This Is How They Tell Me the World Ends Pdf ; Introduction

Six months before Edward Joseph Snowden became a household name, I found myself flanked by Germany’s preeminent industrial security specialist and two Italian hackers at a restaurant in South Beach. We were all in Miami to attend the same bizarre conference—an annual invite-only gathering of the smartest fifty-plus minds in industrial-control security, a particularly terrifying subset of the industry that examines the myriad ways hackers can break into oil and water pipelines, power grids, and nuclear facilities.

                            This Is How They Tell Me the World Ends PDF Book by Nicole Perlroth

That evening the conference organizer, a former NSA cryptographer, invited some of us out to dinner. Looking back, the invitation had all the makings of a twisted joke: A reporter, an NSA codebreaker, a German, and two Italian hackers walk into a bar … After only a year on the hacking beat, I was still figuring out my new normal—who was good, who was bad, who was playing it both ways. Let’s just say I stood out. For one, there are not many petite blondes in cybersecurity.

To any woman who has ever complained about the ratio of females to males in tech, I say: try going to a hacking conference. With few exceptions, most hackers I met were men who showed very little interest in anything beyond code. And jiujitsu. Hackers love jiujitsu. It is the physical equivalent of solving puzzles, they tell me. I was neither male, a coder, nor particularly interested in getting squashed in a ground fight. So, you see, I had problems.

Growing up, the New York Times was my family’s bible. I memorized bylines and imagined Times reporters being greeted like emissaries from the Lord himself. Not so in cybersecurity. Most people treated me like a child—the less I knew, they told me, the better. Also, as many, many men on Twitter regularly point out to me, nobody in cybersecurity actually uses “cyber” anymore. It’s “information security,” or preferably “infosec.” More than a few times, after introducing myself as a cybersecurity reporter at a hacking conference, I was told to GTFO. (Dear reader, I leave the deciphering of that code to you.)

As it turns out, introducing yourself as “cyber” anything is the quickest way to the door. I was learning that this was a small, eerie industry with an intriguing mix of eccentrics. Every bar, at every conference, was reminiscent of the Mos Eisley cantina in Star Wars. Ponytailed hackers mingled with lawyers, tech execs, bureaucrats, intelligence operatives, revolutionaries, cryptographers, and the occasional undercover agent. “Spot the Fed” was a crowd favorite. If you correctly spotted a federal agent at the annual Def Con hacking conference in Las Vegas, you got a T-shirt.

For the most part, everyone seemed to know everyone else, at least by reputation. Some despised each other, but there was also a surprising amount of mutual respect, even between opposing sides, so long as you had skills. Incompetence— from a reporter, or especially from those who made their living selling digitized mousetraps—was an unforgiveable offense. But that night, in Miami, seated between the German with his bespoke suit, ostrich loafers, and neatly combed hair and the two T-shirt-clad Italians with their unkempt ’fros, I felt a tension I had not encountered before.

The German’s job title—industrial security specialist— did not quite do him justice. Ralph Langner had dedicated his life to preventing a catastrophic cyber meltdown, the kind of crippling cyberattack that could easily send a Deutsche Bahn train careening off the tracks, take the world’s trading hubs offline, blow up a chemical plant, or trigger a tsunami by unlocking the gates of a dam. The Italians, and a growing number of hackers just like them, were getting in his way.

The two had traveled to Miami from the tiny Mediterranean nation of Malta, where they spent their days combing the world’s industrial control systems for zero-days, weaponizing them into exploits that could be used for espionage or physical harm, and then selling them off to the highest bidder.

This Is How They Tell Me the World Ends Pdf :About The Book

I suppose they were invited under the “Keep your friends close and your enemies closer” banner. That evening I was determined to find out to whom the Italians sold their digital arms and if there were any nationstates, three-letter agencies, or criminal groups to whom they would not. It was a question I’d be asking for years. I waited until we were two Beaujolais deep. “So Luigi, Donato, your business model, it’s interesting,” I stammered.

I directed the words at Luigi Auriemma, whose English proved the better of the two, trying my best to lighten my tone and mask my next question as a casual inquiry, no different from asking about the stock market. “So tell me. Who do you sell to? The U.S.? Who won’t you sell to? Iran? China? Russia?” As much as I attempted to disguise the gravity of the question with a forkful of food, I wasn’t fooling anyone. The first rule of the zero-day market was: Nobody talks about the zero-day market. The second rule of the zero-day market was: Nobody talks about the zero-day market. I’d posed this question many times, and I knew it was the one question nobody in his business would answer.

The Luigis and Donatos of the world had rationalized their trade long ago. If companies like Microsoft didn’t want them finding zero-day bugs in their software, they shouldn’t have written vulnerable code in the first place. Zero-days were critical to national intelligence gathering, and only becoming more so as encryption shrouded the world’s communications in secrecy. In a growing number of cases, zero-days were the only way governments could keep from “going dark.” But those rationalizations often ignored the dark side of their business.

Book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race PDF Download – Nicole Perlroth

➡ https://t.co/LQlkhW7MRs

Download or Read Online This Is How They Tell Me the World Ends: The Cyberweapons Arms Race Free Book (PDF ePub Mobi) by pic.twitter.com/RLez1FRzDz

— Kelly Sanders (@KellySande78791) December 2, 2023

Nobody was willing to admit that one day these tools could be used in a life-threatening attack, that they were increasingly finding their way to oppressive regimes looking to silence and punish their critics, or infiltrating industrial controls at chemical plants and oil refineries, and that possibly, perhaps inevitably, those who dealt in this trade might one day find blood on their hands. Everyone at our table knew that I had just casually asked the Italians to stare the shadier side of their business in the face. For a long moment knives and forks went still, and nobody said a word.

