Countdown to Zero Day

Book Notes

Whoa. Another non-fiction book. It's like my goal to finish all my started books is demonstrating I'm not a big fan of non-fiction books, post-school.

Or something.

This book describes the exposure and investigation of the Stuxnet computer virus. Because the book is describing the virus, and its subsequent children, parents, and cousins, it has to give some background of the world as it existed when the virus was released. This particular form of story-telling, the form of chronological progression, makes the first part of this book slooooooooooooow. Rob warned me when he handed me the book, told me to keep going, it'll get better. The fact that I started this book in December of 2015, and am only now finishing it, testifies somewhat to how slow I found the beginning of the book.

The middle of the book, however, and the end, those went much faster. Around chapter eight or so, the story line picks up and becomes interesting and engaging.

If you have a good library and interest in this book, I recommend starting out with the audiobook version, to get through the first part, then switch to reading. The whole story is politically and technically fascinating.

That there are people who believe in making the computing world safe for the rest of us, despite some of the bad guys being on our own team, helps me sleep better at night. Not well, but better. That the world described in the book still exists and that we have Cheetoh instead of Obama is a terrifying prospect.

In amassing zero-day exploits for the government to use in attacks, instead of passing the information about holes to vendors to be fixed, the government has put critical-infrastructure owners and computer users in the United States at risk of attack from criminal hackers, corporate spies, and foreign intelligence agencies who no doubt will discover and use the same vulnerabilities for their own operations.
Location 4019

But it’s a government model that relies on keeping everyone vulnerable so that a targeted few can be attacked — the equivalent of withholding a vaccination from an entire population so that a select few can be infected with a virus.
Location 4032

Dagan was known to favor assassination as a political weapon.
Location 4433

Bencsáth’s heart was pounding as he clicked Send to e-mail the report. “I was really excited,” he says. “You throw down something from the hill, and you don’t know what type of avalanche there will be [ as a result ].”
Location 4686

On one, he’d circled the URL of a website he’d visited that contained the letters “en/us” — proof that the US government was watching his computer, he ...
Location 4702

Okay, I laughed out loud at this one. en/us is a designation to display a web page with US English, instead of say, Canadian English or UK English (you know, that color versus colour thing).

Another correspondent, a female cookbook author, sent Chien a few e-mails via Hushmail — an anonymous encrypted e-mail service used by activists and criminals to hide their identity.
Location 4704

I have to wonder why the "female" part of the author's identity had to be explicitly stated. Because male cookbook authors aren't technically clueless? Something about the balls make male cooks more technically sophisticated than women cooks?

A nuclear-armed Iran, he said, would be “a grave threat” to peace not just in the Middle East, but around the world. 37 He promised that under his leadership all options would remain on the table to prevent Iran from obtaining nuclear weapons. Although in essence this meant a military option as well, Obama, like Bush, wanted to avoid a military engagement at all costs.
Location 6048

"Avoid a military engagement at all costs."

This isn't something I think I hear nearly enough. The cost of war is incredible. It destroys people, the victors and the defeated. Everyone but the arms dealers who don't see the results of their product are damaged in some way.

But don't tell my dead brother that. He thinks violence solves all problems.

“Together with the international community, the United States acknowledges your right to peaceful nuclear energy — we insist only that you adhere to the same responsibilities that apply to other nations,” he said. “We are familiar with your grievances from the past — we have our own grievances as well, but we are prepared to move forward. We know what you’re against; now tell us what you’re for.”
Location 6392

“Faced with an extended hand,” Obama said, “Iran’s leaders have shown only a clenched fist.”
Location 6396

US military and intelligence agencies had been penetrating foreign systems in Iran and elsewhere, building stockpiles of digital weapons, and ushering in a new age of warfare, all without public discussion about the rules of engagement for conducting such attacks or the consequences of doing so.
Location 6907

Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation — a nation with whom it was not at war. In doing so, it lost the moral high ground from which to criticize other nations for doing the same and set a dangerous precedent for legitimizing the use of digital attacks to further political or national security goals.
Location 6926

Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, “otherwise we should grow too fond of it.” The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.
Location 6932

The targets most in danger from a digital attack in the United States are not just military systems but civilian ones — transportation, communication, and financial networks; food manufacturing and chemical plants; gas pipelines, water, and electric utilities; even uranium enrichment plants. 13
Location 6970

Any future use of digital weapons will likely be as an enhancement to conventional battle, not as a replacement for it. Critics of digital doomsayers also point to the fact that no catastrophic attack has occurred to date as evidence that the warnings are overblown. But others argue that no passenger jets had been flown into skyscrapers, either, before 9 / 11.
Location 7051

“For cyber deterrence to work,” Cartwright said in 2012, “you have to believe a few things : One, that we have the intent; two, that we have the capability; and three, that we practice — and people know that we practice.”
Location 7065

