zero day



pages: 651 words: 186,130

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth

4chan, active measures, activist lawyer, air gap, Airbnb, Albert Einstein, Apollo 11, barriers to entry, Benchmark Capital, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, blood diamond, Boeing 737 MAX, Brexit referendum, Brian Krebs, Citizen Lab, cloud computing, commoditize, company town, coronavirus, COVID-19, crony capitalism, crowdsourcing, cryptocurrency, dark matter, David Vincenzetti, defense in depth, digital rights, disinformation, don't be evil, Donald Trump, driverless car, drone strike, dual-use technology, Edward Snowden, end-to-end encryption, failed state, fake news, false flag, Ferguson, Missouri, Firefox, gender pay gap, George Floyd, global pandemic, global supply chain, Hacker News, index card, information security, Internet of things, invisible hand, Jacob Appelbaum, Jeff Bezos, John Markoff, Ken Thompson, Kevin Roose, Laura Poitras, lockdown, Marc Andreessen, Mark Zuckerberg, mass immigration, Menlo Park, MITM: man-in-the-middle, moral hazard, Morris worm, move fast and break things, mutually assured destruction, natural language processing, NSO Group, off-the-grid, offshore financial centre, open borders, operational security, Parler "social media", pirate software, purchasing power parity, race to the bottom, RAND corporation, ransomware, Reflections on Trusting Trust, rolodex, Rubik’s Cube, Russian election interference, Sand Hill Road, Seymour Hersh, Sheryl Sandberg, side project, Silicon Valley, Skype, smart cities, smart grid, South China Sea, Steve Ballmer, Steve Bannon, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, TED Talk, the long tail, the scientific method, TikTok, Tim Cook: Apple, undersea cable, unit 8200, uranium enrichment, web application, WikiLeaks, zero day, Zimmermann PGP

A NOTE ON THE AUTHOR NICOLE PERLROTH is a staff writer at the New York Times, where she covers cybersecurity and digital espionage.

As much as I attempted to disguise the gravity of the question with a forkful of food, I wasn’t fooling anyone. The first rule of the zero-day market was: Nobody talks about the zero-day market. The second rule of the zero-day market was: Nobody talks about the zero-day market. I’d posed this question many times, and I knew it was the one question nobody in his business would answer. The Luigis and Donatos of the world had rationalized their trade long ago. If companies like Microsoft didn’t want them finding zero-day bugs in their software, they shouldn’t have written vulnerable code in the first place. Zero-days were critical to national intelligence gathering, and only becoming more so as encryption shrouded the world’s communications in secrecy.

If efficient markets require high levels of transparency and free flows of information, then the zero-day market was just about the least efficient model you could imagine. Sellers were sworn to never speak a word about their zero-day sale. Without data, it was impossible to know whether they had achieved a fair price. And it was often impossible for sellers to find buyers without cold-calling multiple interested parties. If they described their zero-day or handed it over for evaluation, a buyer might simply feign disinterest and use it anyway. The time lag between a hacker’s zero-day demo and when he got paid was brutally long. Zero-days took weeks, if not months, to vet—all the more time for the vulnerability to be found and patched.


pages: 492 words: 153,565

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter

air gap, Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, drone strike, Edward Snowden, facts on the ground, false flag, Firefox, friendly fire, Google Earth, information retrieval, information security, John Markoff, Julian Assange, Kickstarter, Loma Prieta earthquake, machine readable, Maui Hawaii, military-industrial complex, MITM: man-in-the-middle, Morris worm, pre–internet, RAND corporation, rolling blackouts, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, Timothy McVeigh, two and twenty, undersea cable, unit 8200, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day

They worked on it some more on Sunday and by the end of the weekend, they’d uncovered an astonishing three zero-day exploits. These, plus the .LNK exploit already discovered, made four zero-day exploits in a single attack.1 This was crazy, they thought. One zero day was bad enough. Two was overkill. But four? Who did that? And why? You were just burning through valuable zero days at that point. A top-notch zero-day bug and exploit could sell for $50,000 or more on the criminal black market, even twice that amount on the closed-door gray market that sold zero-day exploits to government cyber armies and spies. Either the attackers had an unlimited supply of zero days at their disposal and didn’t care if they lost a handful or more, or they were really desperate and had a really good reason to topload their malware with spreading power to make certain it reached its target.

But when it comes to the company, he’s equally close-mouthed—he won’t say how many employees he has, just that the company is small, or reveal their last names. VUPEN’s researchers devote all their time to finding zero-day vulnerabilities and developing exploits—both for already-known vulnerabilities as well as for zero days. Bekrar won’t say how many exploits they’ve sold since they began this part of their business, but says they discover hundreds of zero days a year. “We have zero days for everything,” he says. “We have almost everything for every operating system, for every browser, for every application if you want.” How much of Bekrar’s boasting is true and how much is strategic marketing is unclear, but whatever the case, his tactics seem to be working.

The conference is sponsored by the Department of Homeland Security.
39 Author interview, November 2011.
40 Joseph Menn, “Special Report: US Cyberwar Strategy Stokes Fear of Blowback,” Reuters, May 10, 2013, available at reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510.
41 See chapter 6 for previous mention of how these two vulnerabilities had already been discovered by others before Stuxnet’s authors used them in their attack.
42 Summer Lemon, “Average Zero-Day Bug Has 348-Day Lifespan, Exec Says,” IDG News Service, July 9, 2007, available at computerworld.com/s/article/9026598/Average_zero_day_bug_has_348_day_lifespan_exec_says.
43 Robert Lemos, “Zero-Day Attacks Long-Lived, Presage Mass Exploitation,” Dark Reading, October 18, 2012, available at darkreading.com/vulnerabilities—threats/zero-day-attacks-long-lived-presage-mass-exploitation/d/d-id/1138557. The research was conducted by Symantec.
44 Pennington, Industrial Control Systems–Joint Working Group Conference, 2011.
45 Michael Riley, “U.S.


pages: 340 words: 96,149

@War: The Rise of the Military-Internet Complex by Shane Harris

air gap, Amazon Web Services, barriers to entry, Berlin Wall, Brian Krebs, centralized clearinghouse, Citizen Lab, clean water, computer age, crowdsourcing, data acquisition, don't be evil, Edward Snowden, end-to-end encryption, failed state, Firefox, information security, John Markoff, Julian Assange, military-industrial complex, mutually assured destruction, peer-to-peer, Silicon Valley, Silicon Valley startup, Skype, Stuxnet, systems thinking, undersea cable, uranium enrichment, WikiLeaks, zero day

For the past two decades, NSA analysts have been scouring the world’s software, hardware, and networking equipment looking for vulnerabilities for which it can craft computer attack methods known as zero day exploits, so called because they take advantage of previously unknown flaws for which no defense has been built. (The target has had “zero days” to prepare for the attack.) A zero day is the most effective cyber weapon. It provides the element of surprise, which is the ultimate advantage in battle. The zero day exploit is bespoke, tailor-made to use against a specific vulnerability. And because that defenseless point in a system is likely to be patched as soon as the target realizes he’s been hit with a zero day, it may be used only once. Zero day attacks are especially hard to design because unknown vulnerabilities are hard to find.

Raytheon and Harris Corporation are two major players in the zero day market. They also design traditional weapons systems for the military and are two of the best-established and largest Pentagon contractors. Their ties to the military and to the NSA are deep and long-standing. Also collecting and selling zero days are smaller boutique firms, a number of which are run by former military officers or intelligence officials. Once the middlemen have the zero days, they sell them to their customer—the NSA. But the supply chain begins with the hacker. To be a good zero day hunter, a hacker has to put himself in the original programmer’s shoes and find the flaws in his design.

To be sure, the NSA does use knowledge of zero day exploits to plug holes in technology that it’s using or that might be deployed within the military or intelligence community. But it doesn’t warn the wider world—that would render the zero day exploit less effective, possibly even useless. One of the agency’s eventual targets in China or Iran might be tipped off if the NSA alerted technology companies to flaws in their technology. But in the shadowy zero day market, there are no guarantees that the NSA is always buying exclusive knowledge about zero days. One controversial vendor, the French company Vupen, sells the same zero day vulnerability information and exploits to attack them to multiple clients, including government agencies in different countries.


pages: 363 words: 105,039

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg

"World Economic Forum" Davos, air freight, air gap, Airbnb, Bellingcat, Bernie Sanders, bitcoin, blockchain, call centre, Citizen Lab, clean water, data acquisition, disinformation, Donald Trump, Edward Snowden, false flag, global supply chain, Hacker News, hive mind, information security, Julian Assange, Just-in-time delivery, Kickstarter, machine readable, Mikhail Gorbachev, no-fly zone, open borders, pirate software, pre–internet, profit motive, ransomware, RFID, speech recognition, Steven Levy, Stuxnet, supply-chain attack, tech worker, undersea cable, unit 8200, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability. A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said. But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle.

A malicious Word attachment had silently run a script known as a macro, a little program hidden inside the document, on the victims’ machines. The effect was the same as the zero-day technique iSight had first found Sandworm using in its infected Microsoft PowerPoint documents in 2014, but with a new trade-off: Without the zero day, the victims had to be tricked into clicking a button to allow the script to run. Until they clicked, the document would appear to be missing content or broken, so most users unthinkingly clicked to load it. But by using a simpler replacement for their zero-day technique, the hackers had been able to operate much less conspicuously, and their attack didn’t depend on keeping a rare vulnerability secret from Microsoft.


pages: 448 words: 117,325

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier

23andMe, 3D printing, air gap, algorithmic bias, autonomous vehicles, barriers to entry, Big Tech, bitcoin, blockchain, Brian Krebs, business process, Citizen Lab, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, disinformation, Donald Trump, driverless car, drone strike, Edward Snowden, Elon Musk, end-to-end encryption, fault tolerance, Firefox, Flash crash, George Akerlof, incognito mode, industrial robot, information asymmetry, information security, Internet of things, invention of radio, job automation, job satisfaction, John Gilmore, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, national security letter, Network effects, Nick Bostrom, NSO Group, pattern recognition, precautionary principle, printed gun, profit maximization, Ralph Nader, RAND corporation, ransomware, real-name policy, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Seymour Hersh, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, sparse data, Stanislav Petrov, Stephen Hawking, Stuxnet, supply-chain attack, surveillance capitalism, The Market for Lemons, Timothy McVeigh, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, Wayback Machine, web application, WikiLeaks, Yochai Benkler, zero day

HOW GOVERNMENTS CAN PRIORITIZE DEFENSE OVER OFFENSE
160 “defense dominant” strategy: Jason Healey (Jan 2017), “A nonstate strategy for saving cyberspace,” Atlantic Council Strategy Paper No. 8, Atlantic Council, http://www.atlanticcouncil.org/images/publications/AC_StrategyPapers_No8_Saving_Cyberspace_WEB.pdf.
160 The NSA has two missions: John Ferris (1 Mar 2010), “Signals intelligence in war and power politics, 1914–2010,” in The Oxford Handbook of National Security Intelligence, Oxford, http://www.oxfordhandbooks.com/view/10.1093/oxfordhb/9780195375886.001.0001/oxfordhb-9780195375886-e-0010.
162 to criminals on the black market: Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108. Dan Patterson (9 Jan 2017), “Gallery: The top zero day Dark Web markets,” TechRepublic, https://www.techrepublic.com/pictures/gallery-the-top-zero-day-dark-web-markets.
162 and to governments: Andy Greenberg (21 Mar 2012), “Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees),” Forbes, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees.
162 Companies like Azimuth sell: Joseph Cox and Lorenzo Franceschi-Bicchierai (7 Feb 2018), “How a tiny startup became the most important hacking shop you’ve never heard of,” Vice Motherboard, https://motherboard.vice.com/en_us/article/8xdayg/iphone-zero-days-inside-azimuth-security.
162 And while vendors offer bounties: Adam Segal (19 Sep 2016), “Using incentives to shape the zero-day market,” Council on Foreign Relations, https://www.cfr.org/report/using-incentives-shape-zero-day-market.
162 the not-for-profit Tor Project: Tor Project (last updated 20 Sep 2017), “Policy [re Tor bug bounties],” Hacker One, Inc., https://hackerone.com/torproject.
162 the cyberweapons manufacturer Zerodium: Zerodium (13 Sep 2017; expired 1 Dec 2017), “Tor browser zero-day exploits bounty (expired),” https://zerodium.com/tor.html.
163 “Every offensive weapon is”: Jack Goldsmith (12 Apr 2014), “Cyber paradox: Every offensive weapon is a (potential) chink in our defense—and vice versa,” Lawfare, http://www.lawfareblog.com/2014/04/cyber-paradox-every-offensive-weapon-is-a-potential-chink-in-our-defense-and-vice-versa.
163 Many people have weighed in: Joel Brenner (14 Apr 2014), “The policy tension on zero-days will not go away,” Lawfare, http://www.lawfareblog.com/2014/04/the-policy-tension-on-zero-days-will-not-go-away.
163 Activist and author Cory Doctorow: Cory Doctorow (11 Mar 2014), “If GCHQ wants to improve national security it must fix our technology,” Guardian, http://www.theguardian.com/technology/2014/mar/11/gchq-national-security-technology.
163 I have said similar things: Bruce Schneier (20 Feb 2014), “It’s time to break up the NSA,” CNN, http://edition.cnn.com/2014/02/20/opinion/schneier-nsa-too-big/index.html.
163 Computer security expert Dan Geer: Dan Geer (3 Apr 2013), “Three policies,” http://geer.tinho.net/three.policies.2013Apr03Wed.PDF.
163 Both Microsoft’s Brad Smith: Brad Smith (14 May 2017), “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack,” Microsoft on the Issues, https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack.
163 and Mozilla: Heather West (7 Mar 2017), “Mozilla statement on CIA/WikiLeaks,” Open Policy & Advocacy, https://blog.mozilla.org/netpolicy/2017/03/07/mozilla-statement-on-cia-wikileaks.


AUTHENTICATION IS GETTING HARDER, AND CREDENTIAL STEALING IS GETTING EASIER

In 2016, Rob Joyce, then the head of the NSA’s since-renamed Tailored Access Operations (TAO) group—basically, the country’s chief hacker—gave a rare public talk. In a nutshell, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks. He’s right. As bad as software vulnerabilities are, the most common way hackers break into networks is by abusing the authentication process. They steal passwords, set up man-in-the-middle attacks to piggyback on legitimate log-ins, or masquerade as authorized users. Credential stealing doesn’t require finding a zero-day or an unpatched vulnerability, plus there’s less chance of discovery, and it gives the attacker more flexibility in technique.


pages: 383 words: 105,021

Dark Territory: The Secret History of Cyber War by Fred Kaplan

air gap, Big Tech, Cass Sunstein, Charles Babbage, computer age, data acquisition, drone strike, dumpster diving, Edward Snowden, game design, hiring and firing, index card, information security, Internet of things, Jacob Appelbaum, John Markoff, John von Neumann, kremlinology, Laura Poitras, Mikhail Gorbachev, millennium bug, Morris worm, national security letter, Oklahoma City bombing, operational security, packet switching, pre–internet, RAND corporation, Ronald Reagan, seminal paper, Seymour Hersh, Silicon Valley, Skype, Stuxnet, tech worker, Timothy McVeigh, unit 8200, uranium enrichment, Wargames Reagan, Y2K, zero day

As this race between hacking and patching intensified, practitioners of both arts, worldwide, came to place an enormous value on “zero-day vulnerabilities”—holes that no one had yet discovered, much less patched. In the ensuing decade, private companies would spring up that, in some cases, made small fortunes by finding zero-day vulnerabilities and selling their discoveries to governments, spies, and criminals of disparate motives and nationalities. This hunt for zero-days preoccupied some of the craftiest mathematical minds in the NSA and other cyber outfits, in the United States and abroad. Once, in the late 1990s, Richard Bejtlich, a computer network defense analyst at Kelly Air Force Base discovered a zero-day vulnerability—a rare find—in a router made by Cisco.

Another recommendation was to bar the government from doing anything to “subvert, undermine, weaken, or make vulnerable generally available commercial software.” Specifically, if NSA analysts discovered a zero-day exploit—a vulnerability that no one had yet discovered—they should be required to patch the hole at once, except in “rare instances,” when the government could “briefly authorize” using zero-days “for high-priority intelligence collection,” though, even then, they could do so only after approval by a “senior interagency review involving all appropriate departments.” This was one of the group’s more esoteric, but also radical, recommendations. Zero-day vulnerabilities were the gemstones of modern SIGINT, prized commodities that the agency trained its top sleuths—and sometimes paid private hackers—to unearth and exploit.

