I grew up as a computer nerd catching the end of the BBS era and the dawn of the World Wide Web right about the time I started high school. Much time was spent using Qmodem to access local BBSs, play Legend of the Red Dragon, download shareware, and eventually browse Usenet. I idolized hackers so some of the files I was downloading were issues of 2600 and Phrack even if I understood little of what was covered (still the case today).
That interest in computer security, and those that break it, remains to this day. One of the most interesting things I read in the last year was the blog post, We Hacked Apple for 3 Months: Here’s What We Found, which chronicled the discovery of 55 exploits in Apple’s software and websites.
I recently read a couple of books about hackers and their exploits (both definitions of the word apply here) and thought I would take the time to review them. The first, The Cuckoo’s Egg by Clifford Stoll, tells a fun story of a hack from a system administrator’s point of view while the second, This Is How They Tell Me the World Ends by Nicole Perlroth, is a look at the state of cybersecurity today. Both are alarming but for different reasons.
The Cuckoo’s Egg by Clifford Stoll
Catch-22 is my favorite novel as well as being an exceptional look at the dysfunction that plagues large organizations. This is something that no 18-year-old fully appreciates but one all of us encounter upon our entry into the corporate world.
While the setting of The Cuckoo’s Egg (a lab in Berkeley) is a far cry from a U.S. Air Force base in Italy during World War II, the spirit of Catch-22 is captured as one is left pondering the question, “Is there really a problem if only one person thinks there is?”
The Cuckoo’s Egg is the tale of Clifford Stoll’s real-life one-man crusade to figure out who is breaking into the computer he manages in the astronomy department of the University of California, Berkeley and using it as a launching point for attacks on U.S. military computers around the globe.
The stakes are high.
Unfortunately, in Stoll’s quest to identify the hacker, he frustratingly finds that he seems to be the only one who cares that our nation’s digital infrastructure is being systematically mapped and exposed to person(s) whose aims are not known. Curiosity? Disruption? Something more sinister would be a safe assumption considering the events occurred in 1986 when the U.S. was still in the midst of the Cold War with the USSR.
The indifference the FBI, CIA, NSA, and the Air Force meet Stoll with is mind-baffling to an outside observer. Like Yossarian, Stoll futilely tries to reason with bureaucrats only to find that reason is nowhere to be found. Every road is a dead end. There is a fire and the bureaucratic bucket brigade is passing the bucket around a circle.
As a narrative, Stoll’s story succeeds in the Hero’s Journey sense: an everyman receiving a call for adventure and turning into a reluctant hero. That makes for a pleasurable read with the technical details of the hack and Stoll’s efforts to unmask the hacker being icing on the cake for Unix users and system administrators. If you know what Emacs is and what Sendmail does then you will likely enjoy this book.
This Is How They Tell Me the World Ends by Nicole Perlroth
This Is How They Tell Me the World Ends is the book the CTO gives the CEO in order to increase her budget. It contains a truly alarming overview of the state of computer security without getting bogged down in details. Unfortunately for this reader, it is the details that are the most interesting and they are largely absent.
We follow the author, Nicole Perlroth, in her journey trying to uncover the major players in the buying and selling of exploits that allow countries (we learn it is largely nation states after our data rather than the stereotypical black t-shirt wearing Eastern European in a basement looking for extortion targets) to see each other’s secrets as well as spy on their own citizens. Nobody comes out looking good from the scrupleless hackers who have abandoned their raw intellectual curiosity for the quick buck, the brokers who are 21st century arms dealers with blood on their hands, or the governments who are using these exploits to steal intellectual property at best and facilitate genocide at worst.
Perlroth travels the world meeting with people who for the most part don’t want to talk to her and risk their reputation or incriminating themselves. As with the military-industrial complex we learn there are a bunch of secretive firms located around the Beltway that were started by former three-letter agency employees and are now selling their services to governments–foreign and domestic.
As someone who has given more thought to computer security than the average person, yet far less than someone like Bruce Schneier, I was surprised by the book in a couple of ways. The first being the sheer quantity of exploits that are out there. If one was targeted it sounds like it is nearly impossible to be safe. The second thing that surprised me is what seemed like fairly low prices being paid for zero-day exploits. If cyberwarfare is the arms race of the future one might think the arms would cost more than they do. Perlroth quoted prices in the five and six figure range for most exploits and topping out in the seven figure range. Possibly a supply and demand imbalance that will correct itself over time?
As I said, my issue with this book is that it is wide and shallow rather than narrow and deep. For all of the talk about zero-days we are left not knowing all that much about them. Rather than the countless accounts of who targeted whom, I would have preferred to learn in depth about a handful of exploits–how a bug is discovered, tested, weaponized, sold, used, and then discovered again by the target or vendor.
One review compared this to John le Carre and while Perlroth does an adequate job describing the people involved and their backgrounds, le Carre’s strength was making the sausage-making interesting. George Smiley didn’t just call on someone for an interview. He spent weeks or months looking into them–reading their school records, staking them out, learning their routine, seeing when they do their grocery shopping and what they buy, when they call their mom, and ultimately what their secrets are.
The little bit of true intrigue, when the author’s hotel room safe is broken into and her laptop presumably hacked, is covered in a few sentences but is the mystery that I would have liked to see explored. The author was paranoid enough to lock up her laptop but not curious enough to try to find out who targeted her? Maybe I have watched too many detective shows and read too many spy novels and in real life the crimes will forever remain unsolved.
On her topic Perlroth answers the who and the why but largely leaves the questions of what and how unanswered. That was intentional. She does provide a disclaimer to this effect:
There is a reason I wrote this book for the lay audience, why I chose to focus primarily on people, not machinery, why I hope it will be “user-friendly.” And that is because there are no cyber silver bullets; it is going to take people to hack our way out of this mess. The technical community will argue I have overgeneralized and oversimplified, and indeed, some of the issues and solutions are highly technical and better left to them. But I would also argue that many are not technical at all, that we each have a role to play, and that the longer we keep everyday people in the dark, the more we relinquish control of the problem to those with the least incentive to actually solve it.
She is not a novice, having covered cybersecurity for the New York Times for ten years. I don’t find fault with her reasoning and hope that this book may lead to more conversations on the topic between users and practitioners and ultimately lead to our elected officials being more educated on the topic.
For that last group I would argue that this book should be required reading. The accounts of Stuxnet and Sandworm were genuinely interesting and provided some background and details that I had not known previously. And the NSO Group coverage was far more comprehensive than I had seen elsewhere. Those serve as wake-up calls for anyone whose job is to protect our nation’s physical infrastructure, weapons, and secrets, or whose job is to decide the budget of the people who do.
The last part of the book was the strongest section where Perlroth explored a question that governments around the world are facing. When a government knows of an exploit should they notify the vendor thus making their own systems and citizens safer? Or should they hold onto the exploit and use it to attack others? Perlroth argues for the former but concludes that governments are mostly doing the latter. One could probably sum up the government’s position as “Don’t hate the player. Hate the game.”
If the book’s goal was to make me feel less certain that my phone, systems, and servers are secure then it accomplished that. As I type this on a Linux desktop, in a file that is stored on my local file server, and that is synced in the cloud, I am wondering at what point is someone else accessing it. I am of little interest to anyone but as Joseph Heller wrote in Catch-22, “Just because you’re paranoid doesn’t mean they aren’t after you.”