Skip to main content

Wonderland of Words by Shashi Tharoor PDF Download

This Is How They Tell Me the World Ends PDF Download

This Is How They Tell Me the World Ends PDF Download

This Is How They Tell Me the World Ends PDF Download

  • Book Name: This Is How They Tell Me the World Ends
  • Authors:  Nicole Perlroth
  • Pages: 528
  • Publish Date: 9 February 2021
  • Language: English
  • Genre: fiction


Nicole pearl roth this is how they tell me the world ends the cyber weapons arms race narrated by amanda maher and thomas florio on december 23, 2015 just before christmas celebrations were about to start russia shut off the electricity and heat across western ukraine ever since ukraine had won its independence in 2014 

russia had been retaliating by unleashing a digital assault on ukraine's government and media agencies and now they were proving just how effective those attacks had been russian hackers had embedded themselves in networks that controlled 

ukraine's infrastructure and to prove that they still had control over the nation they turned the power off for six hours in the dead of winter for good measure they did it again a year later blacking out the city of kiev never before had a nation crossed this line and hijacked another country's grit 

but the reality of the situation is that this attack wasn't something that just happened out of the blue for years there'd been an escalating arms race going on around the world only this time 

It wasn't rockets and ballistic weapons it was lines of digital code that allow almost any device that uses a computer chip to be hacked this is the story of how we got to this point and how increasingly vulnerable we're making ourselves by connecting more and more things to an internet that's anything but secure.

Blink one of nine ground zero days the author began covering the cyber security beat for the new york times in 2010 by 2013 she was already feeling the side effects of the job she'd uncovered stories of Chinese hackers getting inside everything from printers to thermostats and trying to steal intellectual property 

That ranged from military planes to the formula for coca-cola Iranian hackers had already brought down the network for the Saudi oil company Aramco wiped its data and destroyed 30 000 computers 

While leaving an image of a burning american flag on every screen so after just a few years reporting on the topic anything with a plug was beginning to look suspicious as a much needed escape from the internet the author booked a week-long tour through kenya but our african vacation was cut short 

when edward snowden decided to give the world a peek into the dark recesses of america's national security agency or nsa and his position as an nsa contractor snowden leaked thousands of highly classified nsa documents these documents revealed that america's premier spy agency was surprise pretty good at spying 

In fact its tools and capabilities were better than most the bigger surprise was that many people believed that digital encryption was still keeping networks and information safe snowden's leak blew that line of thinking wide open 

It was clear that the nsa had found a myriad of ways to hack around encryption in some cases the nsa was paying companies to give it back door access to their data but in other cases the back doors came from what are known as zero days now a zero day is essentially a flaw in a piece of hardware or software that 

when exploited allows someone undetected access this means the flaw hasn't been made public so there have been zero days for the company to come up with a patch for example if you surf the web using microsoft explorer a zero day flaw for that web browser could 

allow someone to invisibly hack into your browser steal your passwords credit card information or emails and even download your data or record your keystrokes the snowden leaks showed that the nsa had accumulated a good number of zero days that provided it with access to all of the most widely used apps social media platforms phones computers and operating

systems when this news got out some people assumed that companies like apple and microsoft were in cahoots with the nsa but this wasn't the case these companies were livid when they learned that the nsa knew about these zero days and didn't let them fix 

The flaws perhaps even more worrisome is the fact that the nsa didn't always find and develop these zero days itself it bought them with taxpayer money from hackers around the world as we'll see 

In the next blink the marketplace for zero days is a morally dubious gray zone that has only gotten darker in recent years blink two of nine the first rule of the zero day market the snowden leaks offered a glimpse of what zero days are capable of but people familiar with cyber security and the hacking community 

Were already well aware the author knew that hackers earned a lot of money by selling zero days and exploits to brokers and bidders what she didn't know was who those buyers were months before edward snowden became a household name 

The author was attending one of the world's many hacker conventions this one was in south beach florida after a while she found herself sitting at a table with ralph langner a german security specialist and two italian hackers 

The author wanted to learn more about how the zero day market worked so she asked the two italians to elaborate on their business practices for instance who do they typically sell to are there countries like russia or turkey that they might think twice about selling to but neither of the italians would offer even a hint it turns out there's often a legal component to such silence 

The author later learned that selling a zero day often involves the seller signing a non-disclosure agreement such ndas usually stipulate that the hacker won't mention the details of the sale for a certain period of time but this doesn't mean 