No U.S. newspaper or magazine reprinted the list (the reporters and editors working the story considered it genuinely damaging to national security), but Der Spiegel did, in its entirety (Jacob Appelbaum, Judith Horchert, and Christian Stöcker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Dec. 29, 2013), and computer security analyst Bruce Schneier subsequently reprinted each item, one day at a time, on his blog. As hackers and spies discovered vulnerabilities: “Inside TAO.” In the ensuing decade, private companies: For more on zero-day exploits, see Neal Ungerleider, “How Spies, Hackers, and the Government Bolster a Booming Software Exploit Market,” Fast Company, May 1, 2013; Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). Specific stories come from interviews. During the first few months of Bush’s term: Richard A.


pages: 302 words: 85,877

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World by Joseph Menn

"World Economic Forum" Davos, 4chan, A Declaration of the Independence of Cyberspace, Andy Rubin, Apple II, autonomous vehicles, Berlin Wall, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, Cambridge Analytica, Chelsea Manning, Citizen Lab, commoditize, corporate governance, digital rights, disinformation, Donald Trump, dumpster diving, Edward Snowden, end-to-end encryption, fake news, Firefox, Gabriella Coleman, Google Chrome, Haight Ashbury, independent contractor, information security, Internet of things, Jacob Appelbaum, Jason Scott: textfiles.com, John Gilmore, John Markoff, John Perry Barlow, Julian Assange, Laura Poitras, machine readable, Mark Zuckerberg, military-industrial complex, Mitch Kapor, Mondo 2000, Naomi Klein, NSO Group, Peter Thiel, pirate software, pre–internet, Ralph Nader, ransomware, Richard Stallman, Robert Mercer, Russian election interference, self-driving car, Sheryl Sandberg, side project, Silicon Valley, Skype, slashdot, Steve Jobs, Steve Wozniak, Steven Levy, Stewart Brand, Stuxnet, tech worker, Whole Earth Catalog, WikiLeaks, zero day

As the American government ramped up its spying efforts after 9/11, it needed to discover new vulnerabilities that would enable digital break-ins. In the trade, these were often called “zero-days,” because the software maker and its customers had zero days of warning that they needed to fix the flaw. A ten-day flaw is less dangerous because companies have more time to develop and distribute a patch, and customers are more likely to apply it. The increased demand for zero-days drove up prices. After the dollars multiplied, hackers who had the strongest skills in finding bugs that others could not—on their own or with specialized tools—could now make a living doing nothing but this.

“Some operatives installed keyloggers”: This was reported in Sean Naylor’s recent history of JSOC, Relentless Strike (New York: St. Martin’s Press, 2015). “Others had similar experiences”: Thieme provided me with the emails from veterans. “The first mainstream articles on the zero-day business”: Andy Greenberg profiled the @stake veteran who calls himself the Grugq in “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits,” Forbes, March 23, 2012, www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/. I later wrote a deeper story and a sidebar for Reuters: “Special Report: U.S. Cyberwar Strategy Stokes Fear of Blowback,” Reuters, May 10, 2013, www.reuters.com/article/us-usa-cyberweapons-specialreport/special-report-u-s-cyberwar-strategy-stokes-fear-of-blowback-idUSBRE9490EL20130510, and “Booming ‘Zero-Day’ Trade Has Washington Cyber Experts Worried,” Reuters, May 10, 2013, www.reuters.com/article/us-usa-cyberweapons-policy/booming-zero-day-trade-has-washington-cyber-experts-worried-idUSBRE9490EQ20130510.

The brokers’ clients did not want attention being paid to their supply chain. And the majority of hackers did not want to announce themselves as mercenaries or paint a target on themselves for other hackers or governments that might be interested in hacking them for an easy zero-day harvest. So the gray trade grew, driven by useful rumors at Def Con and elsewhere, and stayed out of public sight for a decade. The first mainstream articles on the zero-day business appeared not long before Edward Snowden disclosed that it was a fundamental part of US government practice, in 2013. As offensive capabilities boomed, defense floundered. Firms like @stake tried to protect the biggest companies and, more importantly, get the biggest software makers to improve their products.


pages: 409 words: 112,055

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats by Richard A. Clarke, Robert K. Knake

"World Economic Forum" Davos, A Declaration of the Independence of Cyberspace, Affordable Care Act / Obamacare, air gap, Airbnb, Albert Einstein, Amazon Web Services, autonomous vehicles, barriers to entry, bitcoin, Black Lives Matter, Black Swan, blockchain, Boeing 737 MAX, borderless world, Boston Dynamics, business cycle, business intelligence, call centre, Cass Sunstein, cloud computing, cognitive bias, commoditize, computer vision, corporate governance, cryptocurrency, data acquisition, data science, deep learning, DevOps, disinformation, don't be evil, Donald Trump, Dr. Strangelove, driverless car, Edward Snowden, Exxon Valdez, false flag, geopolitical risk, global village, immigration reform, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, John Perry Barlow, Julian Assange, Kubernetes, machine readable, Marc Benioff, Mark Zuckerberg, Metcalfe’s law, MITM: man-in-the-middle, Morris worm, move fast and break things, Network effects, open borders, platform as a service, Ponzi scheme, quantum cryptography, ransomware, Richard Thaler, Salesforce, Sand Hill Road, Schrödinger's Cat, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, Snapchat, software as a service, Steven Levy, Stuxnet, technoutopianism, The future is already here, Tim Cook: Apple, undersea cable, unit 8200, WikiLeaks, Y2K, zero day

Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called ‘Zero Day’ attacks because developers have had zero days to address and patch the vulnerability. U.S. policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks. In rare instances, U.S. policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.” See “Liberty and Security in a Changing World,” Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, December 12, 2013.

Avoiding these technologies could be as simple as making a single change to the file so that it no longer matched the bad file. Now, Aitel is worried that the superweapons of his craft are increasingly getting discovered. As we’ve seen, a zero day is a vulnerability that is not known to defenders and therefore has yet to be patched. Aitel, from an offensive perspective, is concerned that security firms are actually finding zero day attacks with increasing regularity, to the point that detection of zero days is becoming commoditized. “Microsoft’s Advanced Threat Detection, CrowdStrike, Kaspersky, the new FireEye stuff, all that stuff actually works and that is a huge change,” Aitel says.

There was a belief that failure to modify such software in time would result in widespread failure of software-controlled devices and machinery at 12:01 A.M. of 01/01/2000. Zero-day vulnerability: A software attack tool that has never been used before and for which, therefore, no defense currently exists. A zero-day attack tool is an exploit that utilizes a previously unused vulnerability in software or hardware. Zero Days is also the name of a 2016 documentary film about Stuxnet, directed by Alex Gibney. Acknowledgments and Disclosures As we note in the text, the cyber workforce is stretched thin.


pages: 587 words: 117,894

Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman

4chan, A Declaration of the Independence of Cyberspace, air gap, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamond, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, cognitive load, crowdsourcing, cuban missile crisis, data acquisition, do-ocracy, Dr. Strangelove, drone strike, Edward Snowden, energy security, failed state, fake news, Fall of the Berlin Wall, fault tolerance, Free Software Foundation, global supply chain, Google Earth, information security, Internet of things, invention of the telegraph, John Markoff, John Perry Barlow, Julian Assange, Khan Academy, M-Pesa, military-industrial complex, MITM: man-in-the-middle, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Seymour Hersh, Silicon Valley, Skype, smart grid, SQL injection, Steve Jobs, Stuxnet, Twitter Arab Spring, uranium enrichment, vertical integration, We are Anonymous. We are Legion, web application, WikiLeaks, Yochai Benkler, zero day, zero-sum game

EXERCISE IS GOOD FOR YOU: HOW CAN WE BETTER PREPARE FOR CYBER INCIDENTS? malicious computer code Dan Goodin, “At Facebook, Zero-Day Exploits, Backdoor Code, Bring War Games Drill to Life,” Ars Technica, February 10, 2013, http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/. no major damage Sean Gallagher, “Facebook Computers Compromised by Zero-Day Java Exploit,” Ars Technica, February 15, 2013, http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/. tried to harm Facebook Dennis Fisher, “How Facebook Prepared to Be Hacked,” Threatpost, March 8, 2013, http://threatpost.com/en_us/blogs/how-facebook-prepared-be-hacked-030813.

The more he and his team explored it, the more interested they became. It was a wonderfully complex piece of malware like none the world had ever seen. It had at least four new “zero days” (previously unknown vulnerabilities), utilized digital signatures with the private keys of two certificates stolen from separate well-known companies, and worked on all Windows operating systems down to the decade-old Windows 95 edition. The number of new zero days particularly stood out. Hackers prize zero days and don’t like to reveal them when they don’t have to. To use four at once was unprecedented and almost illogical given that one new open door is enough.

Twice in six months sophisticated attackers were able to gain access to the production code that runs Facebook’s website, used by over a billion people around the world. The first time, a Facebook engineer’s computer was compromised by an unpatched, zero-day exploit. This enabled the attacker to “push” their own malicious computer code into the “live build” that runs the website. The second time, in early 2013, several engineers’ computers were compromised after visiting a website that launched a zero-day exploit on its victims. But this time, the attacker was unable to get inside sensitive systems, and could cause no major damage. The reason these two attacks caused such differing effects lies in their origin.


pages: 598 words: 134,339

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier

23andMe, Airbnb, airport security, AltaVista, Anne Wojcicki, AOL-Time Warner, augmented reality, behavioural economics, Benjamin Mako Hill, Black Swan, Boris Johnson, Brewster Kahle, Brian Krebs, call centre, Cass Sunstein, Chelsea Manning, citizen journalism, Citizen Lab, cloud computing, congestion charging, data science, digital rights, disintermediation, drone strike, Eben Moglen, Edward Snowden, end-to-end encryption, Evgeny Morozov, experimental subject, failed state, fault tolerance, Ferguson, Missouri, Filter Bubble, Firefox, friendly fire, Google Chrome, Google Glasses, heat death of the universe, hindsight bias, informal economy, information security, Internet Archive, Internet of things, Jacob Appelbaum, James Bridle, Jaron Lanier, John Gilmore, John Markoff, Julian Assange, Kevin Kelly, Laura Poitras, license plate recognition, lifelogging, linked data, Lyft, Mark Zuckerberg, moral panic, Nash equilibrium, Nate Silver, national security letter, Network effects, Occupy movement, operational security, Panopticon Jeremy Bentham, payday loans, pre–internet, price discrimination, profit motive, race to the bottom, RAND corporation, real-name policy, recommendation engine, RFID, Ross Ulbricht, satellite internet, self-driving car, Shoshana Zuboff, Silicon Valley, Skype, smart cities, smart grid, Snapchat, social graph, software as a service, South China Sea, sparse data, stealth mode startup, Steven Levy, Stuxnet, TaskRabbit, technological determinism, telemarketer, Tim Cook: Apple, transaction costs, Uber and Lyft, uber lyft, undersea cable, unit 8200, urban planning, Wayback Machine, WikiLeaks, workplace surveillance, Yochai Benkler, yottabyte, zero day

discoverers can sell to criminals: Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108. Undiscovered zero-day vulnerabilities: Here is the most important research into that question. Eric Rescorla (7 Feb 2005), “Is finding security holes a good idea?” RTFM, Inc., http://www.rtfm.com/bugrate.pdf. Sandy Clark et al. (6–10 Dec 2010), “Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities,” 26th Annual Computer Security Applications Conference, Austin, Texas, http://dl.acm.org/citation.cfm?id=1920299. Andy Ozment and Stuart E.

the White House tried to clarify: Michael Daniel (28 Apr 2014), “Heartbleed: Understanding when we disclose cyber vulnerabilities,” White House Blog, http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities. Stuxnet, used four zero-days: Ryan Naraine (14 Sep 2010), “Stuxnet attackers used 4 Windows zero-day exploits,” ZDNet, http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347. agency jargon NOBUS: Andrea Peterson (4 Oct 2013), “Why everyone is left less secure when the NSA doesn’t help fix security flaws,” Washington Post, http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws.

Thompson II (5 Jun 2014), “The Fourth Amendment third-party doctrine,” Congressional Research Service, http://fas.org/sgp/crs/misc/R43586.pdf. also hoarding vulnerabilities: In 2014, the Russians used a zero-day vulnerability in Windows to spy on both NATO and the Ukrainian government. Ellen Nakashima (13 Oct 2014), “Russian hackers use ‘zero-day’ to hack NATO, Ukraine in cyber-spy campaign,” Washington Post, http://www.washingtonpost.com/world/national-security/russian-hackers-use-zero-day-to-hack-nato-ukraine-in-cyber-spy-campaign/2014/10/13/f2452976-52f9-11e4-892e-602188e70e9c_story.html. Some people believe the NSA: Cory Doctorow (11 Mar 2014), “If GCHQ wants to improve national security it must fix our technology,” Guardian, http://www.theguardian.com/technology/2014/mar/11/gchq-national-security-technology.


pages: 317 words: 98,745

Black Code: Inside the Battle for Cyberspace by Ronald J. Deibert

4chan, air gap, Any sufficiently advanced technology is indistinguishable from magic, Brian Krebs, call centre, citizen journalism, Citizen Lab, cloud computing, connected car, corporate social responsibility, crowdsourcing, cuban missile crisis, data acquisition, digital divide, disinformation, end-to-end encryption, escalation ladder, Evgeny Morozov, failed state, Firefox, Gabriella Coleman, global supply chain, global village, Google Hangouts, Hacker Ethic, Herman Kahn, informal economy, information security, invention of writing, Iridium satellite, jimmy wales, John Gilmore, John Markoff, Kibera, Kickstarter, knowledge economy, Lewis Mumford, low earth orbit, Marshall McLuhan, military-industrial complex, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, new economy, Occupy movement, off-the-grid, Panopticon Jeremy Bentham, planetary scale, rent-seeking, Ronald Reagan, Ronald Reagan: Tear down this wall, Silicon Valley, Silicon Valley startup, Skype, smart grid, South China Sea, Steven Levy, Streisand effect, Stuxnet, Ted Kaczynski, the medium is the message, Turing test, Twitter Arab Spring, undersea cable, unit 8200, We are Anonymous. We are Legion, WikiLeaks, Yochai Benkler, zero day

“It’s a lot more fun to fight the adversary than to guard against him,” Mandiant company founder Kevin Mandia told NPR, citing another industry expert who says that “there are dozens, if not hundreds, of service providers doing similar things to Mandiant.” One extremely lucrative part of this market involves the sale of fresh “exploitations” or undiscovered computer vulnerabilities not yet detected by the antivirus industry, like Gamma’s Zero Day. A 2012 Forbes magazine investigation acquired a price list of zero-day vulnerabilities, offering another peek inside this otherwise closed industry. Want a fresh exploit that will target Adobe? That will cost anywhere from $5,000 to $30,000. Mac OS X? $20,000 to $50,000. Android? $30,000 to $60,000. One exploit targeting Apple’s iOS system was reportedly sold to a U.S. agency for $250,000.

We the People of … Facebook 7. Policing Cyberspace: Is There an “Other Request” on the Line? 8. Meet Koobface: A Cyber Crime Snapshot 9. Digitally Armed and Dangerous 10. Fanning the Flames of Cyber Warfare 11. Stuxnet and the Argument for Clean War 12. The Internet Is Officially Dead 13. A Zero Day No More 14. Anonymous: Expect Us 15. Towards Distributed Security and Stewardship in Cyberspace Not an Epilogue Notes Acknowledgements PREFACE It always takes long to come to what you have to say, you have to sweep this stretch of land up around your feet and point to the signs, pleat whole histories with pins in your mouth and guess at the fall of words.

In the early days, cyber crime was primarily a loner’s calling, an annoying but affordable by-product of an open Internet. Today, the loners find each other, network together, and professionalize their activities. Underground forums have emerged in the dark recesses of the Internet where specialized tools and techniques are now bought, sold, and traded. Malicious software packages – known as “Ødays” or “zero days,” because antivirus companies have no known protections against them – are now as readily available as songs on iTunes. “Botnet herders” – individuals who control tens of thousands of compromised computers – market their wares in underground auctions. Stolen credit cards and email addresses are sold, bought, and traded like candy.


pages: 677 words: 206,548

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman

23andMe, 3D printing, active measures, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, Alvin Toffler, Apollo 11, Apollo 13, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Boston Dynamics, Brian Krebs, business process, butterfly effect, call centre, Charles Lindbergh, Chelsea Manning, Citizen Lab, cloud computing, Cody Wilson, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, data science, Dean Kamen, deep learning, DeepMind, digital rights, disinformation, disintermediation, Dogecoin, don't be evil, double helix, Downton Abbey, driverless car, drone strike, Edward Snowden, Elon Musk, Erik Brynjolfsson, Evgeny Morozov, Filter Bubble, Firefox, Flash crash, Free Software Foundation, future of work, game design, gamification, global pandemic, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, Hacker News, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, information security, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, John Markoff, Joi Ito, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, Kiva Systems, knowledge worker, Kuwabatake Sanjuro: assassination market, Large Hadron Collider, Larry Ellison, Laura Poitras, Law of Accelerating Returns, Lean Startup, license plate recognition, lifelogging, litecoin, low earth orbit, M-Pesa, machine translation, Mark Zuckerberg, Marshall McLuhan, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, mobile money, more computing power than Apollo, move fast and break things, Nate Silver, 
national security letter, natural language processing, Nick Bostrom, obamacare, Occupy movement, Oculus Rift, off grid, off-the-grid, offshore financial centre, operational security, optical character recognition, Parag Khanna, pattern recognition, peer-to-peer, personalized medicine, Peter H. Diamandis: Planetary Resources, Peter Thiel, pre–internet, printed gun, RAND corporation, ransomware, Ray Kurzweil, Recombinant DNA, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Ross Ulbricht, Russell Brand, Salesforce, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Sheryl Sandberg, Silicon Valley, Silicon Valley startup, SimCity, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, SoftBank, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, subscription business, supply-chain management, synthetic biology, tech worker, technological singularity, TED Talk, telepresence, telepresence robot, Tesla Model S, The future is already here, The Future of Employment, the long tail, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Virgin Galactic, Wall-E, warehouse robotics, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, Westphalian system, WikiLeaks, Y Combinator, you are the product, zero day

Though millions around the world rely on these tools, it’s pretty clear the antivirus era is over. One of the reasons it is proving difficult to counter the wide variety of technological threats in our lives today is that there has been a burgeoning increase in the number of so-called zero-day attacks. A zero-day exploit takes advantage of a previously unknown vulnerability in a computer application that developers and security staff have not had time to address. Rather than proactively looking for these vulnerabilities themselves, antivirus software companies generally only consider known data points.