But while deterrence of this sort might work for some nations — as long as they believe an attack could be attributed to them — irrational actors, such as rogue states and terrorist groups, aren’t deterred by the same things that deter others.
Location 7069

Though one can argue that the 9 / 11 attacks required at least as much planning and coordination as a destructive cyberattack would require, a well-planned digital assault — even a physically destructive one — would likely never match the visual impact or frightening emotional effect that jets flying into the Twin Towers had.
Location 7097

Richard Clarke, former cybersecurity czar under the Bush administration and a member of the panel, later explained the rationale for highlighting the use of zero days in their report. “If the US government finds a zero-day vulnerability, its first obligation is to tell the American people so that they can patch it, not to run off [ and use it ] to break into the Beijing telephone system,” he said at a security conference. “The first obligation of government is to defend.” 40
Location 7167

Under the new policy, any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so the flaw can be patched. But the policy falls far short of what the review board had recommended and contains loopholes. 43 It applies only to flaws discovered by the NSA, without mentioning ones found by government contractors, and any flaw that has “a clear national security or law enforcement” use can still be kept secret by the government and exploited. The review board had said exploits should be used only on a temporary basis and only for “high priority intelligence collection” before being disclosed.
Location 7181

Then in 2012, the president signed a secret directive establishing some policies for computer network attacks, the details of which we know about only because Edward Snowden leaked the classified document. 50 Under the directive, the use of a cyberweapon outside a declaration of war requires presidential approval, but in times of war, military leaders have advance approval to take quick action at their discretion.
Location 7265

The presidential directive addresses only the military’s use of digital operations, however. A list of exceptions in the document excludes intelligence agencies like the NSA and CIA from it, as well as law enforcement agencies like the FBI and Secret Service.
Location 7281

The MFTUOAE Award

Blog

Okay, I have a nominee for the most frustrating to use OSX application EVAR, the coveted MFTUOAE Award.

It is, drumroll please, the Kindle App for Mac.

Good lord, is this thing frustrating to use.

If you use the mouse to move forward a page, the app will forward two pages.

If you use the mouse to move backward a page, the app will move backward two pages.

EVERY.

TIME.

If you want to highlight a passage, the app will move the book a page, forward or backward, neither direction is consistent.

If you do manage to select a section for highlighting, the selection will disappear when you move the cursor to the highlight section.

EVERYTHING about this app is frustrating with a mouse. I ended up using the trackpad on my laptop and the keyboard exclusively to track the sections of the books I wanted to highlight for a review.

I need to rethink my audiobook to ebook transfer process, this is so frustrating.

When A Beginner Asks For A Project To Do

Commentary

So, I'm about to start an adventure where I learn a new serverless (also known as 'Backend as a Service' or BaaS) technology and implement a small project with the new technology I've learned. Because there are large number of offerings for serverless(-for-me) technologies, we needed to have a number of projects to implement.

Sidenote, an argument could be made for implementing the same project across multiple serverless technologies, to expose the strengths and weakness of each of the technologies, as well as the service complexity and depth, in comparison with each other. While a worthwhile and valid argument if the adventure goal were to find a good technology fit for my company, the goal of the adventure is to explore the different serverless technologies. Variation is helpful with this exploration.

The first step on this adventure is commit to the adventure. Have done that.

The second step is generate a list of projects to consider for building. Each project needs a front-end app and a (serverless, natch) back-end API. Each needs a level of security. Each needs to store information. Each needs to have a set of models, and a set of actions. None of this is new information: I need a project to build.

So, I go off to the Intarwebs™, and start looking for "small web developer project ideas" and "projects for my web developer portfolio" and "what web project should I build?" and the like.

I'm expecting to find a nice, concise list of "Here, try building these. Each of them is a good, self-contained project that will explore some particular aspect of web development. You can document what you've done, put the code up on GitHub, and explore with potential peers the what-you-did, the why-you-chose-X, and the how-you-did-it."

Instead, there are a number of top posts that tell me, play around with building a form, build something with AJAX, build something with Bootstrap, learn Javascript!, learn about grid systems, and I just want to pull out my hair.

The reason for a project is to learn HOW to use these things. Reading examples or documentation doesn't mean using the code, playing with it, learning the nuances of the technology, and understanding what is going on with the code. Projects do that, they give someone a goal to complete, something with parts that great and parts that you have to trudge through.

Creating something that didn't exist before, making something you want to exist, THAT is where the high of programming starts. Using technology to solve a problem makes programming worth the time and mental energy. Learning for the sake of learning is fun, yes, but building something, THAT is better.

So, yeah, next time someone asks for a project, don't tell them to learn a technology. Instead, give them a problem to solve, something that you wish existed. Be excited about the project. She will have a project to build, and you'll have a problem solved.

And likely you'll have one fewer rant from me.

