Kindle Notes & Highlights
Read between July 22 - July 31, 2025
We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.
In the United States, government hackers and spies hoarded zero-days for the sake of espionage, or in the event they might need to do what the Pentagon calls D5—“deny, degrade, disrupt, deceive, or destroy”—an adversary’s critical infrastructure in the event of war one day.
Hackers, McManus explained, aren’t in it for money. At least, not in the beginning. They are in it for the rush, the one that comes with accessing information never meant to be seen.
At their core, hackers are just natural tinkerers. They can’t see a system and not want to break it down to its very last bit, see where it takes them, and then build it back up for some alternate use. Where Watters saw a computer, a machine, a tool, McManus saw a portal.
Most hackers didn’t realize there was legitimate value—in some cases six-figure value—in what they were doing. They were too focused on avoiding lawsuits.
“Even if you found something, you could never be confident you found everything,” Gosler said. “That’s the awful nature of this business.”
So long as computer operating systems accepted software updates without question, the report concluded, computers would be manipulated to accept trapdoors.
“You begin to understand both the opportunity and the challenge,” Gosler told me, when you stop to consider that one terabyte is equivalent to a thirty-one-mile-high stack of paper, each sheet packed with single-spaced data.
Pulling out critical, credible, actionable intelligence was getting to be nearly impossible as unprecedented flows of noisy, seemingly unrelated data made its way through an endless maze of digital pipes back to the Fort. Solving for Big Data would consume U.S. intelligence agencies for decades.
“You’ll wake up one day and find yourself labeled a terrorist,” Mansoor told me in 2016. “Despite the fact you don’t even know how to put a bullet in a gun.”
Engineers who coded Silicon Valley’s apps and services no longer needed to reverse-engineer a system down to its kernel, or venture far down the stack, to the metal. Increasingly, they were just skimming the surface, and in the process losing the depth of understanding required to find and develop the best zero-day exploits.
When it came to defense, the nation with the most advanced hacking capabilities in the world was reduced to a printout, like the rest of us.
The world soon learned just how neglected OpenSSL had become. The code played a critical role in securing millions of systems, and yet it was maintained by a single engineer working on a shoestring annual budget of $2,000—
After all, it was his job to come up with last-minute desperate solutions to impossible problems created by other fucking people.
“Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” Schmidt told me before his passing. “The problem is that we all fundamentally become less secure.”
“Unfortunately, dancing with the devil in cyberspace is pretty common.”
You can no longer cut a hole in something without poking a hole in security for everyone.”
Attaching a process gave the White House some semblance of accountability, but in practice it was a high-stakes game of chicken that was hurtling out of control.
Hutchins’ last-second heroics made him a target for U.S. feds, who picked him up a few months later at the Las Vegas airport, en route home from Def Con, and charged him with writing malware early in his career. The case was a reminder to hackers everywhere that no good deed goes unpunished.
What we need is an approach that governments will adopt that says they will not attack civilians in times of peace. They will not attack hospitals. They will not attack the electrical grid. They will not attack the political processes of other countries; that they will not use cyberweapons to steal the intellectual property of private companies. That they instead will work together to help each other and the private sector respond when there are cyberattacks. In fact, what we really need is not only to recognize the need for rules but, frankly, to know when others are violating them.”
And yet, instead of a multilateral, or even bilateral, treaty, the United States went the other way. At the very moment Smith was wrapping up his speech in Geneva that November 9, 2017, the Pentagon’s hackers—unbeknownst to the commander-in-chief—were busy laying trapdoors and logic bombs in the Russian grid.
We too have forgotten that the internet is borderless. There are no red lines. We are not immune from our own attacks. The enemy is indeed a very good teacher. The cyberarms market is no longer ours to monopolize. We can no longer keep our cyberweapons safe. They can, and have, been turned on us. The vulnerabilities are ours, too. We just have more of them.
“Everything can be intercepted,” he told me. “Everything can be captured. People have no way of verifying the integrity of these systems. We weren’t thinking about this back then. But the fact is,” he added ruefully, “everything is vulnerable.”
In our brave new world, these unglamorous open-source protocols have become critical infrastructure and we barely bothered to notice.
They say security is only as good as the weakest link, and we continue to be the weakest link. We are still clicking on malicious links and email attachments. Even when vulnerabilities get fixed, we are not patching them quickly enough. Cybercriminals and nation-states regularly exploit unpatched software. The day patches become available is the day you see the bugs exploited the most. Why? Because we have a horrible track record of running our software updates.

