Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Sunday, 14 March 2021 07:00

NYT reporter's infosec book: a worthy tale, but poorly told

Image by Gerd Altmann from Pixabay

Whenever one picks up a book with an eye to writing about it, one necessarily needs to know the subject matter therein. The recent book This Is How They Tell Me The World Ends — an ungrammatical title if anything — claims to be a book about the zero-day "industry" as per the author, Nicole Perlroth, a staff reporter for the New York Times, who covers cyber security. (I dislike that word "cyber" and will use infosec right through this piece.)

But the NYT review of the book, by Jonathan Tepperman, a Foreign Policy staffer, says the book "looks at the history of cyber attacks and why they are only likely to get worse". Lest we forget, only a small fraction of all attacks are driven by zero-days.

It is only when one reads the book that it becomes apparent that a goodly part of its 400-odd pages are rehashings of what Perlroth has covered during her years at the NYT. Being upfront about this would have been good, though it would probably have affected sales: "just another book about cyber security..." does not sell many hard copies.

The book was published in February and I asked Perlroth for a review copy on two occasions, but she did not respond. No issue there, iTWire is a very small publication – though Bruce Schneier, one of the world's best-known technologists, did send a copy of his last book over for review, when requested.

Given that, this is not a review; it is merely a series of observations about the book. There are numerous technical errors in the tome; for those, the best people to read are veteran researchers Thomas Dullien, aka Halvar Flake, and Robert Graham, aka Errata Rob. And there are few spoilers, if any, in what follows: I am aware that many people would still like to throw away their hard-earned money on it, despite the poor-quality product.

Before the book was put on sale, Perlroth wrote an article in the NYT in order to publicise it. Dave Aitel, a former NSA hacker who had been in the infosec business for a long time before selling his company, Immunity, to Cyxtera Technologies in 2019, got all riled up because he was said to have trained people from the Turkish military in infosec techniques. It must be noted here that doing business with a government organisation from Turkey is not against US law.

So Aitel went on the attack, only to be met with some spirited resistance from Perlroth. As soon as the book landed in stores, Aitel was up and running with some fresh barbs, which were again countered by Perlroth. But the reviews by Dullien and Graham had a different effect: Perlroth locked her Twitter account, and that is how things stand even today.

Exactly why journalists cannot take criticism is a mystery to this author who has been in the business for longer than he would have cared to be and has been called every name under the sun. Perlroth appears to be very sensitive to any bad takes, with at least one of her supporters trying to attribute the criticism of the book to misogyny and sexism. In truth, none of the criticism has been driven by anything but the normal nerd tendency to demand accuracy.

The book is a somewhat painful read, with the prose being turgid in many places. There is a great deal of over-writing, and the language is not merely flowery but unnecessarily so. A good editor could have cut it down by a third without losing anything of substance, but it looks like Bloomsbury, the publisher, has no good sub-editors on its staff. One example that struck me was when the author mentions that she received an "audible pat" (presumably on the back) from Michael Hayden, a former head of the NSA and the CIA, when he heard of her book project. Is the word "audible" really needed there?

The lack of a good overseer is evident in a number of places, one being where the author shows that she is unaware of the difference between "affect" and "effect". There is another place where Chaouki Bekrar, a Frenchman of Algerian origin, is described as the "Wolf of Wuln Street", when in reality that should be "Vuln Street". Little things, sure, but they do matter.

The date of publication is given as 2020, which is peculiar, since such dates are normally specified to the month. It looks like the writing was all done and finished by November 2020, else there would have been some mention of the SolarWinds attacks, which surfaced in the first week of December 2020.

There is a marked streak of narcissism running through the volume: I lost count of the number of times the author uses "told me" (to make sure that the reader does not think a quote is second-hand?), when simpler words like "said", "commented", "recounted", "explained" or "pointed out" could have been used. There are places where this obsession with self is laughable; one I recall is a mention of journalists, which the author phrases this way: "...journalists, like me..." True, it is a hallmark of many a modern-day scribe to think that he/she is more important than the story, but Perlroth is close to 40 and such delusions should have disappeared by now.

Another shortcoming is the fact that this book is not exactly driven by events; it is based on a conclusion that has been drawn, after which supporting material has been sought, perhaps the wrong way to go about writing anything.

For a book that claims to be about the zero-day industry — a sector which is notoriously populated by cowboys — it offers a surprisingly tame read, sticking mostly to the establishment view. The author is convinced that the zero-day business started in the US and that the country has now made things worse by not guarding its crown jewels — aka the store of zero-days retained by the NSA — carefully. The leak of a good number of exploits based on these zero-days in 2016-17 by a group known as the Shadow Brokers is well known, and this incident is used to justify the thesis that the NSA does not know how to look after its own wares.

The book propagates the myth of "USA the beautiful, the guardian of human rights and morals" which has even less currency than a fairy tale now, after more than 70 years of American atrocities around the globe. But then it is very likely that if Perlroth had not gone down this route, her access to government sources — the main avenue for all infosec stories in the NYT from my reading — would have been put at risk.

Both Sergey Brin, the co-founder of Google, and Tim Cook, the chief executive of Apple, are painted as warriors operating for the good of the tech community, when the reality is somewhat different. Cook is praised in the context of the 2016 fight between Apple and the FBI, when the latter demanded that Apple provide access to the contents of an iPhone used by a terrorist in December 2015. But Perlroth omits the fact that two years later, Cook backtracked on security that he had promised to his users. As to Google, one does not need to say much; the way that company treats its users is too well-known and too recent to bear repeating.

The book also seems somewhat dated in that it promulgates old Cold War stereotypes, including paying homage to the disputed theory that Russia influenced the 2016 US presidential elections. This has been debunked so well by the few journalists who actually practise their trade the way it should that it is risible to repeat old takes in the hope that someone will buy them.

The author goes down the unnecessary path of trying to theorise how the infosec industry could reform itself when she has never been on the frontlines. This is an exercise in vanity and is best avoided; tell the story in direct prose and leave it there. Opinions are all very good, but advice on things far beyond one's scope is an indication of taking oneself more seriously than one ought to. Journalists are not players, but increasingly seek to be; we are merely the ones who provide the copy to wrap around the advertisements which bring in the money.

Finally, the theory that a "cyber Pearl Harbour" is around the corner is for the birds. One site that used to disabuse people of such fanciful notions, Cyber Squirrel, has unfortunately stopped publication. Run by Cris "SpaceRogue" Thomas and Brian Martin aka Jericho, the site shut down because Thomas did not have enough time to keep updating it.

Asked about it recently, Jericho said: "It was Sprog that was running it 99% for most of its life, I would do occasional updates and a pet project of trying to fill in countries that had no incidents. He found someone else to run it for a while, but they only lasted a few months. So the decision was made to shutter it."

My recommendation to any individual who is unfamiliar with infosec is: don't buy this book, it will confuse you no end. To those who keep track of events, the advice is the same, but for different reasons; it will annoy you and is not an easy read.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
