More on this book
Community
Kindle Notes & Highlights
Read between
November 21, 2024 - January 26, 2025
On June 27, 2017, Russia fired the NSA’s cyberweapons into Ukraine in what became the most destructive and costly cyberattack in world history.
Goncharov was a man of few words. Even as he described the worst day of his life, he spoke in monotone. He was not one prone to loud emotion. But the day of the NotPetya attack, he told me, “I went into psychological shock.” Two years later, I could not tell if he’d come out of it.
What had saved Ukraine is precisely what made the United States the most vulnerable nation on earth. Ukraine wasn’t fully automated. In the race to plug everything into the internet, the country was far behind.
The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.
Be careful. Journalism is more addictive than crack cocaine. Your life can get out of balance. —DAN RATHER
The documents were littered with references to NSA backdoors in nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.
Zero-day exploitation is the most direct application of the cliché “Knowledge is power if you know how to use it.”
To any woman who has ever complained about the ratio of females to males in tech, I say: try going to a hacking conference. With few exceptions, most hackers I met were men who showed very little interest in anything beyond code. And jiujitsu. Hackers love jiujitsu. It is the physical equivalent of solving puzzles, they tell me. I was neither male, a coder, nor particularly interested in getting squashed in a ground fight. So, you see, I had problems.
“Nicole,” he said, loudly for the others to hear. “These men are young. They have no idea what they are doing. All they care about is money. They have no interest in learning how their tools will be used, or how badly this will end.” Then, shifting his gaze back to Luigi, he said, “But go ahead. Tell us. Tell us about your fucking salmon.”
And so, in 2003, iDefense became the first shop to publicly open its doors to hackers and start paying bounties for zero-day bugs.
The New Hacker’s Dictionary, which offers definitions for just about every bit of hacker jargon you can think of, defines hacker as “one who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.”
Often you found something. If not, patience was critical. There was a reason, years later, that security experts began to call nation-state hacking groups “advanced persistent threats.” If they were patient and persistent, they would inevitably find a way to get in and stay in.
There are more than a hundred contractors in this business, probably only a dozen that know what they’re doing.”
“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”
“Keep going,” he told me. “You’re onto something. This will not end well.”
“That’s why the Europeans are so good at writing exploits,” he says. “After babies, European parents get like a year to hack.”
The enemy is a very good teacher. —THE DALAI LAMA
Deeley didn’t bother with niceties. “We’re meeting here in this fucking shithole because I don’t want any rubberneckers in OPS3 [the main information security building] getting curious. You’ve all been told this project is VRK [very restricted knowledge], right?”
“You know what VRK really means?” Deeley didn’t waste a breath. “It means I’ll cut your fucking balls off if you breathe a word about what you’re doing to anyone, and I mean anyone.” He motioned to the door. “You do this my way or it’s the highway.”
Instead, he credits his colleagues and bosses in the intel world and a host of New Age management gurus. Gosler frequently cites Malcolm Gladwell—“The Outlier is fantastic!” he told me, more than once. Gordon Moore and Andy Grove, two former chief executives of Intel, were his heroes. Grove’s book Only the Paranoid Survive is his bible. But his all-time favorite is Price Pritchett, the organizational management guru.
Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.
Accidents and malfunctions were more common than one would think. One Sandia study found that between 1950 and 1968, at least twelve hundred nuclear weapons had been involved in “significant” accidents.
Little Boy—the very first nuclear weapon America dropped in war—killed eighty thousand people on Hiroshima. But the destruction could have been much worse—only 1.38 percent of its nuclear core fissioned. Three days later, when Americans dropped their second bomb—codename “Fat Man”—on Nagasaki, it accidentally detonated one mile off target, though it still managed to kill forty thousand.
“Reflections on Trusting Trust,” and his conclusion was this: unless you wrote the source code yourself, you could never be confident that a computer program wasn’t a Trojan horse.
“How complex can software be for you to have total knowledge of what it could do?”
“Contemporary technology cannot provide a secure system in an open environment.”
“Why did Willie Sutton rob banks?” Gosler would repeatedly ask his bosses and underlings at the intel agencies. “Because that’s where the money is!”
“It was ‘Here’s your work. Here’s the death count. Good job. Keep up the great work.’ Until then, it was all about breaking an algorithm. It was about math. Suddenly it was about killing people. That’s when things changed. There was no going back.”
NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.
In the post–9/11 urgency to capture and analyze as much data as humanly possible, leaked classified documents and my interviews with intelligence officials made it clear that few had stopped to question what the potential implications might be if word of their digital escapades ever got out.
During the Cold War, the NSA did not have to reckon with this dilemma: Americans spied on Russian technology, while Russians backdoored American typewriters. But that was no longer the case. The world was now using the same Microsoft operating systems, Oracle databases, Gmail, iPhones, and microprocessors to power our daily lives. Increasingly, NSA’s work was riddled with conflicts of interest and moral hazards.