That nothing is known about the zero-day market in the early 2000s hackers often posted their zero-day exploits on message boards some would also attempt to bring flaws to the attention of companies like microsoft but for the most part they were treated like someone 

who's just told you they broke into your house last night instead of thanks the hackers were handed lawsuits one of the first companies to see a different way of doing things was i defense a fledgling security outfit idefense offered 

Its clients information about potential dangers so that they could start working on a patch for the most part early security companies simply monitored places like bug track but idefense knew that not every hacker wanted to settle for the street cred 

That came with posting an exploit on a message board so in 2002 idefense started a new plan it would offer hackers money for their zero days then the security company could inform 

Its clients everyone would benefit the only problem was companies like idefense could only spend so much the most it could afford was a couple of thousand dollars per verified exploit by 2005 government intelligence agencies were entering 

The market armed with much bigger budgets the key difference here is that agencies like the nsa weren't spending big bucks to inform the companies affected instead they did the exact opposite and kept the zero days under wraps after all a digital spy tool is only good 

If the vulnerabilities remain unpatched this is how americans ended up having their tax dollars spent on keeping the vulnerabilities in their computers and phones a secret both from the companies that made the products and from themselves blink 

Three of nine money versus morals any market where details are hidden where buyers and sellers can't discuss things is bound to be trouble the zero-day market is no exception for starters since zero day sales are private sellers can't estimate a fair price for their work sellers also don't know how their zero day will be used and if sellers 

think they've been cheated or misled there could be consequences to further complicate things buyers need to verify that a zero day works before money changes hands what prevents them from testing it declining to buy and then using it anyway on the other hand buyers have to put a lot of trust in sellers as well who's to say that a hacker won't sell a zero day to multiple countries around 

the world even if that hacker has agreed not to it's not like these agencies are going to openly compare their inventory as a result the market relies on a ridiculous amount of trust sellers essentially promise not to talk about their activities much as mobsters adhere to omerta a code of silence and everyone likes to think that buyers operate on a samurai code of bushido which dictates a

morally upstanding way of life these are very dangerous things to rely upon when dealing with information that erodes liberties and puts the safety of the world at risk when the author was at the florida hacker convention and the two italians refused to answer her question 

ralph langner the german security specialist grew irritated he turned to the author and spoke loud and clearly these men are young they have no idea what they are doing all they care about is money 

they have no interest in learning how their tools will be used or how badly this will end it wasn't until 2015 that a broker from the zero day market finally agreed to speak openly but anonymously to the author starting in the late 1990s 

the broker began working at one of the major contractors who bought zero days for the u.s intelligence agencies the agencies came with requests like finding 

a way into a russian embassy or a pakistani consulate the broker's team would find out what kind of technology these places had and then find a way in so while a microsoft windows bug in the early 2000s might have earned someone 50 000 a bug for 

some obscure program that was being used by a foreign target could go for double that amount but as the 2000s rolled on it wasn't just u.s agencies that were looking to buy other governments began cold calling hackers and brokers asking 

what have you got the international market came in strong in the mid-2000s offering unprecedented amounts of money for zero days for some the money was enough to trump any questions about morality for others there wasn't a question at all 

these people merely exposed flaws in programs and systems they didn't weaponize them or use them to spy on people they were happy to let somebody else worry about that blink four of nine going public of course some hackers 

do have a strong sense of right and wrong take charlie miller for example miller worked at the nsa before stepping down for family reasons but he never stopped dismantling code and finding new vulnerabilities 

in fact he once created a fake stock market app for the iphone that gave him access to every other app a person had installed this proved to apple that its screening process wasn't 

so flawless after all and earned miller the nickname zero day charlie but that wasn't his biggest discovery he later uncovered a zero day for the linux operating system worth a lot of money but when he went to try and sell it 

he immediately discovered just how inefficient and unfair the market was he couldn't tell how much he should be asking and he couldn't be sure that a potential buyer wouldn't just rip it off and not pay him ultimately miller sold a zero day to an unnamed government agency for fifty thousand dollars and a two year period of silence 

but he wanted to expose the problems in the market so that sellers weren't at such a disadvantage after the two-year waiting period miller planned on publishing an academic paper entitled the legitimate vulnerability market inside 

the secretive world of zero-day exploit sales unsurprisingly the nsa wasn't too happy about this agents even flew out to st louis to meet with miller at the airport miller was expecting a buy out a nice bag of cash in order to keep him quiet instead the agent simply urged him to keep his mouth shut but miller didn't shut up in 2007 

