Wednesday, 10 February 2021 11:34

Ex-NSA man Aitel launches fresh attack on NYT reporter's cyber security book


UPDATED 11 February: Ex-NSA hacker and former owner of security company Immunity, Dave Aitel, has launched a fresh salvo of tweets against a book published by New York Times cyber security reporter Nicole Perlroth, after securing and reading a copy of the tome which was published on Tuesday US time.

But he ignored the major accusation made in the book against Immunity, the company he sold to Cyxtera in 2019: that Immunity trained the Turkish army in cyber techniques during its early days.

In a number of tweets based on what he said was his first reading of the book, Aitel, a well-known figure in the American cyber security sector, picked what he said were holes in what had been covered by Perlroth and also cited data that he felt should have been covered.

As iTWire reported, a spat erupted between Aitel and Perlroth on Twitter; it was kindled after the journalist published an article on 6 February which she said was adapted from her book, This is how they tell me the world ends. Aitel said at the time, "I critique this kind of reporting when I don't think it accurately represents the space. I'll have more after I read the book." He clearly meant this, judging by the number of criticisms he made on Tuesday.

His first salvo on Tuesday was: "I think we need to educate reporters better on the difference between an implant and an exploit. I don't know why this is hard, but it clearly is."

When a reply to this said: "Escalation of privilege? Command and control? Data exfiltration? What are all those? I am so confused, Dave!", Aitel responded: "Even if it's not directly covered in the reporting, having a reporter that understood these issues better would result in a more informed audience."

Asked to explain the difference between an exploit and an implant, former NSA hacker Jake Williams told iTWire: "An exploit compromises software to get you on the target machine. The implant is the backdoor that you install.

"Implant really just means malware, but it sounds nicer for lawmakers. Kind of how you NEVER say breaking and entering, you just call it non-consensual entry."

Aitel then expanded his criticism, saying: "Everything in this book is a slight misrepresentation. Like there are historical parts in this book no-one can neither confirm nor deny, but if you had a choice, it would be deny. :) The bits of this book on export control are so uneducated and off it's annoying. I get that export control is a fairly wonky space... but it ends up being fairly central to the thesis of the book."

He said it was odd that anyone would write a book on zero-days and the zero-day market and not make mention of lsd-pl, the Last Stage Delirium Research Group of Poland, a prominent black hat group. They were well-known in the early 2000s for cracking open nearly every version of Windows available at the time.

Aitel has close connections to the cracker community, having sold zero-days to rustle up cash when he was starting out in business. He founded Immunity when he was just 24, after spending six years with the NSA, and sold it to Cyxtera Technologies in 2019. He has stepped down from an active role in the company as of 31 December.

Immunity has a business model of discovering or buying exploits and then using that knowledge to protect its own customers. The exploits are never revealed to the companies whose software is affected, something that mirrors the practice of the NSA.

"I mean, the essential thesis of this book is wrong in that 0-days did not start with the US Government," Aitel said in another tweet. "And that's a weird thing to get wrong. You could MAYBE make an argument that various people in the US were more active in creating an actual 'market' but that's probably just a function that the US is bigger in general than most countries and has a bigger economy.

"It's just so weird to see someone describe DoublePulsar as an exploit that is 'used to implant EternalBlue onto machines'. Like, all the little details are askew here.

"There's definitely a cast of professionals out there whose visage is continually stretched into a rigour of astonished opprobrium at the mere thought of 0-days, and this book continues that trend in the various asides and italicised commentary. I mean clearly we should be more explicit about what the term NOBUS means, because this book gets it very wrong and you don't want that to propagate."

Asked about NOBUS, Williams told iTWire that it meant "Nobody but us".

"[It] means that we're the only ones who could possibly build a particular capability," explained Williams, who now runs his own infosec outfit, Rendition Infosec. "Basically it means for instance 'this SMB vulnerability might be a danger to others, but we don't have to worry about anyone else weaponising it because it took all our super secret technology to make it happen'."

Aitel said: "... this book describes [computer security analyst and risk management specialist] Dan Geer as a 'CIA Insider' because of his stint at In-Q-Tel, which is not how I would describe Dan Geer, or how he would describe himself or really how anyone I know would describe him. I guess this book taught me that INFILTRATE is a very good conference full of people who can keep their mouth shut even drunk and are good at BJJ (Brazilian Jiu-Jitsu). :)" INFILTRATE is a conference that Immunity holds every year.