“The NSA’s fatal flaw is that it came to believe it was smarter than everyone else,” Peter G. Neumann, one of America’s sages of cybersecurity, told me one day.
“The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we came in; we’re computer professionals. We cause accidents.”
Keith Alexander, Stuxnet’s architect, was asked what kept him up at night. “My greatest worry,” Alexander told a reporter, was the growing likelihood of zero-day exploits falling into the wrong hands.
A man got to have a code. —OMAR LITTLE, THE WIRE
He co-authored a book with several well-known hackers called The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. It became a bible for aspiring hackers. In it, Aitel detailed specific exploits and attack methodologies that his former bosses felt went too far in disclosing NSA spycraft.
They would not confirm the names of their customers. The fucking salmon. And my pointed questions were often followed by long, silent pauses, as I was put on mute while they deliberated their responses. “Turkey?” I asked. By now, Turkey had become my test case. Ankara jailed more journalists than any other country on record that year. “Would you sell to Turkey?” I asked again. Long pause. “Please hold.” Another long five-minute pause. “No,” finally came the reply.
Other than being from Mexico, I struggled to make sense of what the callers had in common. Eventually, after some digging, I came to this: each had been a vocal proponent of Mexico’s soda tax, the first national soda tax of its kind. On its face, the soda tax made a lot of sense. Mexico is Coca-Cola’s biggest consumer market; it is also a country where diabetes and obesity kill more people than violent crime. But the tax had opponents in the soda industry, and clearly somebody working in government didn’t want their kickbacks getting cut off. Now it appeared that they were going to
...more
You can’t stop the gears of capitalism. But you can always be a pain in the ass. —JARETT KOBAK, I HATE THE INTERNET
That Sunday morning in December 1941 on the Hawaiian island of Honolulu had started peacefully enough. Lieutenants were still familiarizing themselves with the naval base’s new radar system when a radar operator on the far end of the island informed the on-duty lieutenant of an unusually large blip on his radar screen—signs of a fast-approaching aircraft fleet over a hundred miles away. The lieutenant’s first reaction was, “Don’t worry about it.” He assumed the blip was a squadron of B-17 bombers due in from San Francisco, not the first wave of Japanese bombers.
“We didn’t think militaries were allowed to hack civilians in peacetime,” said Grosse. “We didn’t think that could be true because you assume the backlash would be so severe. Now, that’s the new international norm.”
hacker, even though she was now well into her forties. “I’m really old but really well preserved because I never go outside,” she told me.
Once Google had checked everything off its list, it rolled out a new user-friendly email encryption tool to customers. Buried in the code was a winking smiley face ;-)
Cook was famously private himself. He had grown up gay in conservative Alabama, a fact he kept private until 2014, the year after the Snowden revelations dropped. In Alabama, his lingering childhood memory was watching Klansmen burn a cross on the lawn of a black family in his neighborhood while chanting racial slurs. He’d screamed at the men to stop, and when one of the men lifted his white hood, Cook recognized him as the deacon of a local church. Civil liberties were a matter of urgency for him, and he took the Snowden revelations as a personal affront. As Cook saw it, there were few things
...more
It was the first of many times I would hear those three little words—atado con alambre—over the next week. It was Argentine slang for “held together with wire” and encompassed the MacGyver-like nature of so many here who managed to get ahead with so little. It was Argentina’s hacker mantra.
Declassified U.S. diplomatic cables showed that in 1976, Secretary of State Henry Kissinger gave Argentina’s military junta the green light to engage in widespread repression, murder, kidnappings, and torture of its citizens. “We want you to succeed,” Kissinger told an Argentine Admiral that year. “If there are things that have to be done, you should do them quickly.” The episode was still raw for Argentines. To them, America was no democratic savior; it enabled the kidnapping of their children.
The images and conversations of the week had started to blend together, forming a single voice and image. The new nuclear physicists. I wondered who was going home with their code. You may ask yourself, “Am I right, am I wrong?” You may say to yourself, “My God! What have I done?”
several senior administration officials—Janet Napolitano, the secretary of homeland security; Robert Mueller, then FBI director; General Martin Dempsey, chairman of the Joint Chiefs of Staff; and Mike McConnell, the director of national intelligence—tried to persuade senators that the cyber threat to the nation’s critical infrastructure was dire. “For the record, if we were attacked, we would lose,” McConnell told the senators.
“Given enough eyeballs, all bugs are shallow,” is how Eric S. Raymond, one of the elders of the open-source movement put it in his 1997 book, The Cathedral & the Bazaar, a manifesto for the open-source philosophy.
The employee had installed antivirus software made by Kaspersky, the Russian cybersecurity company. The Israelis, I learned from sources, had hacked into Kaspersky’s systems and discovered the firm was using its antivirus software’s access to computers all over the world, to search for and pull back Top Secret documents.
