"This is How They Tell Me the World Ends" By, Nicole Perlroth

Review: 'This is How They Tell Me The World Ends'

The true stories rarely have happy endings. I finished my journey through "This is How They Tell Me the World Ends", a readable tour through the shady and yet still shadier parts of the cyber weapons market by New York Times journalist Nicole Perlroth. It's not such a spoiler to let you know that we're all the cannon fodder in the ongoing escalation of nation states to corner access on hacking tools that can allow them to disable their adversaries. But as someone who casually pays attention to the market of offensive tech, this book offers a staggering breadth of coverage, introducing a wide cast of players on all sides.

It's readable and fast paced and Perlroth has a relatable narrative voice and also makes for a good central character navigating from one technology nightmare to the next. She's good at avoiding the technical jargon where it's not needed and explaining it where it's unavoidable. I think her short-cuts to educating readers on what are sometimes really complicated topics are like fingernails on a chalkboard to experts in cyber security fields, but this book isn't aimed at them. And it's better for it.

I decided to read the book actually after catching some critical reviews by people more on the engineering side of technology. One thing they had in common aside from being male was they hadn't actually gotten that far through it. I wonder if they even finished. It's fast paced and at times reads a bit like a spy thriller, though with occasional reminders that it's all happening, and by the way, the controls that run all of our water, electricity, telecommunications and more are online and not that terribly secure.

Update: If you do want to read a detailed and well-written dive into the book's technical faults, Tarah Wheeler has written this in Foreign Policy magazine.

There's a lot of inside baseball in the early chapters about the New York Times and how it operates on these kinds of stories, and how it plays well, or doesn't play well, with others. The book starts off with her involvement in reporting on the Snowden leaks of NSA programs, and there's no shortage of snark about The Guardian. But that soon gives way to a world tour of various hacker communities, brokers of the unpatched holes in your mobile's operating system, and national security experts whose names you may not see in the papers very much because they're actually doing the work. To be honest, if the book can make a general audience more interested in these kinds of issues, then I think that's a good thing overall.

It's one of these books that I think I'll hit again with the highlighter and the Post-it notes. It was around page 137, in the chapter called "The Kurd", that I started folding corners of pages to return to. It's not that if I leave a book completely un-ravaged that it was a bad read, but the highest honour my nonfiction reads have is to be well worn, with ugly misshapen spines from being left open, creases in the corners from bookmarking and little semi-legible notes in the margins.

In a nutshell, everything's exploitable if you look hard enough, long enough. And there are governments that will pay a lot of money to obtain this. The Snowden leaks showed some of this and how the NSA and GCHQ exploited this. Later on, through Wikileaks and others, we've all been able to learn about hacking tools of the CIA. These tools are exploited by Russia, China, Saudi Arabia, Israel, etc. against targets ranging from political leaders, corporate giants like Jeff Bezos to investigative journalists and human rights investigators. And often, such as attacks that hit things like the NHS, the rest of us.

There are reasonable actions governments can take, summarised in the book's closing. Don't run elections online. Patch software instead of hoarding these security holes for some potential use. Secure more infrastructure. Encourage people to use end-to-end encryption, or even set government limits on what's considered minimally secure instead of lobbying for back doors. Consider some kinds of rigorous standards for people put in places of high trust for securing the things we all use.

But it's a complexity trap. If you want to scale systems that growing numbers of people need (clean water, telecommunications, power grid management, etc.) then the place to do that is online. And once there, you can't take it back off again. All this combined digital infrastructure that runs civilisation exists where it does for a reason: that's where it works. And that's where it's going to be attacked. Attackers can be wrong every day, and keep trying. Defence can't be wrong any day.

The book focuses a lot on the 0day market. These are exploits that the makers of software don't know exist (and have had zero days to fix, get it?). It's an expensive market as these are harder to find than the loads of exploits that just exist because so many systems we rely on use outdated operating systems or are built with old or unsupported code. The book gets into both of these kinds of vulnerabilities, plus the human side of things, such as how social networks can game human perceptions for political ends. But the 0day industry is maybe the most symbolic of the whole trade. Bug hunters can either get paid thousands to turn them over to the companies that can fix them, or tens if not hundreds of thousands to sell them on to brokers that will sell them to governments for millions. Companies can't compete with that. I don't think some even really want to.

So read this one but there's a warning: You may start to appreciate the off-grid types in new ways.

This article was updated on 6 May 2021