
Countdown to Zero Day

Book Notes

Whoa. Another non-fiction book. It's like my goal to finish all my started books is demonstrating I'm not a big fan of non-fiction books, post-school.

Or something.

This book describes the exposure and investigation of the Stuxnet computer virus. Because the book is describing the virus, and its subsequent children, parents, and cousins, it has to give some background of the world as it existed when the virus was released. This particular form of story-telling, the form of chronological progression, makes the first part of this book slooooooooooooow. Rob warned me when he handed me the book, told me to keep going, it'll get better. The fact that I started this book in December of 2015, and am only now finishing it, testifies somewhat to how slow I found the beginning of the book.

The middle of the book, however, and the end, those went much faster. Around chapter eight or so, the story line picks up and becomes interesting and engaging.

If you have a good library and interest in this book, I recommend starting out with the audiobook version, to get through the first part, then switch to reading. The whole story is politically and technically fascinating.

That there are people who believe in making the computing world safe for the rest of us, despite some of the bad guys being on our own team, helps me sleep better at night. Not well, but better. That the world described in the book still exists and that we have Cheetoh instead of Obama is a terrifying prospect.

In amassing zero-day exploits for the government to use in attacks, instead of passing the information about holes to vendors to be fixed, the government has put critical-infrastructure owners and computer users in the United States at risk of attack from criminal hackers, corporate spies, and foreign intelligence agencies who no doubt will discover and use the same vulnerabilities for their own operations.
Location 4019

But it’s a government model that relies on keeping everyone vulnerable so that a targeted few can be attacked — the equivalent of withholding a vaccination from an entire population so that a select few can be infected with a virus.
Location 4032

Dagan was known to favor assassination as a political weapon.
Location 4433

Bencsáth’s heart was pounding as he clicked Send to e-mail the report. “I was really excited,” he says. “You throw down something from the hill, and you don’t know what type of avalanche there will be [as a result].”
Location 4686

On one, he’d circled the URL of a website he’d visited that contained the letters “en/us” — proof that the US government was watching his computer, he ...
Location 4702

Okay, I laughed out loud at this one. en/us is a designation to display a web page with US English, instead of, say, Canadian English or UK English (you know, that color versus colour thing).

Another correspondent, a female cookbook author, sent Chien a few e-mails via Hushmail — an anonymous encrypted e-mail service used by activists and criminals to hide their identity.
Location 4704

I have to wonder why the "female" part of the author's identity had to be explicitly stated. Because male cookbook authors aren't technically clueless? Something about the balls makes male cooks more technically sophisticated than women cooks?

A nuclear-armed Iran, he said, would be “a grave threat” to peace not just in the Middle East, but around the world. He promised that under his leadership all options would remain on the table to prevent Iran from obtaining nuclear weapons. Although in essence this meant a military option as well, Obama, like Bush, wanted to avoid a military engagement at all costs.
Location 6048

"Avoid a military engagement at all costs."

This isn't something I think I hear nearly enough. The cost of war is incredible. It destroys people, the victors and the defeated. Everyone but the arms dealers who don't see the results of their product are damaged in some way.

But don't tell my dead brother that. He thinks violence solves all problems.

“Together with the international community, the United States acknowledges your right to peaceful nuclear energy — we insist only that you adhere to the same responsibilities that apply to other nations,” he said. “We are familiar with your grievances from the past — we have our own grievances as well, but we are prepared to move forward. We know what you’re against; now tell us what you’re for.”
Location 6392

“Faced with an extended hand,” Obama said, “Iran’s leaders have shown only a clenched fist.”
Location 6396

US military and intelligence agencies had been penetrating foreign systems in Iran and elsewhere, building stockpiles of digital weapons, and ushering in a new age of warfare, all without public discussion about the rules of engagement for conducting such attacks or the consequences of doing so.
Location 6907

Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation — a nation with whom it was not at war. In doing so, it lost the moral high ground from which to criticize other nations for doing the same and set a dangerous precedent for legitimizing the use of digital attacks to further political or national security goals.
Location 6926

Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, “otherwise we should grow too fond of it.” The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.
Location 6932

The targets most in danger from a digital attack in the United States are not just military systems but civilian ones — transportation, communication, and financial networks; food manufacturing and chemical plants; gas pipelines, water, and electric utilities; even uranium enrichment plants.
Location 6970

Any future use of digital weapons will likely be as an enhancement to conventional battle, not as a replacement for it. Critics of digital doomsayers also point to the fact that no catastrophic attack has occurred to date as evidence that the warnings are overblown. But others argue that no passenger jets had been flown into skyscrapers, either, before 9/11.
Location 7051

“For cyber deterrence to work,” Cartwright said in 2012, “you have to believe a few things: One, that we have the intent; two, that we have the capability; and three, that we practice — and people know that we practice.”
Location 7065

But while deterrence of this sort might work for some nations — as long as they believe an attack could be attributed to them — irrational actors, such as rogue states and terrorist groups, aren’t deterred by the same things that deter others.
Location 7069

Though one can argue that the 9/11 attacks required at least as much planning and coordination as a destructive cyberattack would require, a well-planned digital assault — even a physically destructive one — would likely never match the visual impact or frightening emotional effect that jets flying into the Twin Towers had.
Location 7097

Richard Clarke, former cybersecurity czar under the Bush administration and a member of the panel, later explained the rationale for highlighting the use of zero days in their report. “If the US government finds a zero-day vulnerability, its first obligation is to tell the American people so that they can patch it, not to run off [and use it] to break into the Beijing telephone system,” he said at a security conference. “The first obligation of government is to defend.”
Location 7167

Under the new policy, any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so the flaw can be patched. But the policy falls far short of what the review board had recommended and contains loopholes. It applies only to flaws discovered by the NSA, without mentioning ones found by government contractors, and any flaw that has “a clear national security or law enforcement” use can still be kept secret by the government and exploited. The review board had said exploits should be used only on a temporary basis and only for “high priority intelligence collection” before being disclosed.
Location 7181

Then in 2012, the president signed a secret directive establishing some policies for computer network attacks, the details of which we know about only because Edward Snowden leaked the classified document. Under the directive, the use of a cyberweapon outside a declaration of war requires presidential approval, but in times of war, military leaders have advance approval to take quick action at their discretion.
Location 7265

The presidential directive addresses only the military’s use of digital operations, however. A list of exceptions in the document excludes intelligence agencies like the NSA and CIA from it, as well as law enforcement agencies like the FBI and Secret Service.
Location 7281