As we saw with the Stuxnet attack against the Iranian nuclear enrichment site at Natanz, such operations can take years of planning and cost millions of dollars. Fortunately for those without the time and budget to devise their own cyber weapons, there is a vast shadowy black market where spies, soldiers, thieves, and hacktivists can shop for so-called zero-day exploits. As mentioned previously, these zero-day bugs have not yet been discovered by software and antivirus companies and thus handily defeat common security and firewall measures without sounding an alarm. In the old days, hackers used to hold on to these exploits for their personal use or attempt to sell them to software giants such as Microsoft, Yahoo!

Companies such as Vupen in France, Netragard in Massachusetts, Endgame of Georgia, Exodus Intelligence in Texas, and ReVuln in Malta are all heavily involved in selling offensive exploits to customers around the world. While some zero-day trafficking firms vet their clients, others will sell to anybody, from Crime, Inc. to notorious dictators, no questions asked. The result, as pointed out by the noted security researcher Tom Kellermann, is that now anybody can download a cyber Kalashnikov or cyber grenade from a myriad of sites. Many zero-day exploits enable particularly stealthy and sophisticated attacks against specific targets, giving rise to what security researchers have termed the advanced persistent threat, or APT.


pages: 443 words: 116,832

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan

active measures, air gap, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, British Empire, Cass Sunstein, citizen journalism, Citizen Lab, credit crunch, cryptocurrency, cuban missile crisis, data acquisition, disinformation, Donald Trump, drone strike, Edward Snowden, fake news, family office, Hacker News, hive mind, information security, Internet Archive, Jacob Appelbaum, John Markoff, John von Neumann, Julian Assange, Kevin Roose, Kickstarter, kremlinology, Laura Poitras, MITM: man-in-the-middle, Nate Silver, operational security, post-truth, profit motive, RAND corporation, ransomware, risk tolerance, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Russian election interference, seminal paper, Silicon Valley, South China Sea, Steve Jobs, Stuxnet, subscription business, technoutopianism, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, Wargames Reagan, WikiLeaks, zero day

For the first reporting of this test, see William Broad, John Markoff, and David Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011. 10. Sanger, Confront and Conceal, 197. 11. For the first reporting of this order, see Sanger, Confront and Conceal, ch. 8. 12. For a good discussion of this propagation, see Zetter, Countdown to Zero Day, 91. See also Zetter and Modderkolk, “Revealed.” 13. Zetter, Countdown to Zero Day, 97. For more detailed technical analysis of this point, see Kaspersky Lab, “Stuxnet: Victims Zero,” November 18, 2014. Note that not all five contractors were used to spread each version of Stuxnet. 14. The two command-and-control sites used the domain names mypremierfutbol.com and todaysfutbol.com. 15.

Brian Krebs, “Experts Warn of New Windows Shortcut Flaw,” Krebs on Security, July 15, 2010. 29. One of these companies was Siemens, which made the industrial controllers that Stuxnet targeted. But after a July statement, the firm was curiously silent. Zetter, Countdown to Zero Day, 168. 30. For a good discussion of Stuxnet’s relative size, see Zetter, Countdown to Zero Day, 20. 31. Symantec posted a series of blog posts throughout the summer and fall of 2010 updating what it knew about Stuxnet. For an archived list of these posts as of early 2011, see “Security Response (Posts Tagged with W32.Stuxnet),” Symantec, January 20, 2011, https://web.archive.org/web/20110120133017/https://www.symantec.com/connect/symantec-blogs/security-response/11761/all/all/all/all. 32.

For an archived list of these posts as of early 2011, see “Security Response (Posts Tagged with W32.Stuxnet),” Symantec, January 20, 2011, https://web.archive.org/web/20110120133017/https://www.symantec.com/connect/symantec-blogs/security-response/11761/all/all/all/all. 32. Emphasis in the original. Kim Zetter, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History,” Wired, July 11, 2011. 33. Zetter, Countdown to Zero Day, 173. 34. Zetter, Countdown to Zero Day, 177. 35. Ralph Langner, “Stuxnet Is a Directed Attack: ‘Hack of the Century,’ ” Langner Group, September 13, 2010. 36. Ralph Langner, “Stuxnet Logbook, Sep 16 2010, 1200 Hours MESZ,” Langner Group, September 16, 2010. 37. Kaspersky Global Research & Analysis Team (GReAT), “What Was That Wiper Thing?”


pages: 568 words: 164,014

Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat by John P. Carlin, Garrett M. Graff

1960s counterculture, A Declaration of the Independence of Cyberspace, Aaron Swartz, air gap, Andy Carvin, Apple II, Bay Area Rapid Transit, bitcoin, Brian Krebs, business climate, cloud computing, cotton gin, cryptocurrency, data acquisition, Deng Xiaoping, disinformation, driverless car, drone strike, dual-use technology, eat what you kill, Edward Snowden, fake news, false flag, Francis Fukuyama: the end of history, Hacker Ethic, information security, Internet of things, James Dyson, Jeff Bezos, John Gilmore, John Markoff, John Perry Barlow, Ken Thompson, Kevin Roose, Laura Poitras, Mark Zuckerberg, Menlo Park, millennium bug, Minecraft, Mitch Kapor, moral hazard, Morris worm, multilevel marketing, Network effects, new economy, Oklahoma City bombing, out of africa, packet switching, peer-to-peer, peer-to-peer model, performance metric, RAND corporation, ransomware, Reflections on Trusting Trust, Richard Stallman, Robert Metcalfe, Ronald Reagan, Saturday Night Live, self-driving car, shareholder value, side project, Silicon Valley, Silicon Valley startup, Skype, Snapchat, South China Sea, Steve Crocker, Steve Jobs, Steve Wozniak, Steven Levy, Stewart Brand, Stuxnet, The Hackers Conference, Tim Cook: Apple, trickle-down economics, Wargames Reagan, Whole Earth Catalog, Whole Earth Review, WikiLeaks, Y2K, zero day, zero-sum game

In January 2010, VeriSign’s iDefense publicly accused the Chinese government of stealing the source code—the crown jewels of a tech company, the secret back-end recipe for how a website works—for at least 33 companies, including the tech giant Google, as well as Yahoo, Symantec, Northrop Grumman, and Dow Chemical.13* The hackers had relied upon previously unknown vulnerabilities in both Microsoft’s Internet Explorer and Adobe’s PDF reader—so-called zero-day exploits—to deliver malware onto targeted computers.14 Zero-day exploits represent the crown jewels in the cyber realm, incredibly rare and valuable commodities to both regular hackers and, especially, nation-states, which rely on zero days to conduct high-level espionage and prepare military attacks on unsuspecting targets. They were not used routinely, but instead were hoarded and stockpiled for special access or emergency situations. Tech companies were often willing to pay big money privately for zero days, as were governments interested in using them for future hacking.

Inside the US government, there were often intense philosophical discussions about when and whether companies should be made aware of zero-day vulnerabilities to issue software or hardware patches; often the FBI or DHS preferred to let companies know quickly, to help them harden their systems, while intelligence agencies might prefer to hold on to them to exploit in their own work. This debate, which continues to this day, led to a formal system known as the VEP, the Vulnerabilities Equities Process, which brought together government agencies to weigh in on zero days to industry. The high value of a zero day meant that spotting one in the wild was exceedingly rare—upward of 90 percent of hacking efforts didn’t involve exploiting any unique vulnerabilities—which meant that someone had really wanted the information they were after if they were willing to burn one or more zero days on the attack.

In 2011, a team from the Republic of Georgia laid a trap for a hacker rummaging through its network: they hid an intriguing document, titled “Georgian-NATO agreement,” that actually contained malware of its own that, once exfiltrated and downloaded, allowed the Georgian team to turn on the hacker’s camera and photograph him sitting, wearing a yellow shirt, hunched over his computer examining his stolen take.20 In 2018, researchers announced that they’d been able to trace a particular attack to North Korea in part because the hacker had infected his own computer with his own malware. Similarly, most of the methods hackers use aren’t fancy so-called zero-day exploits, hidden and unknown flaws in software or hardware that can fetch top dollar in online marketplaces. In fact, little in the cyberworld relies on sophisticated black magic. Most hacks—even the most damaging ones—have come through relatively unsophisticated means exploiting obvious vulnerabilities: software patches that haven’t been installed, weak or default passwords protecting sensitive data, or “phishing” techniques where a user has clicked a nefarious link in an email and allowed hackers access to an account.


Reset by Ronald J. Deibert

23andMe, active measures, air gap, Airbnb, Amazon Web Services, Anthropocene, augmented reality, availability heuristic, behavioural economics, Bellingcat, Big Tech, bitcoin, blockchain, blood diamond, Brexit referendum, Buckminster Fuller, business intelligence, Cal Newport, call centre, Cambridge Analytica, carbon footprint, cashless society, Citizen Lab, clean water, cloud computing, computer vision, confounding variable, contact tracing, contact tracing app, content marketing, coronavirus, corporate social responsibility, COVID-19, crowdsourcing, data acquisition, data is the new oil, decarbonisation, deep learning, deepfake, Deng Xiaoping, disinformation, Donald Trump, Doomsday Clock, dual-use technology, Edward Snowden, Elon Musk, en.wikipedia.org, end-to-end encryption, Evgeny Morozov, failed state, fake news, Future Shock, game design, gig economy, global pandemic, global supply chain, global village, Google Hangouts, Great Leap Forward, high-speed rail, income inequality, information retrieval, information security, Internet of things, Jaron Lanier, Jeff Bezos, John Markoff, Lewis Mumford, liberal capitalism, license plate recognition, lockdown, longitudinal study, Mark Zuckerberg, Marshall McLuhan, mass immigration, megastructure, meta-analysis, military-industrial complex, move fast and break things, Naomi Klein, natural language processing, New Journalism, NSO Group, off-the-grid, Peter Thiel, planetary scale, planned obsolescence, post-truth, proprietary trading, QAnon, ransomware, Robert Mercer, Sheryl Sandberg, Shoshana Zuboff, Silicon Valley, single source of truth, Skype, Snapchat, social distancing, sorting algorithm, source of truth, sovereign wealth fund, sparse data, speech recognition, Steve Bannon, Steve Jobs, Stuxnet, surveillance capitalism, techlash, technological solutionism, the long tail, the medium is the message, The Structural Transformation of the Public Sphere, TikTok, TSMC, undersea cable, unit 8200, Vannevar Bush, WikiLeaks, zero day, zero-sum game

“The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender,” Citizen Lab Research Report No. 78, University of Toronto. Retrieved from https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ “Zero days” — or “open doors that the vendor does not know it should lock”: Lindsay, Restrained by design; Greenberg, A. (2012, March 23). Shopping for zero-days: A price list for hackers’ secret software exploits. Forbes; Meakins, J. (2019). A zero-sum game: The zero-day market in 2018. Journal of Cyber Policy, 4(1), 60–71; Zetter. Countdown to Zero Day. Throughout 2017 and 2018, we partnered with Mexican human rights investigators at organizations: Scott-Railton, J., Marczak, B., Anstis, S., Abdul Razzak, B., Crete-Nishihata, B., and Deibert, R.

Clicking on those links in a laboratory setting allowed us to infect an iPhone we controlled and inspect a copy of NSO Group’s custom Pegasus spyware. The spyware was extraordinarily sophisticated; it included exploits that took advantage of three separate flaws in Apple’s operating system that even Apple was unaware of at the time. (Known in the industry as “zero days” — or “open doors that the vendor does not know it should lock,” as University of Toronto professor Jon Lindsay put it — a single one of these exploitable software flaws in Apple products can fetch as much as $1 million for those who discover it.)215 After disclosing the vulnerabilities to Apple, which pushed out a security patch to more than one billion users, and publishing our report on the targeting of Mansoor, we reverse-engineered Pegasus and began scanning for and monitoring NSO’s infrastructure and government client base.

What goes for spyware is equally applicable to the broad range of insecurities introduced by governments into our communications ecosystem in the name of national security. For years, government military, intelligence, and law enforcement agencies have not only stockpiled knowledge of software bugs (“zero days”) as tools that could facilitate their investigations and other operations, they’ve also deliberately introduced such flaws into critical systems as “back doors” — a kind of insecurity by design.427 Very little is known about these practices, how extensive they are, and what criteria guide the decision making around them, because they are shrouded in secrecy.


pages: 1,380 words: 190,710

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield

air gap, anti-pattern, barriers to entry, bash_history, behavioural economics, business continuity plan, business logic, business process, Cass Sunstein, cloud computing, cognitive load, continuous integration, correlation does not imply causation, create, read, update, delete, cryptocurrency, cyber-physical system, database schema, Debian, defense in depth, DevOps, Edward Snowden, end-to-end encryption, exponential backoff, fault tolerance, fear of failure, general-purpose programming language, Google Chrome, if you see hoof prints, think horses—not zebras, information security, Internet of things, Kubernetes, load shedding, margin call, microservices, MITM: man-in-the-middle, NSO Group, nudge theory, operational security, performance metric, pull request, ransomware, reproducible builds, revision control, Richard Thaler, risk tolerance, self-driving car, single source of truth, Skype, slashdot, software as a service, source of truth, SQL injection, Stuxnet, the long tail, Turing test, undersea cable, uranium enrichment, Valgrind, web application, Y2K, zero day

In the context of short-term changes, we’ll focus on vulnerabilities where Google learned about the vulnerability on day zero. Although Google is often involved in embargoed vulnerability responses—for example, when developing patches—a short-term change for a zero-day vulnerability is common behavior for most organizations in the industry. Note: Although zero-day vulnerabilities get a lot of attention (both externally and within the organization), they’re not necessarily the vulnerabilities that are most exploited by attackers. Before you tackle a same-day zero-day vulnerability response, make sure you’re patched for the “top hits” to cover critical vulnerabilities from recent years. When you discover a new vulnerability, triage it to determine its severity and impact.

In the following sections, we discuss three different time horizons for change and include examples to show what each has looked like at Google:
A short-term change in reaction to a new security vulnerability
A medium-term change, where new product adoption could happen gradually
A long-term change for regulatory reasons, where Google had to build new systems in order to implement the change
Short-Term Change: Zero-Day Vulnerability
Newly discovered vulnerabilities often require short-term action. A zero-day vulnerability is one that is known by at least some attackers, but that hasn’t been disclosed publicly or discovered by the targeted infrastructure provider. Typically, a patch either isn’t available yet or hasn’t been widely applied. There are a variety of ways to find out about new vulnerabilities that might affect your environment, including regular code reviews, internal code scanning (see “Sanitize Your Code”), fuzzing (see “Fuzz Testing”), external scans like penetration tests and infrastructure scans, and bug bounty programs.