The Western Star

Book Notes

Really now, the previous book I read cured me of my current non-fiction streak (of five books! wow!). I really needed a good, fun read to put the enjoyment back in my obsessive daily reading. I had little surprise that Johnson's Longmire would do the trick.

I enjoyed the book. I read a few reviews of the book where the readers were complaining about the cliff-hanger at the end. It didn't bother me. There were two intertwined plots happening in the book, one from 1972 on the Western Star, a train, and the other in contemporary time, which was a continuation of the previous arch-nemesis Longmire books. The first plot's mystery was clever, with a few good misdirections. That Longmire knew more than the reader is fine. The modern-time plot is fine, nothing terribly surprising.

There were fewer hit-you-in-the-gut quotable lines in this book, which is also fine. I enjoyed the book. I'll keep reading the Longmire series. The TV series? Garbage, not watching that any more, as it ruins the book Longmire.

“I can reconcile my devotion to the law and the knowledge that a lawful course can sometimes be immoral.”
Page 144

“You want to know what I learned in Vietnam? I learned that if you’re lucky, I mean really lucky, you find the one thing you want in life and then you go after it; you give up everything else because all the rest of that stuff really doesn’t matter.”
Page 151

“Then what should I do?” He dropped the remains of his unsatisfactory sandwich into a brown paper bag and wiped the corner of his mouth with a folded paper towel.

“The hardest thing in the world—nothing. The wheels of justice grind slow but exceedingly fine.”
Page 157

“You may not always win the war, Walt, but it’s good to know you fought the battle.”
Page 158

“Trees teach us patience, but grass teaches us persistence.”

“And what did grapes teach you?”

“Wine, which assists with both.”
Page 168

“Where you headed, and what are you gonna do?” I stood there for a moment and then forcefully placed the star in his hand, before walking away.

“Nowhere and nothing.”

He called after me. “Well, there ain’t no hurry about nowhere and nothing—they’re always out there waitin’.”
Page 177

“In my limited experience with politicians, I have learned that you do not have to be right all the time, but that it is absolutely essential to never appear wrong.”
Page 192

“Was he a good guy?” I leaned against the side of her truck and studied her.

“Your grandfather?”

“Yeah.”

I glanced back at Vic and Henry, leaning on the fender of the rental car parked just behind Pamela’s trailer. “Yep, he was one of the best.”
Page 217

“My mother hardly ever talked about him.”

“Sometimes that’s the way people deal with the pain of losing a loved one.”
Page 217

“Would you like to call her?” Vic pointed at the utility. “There’s a phone with a cord but it is nonrotary—do you need me to push the buttons for you?”
Page 233

They filed out after giving me hard looks, but I’d had hard looks thrown at me before and had found they bounced off pretty easily.
Page 240

I remembered my father telling me that you knew you were a man when everything went bad and suddenly all eyes were on you for help.
Page 269

I’d found that few people give up the chance to explain themselves, no matter what the reason or environs.
Page 276

“Most people go through their lives doin’ whatever it is that comes along, but every once in a while we stumble onto what it is we’re supposed to do.”
Page 288

The Rational Optimist

Book Notes

This book is awful.

As far as I can tell, anyone who really likes this book, who reads it crtically and tries to follow up with the data presented, is suffering from the Murray Gell-Mann amnesia effect. I can't explain why so many people like and even recommend this book otherwise.

It is full of wild, unsupported statements, blatant lies, and far-fetched predictions. After having recently read The Black Swan, I'm even more disgusted by this book and Ridley's predictions and arguments for everything is great.

The main take aways from this book:

1. Specialization encouraged innovation.
2. Relatively easy commerce is the road to a better future.
3. Because we haven't run out of finite resources yet, we won't run out of finite resources.

Yeah, that last one was more than a little surprising to me, too. Yet, chapter after chapter, this is the underlying message he brings.

Here's the ad hominem attack, just to get it out of the way: Ridley appears to suck as a scientific editor and an economist. Based on his work history, he lost a lot of money because he was unable to accurately assess risks. Based on this book, he doesn't understand how good science works, where you have a hypothesis, you find reproducable evidence to support your hypothesis, you look for evidence that refutes your hypothesis, then you conclude with a working theory. Instead, Ridley likes the Gladwell approach to sounding scientific: make claims using stories as support. As Ben commented, the plural of anecdote is not data.

That out of the way, the way that Ridley either fails to provide a citation for his statement, hides his citations making them difficult to verify, or cites works that don't provide data for review makes even the statements that I want to believe suspect.

I disliked this book so much. It is the first book I've finished that I rate "burn" since I published my book reviews scale. So, why did I finish it? I was hoping that because this book was so highly recommended, it would redeem itself in the end. It did not.

Burn every copy you find.

Extracted parts of the book with my commentary. Too long for this page.

Pages