But the NYT review of the book, by Jonathan Tepperman, a Foreign Policy staffer, says the book "looks at the history of cyber attacks and why they are only likely to get worse". Lest we forget, only a small fraction of all attacks are driven by zero-days.
It is only when one reads the book that it becomes apparent that a goodly part of its 400-odd pages are rehashings of what Perlroth has covered during her years at the NYT. Being upfront about this would have been good, though it would probably have affected sales: "just another book about cyber security..." does not sell many hard copies.
Okay, okay, you guys are forcing me to read Perlroth's book. It's hard because every page has some gross distortion in service of hyperbole, rhetoric, and narrative.— Robᵉʳᵗ Graham, provocateur (@ErrataRob) February 26, 2021
Such as this one. It's not true.
The book was published in February and I asked Perlroth for a review copy on two occasions, but she did not respond. No issue there, iTWire is a very small publication – though Bruce Schneier, one of the world's best-known technologists, did send a copy of his last book over for review, when requested.
The reason NotPetya was so damaging wasn't because of the unpatched NSA vuln, but #1 because it was included in a software update (supply chain attack) and #2 because it used psexec lateral movement (configuration error).— Robᵉʳᵗ Graham, provocateur (@ErrataRob) February 26, 2021
Before the book was put on sale, Perlroth wrote an article in the NYT in order to publicise it. Dave Aitel, a former NSA hacker who had been in the infosec business for a long time before selling his company, Immunity, to Cyxtera Technologies in 2019, got all riled up because he was said to have trained people from the Turkish military in infosec techniques. It must be noted here that doing business with a government organisation from Turkey is not against US law.
So Aitel went on the attack, only to be met with some spirited resistance from Perlroth. As soon as the book landed in stores, Aitel was up and running with some fresh barbs, which were again countered by Perlroth. But the reviews by Dullien and Graham had a different effect: Perlroth blocked access to her Twitter account, and that is how things stand even today.
Exactly why journalists cannot take criticism is a mystery to this author, who has been in the business for longer than he would have cared to be and has been called every name under the sun. Perlroth appears to be very sensitive to any bad takes, with at least one of her supporters trying to attribute the criticism of the book to misogyny and sexism. In truth, none of the criticism has been driven by anything but the normal nerd tendency to demand accuracy.
The book is a somewhat painful read, with the prose being turgid in many places. There is a great deal of over-writing and the language is not merely flowery, but unnecessarily so. A good editor could have cut it down by a third without missing anything of substance, but it looks like Bloomsbury, the publisher, has no good subs on its staff. One example that struck me was when the author mentions that she received an "audible pat" (presumably on the back) from Michael Hayden, a former head of the NSA and the CIA, when he heard of her book project. Is the word "audible" really needed there?
The book seems written by someone who reads Infosec Thot Leader twitter accounts and took the self importance seriously.— Kelly Shortridge (@swagitda_) February 26, 2021
How is a crappy pop-history book about 0day not an obvious result of multiple decades of zine drama and circlejerk narcissism about security research?
The lack of a good overseer is evident in a number of places, one being where the author shows that she is unaware of the difference between "affect" and "effect". There is another place where Chaouki Bekrar, a Frenchman of Algerian origin, is described as the "Wolf of Wuln Street", when in reality that should be "Vuln Street". Little things, sure, but they do matter.
The date of publication is given as 2020, something peculiar, since such dates are normally specified to the month. It looks like the writing was all done and finished by November 2020, else there would have been mention of the SolarWinds attacks which surfaced in the first week of December 2020.
There is a marked streak of narcissism running through the volume: I lost count of the number of times the author uses "told me" (to make sure that the reader does not think a quote is second-hand?), when simpler words like "said", "commented", "recounted", "explained" or "pointed out" could have been used. There are places where this obsession with self is laughable; one I recall is a mention of journalists, which the author has phrased this way: "...journalists, like me..." True, it is a hallmark of many a modern-day scribe to think that he/she is more important than the story, but Perlroth is close to 40 and such delusions should have disappeared by now.
Another shortcoming is the fact that this book is not exactly driven by events; it is based on a conclusion that has been drawn, after which supporting material has been sought, perhaps the wrong way to go about writing anything.
The David Sanger School of Journalistic Enquiry: Make unfounded public claims to force a statement from a third party, and call it a win when they either confirm or actively deny the unfounded claim as a win for journalistic practice.— Joe Słowik ⛄ (@jfslowik) March 5, 2021
For a book that claims to be about the zero-day industry — a sector which is notoriously populated by cowboys — the book offers a surprisingly tame read, sticking mostly to the establishment view. The author is convinced that the zero-day business started in the US and the country has now made things worse by not guarding its crown jewels — aka the store of zero-days retained by the NSA — carefully. The leak of a good number of exploits based on these zero-days in 2016-17 by a group known as the Shadow Brokers is well known and this incident is used to justify the thesis that the NSA does not know how to look after its own wares.
The book propagates the myth of "USA the beautiful, the guardian of human rights and morals" which has even less currency than a fairy tale now, after more than 70 years of American atrocities around the globe. But then it is very likely that if Perlroth had not gone down this route, then her access to government sources — the main avenue for all infosec stories in the NYT from my reading — would have been put at risk.
Both Sergei Brin, the co-founder of Google, and Tim Cook, the chief executive of Apple, are painted as warriors operating for the good of the tech community, when the reality is somewhat different. Cook is praised in the context of the 2016 fight between Apple and the FBI when the latter demanded that Apple provide access to the contents of an iPhone used by a terrorist in December 2015. But Perlroth omits the fact that two years later, Cook backtracked on security that he had promised to his users. As to Google, one does not need to say much; the way that company treats its users is too well-known and too recent to bear repeating.
part of my job is tracking zero day vulnerabilities, exploits and usage for a living, and it's not nearly as glamorous, prevalent or interesting as pop culture would have you believe.— Kevin Beaumont (@GossiTheDog) February 16, 2021
The book also seems somewhat dated in that it promulgates old Cold War stereotypes, including paying homage to the disputed theory that Russia influenced the 2016 US presidential elections. This has been debunked so well by the few journalists who actually practise their trade the way it should that it is risible to repeat old takes in the hope that someone will buy them.
The author goes down the unnecessary path of trying to theorise how the infosec industry could reform itself when she has never been on the frontlines. This is an exercise in vanity and is best avoided; tell the story in direct prose and leave it there. Opinions are all very good, but advice on things far beyond one's scope is an indication of taking oneself more seriously than one ought to. Journalists are not players, but increasingly seek to be; we are merely the ones who provide the copy to wrap around the advertisements which bring in the money.
Finally, the theory that a "cyber Pearl Harbour" is around the corner is for the birds. One site that used to disabuse people of such fanciful notions, Cyber Squirrel, has unfortunately stopped publication. Run by Cris "SpaceRogue" Thomas and Brian Martin aka Jericho, the site shut down because Thomas did not have enough time to keep updating it.
Asked about it recently, Jericho said: "It was Sprog that was running it 99% for most of its life, I would do occasional updates and a pet project of trying to fill in countries that had no incidents. He found someone else to run it for a while, but they only lasted a few months. So the decision was made to shutter it."
My recommendation to any individual who is unfamiliar with infosec is: don't buy this book, it will confuse you no end. To those who keep track of events, the advice is the same, but for different reasons; it will annoy you and is not an easy read.