerting. He was likely a source. Authors veneration of Brin (with weird undertones) was highly off putting.

"We made our way through Palermo, Buenos Aires’ hippest boutique-and-restaurant zone. American dollars went a long way here. The country’s official exchange rate was a complete fiction. The “blue dollar”—the unofficial exchange rate—was nearly twice the official rate of 9.5 pesos per dollar. Cristina Fernández de Kirchner, Argentina’s soon-to-be-deposed president, refused to correct the situation. The porteños—as locals referred to themselves—likened Kirchner to a “female Gaddafi,” and she much preferred a veneer of lies to reality. It showed in her face. She’d had more plastic surgery work than anyone in recent memory, save for Michael Jackson. To adjust exchange rates to suit Argentina’s current reality would be, for her, to admit to Argentina’s chronic inflation." - one of the few things I liked in this book (But should it be in here? Who even knows?).

Anyone who has an interest in why Perlroth is the way she is (bombastic, pathologically inexact, prone to exaggeration) please lookup what her mom does (you'll find it well worth your time).

[Monica · Rating 4 out of 5]

Egads, they know everything ever committed to the digital universe. There is no off the grid... rtc

4+ Stars

Listened to the audiobook. Allyson Ryan did a good job narrating.

[Mona · Rating 3 out of 5]

Well researched, poorly written and even more poorly edited book, on a very interesting topic.

That probably summarizes my review out of respect for your time but if I would have to elaborate:

1. Topic of cybersecurity is very interesting and author certainly did put lots of time and effort into this book.

2. Considering secretive nature of the industry and highly classified information involved, I think she did pretty good job obtaining data and explaining basic technical details behind the specific cyber attacks.

3. The general global and political context of the exploits was well presented, as many US readers may not understand those dynamics in Europe and Asia.


Sadly.....

1. This book was a real challenge to go through. I found the writing completely disorganized, repetitive, with no logical, chronological or any other organization. Technically, this book is divided into chapters but nothing really comes out of it. Author moves back and forth on the time line, topics, characters involved etc. If you distill the real substance here, you can easily shorten it by half.

2. Depending on your background and partisan involvement, you will find author's political agenda and avid social justice warrior opinions/comments less or more annoying.

3. Personally, I prefer invisible authors. This one is certainly not one of them. You will read a lot about numerous difficulties she had to overcome to get this or that piece of information, you will read about her outfits, pregnancy, personal points of views, fascination of NYT and generally lots about .... her. That was one of the main reasons why I almost put down this book at the beginning.

4. Author has very unilateral and close minded point of view on a global political and socio-economic situation. The Argentinian hackers very well pointed that out to her, but I don't think she got the point, as her response was: "In the Southern Hemisphere, the moral calculus was flipped".

Generally, sometimes (if not most of the time) it's good to speak less, especially about ourselves and areas we don't really deeply know by being involved directly. And maybe.....well ...listen and hear more. Yes, including to those less affluent than us.

[Matthew Emery · Rating 2 out of 5]

I found this book incredibly frustrating. Perlroth has possibly the deepest access to the American cybersecurity state, and the interviewers (many of whom have never talked to a reporter on record before) are very knowledgeable. However, this book is for a lay audience. I wonder what insights were cut to fit the book into a thriller narrative. I also found myself frustrated that Perlroth didn't seem able to distance herself from her pro-American viewpoint. The most obvious case is when she asks an Argentine hacker if he only sells vulnerabilities to "good, Western nations" only for the hacker to tell her that the US supported the coup there. Another case is when she mentions that the UAE had "avoided" the Arab Spring without noting that they had done so with American and Israeli help, including with spyware.

[Robert · Rating 2 out of 5]

With about 50 pages left, I was surprised to see her go off on a rant and be so oblivious to her own bias it calls into question everything else she has written.

[Ashlyn]

I can't finish reading this book because the author continually makes fun of hackers/programmers as being basement-dwelling, pimply, ponytailed mouthbreathers. Her commitment to stale (and sexist) stereotypes is incredibly distracting from what should be the focus of the book. I also see quite a bit of sensationalism and biases in the first several chapters, so I don't think I can recommend this book as a good resource for current cyber affairs.

