But he ignored the major accusation made in the book against his company Immunity which he sold to Cyxtera in 2019: that Immunity trained the Turkish army in cyber techniques during its early days.
In a number of tweets based on what he said was his first reading of the book, Aitel, a well-known figure in the American cyber security sector, picked what he said were holes in what had been covered by Perlroth and also cited data that he felt should have been covered.
Timelines in this book tend to be fluid and incorrect is one of the things that stuck out to me.
— daveaitel (@daveaitel) February 9, 2021
As iTWire reported, a spat erupted between Aitel and Perlroth on Twitter; it was kindled after the journalist published an article on 6 February which she said was adapted from her book, This is how they tell me the world ends. Aitel said at the time, "I critique this kind of reporting when I don't think it accurately represents the space. I'll have more after I read the book." He clearly meant this, judging by the number of criticisms he made on Tuesday.
|
|
When a reply to this said: "Escalation of privilege? Command and control? Data exfiltration? What are all those? I am so confused, Dave!", Aitel responded: "Even if it's not directly covered in the reporting, having a reporter that understood these issues better would result in a more informed audience."
Asked to explain the difference between an exploit and an implant, former NSA hacker Jake Williams told iTWire: "An exploit compromises software to get you on the target machine. The implant is the backdoor that you install.
"Implant really just means malware, but it sounds nicer for lawmakers. Kind of how you NEVER say breaking and entering, you just call it non-consensual entry."
You could MAYBE make an argument that various people in the US were more active in creating an actual "market" but that's probably just a function that the US is bigger in general than most countries and has a bigger economy.
— daveaitel (@daveaitel) February 9, 2021
Aitel then expanded his criticism, saying: "Everything in this book is a slight misrepresentation. Like there are historical parts in this book no-one can either confirm nor deny, but if you had a choice, it would be deny. :) The bits of this book on export control are so uneducated and off it's annoying. I get that export control is a fairly wonky space... but it ends up being fairly central to the thesis of the book."
He said it was odd that anyone would write a book on zero-days and the zero-day market and not make mention of lsd-pl, the Last Stage Delirium Research Group of Poland, a prominent black hat group. They were well-known in the early 2000s for cracking open nearly every version of Windows available at the time.
Aitel has close connections to the cracker community, having sold zero-days to rustle up cash when he was starting out in business. He founded Immunity when he was just 24, after spending six years with the NSA, and sold it to Cyxtera Technologies in 2019. He has stepped down from an active role in the company as of 31 December.
Immunity has a business model of discovering or buying exploits and then using that knowledge to protect its own customers. The exploits are never revealed to the companies whose software is affected, something that mirrors the practice of the NSA.
"I mean, the essential thesis of this book is wrong in that 0-days did not start with the US Government," Aitel said in another tweet. "And that's a weird thing to get wrong. You could MAYBE make an argument that various people in the US were more active in creating an actual 'market' but that's probably just a function that the US is bigger in general than most countries and has a bigger economy.
Just a LOL for Halvar and co. pic.twitter.com/xGqB0TrB2X
— daveaitel (@daveaitel) February 9, 2021
"It's just so weird to see someone describe DoublePulsar as an exploit that is 'used to implant EternalBlue onto machines'. Like, all the little details are askew here.
"There's definitely a cast of professionals out there whose visage is continually stretched into a rigour of astonished opprobrium at the mere thought of 0-days, and this book continues that trend in the various asides and italicised commentary. I mean clearly we should be more explicit about what the term NOBUS means, because this book gets it very wrong and you don't want that to propagate."
Asked about NOBUS, Williams told iTWire that it meant "Nobody but us".
"[It] means that we're the only ones who could possibly build a particular capability," explained Williams, who now runs his own infosec outfit, Rendition Infosec. "Basically it means for instance 'this SMB vulnerability might be a danger to others, but we don't have to worry about anyone else weaponising it because it took all our super secret technology to make it happen'."
I searched this whole 0day book for NEEL MEHTA and didn't see a reference btw. Like, knowing there is a puzzle is not the same as being able to put that puzzle together. :)
— daveaitel (@daveaitel) February 9, 2021
Aitel said: "... this book describes [computer security analyst and risk management specialist] Dan Geer as a 'CIA Insider' because of his stint at In-Q-Tel, which is not how I would describe Dan Geer, or how he would describe himself or really how anyone I know would describe him. I guess this book taught me that INFILTRATE is a very good conference full of people who can keep their mouth shut even drunk and are good at BJJ (Brazilian Jiu-Jitsu). :)" INFILTRATE is a conference that Immunity holds every year.
Aitel said timelines in Perlroth's book tended to be fluid and incorrect and this had stuck out to him. "It's usually little things, that don't matter, but it's offputting if you lived through the history."