hardening with fixits, Testing programming language choice, Programming Language Choice resiliency for CA key material, Resiliency for the CA Key Material securing third-party/open source components, Securing Third-Party and Open Source Components testing, Testing certificate revocation (see explicit revocation mechanism) Certificate Signing Requests (CSRs), Programming Language Choice certification (security specialists), Certifications and Academia certification validity database, A centralized service to revoke certificates CFG (control-flow graph), Abstract Interpretation champions, IR team, Identify Team Members and Roles changebuilding a case for, Build a Case for Change picking your battles, Pick Your Battles reducing fear with risk-reduction mechanisms, Reduce Fear with Risk-Reduction Mechanisms-Reduce Fear with Risk-Reduction Mechanisms resistance to, Changing Culture Through Good Practice slowing down a change, Complications: When Plans Change change budget, A foothold for humans change, designing for, Design for a Changing Landscape-Conclusionarchitecture decisions to make changes easier, Architecture Decisions to Make Changes Easier-Example: Google’s frontend design best practices for designing your change, Designing Your Change complications: when plans change, Complications: When Plans Change containers, Use Containers factors influencing speed of change, Different Changes: Different Speeds, Different Timelines-Example: Increasing HTTPS usage Heartbleed security bug example, Example: Growing Scope—Heartbleed keeping dependencies up to date, Keep Dependencies Up to Date and Rebuild Frequently long-term change: external demand, Long-Term Change: External Demand-Example: Increasing HTTPS usage medium-term change: improvement to security posture, Medium-Term Change: Improvement to Security Posture-Example: Strong second-factor authentication using FIDO security keys microservices, Use Microservices-Example: Google’s frontend design rebuilding, Keep 
Dependencies Up to Date and Rebuild Frequently releasing frequently using automated testing, Release Frequently Using Automated Testing second-factor authentication using FIDO security keys, Example: Strong second-factor authentication using FIDO security keys-Example: Strong second-factor authentication using FIDO security keys short-term change: zero-day vulnerability, Short-Term Change: Zero-Day Vulnerability-Example: Shellshock types of security changes, Types of Security Changes chaos engineering, Fuzz Testing charter, IR team, Establish a Team Charter checksums, Distinguish horses from zebras China, Criminal Actors choke points, Deployment Choke Points Chrome security team, Case Study: Chrome Security Team-Conclusion, Example: Embedding Security at Googlebackground, Background and Team Evolution designing for defense in depth, Design for Defense in Depth helping users safely navigate the web, Help Users Safely Navigate the Web security as team responsibility, Security Is a Team Responsibility speed of detecting and fixing security flaws, Speed Matters stages of evolution, Background and Team Evolution-Background and Team Evolution transparency and community engagement, Be Transparent and Engage the Community CI/CD (see continuous integration/continuous deployment) CIA (confidentiality, integrity, availability) triad, Confidentiality, Integrity, Availability Cisco, Risk Assessment Considerations CL (communications lead), Keeping the Right People Informed with the Right Levels of Detail, Preparing Communications and Remediation Clang-Tidy, Automated Code Inspection Tools-Automated Code Inspection Tools CLI (command-line interface), Google Tool Proxy-Google Tool Proxy client software, Client Retry Behavior cloud access security brokers (CASBs), Cloud logs cloud assetscompromised cloud instances, Compromised Cloud Instances identifying/inventorying, Cloud logs Cloud Key Management Service (KMS), Example: Secure cryptographic APIs and the Tink crypto framework 
ClusterFuzz, Example: ClusterFuzz and OSSFuzz codedeploying (see deploying code) testing (see testing (code)) writing (see writing code) code inspection tools, automated, Automated Code Inspection Tools-Automated Code Inspection Tools code reviews, Require Code Reviews code signing, What to put in binary provenance Code Spaces, Crisis Response Codenomicon, Example: Growing Scope—Heartbleed collaborative debugging, Collaborative Debugging: A Way to Teach Colombia, Criminal Actors Columbia Disaster Investigation Board, Culture of Inevitably command-line interface (CLI), Google Tool Proxy-Google Tool Proxy common object model, Prefer interfaces that enforce a common object model communicationcrisis management and, Communications-Keeping the Right People Informed with the Right Levels of Detail emergency access and, Communications foundation for trust, Invisibility hedging, Hedging hypothetical crisis management example, Communications and Operational Security keeping the right people informed with the right levels of detail, Keeping the Right People Informed with the Right Levels of Detail meetings in crisis management situations, Meetings misunderstandings, Misunderstandings overcommunication and transparency when advocating for change, Overcommunicate and Be Transparent preparing, Preparing Communications and Remediation when email or instant messaging system is compromised, Develop Response Plans when taking a break from debugging, Take a break communications lead (CL), Keeping the Right People Informed with the Right Levels of Detail, Preparing Communications and Remediation community engagement, Be Transparent and Engage the Community compartmentalization, Controlling the Blast Radius-Controlling the Blast Radius(see also blast radius, controlling) location separation, Location Separation-Isolation of confidentiality role separation, Role Separation complexitybreaking down, Breaking Down Complexity evolution and, Evolution in evolving systems, Evolution least 
privilege and, Impact on Developer Complexity managing (see understandability) understandability versus, Complexity Versus Understandability concolic testing, Integration of Static Analysis in the Developer Workflow confidentialityisolation of, Isolation of confidentiality reliability/security intersection, Confidentiality configuration distributioncustom HTTP receiver (in-process), Custom HTTP Receiver (In-Process) custom HTTP receiver (sidecar), Custom HTTP Receiver (Sidecar) custom OpenSSH ForceCommand, Custom OpenSSH ForceCommand in least-privilege environment, Worked Example: Configuration Distribution-Tradeoffs POSIX API via OpenSSH, POSIX API via OpenSSH software update API, Software Update API tradeoffs, Tradeoffs configuration-as-code, Treat Configuration as Code conformance checks, Example: Microservices and the Google Web Application Framework containers, Use Containers continuous integration/continuous deployment (CI/CD), Initial Velocity Versus Sustained Velocityimplementing verifiable builds, Implementing verifiable builds-Unauthenticated inputs provenance-based deployment policies, Provenance-Based Deployment Policies unit tests, Unit Testing continuous validationdesigning for recovery, Design for Testing and Continuous Validation exercising emergency components as part of normal workflows, Exercise emergency components as part of normal workflows Google's CA, Data Validation injecting anticipated changes in behavior, Inject anticipated changes of behavior key rotation cycle measurement, Measure key rotation cycles oversubscribing but preventing complacency, Oversubscribe but prevent complacency resilient design and, Continuous Validation-Measure key rotation cycles scenarios for, Validation in Practice-Measure key rotation cycles splitting when you cannot mirror traffic, Split when you cannot mirror traffic validation focus areas, Validation Focus Areas control plane, Example: Google’s frontend design control-flow graph (CFG), Abstract 
Interpretation coordinated vulnerability disclosure (CVD), Compromises Versus Bugs costsadding reliability/security to existing systems, Balancing Requirements computing resources consumed by failure, Computing resources differentiating costs of failures, Differentiate Costs of Failures-Speed of mitigation logging, Budget for Logging recovery speed's effect on, Speed of mitigation reliability/security failures, Invisibility resilience solutions, Practical Advice: Where to Begin third-party service providers, Costs and nontechnical risks credentialsdefined, Identities revocation system, Use an Explicit Revocation Mechanism-Avoiding risky exceptions rotation of, Credential and Secret Rotation-Credential and Secret Rotation criminal actorsas attackers, Criminal Actors-Protecting your systems from criminal actors protecting your systems from, Protecting your systems from criminal actors crises, incidents versus, Is It a Crisis or Not?


pages: 394 words: 117,982

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David E. Sanger

active measures, air gap, autonomous vehicles, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, Bletchley Park, British Empire, call centre, Cambridge Analytica, Cass Sunstein, Chelsea Manning, computer age, cryptocurrency, cuban missile crisis, disinformation, Donald Trump, drone strike, Edward Snowden, fake news, Google Chrome, Google Earth, information security, Jacob Appelbaum, John Markoff, Kevin Roose, Laura Poitras, Mark Zuckerberg, MITM: man-in-the-middle, mutually assured destruction, off-the-grid, RAND corporation, ransomware, Sand Hill Road, Sheryl Sandberg, Silicon Valley, Silicon Valley ideology, Skype, South China Sea, Steve Bannon, Steve Jobs, Steven Levy, Stuxnet, Tim Cook: Apple, too big to fail, Twitter Arab Spring, undersea cable, unit 8200, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

But the silence and obsession with secrecy may have had a deeper motivation: American intelligence services had a menu of other cyber operations brewing around the world. These ranged from classic espionage to highly destructive malware—the kind that could knock a whole country back into the analog age.
*1 A zero-day flaw is a previously unidentified software vulnerability—so named because there are zero days of notice to get it fixed before the damage is done.
*2 The reason for the delay may lie in a coincidence of timing. That first big story was published just hours before Egypt erupted into the chaos of the Tahrir Square uprising, which then occupied all the headlines, and forced President Obama into a tense effort to get President Hosni Mubarak to leave office

Malicious code always has bugs inside of it. This wasn’t the case with Stuxnet.” He admired the malware as if he were an art collector who had just discovered a never-before-seen Rembrandt. The code appeared to be partially autonomous; it didn’t require anyone to pull the trigger. Instead, it relied on four sophisticated “zero-day” exploits, which allowed the code to spread without human help, autonomously looking for its target.*1 This fact provided a crucial clue to Chien and O’Murchu: such vulnerabilities are rare commodities, hoarded by hackers, and sold for hundreds of thousands of dollars on the black market. It became clear that Stuxnet couldn’t be the work of an individual hacker, or even a team of hobbyists.

And if all the king’s men can’t turn the lights back on, or filter the water for weeks, then lots of people die. And something we can do to others, they can do to us too. Is that something that we should keep quiet? Or should we talk about it?
—An NSA employee, speaking through a composite character in Zero Days
After the Russian hack of the Pentagon’s secret networks in 2008, two things seemed clear to the newly inaugurated Obama administration. First, Putin’s hackers were sure to come back. And second, America needed a full-fledged Cyber Command, far more capable than the small units spread among the army, the navy, the air force, and Cartwright’s Strategic Command.


pages: 350 words: 115,802

Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy by Laurent Richard, Sandrine Rigaud

activist lawyer, Airbnb, Amazon Web Services, centre right, Charlie Hebdo massacre, Chelsea Manning, citizen journalism, Citizen Lab, corporate governance, COVID-19, David Vincenzetti, Donald Trump, double helix, Edward Snowden, food desert, Jeff Bezos, Julian Assange, Kevin Kelly, knowledge worker, lockdown, Mohammed Bouazizi, NSO Group, offshore financial centre, operational security, Stuxnet, Tim Cook: Apple, unit 8200, WikiLeaks, Yom Kippur War, zero day

The sophisticated weaponry that NSO’s Pegasus system was deploying to inject its quite ordinary spyware was engineered to exploit vulnerabilities in, say, the Apple software and apps running on an iPhone. The Security Lab had already detected exploits engineered to attack through iMessage and Apple Photos. These weapons are known in the cybersecurity field as “zero-day exploits” because that’s exactly how much time a tech company like Apple or Google or Microsoft has known about the issue and that’s exactly how much time they have to fix the problem before an attack. Zero days! None. It’s already too late. If an exploit can evade enough security protections and technical mitigations, it can eventually jailbreak the device and write whatever malicious code it desires into the iPhone.

Which means these sorts of weapons require a lot of man-hours and money to develop, and they all start with a really skilled hacker or cyber-researcher discovering a weakness in Apple’s software and making sure it’s kept a secret until they can sell to the highest bidder. Claudio and Donncha understood enough about the zero-days market to know that a single reliable exploit chain might go for a million dollars or more. They had also seen and heard enough to believe that NSO was likely expending considerable cash on in-house research to develop its own proprietary zero-day weapons. The scale of NSO’s business operations—with paying customers in dozens of countries—almost demanded it. “It’s completely worth it for NSO if they have to spend five million a year on an exploit room for iPhone,” Claudio told us, “if they can sell [Pegasus] to fifty different customers and they all pay millions.”

He also offered the journalists in the room a brief history lesson, walking them through the various stages of the evolving and improving Pegasus technology: from the crude, social engineering- and SMS-based one-click exploits, to the multiple reconstitutions of the Pegasus internet infrastructure, to the deviously tweaked process execution names that mimicked legitimate iOS process names, and finally to NSO’s mastery of zero-click, zero-day exploits that took advantage of vulnerabilities its researchers had discovered in iMessage and Apple Photos. Even if Apple found a breach and patched it, Claudio explained, NSO was often capable of finding a new vulnerability and engineering a new exploit. Craig Timberg, who covered tech and tech companies for the Post, stopped Claudio for clarification.


pages: 326 words: 103,170

The Seventh Sense: Power, Fortune, and Survival in the Age of Networks by Joshua Cooper Ramo

air gap, Airbnb, Alan Greenspan, Albert Einstein, algorithmic trading, barriers to entry, Berlin Wall, bitcoin, Bletchley Park, British Empire, cloud computing, Computing Machinery and Intelligence, crowdsourcing, Danny Hillis, data science, deep learning, defense in depth, Deng Xiaoping, drone strike, Edward Snowden, Fairchild Semiconductor, Fall of the Berlin Wall, financial engineering, Firefox, Google Chrome, growth hacking, Herman Kahn, income inequality, information security, Isaac Newton, Jeff Bezos, job automation, Joi Ito, Laura Poitras, machine translation, market bubble, Menlo Park, Metcalfe’s law, Mitch Kapor, Morris worm, natural language processing, Neal Stephenson, Network effects, Nick Bostrom, Norbert Wiener, Oculus Rift, off-the-grid, packet switching, paperclip maximiser, Paul Graham, power law, price stability, quantitative easing, RAND corporation, reality distortion field, Recombinant DNA, recommendation engine, Republic of Letters, Richard Feynman, road to serfdom, Robert Metcalfe, Sand Hill Road, secular stagnation, self-driving car, Silicon Valley, Skype, Snapchat, Snow Crash, social web, sovereign wealth fund, Steve Jobs, Steve Wozniak, Stewart Brand, Stuxnet, superintelligent machines, systems thinking, technological singularity, The Coming Technological Singularity, The Wealth of Nations by Adam Smith, too big to fail, Vernor Vinge, zero day

And even once a patch is developed, it can take weeks or months before it’s widely installed. It’s not uncommon, therefore, that within hours of the announcement of a newly found zero day hole, attacks using that method explode around the net. Thousands of hackers try to take advantage of the vulnerability, to kick at the defensive walls of systems while they are down for repair or restart—or simply left vulnerable by slower-witted system administrators who don’t yet know that it is now open hunting season on a particular bit of code. Heartbleed, a zero day that permitted hackers to slip into your computer through holes in your Web browser, was disclosed to the world on April 7, 2014—more than two years after it had apparently been put in place because of a programming error.

It is better to hack, discover, and patch than to be hacked and have the hack remain undiscovered. But the good guys are racing against equivalently sophisticated teams with indecent motives. The development and sale of zero-day bugs is, after all, a business. Modern versions of Cap’n Crunch whistles can crack open some of the most essential financial, political, and security data stores on the planet. As the value of hacking targets has increased, so has the price of the exploits. Public “zero-day markets” pay hundreds of thousands of dollars to researchers who discover holes in their systems. Better to find them ourselves, the thinking goes, though that does not always make the embarrassment less acute.

Such a hack would be like having a foreign spy win the presidency, turning the whole U.S. government into a weird machine. That prize of immediate, high-level, and totally trusted access is the warez dude gold standard. The most dangerous—and therefore the most alluringly valuable—of these sorts of attacks are known as zero-day exploits. The danger they represent becomes apparent only at some awful instant, “day zero,” when they are revealed to have been running wild inside some hapless network or machine. That first moment of awareness of the bug is like day zero in a cancer diagnosis, and it begins an immediate race to find and deliver a cure.


pages: 282 words: 92,998

Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke, Robert Knake

air gap, barriers to entry, complexity theory, data acquisition, Dr. Strangelove, escalation ladder, Golden arches theory, Herman Kahn, information security, Just-in-time delivery, launch on warning, military-industrial complex, MITM: man-in-the-middle, nuclear winter, off-the-grid, packet switching, RAND corporation, Robert Hanssen: Double agent, Ronald Reagan, Seymour Hersh, Silicon Valley, smart grid, South China Sea, Steve Jobs, systems thinking, Timothy McVeigh, trade route, undersea cable, Y2K, zero day

The black box inspectors would have to be connected to each other on a closed network, what is called “out-of-band communications” (not on the Internet), so that they could be updated quickly and reliably even if the Internet were experiencing difficulties. Imagine that a new piece of attack software enters into cyberspace, one that no one has ever seen before. This “Zero Day” malware begins to cause a problem by attacking some sites. The deep-packet inspection system would be tied into Internet security companies, research centers, and government agencies that are looking for Zero Day attacks. Within minutes of the malware being seen, its signature would be flashed out to the scanners, which would start blocking it and would contain the attack. A precursor to this kind of deep-packet inspection system is already being deployed.

If you were a senior research scientist at Google, you might have received an e-mail containing a link to a website that looked like it was from a colleague. The message might have said, “Hey, Chuck, I think this story will interest you…” and then provided a link to a fairly innocuous site. When the target clicked on the link and visited the site, the hackers used a zero-day flaw in Internet Explorer, one that was not publicly known and had yet to be patched, to download the malware silently and in such a fashion that no antivirus software or other measures would detect it. The malware created a back door to the computer so the hackers could maintain their access and used the first compromised computer to work their way across the corporate network until they reached the servers containing the source code, the crown jewel of a software company.

You are the Assistant to the President for Homeland Security and you get a call from the White House Situation Room as you are packing up to leave the office for the day, at eight p.m. NSA has issued a “CRITIC” message, a rare alert that something important has just happened. The one-line message says only: “large scale movement of several different zero day malware programs moving on Internet in the US, affecting critical infrastructure.” The Situation Room’s Senior Duty Officer suggests that you come down and help him figure out what is going on. By the time you get to the Situation Room, the Director of the Defense Information Systems Agency is waiting on the secure phone for you.


pages: 457 words: 126,996

Hacker, Hoaxer, Whistleblower, Spy: The Story of Anonymous by Gabriella Coleman

1960s counterculture, 4chan, Aaron Swartz, Amazon Web Services, Bay Area Rapid Transit, bitcoin, Chelsea Manning, citizen journalism, cloud computing, collective bargaining, corporate governance, creative destruction, crowdsourcing, data science, David Graeber, Debian, digital rights, disinformation, do-ocracy, East Village, Eben Moglen, Edward Snowden, false flag, feminist movement, Free Software Foundation, Gabriella Coleman, gentrification, George Santayana, Hacker News, hive mind, impulse control, information security, Jacob Appelbaum, jimmy wales, John Perry Barlow, Julian Assange, Laura Poitras, lolcat, low cost airline, mandatory minimum, Mohammed Bouazizi, Network effects, Occupy movement, Oklahoma City bombing, operational security, pirate software, power law, Richard Stallman, SETI@home, side project, Silicon Valley, Skype, SQL injection, Steven Levy, Streisand effect, TED Talk, Twitter Arab Spring, WikiLeaks, zero day

People who just run LOIC are considered beneath the “hacker” moniker, mere “script kiddies,” or “skiddies” for short. gibnut announces that he has an “0day,” which is much more powerful. A “zero day” exploit, or “oh day” as people sometimes jokingly call it, is a previously unknown security vulnerability in a piece of software. It is called a zero-day because it is unknown by the public—or the software authors who could fix it—for zero days and counting. A zero day is gold; anyone who knows the zero day can exploit it over and over until it is patched. The most coveted zero days provide access to a computer or network, which is why they are sold for high profit in a thriving black market.

Many, many governments participate in this ethically problematic market, including the US government, who, according to technology reporter Joseph Menn, “has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”16 The US government largely purchases 0days from private firms that “spend at least tens of millions of dollars a year just on exploits,” which are so valuable for granting direct access to wherever the exploit exists.17 Which is to say, gibnut’s news was received with excitement:
gibnut: lets see fuck loic, we’ll hurt them a different way
p-ground: oh yes please
gibnut: I have 0day local root exploit against openwebmail and Tunisia’s NIC servers run it
gibnut: https://risala.ati.tn/cgi-bin/openwebmail/openwebmail.pl
gibnut: if we can get into that server we can root tunisias .tn tld nameservers and control its entire internet space
p-ground: oshit
gibnut: redirect it all to wikileaks ;)
p-ground: shit just got real due to gibnut
With this zero day, gibnut is suggesting that they can compromise the domain name registrar in Tunisia (the NIC) and control the entire Tunisian top-level domain (TLD) name space. An example of a TLD is .com or .org. Each country has its own TLD; Tunisia’s is “.tn”. If the Anons can compromise this Tunisian registrar, they can redirect everyone who tries to navigate to a website that ends in .tn to any server they wish. gibnut suggests WikiLeaks.