[Sarah · Rating 5 out of 5]

https://sarahsdeepdives.blogspot.com/...

Cybercrime has always fascinated me. I don’t understand a whole lot about that sort of thing. I’m not what you’d call a tech wizard or anything, but I think the internet is changing not only how humans interact, but it’s changing how much we know (we basically have the library of Alexandria at our fingertips now), it’s changing how we do business, and even the face of war. This is what fascinates me. All the ways our connectivity, unprecedented in human history, is fundamentally altering the way we do so many things.

I listen to a podcast called Darknet Diaries. It’s absolutely fantastic, and I highly recommend it. Anyway, I was listening to an episode a few weeks ago where the podcast host interviewed the author of this book and reader, I was glued to the episode. It was the first time I’d heard of “zero days” and their capabilities. It was the first time I’d heard of any of this stuff, and as soon as the interview was over, I immediately bought this book and then I proceeded to devour it.

Nicole Perlroth is a cyber security reporter for the New York Times. As she explained in her interview on that podcast, she sort of was dumped into this particular beat, and she had to learn a lot as she went. I think this is probably one big reason why this book worked so well for me. Perlroth knew how to distill the topic into digestible bites, and she understood how important it would be to not get bogged down in overcomplicated jargon which would have completely lost someone like me. She had a way with examining these complicated technical topics that was easy for me to understand, which is important considering I had no idea what a “zero day” was until that interview, and then this book.

Zero Days are a hacker term for a chink in a program’s armor, a doorway that the right person can use for certain aims. Governments use them, hackers use them, spies use them, and companies pay a lot for people to find zero days and then turn them over to the company so the hole can be plugged. But, as you’d expect, there’s also a wild and raging black market for these things as well. People who know how to find zero days can make a whole lot of money off them, and they can do a ton of damage. The right zero day used the right way could shut down an entire city, for example. The code used to hack the Iran nuclear program had four zero days in it (there’s a documentary on this on HBO which is really, really good).

Perlroth doesn’t just throw the reader into the deep end, though. She goes through the history of zero days, the first companies that dealt with zero days, the struggle to get them recognized by companies like Microsoft, and then the growth of the black market, how governments are using them now, as well as how they are used by those who spend time lurking in the internet's shadowy corners. It’s equal parts terrifying and fascinating and has completely changed how I look at the internet in fundamental ways. This book almost reads like a thriller novel, as she crosses the globe and talks to some surprising people to investigate different aspects of this zero day marketplace and impacts it has on the world, nations, and individuals. From government contractors, to spies, to weapons dealers, it's all here.

Some of these zero days she discusses in the book are incredibly surprising. For example, there was a zero day found in Jeep, which would allow a hacker to take over the entire car remotely, from the lights, to the radio, to the steering wheel. When she found out about this, she also learned the elevator at her hotel uses the same technology and started using the stairs after that (Let’s be real, I would too.). There was another zero day which she talks about that dealt with HP printers (patched now). Basically any document sent to an HP printer could be essentially stolen by using this zero day. Hackers could just hang out on these printers and nab documents. Imagine how that could have been used in government offices, for example.

Zero days are called that because no one really knows how long they’ve been hanging out in this program before they were found. So, when they are found, that’s “zero day” and the clock starts ticking after that. The US used to have a real corner on this particular marketplace, the biggest and best cyber security in the world. However, the playing field has evened out now. Now, it seems like nearly every nation has a cyber security team, all on the payroll of the local spy network, and there are an equal amount of bad actors hanging out in the digital sphere finding and selling these things to the highest bidder, whoever that might be. The world becoming increasingly digital, it means there are more chinks in more software to be found and exploited.