All eyes turned to Luigi, who would only look down at his plate. I took a long sip of my wine and felt an intense craving for a cigarette. I could sense that Donato understood my question too but was not about to break the silence. After several tense moments, Luigi finally murmured, “I could answer your question, but I would much rather talk about my salmon.

” To my right, I could sense the German fidgeting in his seat. Two years earlier, Ralph Langner had been among the first to crack the code and unveil the plot behind Stuxnet, the most sophisticated and destructive cyberweapon the world had ever seen. Stuxnet—as the computer worm came to be called—had been discovered in bits and pieces in 2010 as it slithered its way through computers around the globe, using an unheard-of number of zero-day exploits, seven to be precise. Some were clearly designed to infect hard-to-reach —even offline—computers.

One Microsoft zero-day allowed the worm to invisibly spread from an infected USB flash drive onto a computer undetected. Others allowed it to crawl across the network from there, climbing ever higher up the digital chain of command in search of its final destination: Iran’s Natanz nuclear plant, where it burrowed deep into the offline, or “air-gapped,” computers that controlled the rotors that spun Iran’s uranium centrifuges. And then, by remote command, Stuxnet silently spun some of Iran’s centrifuges out of control, while stopping others from spinning entirely.

By the time Iran’s nuclear scientists discovered that a computer worm was responsible for the destruction of their centrifuges, Stuxnet had already destroyed a fifth of Tehran’s uranium centrifuges and set Iran’s nuclear ambitions back years. Langner had made a name for himself with his analysis of the Stuxnet code—and for having the chutzpah to be the first to call out the weapon’s two architects: the United States and Israel. But these days Langner worried endlessly about what might happen when those same capabilities ended up in the wrong hands.

The Stuxnet code could work just as well in an attack on a power or nuclear plant, or a water treatment facility in the United States. In fact, Langner had mapped out “target-rich environments”— industrial systems still vulnerable to Stuxnet’s code around the globe. The bulk were not in the Middle East. They were in the United States.

It was only a matter of time before our weapons turned on us. “What you end up with is a cyberweapon of mass destruction,” Langner told the audience of hundreds that day. “That’s the consequence that we have to face. And we better start to prepare right now.” Since his discovery, Langner had been traversing the globe, consulting with the world’s largest utility companies, chemical plants, and oil and gas firms, preparing them for what he and others now believed was an impending and inevitable cyberattack of mass destruction. In his eyes, Luigi and Donato were cold-blooded cyber mercenaries, catalysts for our impending doom.

Getting to the bottom of the zero-day market was a fool’s errand, they told me. When it came to zero-days, governments weren’t regulators; they were clients. They had little incentive to disclose a highly secretive program, which dealt in highly secretive goods, to a reporter like me. “You’re going to run into a lot of walls, Nicole,” Leon Panetta, the Secretary of Defense, warned me. Michael Hayden, the former director of both the CIA and the NSA whose tenure oversaw the greatest expansion of digital surveillance in the agency’s history, laughed when I told him what I was up to. “Good luck,” Hayden told me, with an audible pat on the back. Word about my quest traveled fast. My competitors told me they didn’t envy my mission.

Zero-day brokers and sellers prepared for me with bug spray. My calls went unreturned. I was disinvited from hacking conferences. At one point cybercriminals offered good money to anyone who could hack my email or phone. But there came a point when I knew backing off this story would haunt me more than moving forward.

I’d glimpsed enough to know where this was all going. The world’s infrastructure was racing online. So was the world’s data. The most reliable way to access those systems and data was a zero-day. In the United States, government hackers and spies hoarded zero-days for the sake of espionage, or in the event they might need to do what the Pentagon calls D5—“deny, degrade, disrupt, deceive, or destroy”—an adversary’s critical infrastructure in the event of war one day. Zero-days had become a critical component of American espionage and war planning. The Snowden leaks made clear that the U.S. was the biggest player in this space, but I knew from my reporting that it was hardly the only player. Oppressive regimes were catching on. And a market was cropping up to meet their demand.

There were vulnerabilities everywhere, many of them of our own making, and powerful forces—including our own government—were ensuring that it stayed this way. There were many people and institutions that did not want this story to be told. I came to believe that the only way to contain the spread of the world’s most secretive, invisible market was to shine a big fat light on it. As with most journalistic endeavors, getting started was the hardest part. I moved ahead the only way I knew how. I started with what little was already public and peeled the onion back from there. To do that, I had to travel back more than a decade, to the zero-day market’s first public glimmer.

I had to track down the men who—in their folly— were under the mistaken impression that they’d pioneered it. Every market starts with a small wager. I’d discover that the zero-day market—at least the public face of it— launched with ten bucks. That’s all it took for John P. Watters to buy his first cybersecurity company in the late summer of 2002.

That was a heck of a lot less than he paid to engrave his initials —J.P.W.—on the crocodile cowboy boots he wore the evening he marched into iDefense’s Chantilly, Virginia, headquarters to figure out whether there was anything left worth salvaging. But Watters figured $10 was a fair price for a company that had been hemorrhaging $1 million a month with no obvious plans to make it back.

                                               I think we spent our best years fighting on the wrong side.
                                                                —LARRY MCMURTRY, LONESOME DOVE