he presented his paper at a conference at carnegie mellon this was the day the world at large was made aware of the zero-day market to the general public it barely made a ripple but to hackers and the companies whose hardware and software were being exploited 

it was a momentous occasion some hackers thought miller was committing a grave offense breaking the omerta but others cheered him on by exposing the government-funded market he was showing that hackers weren't just 

the criminals the computer companies were making them out to be their work was worth something for a while miller thought this would change everything he soon uncovered a zero day that could remotely control someone's iPhone 

but this time he handed it over to apple and when he found another zero day for the new android operating system he brought it to google at first google seemed interested in working with miller to patch the vulnerability 

but he soon discovered that google was communicating with miller's boss trying to get him fired this was the last straw in 2009 miller started a no more free bugs campaign that caught on like wildfire after all this they still wanted to treat hackers like the enemy 

then it would only mean that those hackers would go back to selling their zero days elsewhere blink 5 of 9 an impossible mission for a long time each country used different equipment russia had its 

hardware and software the us had its and never the twain shall meet if something infected a russian computer the us didn't have to worry about that infection crossing the globe and plaguing u.s computers of course those days are long gone 

now everyone's using the same type of hardware and software and we're all connected by the same internet so anything that gets used on an adversary can easily turn around and bite the hand that released it in the u.s the ever-growing stockpile of weaponized zero days grew 

incredibly in the wake of 9 11. after 9 11 new cyber security laws meant that electronic surveillance no longer required a court order and the intelligence budget ballooned from a few billion to 75 billion suddenly agencies had a lot more money to buy and develop zero days just as more and more people around the world 

were getting online and digitizing their information american advancement in using and weaponizing zero days can best be understood by looking at what happened in tehran in 2007 as iran was ramping up its nuclear weapons program israel was getting ready to strike things weren't looking good in the u.s george w bush 

was being briefed on possible outcomes of this conflict and many were pointing to a possible world war iii situation bush called for a new option naturally the nsa had already analyzed every detail of iran's nuclear facilities it already had zero days lined up for every kind of machine

 being used at the time this was all standard espionage stuff used for information gathering but now it was going to weaponize these tools in the hopes of preventing war from breaking out it was called operation olympic games and in some ways 

it was a marvel of ingenuity a string of seven zero days found its way into a compound that wasn't connected to the internet it then spread throughout the computers undetected found its way to the program that controlled the centrifuges and attacked those centrifuges without anyone noticing what was happening 

it took a long time before iran figured out what was wrong and then in june 2010 the worm escaped the facility an outside laptop was probably brought in to conduct a test but whatever the case may be once the worm got onto a connected computer 

it was pandemonium russia california india europe indonesia the bug was everywhere and it quickly picked up an official name stuxnet over a hundred countries and tens of thousands of machines were infected and one german ralph langner 

put the pieces together he took apart the code and noticed one important target number 164 which happened to be the number of centrifuges in iran's nuclear facility but langner wasn't the only one pulling stuxnet's code apart and figuring out 

how this unprecedented cyber weapon worked now the weapon was ready to be turned against its maker blink 6 of 9 a booming stockpile in 2011 langner gave a presentation at an annual ted conference 

he provided a thorough and understandable description of stuxnet and explained the ramifications of what happened when this advanced cyber weapon found its way into the wild his point was clear there was nothing stopping a person from making a few adjustments and pointing stuxnet at a chemical plant a factory or a power grid 

this was serious the irony wasn't lost on langner the us had used a dangerous cyber weapon to avert a conventional war in the process that weapon had become available to enemies of the u.s and this had happened right at the dawn of a new cyber-based era in 

warfare meanwhile iran was upset and looking for revenge with the ingenuity of stuxnet making headlines around the world the marketplace for zero days only got bigger every country with a security agency was eager to start its own stockpile of cyber weapons 

some nsa employees were getting poached to start working overseas in places like the emirates where a company called cyberpoint paid a lot more than a government agency like the nsa ever could one such employee was david evanden he abruptly left 

when it became apparent that more often than not his efforts were being used to spy on activists and political dissidents not terrorists in the u.s alone from 2013 to 2016 

there was a two-fold increase in the number of brokers selling surveillance technology vupen a french company run by xiaoki bekrar saw its sales to government agencies double year over year israel russia india 