Perlroth goes into detail about some of these programs, like the spyware program from Israel called Pegasus, which has been used for any number of nefarious things, from allegedly finding journalists who suddenly end up dead, to tracking people of interest, and the like. This program has been traced down to Saudi Arabia, Mexico, Iran, Russia, and so many more. I believe over 100 nations have used this software. She also talks a bit about the hacking of Russia into Ukraine, where Ukraine has basically functioned as a sort of test field for all sorts of worms, hacking, and the like that Russia is trying out. And the implications of this are vast. In our age of COVID, it is chilling to realize that zero days put entire hospitals at risk.

This is a dark book, and Perlroth doesn’t hold back or pretty any of it up. In her imminently readable style, she takes you through the darkest corners of the internet, to show you not just how far hacking has come, but where it is going. I have long believed that the internet is going to change the nature of war, and in a lot of ways, I think this book examines that very concept, only it’s no longer a theory, it’s really happening. In a world where so much exists in the digital sphere, and so many aspects of our lives are plugged in and online, it’s a chilling concept indeed, to realize how vulnerable we all really are.

Part thriller, part horror, and fundamentally important, This is How They Tell Me the World Ends should be mandatory reading for anyone with an interest in the digital sphere, and the interconnected world we are all part of.

[Bonnie_blu · Rating 2 out of 5]

Cyber security is one of the most pressing issues of our time. The lack of it can cause untold damage and suffering. Perlroth's stated purpose is to explicate the highly complex aspects of cyber security and the lack of nations, especially the U.S., to address vulnerabilities. She recounts numerous security failures, and consistently faults intelligence communities and governments. I agree that cyber security demands a much greater effort than governments are giving it, but Perlroth's book offers little to nothing toward this goal.

The book is written in a sensationalistic manner, rehashes well-documented cyber security failures, is redundant, has no bibliography, and has footnotes that are not tied to specific text (making it hard to tie the two together). For these reasons, I have given the book two stars.

[Ben · Rating 3 out of 5]

A deftly told summary of the recent spread of cyber-weapons. It is largely news-based, and I can't say that any of it was surprising, but still seeing it all in one place is sobering. The writing was just serviceable, though, and I think I would have better enjoyed a Michael Lewis-style narrative with well-drawn characters and a narrower focus.

> Before Stuxnet, the IRGC reportedly budgeted $76 million a year for its fledgling cyber force. After Stuxnet, Iran poured $1 billion into new cyber technologies, infrastructure, and expertise, and began enlisting, and conscripting, Iran’s best hackers into its new digital army.

> It was national security “maverick” Senator John McCain who led Republican opposition to the bill that summer of 2012. The lobbyists had even managed to convince McCain, a senator who prioritized national security over most everything else, that any security regulations would be too onerous for the private companies that oversee the nation’s dams, water sources, pipelines, and grid.

[Manny · Rating 3 out of 5]

The book started off great and it was a walk down memory lane regarding the various attacks throughout my time in the business. She definitely did her research on malware and the business it spawned.

I enjoyed the book until she used it to dive into a anti Trump diatribe. Her hatred for Trump was palpable. She mention "Trump and his minions" while Obama had supporters. She then mention "Proud Boys" as a "Far Right White Supremecists" while its leader is literally a Black Cuban guy.

Apparently in 2016, saying the election was stolen from Clinton and the fraud was real, however in 2020, no one could even mention anything similar. Even today while social media blocks and cancels you for saying the 2020 election had fraud, you could say that Trump cheated and stole the election and not only will you not get blocked, you will be amplified. The last Republican election win that the Democrats did not call “fraud” was Ronald Reagan. Hillary, still today says the election was stolen from her.

The moment I lost all respect for the author is when she said that mail in voting was more secure. The level of ignorance to make such a statement is immeasurable. Even the Fascist Leftist Nadler, Chuck Schumer, Elizabeth Warren and many more in 2004 came out against it.


Finally, she mentions how CISA was purposely not filling Trump in on their plans because they feared he would contact Russia. Meanwhile, Mark Milley, Chairman of the Joint Chief of Staff was the one that colluded with Nancy Peloci to take the nuclear codes from a sitting president and contact his Chinese counter part and told him that Milley would inform China if Trump was planning to attack.

I finished it because I had already invested time into it. Had I known it was a hatchet job, I would have passed.