The chat logs in particular go a long way towards confirming, as Cameron wrote, “longstanding accusations that federal investigators allowed an informant to repeatedly break computer-crime laws while in pursuit of Hammond and other Anonymous figures.”27 Allegations that Sabu aided and abetted illegal activity (recall that it was Sabu who brought the Stratfor vulnerability to Hammond in the first place) were not limited to the Stratfor hack. During Hammond’s sentencing hearing in November 2014, he read a statement that included another explosive accusation: After Stratfor, I continued to break into other targets, using a powerful “zero day exploit” allowing me administrator access to systems running the popular Plesk webhosting platform. Sabu asked me many times for access to this exploit, which I refused to give him. Without his own independent access, Sabu continued to supply me with lists of vulnerable targets. I broke into numerous websites he supplied, uploaded the stolen email accounts and databases onto Sabu’s FBI server, and handed over passwords and backdoors that enabled Sabu (and, by extension, his FBI handlers) to control these targets.


pages: 590 words: 152,595

Army of None: Autonomous Weapons and the Future of War by Paul Scharre

"World Economic Forum" Davos, active measures, Air France Flight 447, air gap, algorithmic trading, AlphaGo, Apollo 13, artificial general intelligence, augmented reality, automated trading system, autonomous vehicles, basic income, Black Monday: stock market crash in 1987, brain emulation, Brian Krebs, cognitive bias, computer vision, cuban missile crisis, dark matter, DARPA: Urban Challenge, data science, deep learning, DeepMind, DevOps, Dr. Strangelove, drone strike, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, facts on the ground, fail fast, fault tolerance, Flash crash, Freestyle chess, friendly fire, Herman Kahn, IFF: identification friend or foe, ImageNet competition, information security, Internet of things, Jeff Hawkins, Johann Wolfgang von Goethe, John Markoff, Kevin Kelly, Korean Air Lines Flight 007, Loebner Prize, loose coupling, Mark Zuckerberg, military-industrial complex, moral hazard, move 37, mutually assured destruction, Nate Silver, Nick Bostrom, PalmPilot, paperclip maximiser, pattern recognition, Rodney Brooks, Rubik’s Cube, self-driving car, sensor fusion, South China Sea, speech recognition, Stanislav Petrov, Stephen Hawking, Steve Ballmer, Steve Wozniak, Strategic Defense Initiative, Stuxnet, superintelligent machines, Tesla Model S, The Signal and the Noise by Nate Silver, theory of mind, Turing test, Tyler Cowen, universal basic income, Valery Gerasimov, Wall-E, warehouse robotics, William Langewiesche, Y2K, zero day

It was a form of malware that security professionals have long speculated was possible but had never seen before: a digital weapon. Stuxnet, as the worm came to be called, could do more than spy, steal things, and delete data. Stuxnet could break things, not just in cyberspace but in the physical world as well. Stuxnet was a serious piece of malware. Zero-day exploits take advantage of vulnerabilities that software developers are unaware of. (Defenders have known about them for “zero days.”) Zero-days are a prized commodity in the world of computer security, worth as much as $100,000 on the black market. Stuxnet had four. Spreading via removable USB drives, the first thing Stuxnet did when it spread to a new system was to give itself “root” access in the computer, essentially unlimited access.

Alexander* on the Future of Warfare before the Senate Armed Services Committee,” November 3, 2015, http://www.armed-services.senate.gov/imo/media/doc/Alexander_11-03-15.pdf. 213 team of professional hackers months if not years: David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum: Technology, Engineering, and Science News, February 26, 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet. 213 “zero days”: Kim Zetter, “Hacker Lexicon: What Is a Zero Day?,” WIRED, November 11, 2014, https://www.wired.com/2014/11/what-is-a-zero-day/. 213 Stuxnet had four: Michael Joseph Gross, “A Declaration of Cyber War.” Vanity Fair, March 2011, https://www.vanityfair.com/news/2011/03/stuxnet-201104. 214 programmable logic controllers: Gross, “A Declaration of Cyber War.”

Once it arrives at its target, Stuxnet carries out the attack on its own. In that sense, Stuxnet is analogous to a homing munition. A human chooses the target and Stuxnet conducts the attack. Autonomy is also essential for cyberdefense. The sheer volume of attacks means it is impossible to catch them all. Some will inevitably slip through defenses, whether by using zero-day vulnerabilities, finding systems that have not yet been updated, or exploiting users who insert infected USB drives or click on nefarious links. This means that in addition to keeping malware out, security specialists have also adopted “active cyberdefenses” to police networks on the inside to find malware, counter it, and patch network vulnerabilities.


Active Measures by Thomas Rid

1960s counterculture, 4chan, active measures, anti-communist, back-to-the-land, Berlin Wall, Bernie Sanders, bitcoin, Black Lives Matter, call centre, Charlie Hebdo massacre, Chelsea Manning, continuation of politics by other means, cryptocurrency, cuban missile crisis, disinformation, Donald Trump, dual-use technology, East Village, Edward Snowden, en.wikipedia.org, end-to-end encryption, facts on the ground, fake news, Fall of the Berlin Wall, false flag, guest worker program, information security, Internet Archive, Jacob Appelbaum, John Markoff, Julian Assange, kremlinology, Mikhail Gorbachev, military-industrial complex, Norman Mailer, nuclear winter, operational security, peer-to-peer, Prenzlauer Berg, public intellectual, Ronald Reagan, Russian election interference, Silicon Valley, Stewart Brand, technoutopianism, We are Anonymous. We are Legion, Whole Earth Catalog, WikiLeaks, zero day

Some of the code names referred to what computer security experts call zero-days, previously undiscovered cracks and fissures in widespread computer software—in this case, Microsoft Windows, the single most widespread operating system on the planet. The NSA had found and used secret doors into Windows, but had notified no one, not even Microsoft. One former NSA employee told The Washington Post later that the intelligence haul of one particular tool, ETERNALBLUE, was “unreal.” Another said using the tool was “like fishing with dynamite.”10 Whoever had the zero-days could get in undetected, not into one machine, but any number, and not just to steal things, but to break them.

So far only two parties knew that several zero-days were on the list and likely to come out soon: the Shadow Brokers and the NSA. The mysterious group was sending a secret, terrifying message to America’s intelligence community, in plain daylight on public social media platforms. To many in the NSA, the message was clear: a brazen foreign actor had gained access to some of America’s most valuable digital spy equipment. One of the NSA’s worst nightmares had become reality. Matt Tait, the former GCHQ exploit developer and operator, assessed the damage caused by the Shadow Brokers as “easily the biggest single tactical loss to the NSA in a generation.”11 The agency knew what to do next: destroy the tools by closing the holes they exploited before anybody could light up the dynamite or, even worse, publish the dynamite recipe.

Fort Meade notified Microsoft,12 where developers began to patch the vulnerabilities that the NSA had been using to such “unreal” effect. On March 14, about two months after the ominous first post that exposed the zero-days had appeared, Microsoft issued a “critical” update for all versions of Windows.13 Meanwhile, early on the morning of April 7, the U.S. Navy struck a Syrian airbase with 59 Tomahawk cruise missiles in retaliation against Syria’s use of chemical weapons on its own civilians. Russia was a Syrian ally, and later that day a Kremlin spokesperson strongly condemned the American strikes as an “act of aggression against a sovereign country.”14 The next day, after months of silence, the Shadow Brokers reappeared with a long, rambling message expressing disappointment in the Trump administration’s decision to strike Syria, denied any links to Russia, and—as “our form of protest”—published the secret key to the encrypted, once-for-sale EQGRP-AUCTION-FILE archive.


pages: 322 words: 84,752

Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up by Philip N. Howard

Aaron Swartz, Affordable Care Act / Obamacare, Berlin Wall, bitcoin, blood diamond, Bretton Woods, Brian Krebs, British Empire, butter production in bangladesh, call centre, Chelsea Manning, citizen journalism, Citizen Lab, clean water, cloud computing, corporate social responsibility, creative destruction, crowdsourcing, digital map, Edward Snowden, en.wikipedia.org, Evgeny Morozov, failed state, Fall of the Berlin Wall, feminist movement, Filter Bubble, Firefox, Francis Fukuyama: the end of history, Google Earth, Hacker News, Howard Rheingold, income inequality, informal economy, information security, Internet of things, John Perry Barlow, Julian Assange, Kibera, Kickstarter, land reform, M-Pesa, Marshall McLuhan, megacity, Mikhail Gorbachev, mobile money, Mohammed Bouazizi, national security letter, Nelson Mandela, Network effects, obamacare, Occupy movement, off-the-grid, packet switching, pension reform, prediction markets, sentiment analysis, Silicon Valley, Skype, spectrum auction, statistical model, Stuxnet, Tactical Technology Collective, technological determinism, trade route, Twitter Arab Spring, undersea cable, uranium enrichment, WikiLeaks, zero day

Rebecca MacKinnon, “Keynote Speech on Surveillance,” in Opening Ceremony of the Freedom Online Conference, 2013, accessed September 30, 2014, http://consentofthenetworked.com/2013/06/17/freedom-online-keynote/. 10. “Aaron Swartz,” Wikipedia, accessed June 29, 2014, http://en.wikipedia.org/wiki/Aaron_Swartz. 11. “Russian Business Network,” Wikipedia, accessed June 19, 2014, http://en.wikipedia.org/wiki/Russian_Business_Network. 12. “Zero-Day Attack,” Wikipedia, accessed June 21, 2014, http://en.wikipedia.org/wiki/Zero-day_attack. 13. “U.S.-Style Personal Data Gathering Is Spreading Worldwide,” Forbes, accessed June 29, 2014, http://www.forbes.com/sites/adamtanner/2013/10/16/u-s-style-personal-data-gathering-spreading-worldwide/; Paul Schwartz, Managing Global Privacy (Berkeley: ThePrivacyProjects.org, January 2009), accessed September 30, 2014, http://theprivacyprojects.org/wp-content/uploads/2009/08/The-Privacy-Projects-Paul-Schwartz-Global-Data-Flows-20093.pdf. 14.

The Russian Business Network has become a service that essentially provides IT support for criminal networks.11 For a while it was openly selling a key-logging software for $150. The organization is probably behind the Storm botnet described earlier, and it actually specializes in identity theft services. The Russian government taps it for work projects. It contributes to the international market for zero-day exploits, trading in software flaws that a buyer can only use once against a device.12 For such dubious businesses and criminal actors, the internet of things will serve as a vast array for gathering data and a means of providing illegal information services. Coupled with the largely unregulated but not illegal markets in data about people from around the world, much of what is collected over the internet of things will be valuable—and valued—by lobbyists everywhere.13 Denial-of-service attacks can be ordered online for between five and one hundred dollars, depending on the size of the target.14 Hacktivists and whistle blowers will continue to teach us the most about political actors’ use of inconspicuous devices to manipulate public opinion and manage political life.

See also Assange, Julian; Manning, Chelsea; Snowden, Edward; WikiLeaks wicked problems, 112 WikiLeaks, 13, 43–44, 201, 216 Wilson, Chris, 121 Witness Project, 20 World Bank, 55, 56, 251 World Social Forum, 49–50 Xi Jinping, 192 Xinhua news agency, 191 Yahoo!, 248 Yang, Guobin, 186 Yeltsin, Boris, 37 youth, attraction of, to digital media, 239–40 YouTube, 8–9, 45; in Turkey, 116; white supremacist videos on, 217 Zapatistas (Zapatista Liberation Army), 38, 47–53, 135, 229 zero-day exploits, 236 Zhang, Haiyan, 177a Zimbabwe, 92; anarchy in, 94; infrastructure deals with China, 114; receiving Chinese training on networks, 215 ZTE, 113–14 Zuckerman, Ethan, 138


pages: 294 words: 81,292

Our Final Invention: Artificial Intelligence and the End of the Human Era by James Barrat

AI winter, air gap, AltaVista, Amazon Web Services, artificial general intelligence, Asilomar, Automated Insights, Bayesian statistics, Bernie Madoff, Bill Joy: nanobots, Bletchley Park, brain emulation, California energy crisis, cellular automata, Chuck Templeton: OpenTable:, cloud computing, cognitive bias, commoditize, computer vision, Computing Machinery and Intelligence, cuban missile crisis, Daniel Kahneman / Amos Tversky, Danny Hillis, data acquisition, don't be evil, drone strike, dual-use technology, Extropian, finite state, Flash crash, friendly AI, friendly fire, Google Glasses, Google X / Alphabet X, Hacker News, Hans Moravec, Isaac Newton, Jaron Lanier, Jeff Hawkins, John Markoff, John von Neumann, Kevin Kelly, Law of Accelerating Returns, life extension, Loebner Prize, lone genius, machine translation, mutually assured destruction, natural language processing, Neil Armstrong, Nicholas Carr, Nick Bostrom, optical character recognition, PageRank, PalmPilot, paperclip maximiser, pattern recognition, Peter Thiel, precautionary principle, prisoner's dilemma, Ray Kurzweil, Recombinant DNA, Rodney Brooks, rolling blackouts, Search for Extraterrestrial Intelligence, self-driving car, semantic web, Silicon Valley, Singularitarianism, Skype, smart grid, speech recognition, statistical model, stealth mode startup, stem cell, Stephen Hawking, Steve Jobs, Steve Jurvetson, Steve Wozniak, strong AI, Stuxnet, subprime mortgage crisis, superintelligent machines, technological singularity, The Coming Technological Singularity, Thomas Bayes, traveling salesman, Turing machine, Turing test, Vernor Vinge, Watson beat the top human players on Jeopardy!, zero day

At the Natanz plant PCs were running software that permits users to visualize, monitor, and control plant operations from their computers. Once Stuxnet got access to one computer, phase one of its invasion began. It used four zero day vulnerabilities in the Microsoft Windows operating system to take control of that computer and search for others. Zero day vulnerabilities are holes in the computer’s operating software that no one has discovered yet, holes that permit unauthorized access to the computer. Hackers covet zero day vulnerabilities—their specs can sell for as much as $500,000 on the open market. Using four at the same time was extravagant, but it greatly enhanced the virus’s chances of success.

Three Mile Island tightly coupled systems Thrun, Sebastian transhumans transistors Traveller Trillion Credit Squadron Turing, Alan Turing machine Turing test Tversky, Amos two-minute problem 2001: A Space Odyssey Ulam, Stanislaw utility function Vassar, Michael Vicarious Systems Vinge, Vernor violence Virginia Tech Massacre Virtually You (Aboujaoude) voice recognition von Neumann, John Voss, Peter Wallach, Wendall Wall Street Warwick, Kevin Washington Post Watson weapons, see military Whitby, Blay “Why the Future Doesn’t Need Us” (Joy) Wired for Thought (Stibel) Wissner-Gross, Alexander D. Wolfram, Stephen Wozniak, Steve You Are Not a Gadget: A Manifesto (Lanier) Yudkowsky, Eliezer Yudkowsky, Yehuda Zeitgist ’06 zero day vulnerabilities Zeroth Law Zeus malware About the Author James Barrat is a documentary filmmaker who’s written and produced films for National Geographic, Discovery, PBS, and many other broadcasters in the United States and Europe. He lives near Washington, D.C., with his wife and two children.


pages: 302 words: 82,233

Beautiful security by Andy Oram, John Viega

Albert Einstein, Amazon Web Services, An Inconvenient Truth, Bletchley Park, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, do well by doing good, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, information security, loose coupling, Marc Andreessen, market design, MITM: man-in-the-middle, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, operational security, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, SQL injection, statistical model, Steven Levy, the long tail, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, zero day, Zimmermann PGP

Or think about it for more than 30 seconds at a time? To people tasked with creating secure systems, the effort seems hopeless. Nobody at their site cooperates with their procedures, and the business managers refuse to allocate more than a pittance to security. Jaded from the endless instances of zero-day exploits and unpatched vulnerabilities in the tools and languages they have to work with, programmers and system administrators become lax. This is why books on security sell poorly (although in the last year or two, sales have picked up a bit). Books on hacking into systems sell much better than books about how to protect systems, a trend that really scares me.

Rustock.C, one of the most dangerous Windows-based rootkits found to date, is a good example of this, having been in the wild for over a year before it was discovered, analyzed, and added to detection signatures. Even daily updates would not give manufacturers enough time to find, analyze, and distribute defenses against new malware, so users are vulnerable to yet unknown attacks (zero-day exploits). From this description, it would be legitimate to assume that a researcher is seeing an old version of the malware and that it has had time to make the rounds with other malware developers and “users.” Each malicious attack quickly changes into something completely new or incorporates some of its capabilities into something else.