Aitel said timelines in Perlroth's book tended to be fluid and incorrect, and this had stuck out to him. "It's usually little things, that don't matter, but it's off-putting if you lived through the history."

A review of the book on the Publishers' Weekly site had these criticisms: "Perlroth’s searing account of the role American hubris played in creating the zero-day market hits the mark, but she leaves many technical details about cyberweapons unexplained, and stuffs the book with superfluous details about getting her sources to spill. This breathless account raises alarms but adds little of substance to the debate over cyberweapons."

Contacted for comment, Perlroth said she was not surprised Aitel was unhappy with the book, or that he was making vague criticisms of "fluid timelines" and titles, instead of the merit of the work.

"The book includes a well-sourced, on-the-record account by Aitel's own employees, describing the one topic his Twitter memes do not address: his willingness to train and sell tools to customers, such as Turkey's military, who would inevitably turn that same tradecraft on their own people," she told iTWire.

"Aitel was given ample opportunity to dispute employee accounts, across several interviews, and chose not to. Instead he offered only, 'I would never comment on my customers'."

Addressing Aitel's specific rebuke that Dan Geer, the chief executive of the CIA-funded In-Q-Tel, was not a "CIA insider", Perlroth said the full passage in question said: "Geer was chief information security officer at In-Q-Tel, the CIA's investment arm."

About Aitel's criticism that zero-days did not start in the US, Perlroth said she was not even sure she understood his argument.

"But I would note the book makes it clear that the early supply side of this market originated in Eastern Europe," she pointed out. "The book makes this abundantly clear: 'The bulk of their suppliers were hackers in Eastern Europe. With the break-up of the Soviet Union, you had a lot of people with skills, without jobs', a source is quoted as saying."

Perlroth also addressed Aitel's criticism that the book did not differentiate between exploits and implants, saying the tome spoke for itself. "They wanted the entire kill chain — a way in, a way to beacon out to their command-and-control server, an exfiltration capability, an obfuscation capability," Perlroth quoted from the book, adding: "There are many other such passages."

She said Aitel had been a vocal critic of any regulation of an industry from which he had profited for a long time.

"His followers appear to have swallowed his arguments whole, without a complete understanding of his business model – and the human rights he was willing to sacrifice in the name of profit," Perlroth said.

"Finally, I am disappointed to see Williams — someone who was very helpful for my research — comment on a book that he openly admits he has not read. It does not speak well of a forensic analyst, who deals in evidence and data, to form an opinion off vague criticisms from a less-than-disinterested Twitter account."

She added: "Regarding the unfounded criticism that I previously criticised the lack of 'opsec' that led to Reality Winner’s arrest, but was 'hanging out with Snowden documents', anyone who reads the book would immediately see the strict opsec measures we [the New York Times] took in the case of the Snowden leaks.

"This included the prevention of any devices anywhere near the documents in question. This was described in the first chapter, so it is strange Aitel missed it. But again, I am not surprised he chose to make baseless attacks rather than address the actual substance of a book that shines a bright light on business practices he has tried to obfuscate for years."
Asked for his take on Aitel's comments, Williams said: "I haven't read the book, so I'm bowing out of this until I read it, or listen to the audiobook. Saw his tweets though and it sounds like [there are] some pretty huge errors."

This is not the first time that ex-NSA hackers have attacked Perlroth's reporting. In May 2019, she and two others, Scott Shane and David Sanger, came under fire after they wrote a yarn based on a leak from security firm Symantec, claiming that Chinese spies had gained access to a number of NSA exploits and used them for attacks, well before they were leaked by the Shadow Brokers.

On that occasion, Aitel was joined by another NSA alumnus, Robert M. Lee, the head of security firm Dragos, and by Williams, in defending his former employer, the premier US spook agency.

But some of Aitel's peers took aim at him, pointing out that he had a conflict of interest. One, named Chad Loder, wrote: "You own a company in the exploit market that @nicoleperlroth has been asking hard questions about."

More recently, Williams took issue with a piece that Perlroth and Sanger wrote along with a third reporter, Julian Barnes, claiming that the wares of a software company known as JetBrains could have a connection to the supply chain incident involving SolarWinds' network management software known as Orion.

He blasted the authors for wasting the time of infosec practitioners who had to divert their attention from other tasks to check for compromises in JetBrains' software.

In September last year, Perlroth and Sanger were criticised in these columns over an article in which they tried to hype up the so-called Russian threat to the US ahead of the 2020 presidential poll.

iTWire has twice requested a copy of Perlroth's book for review, but she has not given any indication of acquiescing to the requests.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