A review of the book on the Publishers' Weekly site had these criticisms: "Perlroth’s searing account of the role American hubris played in creating the zero-day market hits the mark, but she leaves many technical details about cyberweapons unexplained, and stuffs the book with superfluous details about getting her sources to spill. This breathless account raises alarms but adds little of substance to the debate over cyberweapons."
Contacted for comment, Perlroth said she was not surprised Aitel was unhappy with the book, or that he was making vague criticisms of "fluid timelines" and titles, instead of the merit of the work.
"The book includes a well-sourced, on-the-record account by Aitel's own employees, describing the one topic his Twitter memes do not address: his willingness to train and sell tools to customers, such as Turkey's military, who would inevitably turn that same tradecraft on their own people," she told iTWire.
"Aitel was given ample opportunity to dispute employee accounts, across several interviews, and chose not to. Instead he offered only, 'I would never comment on my customers'."
Addressing Aitel's specific rebuke that Dan Geer, the chief executive of the CIA-funded In-Q-Tel, was not a "CIA insider", Perlroth said the full passage in question said: "Geer was chief information security officer at In-Q-Tel, the CIA's investment arm."
About Aitel's criticism that zero-days did not start in the US, Perlroth said she was not even sure she understood his argument.
"But I would note the book makes it clear that the early supply side of this market originated in Eastern Europe," she pointed out. "The book makes this abundantly clear: 'The bulk of their suppliers were hackers in Eastern Europe. With the break-up of the Soviet Union, you had a lot of people with skills, without jobs', a source is quoted as saying."
Perlroth also addressed Aitel's criticism that the book did not differentiate between exploits and implants, saying the tome spoke for itself. "They wanted the entire kill chain — a way in, a way to beacon out to their command-and-control server, an exfiltration capability, an obfuscation capability," Perlroth quoted from the book, adding: "There are many other such passages."
She said Aitel had been a vocal critic of any regulation of an industry from which he had profited for a long time.
"His followers appear to have swallowed his arguments whole, without a complete understanding of his business model – and the human rights he was willing to sacrifice in the name of profit," Perlroth said.
"Finally, I am disappointed to see Williams — someone who was very helpful for my research — comment on a book that he openly admits he has not read. It does not speak well of a forensic analyst, who deals in evidence and data, to form an opinion off vague criticisms from a less-than-disinterested Twitter account."
She added: "Regarding the unfounded criticism that I previously criticised the lack of 'opsec' that led to Reality Winner’s arrest, but was 'hanging out with Snowden documents', anyone who reads the book would immediately see the strict opsec measures we [the New York Times] took in the case of the Snowden leaks.
"This included the prevention of any devices anywhere near the documents in question. This was described in the first chapter, so it is strange Aitel missed it. But again, I am not surprised he chose to make baseless attacks rather than address the actual substance of a book that shines a bright light on business practices he has tried to obfuscate for years."
And it's some kind of sick irony when a reporter starts a book with "I was hanging with some Snowden documents", laments the "opsec failure" that led to Reality Winner getting caught, and then ends it with a call for more controls over what people do with infosec trainings.
— daveaitel (@daveaitel) February 9, 2021
Asked for his take on Aitel's comments, Williams said: "I haven't read the book, so I'm bowing out of this until I read it, or listen to the audiobook. Saw his tweets though and it sounds like [there are] some pretty huge errors."
This is not the first time that ex-NSA hackers have attacked Perlroth's reporting. In May 2019, she and two others, Scott Shane and David Sanger, came under fire after they wrote a yarn based on a leak from security firm Symantec, claiming that Chinese spies had gained access to a number of NSA exploits and used them for attacks, well before they were leaked by the Shadow Brokers.
On that occasion, Aitel was joined by another NSA alumnus, Robert M. Lee, the head of security firm Dragos, and Williams, in defending his former employer, the premier US spook agency..
But some of Aitel's peers took aim at him, pointing out that he had a conflict of interest. One, named Chad Loder, wrote: "You own a company in the exploit market that @nicoleperlroth has been asking hard questions about."
Like, this book describes Dan Geer as a "CIA Insider" because of his stint at In-Q-Tel, which is not how I would describe Dan Geer, or how he would describe himself or really how anyone I know would describe him.
— daveaitel (@daveaitel) February 9, 2021
More recently, Williams took issue with a piece that Perlroth and Sanger wrote along with a third reporter, Julian Barnes, claiming that the wares of a software company known as JetBrains could have a connection to the supply chain incident involving SolarWinds' network management software known as Orion.
He blasted the authors for wasting the time of infosec practitioners who had to divert their attention from other tasks to check for compromises in JetBrains' software.
In September last year, Perlroth and Sanger were criticised in these columns over an article in which they tried to hype up the so-called Russian threat to the US ahead of the 2020 presidential poll.
iTWire has twice requested a copy of Perlroth's book for review, but she has not given any indication of acquiescing to the requests.