He served on the Roundtable on Scientific Communication and National Security, a collaborative project of the National Research Council and the Center for Strategic and International Studies. 268 CONTRIBUTORS INDEX Numbers 3-D Secure protocol account holder domain, 76 acquirer domain, 76 e-commerce security and, 76–78 evaluation of, 77 issuer domain, 76 transaction process, 76 802.11b standard, 51, 52 802.11i standard, 51 A ABA (American Bar Association), 203 Access Control Server (ACS), 77 accountability, 213, 214 ACS (Access Control Server), 77 ActionScript, 93 ad banners (see banner ads) Adams, Douglas, 158 Advanced Monitor System (AMS), 254, 256 advertising (see online advertising) adware (see spyware) Aegenis Group, 66 Agriculture, Department of, 196 AHS (Authentication History Server), 77 AI (artificial intelligence), 254, 257 AllowScriptAccess tag, 94 Amazon Web Services platform, 152 Amazon.com, 102 American Bar Association (ABA), 203 AMS (Advanced Monitor System), 254, 256 analyst confirmation traps, 12 Anderson, Chris, 165 Andreessen, Marc, 165, 166 Anna Carroll (barge), 206 anti-executables, 253 anti-spyware software evolution of, 251 initial implementation, 251 intrusive performance, 254 strict scrutiny, 252 anti-virus software diminished effectiveness, 249 functional fixation, 15 functionality, 232 historical review, 248–249 honeyclients and, 141 intrusive performance, 254 malware signature recognition, 251 need for new strategies, 248 strict scrutiny, 252 zero-day exploits and, 252 Apgar score, 37 Apgar, Virginia, 37 Apple Computer, 8 artificial intelligence (AI), 254, 257 Ascom-Tech AG, 117 Ashenfelter, Orley, 164 Aspect Security, 188 Atkins, Derek, 119 ATMs, early security flaws, 36 attacks (see malicious attacks) attribute certificates, 111 Attrition.org, 55 authentication 3-D Secure protocol, 77 auto-update and, 15 CV2 security code, 76 e-commerce security, 83, 84 federated programs, 210 NTLM, 6 password security, 7 PGP Global Directory and, 127 
portability of, 85 security pitfall in, 71 SET protocol, 78 WEP support, 52 Authentication History Server (AHS), 77 authoritative keys, 123 authorization We’d like to hear your suggestions for improving our indexes.


Spies, Lies, and Algorithms by Amy B. Zegart

2021 United States Capitol attack, 4chan, active measures, air gap, airport security, Apollo 13, Bellingcat, Bernie Sanders, Bletchley Park, Chelsea Manning, classic study, cloud computing, cognitive bias, commoditize, coronavirus, correlation does not imply causation, COVID-19, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, deep learning, deepfake, DeepMind, disinformation, Donald Trump, drone strike, dual-use technology, Edward Snowden, Elon Musk, en.wikipedia.org, end-to-end encryption, failed state, feminist movement, framing effect, fundamental attribution error, Gene Kranz, global pandemic, global supply chain, Google Earth, index card, information asymmetry, information security, Internet of things, job automation, John Markoff, lockdown, Lyft, Mark Zuckerberg, Nate Silver, Network effects, off-the-grid, openstreetmap, operational security, Parler "social media", post-truth, power law, principal–agent problem, QAnon, RAND corporation, Richard Feynman, risk tolerance, Robert Hanssen: Double agent, Ronald Reagan, Rubik’s Cube, Russian election interference, Saturday Night Live, selection bias, seminal paper, Seymour Hersh, Silicon Valley, Steve Jobs, Stuxnet, synthetic biology, uber lyft, unit 8200, uranium enrichment, WikiLeaks, zero day, zero-sum game

What if the United States attacked Iran’s centrifuges with a cyberweapon?98 The result was Stuxnet, the most sophisticated cyber weapon in the world, with code fifty times larger than typical malware.99 The CIA, the NSA, and Israel’s elite cyber Unit 8200 reportedly joined forces.100 Forensics revealed that Stuxnet used four rare and valuable “zero day” vulnerabilities (coding flaws unknown to security researchers or software vendors) to find the precise software operating Iran’s centrifuges, spread inside, hide, and destroy without a trace.101 Still, the operation needed humans. The Natanz computers were “air gapped”—they weren’t connected to the Internet.

Andrew Glass, “U.S. planes bomb Libya, April 15, 1986,” Politico, April 15, 2019, https://www.politico.com/story/2019/04/15/reagan-bomb-libya-april-15-1986-1272788. 69. President Reagan’s Address to the Nation on the Bombing on Libya, April 14, 1986, Reagan Library, Youtube, https://www.youtube.com/watch?v=pjYMVSA6xM8. 70. Sanger, Perfect Weapon; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown Publishers, 2014). 71. Greg Miller, “Under Obama, An Emerging Global Apparatus for Drone Killing,” Washington Post, December 27, 2011, https://www.washingtonpost.com/national/national-security/under-obama-an-emerging-global-apparatus-for-drone-killing/2011/12/13/gIQANPdILP_story.html. 72.

., “Mysterious Explosion and Fire Damage”; Guilbert Gates, “How a Secret Cyberwar Program Worked,” New York Times, June 1, 2012, https://archive.nytimes.com/www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html?ref=middleeast; David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (New York: Crown, 2018), 9, 41. 11. For details, see Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown Publishers, 2014); Sanger, Perfect Weapon. 12. Sanger et al., “Mysterious Explosion and Fire Damage.” 13. See July 2, 2020, Tweets by @fabhinz and @ThegoodISIS; Gambrell, “Analysts: Fire at Iran Nuke Site”; and Sanger et al., “Mysterious Explosion and Fire Damage.” 14.


pages: 315 words: 93,522

How Music Got Free: The End of an Industry, the Turn of the Century, and the Patient Zero of Piracy by Stephen Witt

4chan, Alan Greenspan, AOL-Time Warner, autism spectrum disorder, barriers to entry, Berlin Wall, big-box store, cloud computing, collaborative economy, company town, crowdsourcing, Eben Moglen, game design, hype cycle, Internet Archive, invention of movable type, inventory management, iterative process, Jason Scott: textfiles.com, job automation, late fees, mental accounting, moral panic, operational security, packet switching, pattern recognition, peer-to-peer, pirate software, reality distortion field, Ronald Reagan, security theater, sharing economy, side project, Silicon Valley, software patent, Stephen Fry, Steve Jobs, Tipper Gore, zero day

Scene members organized themselves into loosely affiliated digital crews, and those crews raced one another to be the first to release newly pirated material. Often this material was available the same day it was officially released. Sometimes it was even possible, by hacking company servers, or by accessing unscrupulous employees or vendors, to pirate a piece of software before it was available in stores. These prerelease leaks were called “zero-day” warez, and the ability to regularly source them earned one the ultimate accolade in digital piracy: to be among the “elite.” Now the Scene was moving from software to music, and it was their enthusiasm for the technology that sparked the mp3 craze. The first industrial-scale mp3 pirate was a Scene player by the screen name “NetFraCk,” who, in September 1996, offered an interview to Affinity, an underground Scene newsletter, which like the earliest cracked software, was distributed through snail mail on a 3.5-inch floppy disk.

They called it RNS for short. The group had formed a few weeks after Compress ’Da Audio, the pioneering mp3 releasing group. Within months they had eclipsed the originals, and quickly competed them out of existence. Instead of pirating individual songs, RNS was pirating whole albums, and bringing the same elite “zero-day” mentality from software to music. The goal was to beat the official release date wherever possible, and that meant a campaign of infiltration against the music majors. The founders of RNS had gone by the handles “NOFX” and “Bonethug,” although Dockery never interacted with these two. They dated back to the distant mists of 1996, as might be inferred by the musical acts their screen names referred to.

He knew all the beefs, all the disses, and all the details of the internecine label feuds. And he also knew that, in the aftermath of the murders of Biggie and Tupac, those feuds were dying down and the labels were consolidating. Death Row, Bad Boy, Cash Money, and Aftermath were all going corporate. In his relentless quest for zero-day leaks, Kali tracked these pressing and distribution deals carefully, and his research kept bringing him back to Universal. But without consistent access inside that company, rival release crews had been beating him. Glover was his ticket in. The two hashed out the details of their partnership.


pages: 453 words: 114,250

The Great Firewall of China by James Griffiths

A Declaration of the Independence of Cyberspace, activist fund / activist shareholder / activist investor, Albert Einstein, anti-communist, bike sharing, bitcoin, Black Lives Matter, borderless world, call centre, Cambridge Analytica, Chelsea Manning, Citizen Lab, Deng Xiaoping, digital divide, digital rights, disinformation, don't be evil, Donald Trump, Edward Snowden, end-to-end encryption, Evgeny Morozov, fake news, gig economy, Great Leap Forward, high-speed rail, jimmy wales, John Gilmore, John Perry Barlow, Mark Zuckerberg, megacity, megaproject, microaggression, Mikhail Gorbachev, Mitch Kapor, mobile money, Occupy movement, pets.com, profit motive, QR code, race to the bottom, RAND corporation, ride hailing / ride sharing, Ronald Reagan, Silicon Valley, Silicon Valley startup, Skype, Snapchat, South China Sea, Steve Jobs, Stewart Brand, Stuxnet, technoutopianism, The future is already here, undersea cable, WikiLeaks, zero day

The hackers had built up a profile of the target based on information they gleaned via Facebook, LinkedIn and other social networks, then, appearing to be someone the employee trusted, they sent them a link via instant message.12 When clicked, the link took the employee to a website poisoned with malware capable of enacting a ‘zero-day’ exploit, a never before seen vulnerability, in the Internet Explorer browser.13 The zero-day was used to download more malware onto the employee’s computer, and with that the attackers were inside the Google network.14 With the China team employee’s credentials in their possession, the attackers had access to Moma, the Google intranet, which contained detailed breakdowns of teams, employee contact information, and progress reports for various projects.

They were horrified to discover that the attackers had not just compromised the company’s core systems, but had also broken into the individual Gmail accounts of Chinese and Tibetan dissidents, including artist Ai Weiwei and Tenzin Seldon, a twenty-year-old regional coordinator of Students for a Free Tibet.19 This and other clues pointed to the attack coming from China, while the sophistication of it, as well as the resources poured in to keep it going for months on end, suggested it was the work of a state-sponsored group.20 Security researchers at Symantec later dubbed the group ‘Elderwood’ and revealed that it had targeted dozens of other US companies, including Yahoo, Adobe, weapons manufacturer Northrop Grumman, and Dow Chemical.21 Some reports suggested the victims could have numbered over a hundred.22 As a Symantec report recounted: In most cases, Elderwood uses a convincing ‘spear-phishing’ fake email to fool an employee into clicking an infected emailed link or into opening a Trojan software-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have utilised costly ‘zero-day’ malware that takes advantage of a previously unknown flaw against which no defence exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude the group is exceedingly well funded.23 Although they apparently did not share this information with Google, leaked State Department cables show that US diplomats had also concluded the attack was linked to the Chinese government.

Wu, X. (2005) Chinese Cyber Nationalism: evolution, characteristics and implications, Lanham MD: Lexington Books. Xin, X. (2012) How the Market Is Changing China’s News: the case of Xinhua news agency, Lanham MD: Lexington Books. Yang, G. (2009) The Power of the Internet in China: citizen activism online, New York NY: Columbia University Press. Zetter, J. (2014) Countdown to Zero Day: Stuxnet and the launch of the world’s first digital weapon, New York NY: Crown/Archetype. Zhu, Y. (2012) Two Billion Eyes: the story of China Central Television, New York NY: The New Press. Zittrain, J. and B. Edelman (2003) ‘Empirical analysis of internet filtering in China’, Cambridge MA: Berkman Klein Center for Internet and Society, https://cyber.harvard.edu/filtering/china/.


pages: 264 words: 79,589

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen

Apple II, Brian Krebs, Burning Man, corporate governance, dumpster diving, Exxon Valdez, fake news, gentrification, Hacker Ethic, hive mind, index card, Kickstarter, McMansion, Mercator projection, offshore financial centre, packet switching, pirate software, Ponzi scheme, Robert Hanssen: Double agent, Saturday Night Live, Silicon Valley, SQL injection, Steve Jobs, Steve Wozniak, Steven Levy, traffic fines, web application, WikiLeaks, zero day, Zipcar

Even if the bugs were not made public, the bad guys could figure them out by reverse-engineering the vulnerability from Microsoft’s patches. Security experts had been watching with dismay as the time between a vulnerability’s announcement and its exploitation by black hats shrank from months to days. In the worst-case scenario, the black hats found a bug first: a “zero day” vulnerability that left the good guys playing catch-up. With new Microsoft patches coming out nearly every week, even vigilant corporations tended to lag in installing them, and average users often didn’t patch at all. A global survey of one hundred thousand Internet Explorer users conducted around the time of Max’s effort found that 45 percent suffered from unpatched remote access vulnerabilities; narrowing the field to American users cooled the number only slightly, to 36 percent.

But the scheme was hung up on Chris’s end. Chris had to find a safe harbor for the money Max would steal—an offshore repository where they could park the cash without it being recalled by the victim bank. So far, he’d failed. So when, in September, Max got his hands on a deadly new Internet Explorer zero day, he shared the news not with Chris but with a different partner, one who had more knowledge of international finance, the Carders Market admin called NightFox. The security hole was a monster: another buffer overflow, this time in the Internet Explorer code designed to let websites draw vector graphics on a visitor’s screen.

He visited the San Francisco courthouse and filled out the necessary paperwork. On August 14, a judge approved his legal name change from Max Butler to Max Ray Vision. He already had an idea for a new website that could catapult him back into the white-hat scene: a system for disclosing and managing zero-day vulnerabilities. He could seed it with the security holes he was privy to in the underground, bringing the exploits into the white-hat world like a defector crossing Checkpoint Charlie with a suitcase full of state secrets. But after all his work making Carders Market the top crime forum in the English-speaking world, he couldn’t bring himself to just abandon it.


pages: 306 words: 82,909

A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend Them Back by Bruce Schneier

4chan, Airbnb, airport security, algorithmic trading, Alignment Problem, AlphaGo, Automated Insights, banking crisis, Big Tech, bitcoin, blockchain, Boeing 737 MAX, Brian Krebs, Capital in the Twenty-First Century by Thomas Piketty, cloud computing, computerized trading, coronavirus, corporate personhood, COVID-19, cryptocurrency, dark pattern, deepfake, defense in depth, disinformation, Donald Trump, Double Irish / Dutch Sandwich, driverless car, Edward Thorp, Elon Musk, fake news, financial innovation, Financial Instability Hypothesis, first-past-the-post, Flash crash, full employment, gig economy, global pandemic, Goodhart's law, GPT-3, Greensill Capital, high net worth, Hyman Minsky, income inequality, independent contractor, index fund, information security, intangible asset, Internet of things, Isaac Newton, Jeff Bezos, job automation, late capitalism, lockdown, Lyft, Mark Zuckerberg, money market fund, moral hazard, move fast and break things, Nate Silver, offshore financial centre, OpenAI, payday loans, Peter Thiel, precautionary principle, Ralph Nader, recommendation engine, ride hailing / ride sharing, self-driving car, sentiment analysis, Skype, smart cities, SoftBank, supply chain finance, supply-chain attack, surveillance capitalism, systems thinking, TaskRabbit, technological determinism, TED Talk, The Wealth of Nations by Adam Smith, theory of mind, TikTok, too big to fail, Turing test, Uber and Lyft, uber lyft, ubercab, UNCLOS, union organizing, web application, WeWork, When a measure becomes a target, WikiLeaks, zero day

In every case, the vulnerability was discovered by researchers or the manufacturer itself, privately disclosed to the system designers, patched by the designers, and only afterwards published along with the fact that the system was no longer vulnerable. In computer security, we have a name for this: “responsible disclosure.” The opposite of that is a “zero-day vulnerability.” This is a vulnerability that is first discovered in secret, by criminals, governments, or hackers that sell to criminals or governments—and the organization in charge of the system doesn’t learn about it until it’s used in the wild. No one receives any advance warning in those cases.

Katzenbach, 164 spam, 46–47 spear phishing, 192 Spectre, 48 sponsored content, 194 spoofing, 81, 82 sports hacks, 41–44, 46, 103, 259n Summers, Larry, 97 sumptuary laws, 110 supply chain attacks, 145 Susskind, Jamie, 248 Suzuki, Daichi, 42 systems additional for hacking defense, 54, 60 biological, 19–20 defined, 17–18, 19 hierarchy and, 200 multiple levels of, 32 norms and, 66–67 resilience in, 152 rigidity of, 27 rules and, 18–19 thinking based on, 20 TaskRabbit, 124 Tata, Anthony, 160 tax code bugs in, 14–15 complexity of, 13–14 See also tax hacks Tax Cuts and Jobs Act (2017), 14, 15–16, 129, 146–47, 149 tax hacks architecture and, 109 creative hackers and, 22 cum-ex trading, 104–5 de minimis rule and, 249 defenses against, 15–16, 51, 61 jurisdictional rules and, 128–31 morality and, 263n wealth/power advantages and, 120 tax havens, 128–31 Tay (chatbot), 210 technological change, 251–52 telephone hacks, 26–27, 46 Terminator, 243 terrorism, 196 Tetzel, Johann, 72, 260n Theranos, 101 Thiel, Peter, 3, 4 threat modeling, 62–63, 64–65, 96 title-only bills, 154 “too big to fail” hack, 95–98 travel hacks, 179–80 trespass law, 135–36 tribal courts, 113 tribalism, 196–97 Troubled Asset Relief Program, 96 Trump, Donald banking hacks and, 77 cognitive hacks and, 182 destruction as result of hacking and, 173 legislative process hacks and, 147 norms and, 66–67 payday loans and, 126 social media and, 185 tax hacks and, 105 trust hacking, 27, 191–94, 218 TurboTax, 190 turducken, 110, 263n Turkle, Sherry, 218–19 Twenty-Fourth Amendment, 164 Twitter, 81 typos, 84–85 Uber, 99, 100, 101, 116, 123, 125, 264n unemployment insurance, 132–33 United Nations Convention on the Law of the Sea (1994), 130 user interface design, 189–90 Vacancies Reform Act (1998), 160 variable rewards, 186 venture capital (VC), 99–101, 125 Violence Against Women Act (2013), 114 voice assistants, 217 Volcker Rule, 77 Volkswagen, 234 Voltaire, 172 voter eligibility hacks, 161–63 voter ID laws, 164–65 Voting 
Rights Act (1965), 164 vulnerabilities acceptance of, 16 AI ability to find, 229–30, 238–39 ATM hacks and, 31, 33, 34 bugs as, 14–15 hacking as parasitical and, 48, 49 hacking hierarchy and, 201 hacking life cycle and, 21 identifying, 56–57, 77–78, 237–38 legislative process hacks and, 147–48, 267n of AI systems, 4, 209–11, 226–27 real estate hacks and, 86 responsible disclosure, 89–90 secure systems design and, 59 zero-day, 90 See also patching Walker, Scott, 166–67 WannaCry, 50 Warner, Mark, 190 Watts, Duncan, 97 wealth/power access and, 22 administrative burdens and, 134 democratic growth and, 250 election hacks and, 168–71 hacking advantages of, 103–4, 119–22 hacking governance systems and, 248 hacking normalization and, 73, 104, 119, 120, 122 impact on vulnerability patches and, 24 market hacks and, 97 trust breakdown and, 251 West, Kanye, 170 Westphal, Paul, 41 WeWork, 100 WikiLeaks, 191 Wilson, Edward O., 251 Winston, Patrick, 206 Women, Infants, and Children (WIC) program, 134 work-to-rule, 115–16, 121 YouTube, 185, 236 Zelenskyy, Volodymyr, 193 zero-day vulnerabilities, 90 Zone of Death jurisdictional loophole, 112–13 Zuckerberg, Mark, 94 Zuckerman, Ethan, 183 ALSO BY BRUCE SCHNEIER We Have Root Click Here to Kill Everybody Data and Goliath Carry On Liars and Outliers Cryptography Engineering Schneier on Security Practical Cryptography Beyond Fear Secrets and Lies The Twofish Encryption Algorithm The Electronic Privacy Papers E-Mail Security Protect Your Macintosh Applied Cryptography Copyright © 2023 by Bruce Schneier All rights reserved First Edition For information about permission to reproduce selections from this book, write to Permissions, W.