they were all willing to spend just as much as the u.s on cyber weapons by 2013 antarctica seemed to be the only part of the world that wasn't buying beckerar flaunted the fact that vupen's clients didn't heed the moral principles of bushido his twitter avatar was darth vader 

he took no responsibility for what governments did with his zero days in 2015 the hacking team and italian brokerage had its internal emails and contracts leaked to the public the leak revealed the brokerage's callous disregard for vetting clients any government 

was acceptable regardless of its human rights record as long as the money was good so they sold zero days to russia egypt saudi arabia kazakhstan and even sudan a place described by u.s aid workers as one of the most horrendous human rights situations in the world the hacking team as well as other sellers was helping to supply

 all these governments with the tools to monitor and suppress dissidents journalists and innocent people like the nuclear weapons of the cold war some countries weren't stockpiling cyber weapons for everyday use 

there was simply an increasing sense that it was better to have them than not the sheer number of zero days was also increasing rapidly with books like the shellcoders handbook discovering and exploiting security holes giving new hackers a leg up in the business 

but it would all pale in comparison to what would be released in the years to come blink 7 of 9 install 

now in mid-december 2009 google's information security team noticed something was amiss alarms were being triggered throughout its network something was inside ping-ponging wildly around the system usually some malware might show up when a careless intern visited an online gambling site 

but this was different this intruder was looking for something it took weeks of round-the-clock work by a team of around 250 workers but the intruder was eventually rooted out and shown to be of chinese origin remarkably china had hacked google's network and stolen 

its source code more specifically it was an operation pulled off by legion yankee one of the most elite hacking groups that works under contract for the chinese government information about satellite technology missiles aerospace nuclear propulsion elite chinese hackers have broken in and stolen all of this and more and 

now they'd gotten their hands on the backbone technology behind google's operations likely in an effort to set up back doors that would allow china to indefinitely monitor the gmail accounts of political dissidents this break-in changed the way google dealt with zero days from 

then on the general consensus was this can't happen again part of the new plan paying hackers for zero days starting in 2010 hackers who could report verified flaws in google products could earn a bounty of up to 31 337 

that's elite spelled out in hacker code that was nowhere near as much as the amount the international market was paying out but it did come with some bonuses hackers were free to brag about 

their newly discovered exploit and they didn't have to worry about playing a role in helping some nation state stomp on people's liberties companies like microsoft and facebook also began to pay bounties rather than hand out lawsuits to hackers who turned over zero days but some sellers bulked at the low rewards in 2012 

vulpin's xiaoqi bekrar broke into the newest chrome browser in three hours and laughed off the idea of reporting it to google he told a reporter we wouldn't share this with google for even one million dollars we want to keep this for our customers naturally 

this drove the tech companies crazy but it did finally strengthen their resolve to start getting serious about security rather than only concerning themselves with getting products out faster than 

the competition soon microsoft was getting 200 000 vulnerabilities turned over to them every year 200 000 different ways for its products to be abused that translates to 200 000 patches that microsoft one of the best tech companies in the world has to come up with every year 

now just think about all the unreported vulnerabilities across all platforms and all devices for people like bekrar each one is a potential payday needless to say when your operating system offers a verified update 

don't wait install it now blink 8 of 9 cyber weapon diplomacy during the obama administration everything was being digitized smartphones became ubiquitous with social media and cloud servers people were dumping their entire lives onto 

the internet and during this time there were three main threats to us cyber security iran china and russia in 2015 obama tried to neutralize two of these threats first he struck a nuclear deal with iran and it seemed to work attacks from iran largely stopped the focus then shifted to beijing for years chinese hackers had been relentless stealing intellectual property with abandon

they stole everything from the formulas for benjamin moore paints to the plans for the f-35 fighter jets by 2015 they'd even been found sitting inside the network at the office of personnel management the u.s agency that stores the personal information including fingerprints of all government employees they'd likely been hiding there for years before anyone noticed in september 2015 obama invited xi jinping to the white house the red carpet was rolled out 

there was cannon fire a military ban playing the chinese anthem and kids waving chinese flags but it was still a tense couple of days as obama pressed the issue this wasn't about espionage both parties knew that 

the u.s was eavesdropping as well but the stealing had to stop or else there'd be sanctions the two sides agreed no more intellectual property theft and no targeting of critical infrastructure during peace time for two years the chinese cyber attacks dropped by 90 percent but neither of these digital truces was going to last not with trump in the white house meanwhile 