pages: 464 words: 127,283

Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia by Anthony M. Townsend

1960s counterculture, 4chan, A Pattern Language, Adam Curtis, air gap, Airbnb, Amazon Web Services, anti-communist, Apple II, Bay Area Rapid Transit, Big Tech, bike sharing, Boeing 747, Burning Man, business process, call centre, carbon footprint, charter city, chief data officer, clean tech, clean water, cloud computing, company town, computer age, congestion charging, congestion pricing, connected car, crack epidemic, crowdsourcing, DARPA: Urban Challenge, data acquisition, Deng Xiaoping, digital divide, digital map, Donald Davies, East Village, Edward Glaeser, Evgeny Morozov, food desert, game design, garden city movement, General Motors Futurama, gentrification, Geoffrey West, Santa Fe Institute, George Gilder, ghettoisation, global supply chain, Grace Hopper, Haight Ashbury, Hedy Lamarr / George Antheil, Herman Kahn, hive mind, Howard Rheingold, interchangeable parts, Internet Archive, Internet of things, Jacquard loom, Jane Jacobs, Jevons paradox, jitney, John Snow's cholera map, Joi Ito, Khan Academy, Kibera, Kickstarter, knowledge worker, Lewis Mumford, load shedding, lolcat, M-Pesa, machine readable, Mark Zuckerberg, megacity, megaproject, messenger bag, mobile money, mutually assured destruction, new economy, New Urbanism, Norbert Wiener, Occupy movement, off grid, One Laptop per Child (OLPC), openstreetmap, packet switching, PalmPilot, Panopticon Jeremy Bentham, Parag Khanna, patent troll, Pearl River Delta, place-making, planetary scale, popular electronics, power law, RFC: Request For Comment, RFID, ride hailing / ride sharing, Robert Gordon, scientific management, self-driving car, sharing economy, Shenzhen special economic zone , Silicon Valley, SimCity, Skype, smart cities, smart grid, smart meter, social graph, social software, social web, SpaceShipOne, special economic zone, Steve Jobs, Steve Wozniak, Stuxnet, supply-chain management, technoutopianism, Ted Kaczynski, telepresence, The Death and Life of Great American Cities, too big to fail, trade 
route, Twitter Arab Spring, Tyler Cowen, Tyler Cowen: Great Stagnation, undersea cable, Upton Sinclair, uranium enrichment, urban decay, urban planning, urban renewal, Vannevar Bush, working poor, working-age population, X Prize, Y2K, zero day, Zipcar

Stuxnet’s payload was highly targeted. It was programmed to only attack the Natanz centrifuges, and do so in a very specific way. Most importantly, it expended a highly valuable arsenal of “zero-day” attacks, undocumented vulnerabilities that can only be exploited once, after which a simple update will be issued by the software’s supplier. In its report on the virus, security software firm Symantec wrote “Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.”43 Stuxnet’s unique attributes aside, most embedded systems aren’t located in bunkers, and they are increasingly vulnerable to much simpler attacks on their human operators.

That summer Dillon Beresford, a security researcher at (oddly coincidentally) Houston-based network security outfit NSS Labs, had demonstrated several flaws in SIMATIC and ways to exploit them. Siemens managed to dodge the collateral damage of Stuxnet, but the holes in SIMATIC are indicative of far more serious risks it must address. Another troubling development is the growing number of “forever day” vulnerabilities being discovered in older control systems. Unlike zero-day exploits, for which vendors and security firms can quickly deploy countermeasures and patches, forever-day exploits target holes in legacy embedded systems that manufacturers no longer support—and therefore will never be patched. The problem affects industrial-control equipment sold in the past by both Siemens and GE, as well as a host of smaller firms.45 It has drawn increased interest from the Cyber Emergency Response Team, the government agency that coordinates American cyber-security efforts.

., 62 “Web 2.0,” 237 Web start-ups, 240 Weinberger, David, 297 Welter, Volker, 96 West, Geoffrey, 160, 250, 312–15 Western Union, 5 White Oak Plantation, 21 Wiener, Norbert, 75, 77, 277–78 Wi-Fi, 28, 55, 68, 126–34, 154, 195 limitations of, 196 public network for, 217–18 Wikipedia, 200 Wilde, Oscar, 282 Wilson, Fred, 152, 154 wireless networks, 52, 178, 195, 198–99 local area networks of (WLAN), 128 RFID barcode technology in, 318–19 U.S. investment in, 3 Wire, The, 211 Wireless Web, 122 World Bank, 12, 169–71, 178, 189 Apps for Development contest, 201 estimate of global GDP, 30 Worldnet, 36–37 World War I, U.S. postwar period of, 99–100 World War II, 51, 128 World Wildlife Foundation, 30 Wrestling with Moses (Flint), 103–4 Wright, Frank Lloyd, 26 X.25, 109 Y2K bug, 257 Yackinach, Mark, 302 Yahoo, 157 Yale University, 69 YouTube, 115 in Arab Spring, 12 Zakaria, Fareed, 107 Zaragoza, 217–23 Center for Art and Technology in, 219–20, 222–23 “citizen card” for, 221–22 Digital Diamond in, 220 Digital Mile in, 218–22 Digital Water Pavilion in, 220 as “open source city,” 218 Zehnder, Joe, 83–85 “zero-day” attacks, 267–68 Zipcar, 162–63 Zoellick, Robert, 169–70 Copyright Copyright © 2013 by Anthony M. Townsend All rights reserved Printed in the United States of America First Edition For information about permission to reproduce selections from this book, write to Permissions, W. W. Norton & Company, Inc., 500 Fifth Avenue, New York, NY 10110 For information about special discounts for bulk purchases, please contact W.


pages: 246 words: 16,997

Financial Modelling in Python by Shayne Fletcher, Christopher Gardner

Brownian motion, discrete time, financial engineering, functional programming, interest rate derivative, London Interbank Offered Rate, stochastic volatility, yield curve, zero day, zero-coupon bond

Accordingly the ppf.core.generate_observables module offers the function generate_libor_observables() for this purpose.

    def generate_libor_observables(
        start
      , end
      , roll_period = 6
      , roll_duration = ppf.date_time.months
      , reset_period = 6
      , reset_duration = ppf.date_time.months
      , tenor_period = 6
      , tenor_duration = ppf.date_time.months
      , reset_currency = "USD"
      , reset_basis = ppf.date_time.basis_act_360
      , reset_holiday_centres = None
      , reset_shift_method = ppf.date_time.modified_following
      , reset_lag = 0
      , *arguments
      , **keywords):
      from ppf.date_time import days
      shift = ppf.date_time.shift
      if reset_lag > 0:
        raise RuntimeError, "index lag expected less or equal to zero"
      day, flow_id, all_observables = 0, 0, []
      while day < end:
        roll_start = start + roll_duration(flow_id*roll_period)
        roll_end = start + roll_duration((flow_id+1)*roll_period)
        reset_id = 0
        proj_roll = roll_start
        observables = []
        while proj_roll < roll_end:
          proj_start = shift(
              proj_roll
            , reset_shift_method, reset_holiday_centres)
          proj_end = shift(
              proj_roll+tenor_duration(tenor_period)
            , reset_shift_method, reset_holiday_centres)
          reset_date = shift(
              proj_start+days(reset_lag)
            , reset_shift_method, reset_holiday_centres)
          observables.append(
            libor_rate(None, flow_id, reset_id, reset_date
              , reset_currency, proj_start, proj_end
              , reset_basis, fixing(False)))
          reset_id += 1
          proj_roll = roll_start+reset_duration(reset_id*reset_period)
        day = roll_end
        all_observables.append(observables)
        flow_id += 1
      return all_observables

Here is an example of generate_libor_observables() in use.

    >>> observables = generate_libor_observables(
    ...     start = date(2007, Jun, 29)
    ...   , end = date(2012, Jun, 29)
    ...   , roll_period = 6
    ...   , roll_duration = ppf.date_time.months
    ...   , reset_period = 3
    ...   , reset_duration = ppf.date_time.months
    ...   , tenor_period = 3
    ...   , tenor_duration = ppf.date_time.months
    ...   , reset_currency = "JPY"
    ...   , reset_basis = basis_act_360
    ...   , reset_shift_method = shift_convention.modified_following)
    >>> for obs_per_flow in observables:
    ...   for obs in obs_per_flow:
    ...     print obs
    0, 0, JPY, [2007-Jun-29, 2007-Sep-28], basis_act_360,
    0, 1, JPY, [2007-Sep-28, 2007-Dec-31], basis_act_360,
    1, 0, JPY, [2007-Dec-31, 2008-Mar-31], basis_act_360,
    1, 1, JPY, [2008-Mar-31, 2008-Jun-30], basis_act_360,
    2, 0, JPY, [2008-Jun-30, 2008-Sep-29], basis_act_360,
    2, 1, JPY, [2008-Sep-29, 2008-Dec-29], basis_act_360,
    3, 0, JPY, [2008-Dec-29, 2009-Mar-30], basis_act_360,
    3, 1, JPY, [2009-Mar-30, 2009-Jun-29], basis_act_360,
    4, 0, JPY, [2009-Jun-29, 2009-Sep-29], basis_act_360,
    4, 1, JPY, [2009-Sep-29, 2009-Dec-29], basis_act_360,
    5, 0, JPY, [2009-Dec-29, 2010-Mar-29], basis_act_360,
    5, 1, JPY, [2010-Mar-29, 2010-Jun-29], basis_act_360,
    6, 0, JPY, [2010-Jun-29, 2010-Sep-29], basis_act_360,
    6, 1, JPY, [2010-Sep-29, 2010-Dec-29], basis_act_360,
    7, 0, JPY, [2010-Dec-29, 2011-Mar-29], basis_act_360,
    7, 1, JPY, [2011-Mar-29, 2011-Jun-29], basis_act_360,
    8, 0, JPY, [2011-Jun-29, 2011-Sep-29], basis_act_360,
    8, 1, JPY, [2011-Sep-29, 2011-Dec-29], basis_act_360,
    9, 0, JPY, [2011-Dec-29, 2012-Mar-29], basis_act_360,
    9, 1, JPY, [2012-Mar-29, 2012-Jun-29], basis_act_360,

The sample invocation above has generated a sequence of LIBOR rate observables.

The constructor invokes the generate() method which uses the information contained in that dictionary together with the projection start and end dates to generate the underlying legs of the swap.

    from fixing import *
    from observable import *
    from generate_flows import *
    from generate_observables import *

    class swap_rate(observable):
      def __init__(self
        , attributes
        , flow_id
        , reset_id
        , reset_date
        , reset_ccy
        , proj_start_date
        , proj_end_date
        , fix
        , spread=None):
        observable.__init__(self
          , attributes
          , flow_id
          , reset_id
          , reset_ccy
          , reset_date
          , proj_end_date
          , fix
          , spread)
        self.__proj_start_date = proj_start_date
        self.__proj_end_date = proj_end_date
        self.__generate()

      def proj_start_date(self): return self.__proj_start_date
      def proj_end_date(self): return self.__proj_end_date
      def fixed_pay_basis(self) : return self.__fixed_pay_basis
      def float_pay_basis(self) : return self.__float_pay_basis
      def proj_basis(self): return self.__proj_basis
      def fixed_flows(self): return self.__fixed_flows
      def float_flows(self): return self.__float_flows

      def __generate(self):
        start = self.__proj_start_date
        until = self.__proj_end_date
        attributes = self.attributes()

        fixed_period = attributes["fixed-pay-period"]
        fixed_period_duration = attributes["fixed-pay-period-duration"]
        fixed_pay_basis = attributes["fixed-pay-basis"]
        fixed_pay_holiday_centres = attributes["fixed-pay-holiday-"
                                               "centres"]
        fixed_shift_convention = attributes["fixed-shift-convention"]
        float_period = attributes["float-pay-period"]
        float_period_duration = attributes["float-pay-period-duration"]
        float_pay_basis = attributes["float-pay-basis"]
        float_pay_holiday_centres = attributes["float-pay-holiday-"
                                               "centres"]
        float_shift_convention = attributes["float-shift-convention"]
        libor_basis = attributes["index-basis"]
        libor_holiday_centres = attributes["index-holiday-centres"]
        libor_shift_convention = attributes["index-shift-convention"]

        self.__fixed_flows = \
          generate_flows(start
            , until
            , period = fixed_period
            , duration = fixed_period_duration
            , pay_shift_method = fixed_shift_convention
            , pay_currency = self.reset_currency()
            , pay_basis = fixed_pay_basis
            , pay_holiday_centres = fixed_pay_holiday_centres
            , accrual_shift_method = fixed_shift_convention
            , accrual_holiday_centres = \
                fixed_pay_holiday_centres)

        libor_observables = \
          generate_libor_observables(
              start
            , until
            , roll_period = float_period
            , roll_duration = float_period_duration
            , reset_period = float_period
            , reset_duration = float_period_duration
            , tenor_period = float_period
            , tenor_duration = float_period_duration
            , reset_currency = self.reset_currency()
            , reset_basis = libor_basis
            , reset_holiday_centres = libor_holiday_centres
            , reset_shift_method = libor_shift_convention)

        self.__float_flows = \
          generate_flows(start
            , until
            , period = float_period
            , duration = float_period_duration
            , pay_shift_method = float_shift_convention
            , pay_currency = self.reset_currency()
            , pay_basis = float_pay_basis
            , pay_holiday_centres = float_pay_holiday_centres
            , accrual_shift_method = float_shift_convention
            , accrual_holiday_centres = \
                float_pay_holiday_centres
            , observables = libor_observables)

      def __str__(self):
        s = "%d, " % self.flow_id()
        s += "%d, " % self.reset_id()
        s += "%s, " % self.reset_currency()
        s += "[%s, %s], " % (self.__proj_start_date, self.__proj_end_date)
        return s

Once again for completeness the swap_rate class provides a method forward for determining the value of the swap rate at a particular point in time.

    class swap_rate(observable):
      def forward(self, t, curve):
        fund_pv = 0
        for f in self.__float_flows:
          obs = f.observables()[0]
          proj_start, proj_end, reset_accrual_dcf = \
            (obs.proj_start_date(), obs.proj_end_date(), obs.year_fraction())
          dfs, dfe = \
            curve(int(proj_start - t)/365.0), curve(int(proj_end - t)/365.0)
          libor = (dfs/dfe - 1.0)/reset_accrual_dcf
          pay_date, accrual_dcf = (f.pay_date(), f.year_fraction())
          dfp = curve(int(pay_date - t)/365.0)
          fund_pv += dfp*libor*accrual_dcf
        fixed_pv = 0
        for f in self.__fixed_flows:
          pay_date, accrual_dcf = (f.pay_date(), f.year_fraction())
          dfp = curve(int(pay_date - t)/365.0)
          fixed_pv += dfp*accrual_dcf
        return fund_pv/fixed_pv

Like the generate_libor_observables() function of section 6.1.1, a function for generating a sequence of swap rate observables, generate_swap_observables(), can be found in the ppf.core.generate_observables module.

    def generate_swap_observables(
        start
      , end
      , attributes
      , spread = 0
      , roll_period = 6
      , roll_duration = ppf.date_time.months
      , tenor_period = 10
      , tenor_duration = ppf.date_time.years
      , reset_currency = "USD"
      , reset_basis = ppf.date_time.basis_act_360
      , reset_holiday_centres = None
      , reset_shift_method = ppf.date_time.modified_following
      , reset_lag = 0
      , *arguments
      , **keywords):
      from ppf.date_time import days
      shift = ppf.date_time.shift
      if reset_lag > 0:
        raise RuntimeError, "index lag expected less or equal to zero"
      day, flow_id, all_observables = 0, 0, []
      while day < end:
        roll_start = start + roll_duration(flow_id*roll_period)
        roll_end = start + roll_duration((flow_id+1)*roll_period)
        reset_id = 0
        proj_roll = roll_start
        proj_start = \
          shift(
              proj_roll
            , reset_shift_method
            , reset_holiday_centres
            )
        proj_end = \
          shift(
              proj_roll+tenor_duration(tenor_period)
            , reset_shift_method, reset_holiday_centres
            )
        reset_date = \
          shift(
              proj_start+days(reset_lag)
            , reset_shift_method, reset_holiday_centres
            )
        all_observables.append(
          swap_rate(
              attributes
            , flow_id
            , reset_id
            , reset_date
            , reset_currency
            , proj_start
            , proj_end
            , fixing(False)
            , spread)
          )
        flow_id += 1; reset_id += 1; day = roll_end
      return all_observables

The following is an example session demonstrating the generation of a sequence of swap rate observables.