the russians had embedded themselves in the system by early 2013 there had been at least 198 attacks on u.s infrastructure systems and security outfits trying to pick apart the code kept finding traces of russian language and moscow timestamps russia's weapon of choice for these attacks was dubbed sand worm it specifically targeted general electric software 

the kind used around the world to control water treatment facilities electric grids and oil and gas pipelines in 2014 and 2015 the world got a taste of what this weapon was capable of when on two separate occasions russia turned off the power in ukraine as far as u.s intelligence could determine russia was sitting in the systems and networks of u.s infrastructure

as a warning the message was beware how you respond to our actions in ukraine we can turn off your electricity too it was a new age of mutually assured destruction 

so despite the unprecedented nature of these attacks the world's response has only been to continue hooking up more devices and critical infrastructure to the internet thus increasing our vulnerability blink nine of nine the keys to the kingdom in august 2016 

chaos reigned in the u.s it was an election year and by then russian hackers had already broken into the servers of the democratic national committee as well as the email account of hillary clinton's campaign manager 

they were releasing their stolen goods through wikileaks then more bad news arrived on twitter a group calling themselves the shadow brokers claimed to have found a collection of nsa cyber weapons which it was now dumping onto the internet 

as a free-for-all as one former nsa employee said these are the keys to the kingdom things were getting bad and they were going to get worse while snowden's earlier leaks were an eye-opener the tools he was aware of were just the tip of the iceberg 

he was only a low-level contractor he didn't know what was at the disposal of the elite nsa group formerly known as tao or tailored access operations these tools included a string of xerodays that targeted microsoft software protocol it was called eternal blue and it could jump from server to server barely leaving a trace though 

used for gathering intel eternal blue could if it fell into the wrong hands be turned into a deadly weapon so imagine the nsa's dismay 

when in april 2017 the shadow brokers decided to release eternal blue as part of a collection of 20 of the nsa's best zero day exploits of course now that it was in the open microsoft could theoretically patch the vulnerabilities 

but that would mean that every computer running on an old or bootlegged version of a windows operating system would have to install the right upgrades

 it was essentially an impossibility within weeks the number of computers infected by versions of eternal blue was quadrupling but it soon became apparent that one variation of the weapon was proving most popular ransomware 

this is the practice of taking over a system such as a hospital's patient files or a city's power grid and holding it ransom for a cash payout in particular north korea was discovering that ransomware was an effective way of generating much needed revenue 

one of the most effective ransomware attacks was an exploit known as wannacry released in 2017 and eventually traced back to north korea within 24 hours it had spread to 150 countries why was it so effective its code can be traced back to eternal blue likewise 

new russian cyber attacks like the malware known as not petya also have roots in eternal blue ultimately ransom attacks have generated billions of dollars and they're only becoming more common between 2019 and 2020 over 600 american towns and cities have been held hostage by ransomware all evidence seems to point to things getting worse before they get better 

the author keeps flashing back to a photo she came across of a hacker from new zealand in it he's wearing a t-shirt with an important message plastered across the chest someone should do something you've just listened to our blinks too this is how they tell me the world ends by nicole pearl roth 

the key message in these blinks is that most experts admit that it's an impossibility for a computer network to be made completely impervious and secure however that doesn't mean improvements can't be made for the past few decades the emphasis has always been on offense not defense the us has been busy finding and weaponizing exploits 

while leaving its critical infrastructures and products vulnerable to attacks u.s hardware and software companies have been operating under the philosophy of getting their products out as fast as possible while worrying about the details later and fixing problems with updates and newer models instead

they should be focusing on testing and retesting security before any products are released or any systems and networks are put online in norway and japan government regulations strictly control and test the security for systems being used for communications finance transportation and electricity after japan implemented

these measures in 2005 cyber attacks dropped by 50 percent rather than following suit trump eliminated the role of national cyber security coordinator in 2018 this role must be re-established and strengthened 

it would also help if new rules were put in place regarding vulnerabilities the nsa held on to eternal blues microsoft vulnerabilities for three years this is far too long especially for such widely used software at the very least the u.s should put a time limit 

on how long an intelligence agency can keep a zero day under wraps and when those zero days are turned over advisory notices should be made available to the public so that users are made aware.

Also read: Inner Trek By Mohan Ranga Rao PDF Download 

Also read: Surrounded by idiots pdf download