    >>> props = {}
    >>> props["fixed-pay-period"] = 1
    >>> props["fixed-pay-period-duration"] = years
    >>> props["fixed-pay-basis"] = basis_act_360
    >>> props["fixed-pay-holiday-centres"] = None
    >>> props["fixed-shift-convention"] = modified_following
    >>> props["float-pay-period"] = 6
    >>> props["float-pay-period-duration"] = months
    >>> props["float-pay-basis"] = basis_act_365
    >>> props["float-pay-holiday-centres"] = None
    >>> props["float-shift-convention"] = modified_following
    >>> props["index-basis"] = basis_act_365
    >>> props["index-holiday-centres"] = None
    >>> props["index-shift-convention"] = modified_following
    >>> observables = generate_swap_observables(
    ...     start = date(2007, Jun, 29)
    ...   , end = date(2017, Jun, 29)
    ...   , attributes = props
    ...   , roll_period = 1
    ...   , roll_duration = years
    ...   , tenor_period = 10
    ...   , tenor_duration = years)
    >>> for o in observables: print o
    0, 0, USD, [2007-Jun-29, 2017-Jun-29],
    1, 0, USD, [2008-Jun-30, 2018-Jun-29],
    2, 0, USD, [2009-Jun-29, 2019-Jun-28],
    3, 0, USD, [2010-Jun-29, 2020-Jun-29],
    4, 0, USD, [2011-Jun-29, 2021-Jun-29],
    5, 0, USD, [2012-Jun-29, 2022-Jun-29],
    6, 0, USD, [2013-Jun-28, 2023-Jun-29],
    7, 0, USD, [2014-Jun-30, 2024-Jun-28],
    8, 0, USD, [2015-Jun-29, 2025-Jun-30],
    9, 0, USD, [2016-Jun-29, 2026-Jun-29],

6.2 FLOWS

A flow describes a cash flow to be made at some point in time.


pages: 437 words: 113,173

Age of Discovery: Navigating the Risks and Rewards of Our New Renaissance by Ian Goldin, Chris Kutarna

"World Economic Forum" Davos, 2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, 3D printing, Airbnb, Albert Einstein, AltaVista, Asian financial crisis, asset-backed security, autonomous vehicles, banking crisis, barriers to entry, battle of ideas, Bear Stearns, Berlin Wall, bioinformatics, bitcoin, Boeing 747, Bonfire of the Vanities, bread and circuses, carbon tax, clean water, collective bargaining, Colonization of Mars, Credit Default Swap, CRISPR, crowdsourcing, cryptocurrency, Dava Sobel, demographic dividend, Deng Xiaoping, digital divide, Doha Development Round, double helix, driverless car, Edward Snowden, Elon Musk, en.wikipedia.org, epigenetics, experimental economics, Eyjafjallajökull, failed state, Fall of the Berlin Wall, financial innovation, full employment, Galaxy Zoo, general purpose technology, Glass-Steagall Act, global pandemic, global supply chain, Higgs boson, Hyperloop, immigration reform, income inequality, indoor plumbing, industrial cluster, industrial robot, information retrieval, information security, Intergovernmental Panel on Climate Change (IPCC), intermodal, Internet of things, invention of the printing press, Isaac Newton, Islamic Golden Age, Johannes Kepler, Khan Academy, Kickstarter, Large Hadron Collider, low cost airline, low skilled workers, Lyft, Mahbub ul Haq, Malacca Straits, mass immigration, Max Levchin, megacity, Mikhail Gorbachev, moral hazard, Nelson Mandela, Network effects, New Urbanism, non-tariff barriers, Occupy movement, On the Revolutions of the Heavenly Spheres, open economy, Panamax, Paris climate accords, Pearl River Delta, personalized medicine, Peter Thiel, post-Panamax, profit motive, public intellectual, quantum cryptography, rent-seeking, reshoring, Robert Gordon, Robert Metcalfe, Search for Extraterrestrial Intelligence, Second Machine Age, self-driving car, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, Skype, smart grid, Snapchat, 
special economic zone, spice trade, statistical model, Stephen Hawking, Steve Jobs, Stuxnet, synthetic biology, TED Talk, The Future of Employment, too big to fail, trade liberalization, trade route, transaction costs, transatlantic slave trade, uber lyft, undersea cable, uranium enrichment, We are the 99%, We wanted flying cars, instead we got 140 characters, working poor, working-age population, zero day

Unexpected data loss and downtime cost businesses as much as $1.7 trillion in 2014, according to one global industry survey.78 As we become more dependent on the Internet, for example through wider adoption of cloud services, those costs will escalate.79 And the exploitation of so-called zero-day vulnerabilities—unknown bugs buried deep inside the code of widely distributed software or operating systems—threatens to interrupt services deliberately. Often these bugs are fixed only after hackers have made use of them. In September 2014, a wave of attacks known as ShellShock exploited a core vulnerability in Mac and Linux operating systems to run malicious code on millions of computers. The bug had gone unnoticed for 20 years. Another zero-day vulnerability uncovered in November 2014, called Unicorn, had been present in every release of Microsoft Internet Explorer going back to 1995.80 The complexity of Internet networks allows attacks like zero-day exploits to be performed with near-perfect anonymity.

Another zero-day vulnerability uncovered in November 2014, called Unicorn, had been present in every release of Microsoft Internet Explorer going back to 1995.80 The complexity of Internet networks allows attacks like zero-day exploits to be performed with near-perfect anonymity. The most frequent kind of attack, distributed denial of service (DDoS), arranges to send dummy data requests to a victim’s server from thousands of hijacked computers simultaneously, so that legitimate users can’t get their own requests through. The Internet was originally designed for sharing, not security, and perpetrators can hide in the open amidst the unwitting crowds they convene. Even when perpetrators are discovered—often overseas somewhere—limits of jurisdiction make it hard to bring them to justice.


pages: 349 words: 114,038

Culture & Empire: Digital Revolution by Pieter Hintjens

4chan, Aaron Swartz, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, Boeing 747, bread and circuses, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, decentralized internet, disinformation, Edward Snowden, failed state, financial independence, Firefox, full text search, gamification, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, independent contractor, informal economy, intangible asset, invisible hand, it's over 9,000, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, Laura Poitras, M-Pesa, mass immigration, mass incarceration, mega-rich, military-industrial complex, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, no silver bullet, Occupy movement, off-the-grid, offshore financial centre, packet switching, patent troll, peak oil, power law, pre–internet, private military company, race to the bottom, real-name policy, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Russell Brand, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law

The measured level is 42%, for known vulnerabilities. What about unknown holes in Windows, a so-called "zero-day attack"? In June 2010, the Stuxnet worm was found to be sabotaging Iran's nuclear program in a very sophisticated attack that looked for specific Siemens industrial control hardware, and interfered with it when it found it. Stuxnet is significant for several reasons, two of which are worth paying particular attention to. It was built by the NSA's hackers, and it used no less than four Windows zero-days. Zero-days are very rare in theory. For a group of hackers to use four, in a single worm, hints that there are many more we know nothing about.


When Computers Can Think: The Artificial Intelligence Singularity by Anthony Berglas, William Black, Samantha Thalind, Max Scratchmann, Michelle Estes

3D printing, Abraham Maslow, AI winter, air gap, anthropic principle, artificial general intelligence, Asilomar, augmented reality, Automated Insights, autonomous vehicles, availability heuristic, backpropagation, blue-collar work, Boston Dynamics, brain emulation, call centre, cognitive bias, combinatorial explosion, computer vision, Computing Machinery and Intelligence, create, read, update, delete, cuban missile crisis, David Attenborough, DeepMind, disinformation, driverless car, Elon Musk, en.wikipedia.org, epigenetics, Ernest Rutherford, factory automation, feminist movement, finite state, Flynn Effect, friendly AI, general-purpose programming language, Google Glasses, Google X / Alphabet X, Gödel, Escher, Bach, Hans Moravec, industrial robot, Isaac Newton, job automation, John von Neumann, Law of Accelerating Returns, license plate recognition, Mahatma Gandhi, mandelbrot fractal, natural language processing, Nick Bostrom, Parkinson's law, patent troll, patient HM, pattern recognition, phenotype, ransomware, Ray Kurzweil, Recombinant DNA, self-driving car, semantic web, Silicon Valley, Singularitarianism, Skype, sorting algorithm, speech recognition, statistical model, stem cell, Stephen Hawking, Stuxnet, superintelligent machines, technological singularity, Thomas Malthus, Turing machine, Turing test, uranium enrichment, Von Neumann architecture, Watson beat the top human players on Jeopardy!, wikimedia commons, zero day

In June 2014 new, high quality malware, known as Dragonfly or Havex, was found to have infected many energy producers, mainly in the USA and Western Europe. The perpetrators are unknown, but the malware appears to have been well resourced, although it has not caused any damage.

Zero day exploits

Stuxnet used four “zero day” exploits. These are bugs in system software that enable malicious programs to perform actions not otherwise permitted. One of these, known as CPLINK, was particularly ugly because it enabled any USB thumb drive to automatically execute its code whenever it was plugged into a PC, without any action being required by the user.

Single AGI 13. Goal consistency 14. Unpredictable algorithms 15. Ethics 16. Defeating natural selection 17. Wishful thinking 18. Whole brain emulation 19. Chain of AGIs 20. Running away 21. Just do not build an AGI 8. Political Will 1. Atom bombs 2. Iran's atomic ambitions 3. Stuxnet 4. Glass houses 5. Zero day exploits 6. Practicalities of abstinence 7. Restrict computer hardware 8. Asilomar conference 9. Patent trolls 10. Does it really matter? 9. Conclusion 1. Geological history 2. History of science 3. Natural selection 4. Human instincts 5. Intelligence 6. AI technologies 7. Building an AGI 8. Semi-intelligent machines 9.


pages: 525 words: 116,295

The New Digital Age: Transforming Nations, Businesses, and Our Lives by Eric Schmidt, Jared Cohen

access to a mobile phone, additive manufacturing, airport security, Amazon Mechanical Turk, Amazon Web Services, Andy Carvin, Andy Rubin, anti-communist, augmented reality, Ayatollah Khomeini, barriers to entry, bitcoin, borderless world, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, crowdsourcing, data acquisition, Dean Kamen, disinformation, driverless car, drone strike, Elon Musk, Evgeny Morozov, failed state, false flag, fear of failure, Filter Bubble, Google Earth, Google Glasses, Hacker Conference 1984, hive mind, income inequality, information security, information trail, invention of the printing press, job automation, John Markoff, Julian Assange, Khan Academy, Kickstarter, knowledge economy, Law of Accelerating Returns, market fundamentalism, Mary Meeker, means of production, military-industrial complex, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, Nelson Mandela, no-fly zone, off-the-grid, offshore financial centre, Parag Khanna, peer-to-peer, peer-to-peer lending, personalized medicine, Peter Singer: altruism, power law, Ray Kurzweil, RFID, Robert Bork, self-driving car, sentiment analysis, Silicon Valley, Skype, Snapchat, social graph, speech recognition, Steve Jobs, Steven Pinker, Stewart Brand, Stuxnet, Susan Wojcicki, The Wisdom of Crowds, upwardly mobile, Whole Earth Catalog, WikiLeaks, young professional, zero day

The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, malicious computer attacks exposing vulnerabilities (security holes) in computer programs that were unknown to the program’s creator (in this case, the Windows operating system) before the day of the attack, thus leaving zero days to prepare for it. The discovery of one zero-day exploit is considered a rare event—and exploited information can be sold for hundreds of thousands of dollars on the black market—so security analysts were stunned to discover that an early variant of Stuxnet took advantage of five.


pages: 362 words: 86,195

Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn

Brian Krebs, dumpster diving, fault tolerance, Firefox, John Markoff, Menlo Park, offshore financial centre, pirate software, plutocrats, popular electronics, profit motive, RFID, Silicon Valley, zero day

Again like the Russians, the Chinese have used cyberattacks to harass and silence civilian foes based outside the country’s borders. Proponents of the Falun Gong and Tibetan independence movements have been targeted, and at least one small Tibetan alliance disbanded rather than risk further electronic communications. Chinese hackers have hit virtually all the groups with “zero-day exploits,” those that use a vulnerability that has not been openly identified and patched. One especially clever email used a previously unknown flaw in Microsoft Word to try to infiltrate a pro-Taiwan group. Two weeks later, the same gambit was used against a big defense contractor in the U.K., according to Finnish expert Mikko Hypponen, strongly suggesting the hand of Chinese government.

See the author’s LA Times article “Industry at Odds Over ID Theft Liability,” available at http://articles.latimes.com/2005/mar/07/business/fi-idtheft7. The most comprehensive analysis of the culpability of the financial industry in identity theft is by USA Today reporters Byron Acohido and Jon Swartz, in their insightful book Zero Day Threat. 115 harassed by debt collectors after such fraud: According to the 2003 FTC report, available at www.josephmenn.com/FatalSystemError. 116 advisors on the 2005 report: The author covered the Javelin report’s problems in “Data Brokers Press for U.S. Law” at http://articles.latimes.com/2005/dec/26/business/fi-idlobby26. 117 the Wall Street Journal, and elsewhere: See, for example, “Net Fraud Study,” http://query.nytimes.com/gst/fullpage.html?


pages: 295 words: 84,843

There's a War Going on but No One Can See It by Huib Modderkolk

AltaVista, ASML, Berlin Wall, Big Tech, call centre, COVID-19, disinformation, Donald Trump, drone strike, Edward Snowden, end-to-end encryption, Evgeny Morozov, fake news, Fall of the Berlin Wall, Firefox, Google Chrome, information security, Jacob Appelbaum, John Markoff, Julian Assange, Laura Poitras, machine translation, millennium bug, NSO Group, ransomware, Skype, smart meter, speech recognition, Stuxnet, undersea cable, unit 8200, uranium enrichment, WikiLeaks, zero day

There are plenty more tips like these, and all kinds of resources are available to readers looking for ways to protect themselves. Wired offers some guidelines on ‘How to Protect Your Digital Self’. Other journalists have also published about the risks of the digital age. Kim Zetter has written an excellent book about Stuxnet, Counting Down to Zero Day. Nicole Perlroth describes the development of cyberweapons in her fascinating This Is How They Tell Me the World Ends, and Andy Greenberg’s Sandworm dives deep inside the Russian hacking world. To read more about the risks surrounding digitisation, a good place to start is the reporting of Zach Dorfman, Jenna McLaughlin and Ryan Gallagher.

BBC China vessel intercepted in Italy Robin Wright, ‘Ship Incident May Have Swayed Libya’, Washington Post, 1 January 2004. Iraqi communication systems attacked in 2003 John Markoff and Thom Shanker, ‘Halted ’03 Iraq Plan Illustrates [U.S] Fear of Cyberwar Risk’, The New York Times, 1 August 2009. Natanz and its centrifuges Kim Zetter, Counting down to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, Broadway Books, 2015. Casualties resulting from Natanz operation Kim Zetter and Huib Modderkolk, ‘Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran’, Yahoo News, 2 September 2019. 4 Red Alert Publication of KPN customer passwords Colin Hoek and Brenno de Winter, ‘Wachtwoorden KPN-klanten gepubliceerd’, NU.nl, 10 February 2012.


pages: 523 words: 154,042

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro

3D printing, 4chan, active measures, address space layout randomization, air gap, Airbnb, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, availability heuristic, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, business logic, call centre, carbon tax, Cass Sunstein, cellular automata, cloud computing, cognitive dissonance, commoditize, Compatible Time-Sharing System, Computing Machinery and Intelligence, coronavirus, COVID-19, CRISPR, cryptocurrency, cyber-physical system, Daniel Kahneman / Amos Tversky, Debian, Dennis Ritchie, disinformation, Donald Trump, double helix, Dr. Strangelove, dumpster diving, Edward Snowden, en.wikipedia.org, Evgeny Morozov, evil maid attack, facts on the ground, false flag, feminist movement, Gabriella Coleman, gig economy, Hacker News, independent contractor, information security, Internet Archive, Internet of things, invisible hand, John Markoff, John von Neumann, Julian Assange, Ken Thompson, Larry Ellison, Laura Poitras, Linda problem, loss aversion, macro virus, Marc Andreessen, Mark Zuckerberg, Menlo Park, meta-analysis, Minecraft, Morris worm, Multics, PalmPilot, Paul Graham, pirate software, pre–internet, QWERTY keyboard, Ralph Nader, RAND corporation, ransomware, Reflections on Trusting Trust, Richard Stallman, Richard Thaler, Ronald Reagan, Satoshi Nakamoto, security theater, Shoshana Zuboff, side hustle, Silicon Valley, Skype, SoftBank, SQL injection, Steve Ballmer, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, surveillance capitalism, systems thinking, TaskRabbit, tech billionaire, tech worker, technological solutionism, the Cathedral and the Bazaar, the new new thing, the payments system, Turing machine, Turing test, Unsafe at Any Speed, vertical integration, Von Neumann architecture, Wargames Reagan, WarGames: Global Thermonuclear War, Wayback Machine, web application, WikiLeaks, winner-take-all economy, young professional, zero day, éminence grise

apply it to cyberwar: On the history of cyber-conflict, see Healey, A Fierce Domain; Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon and Schuster, 2016); Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020); Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (New York: Public Affairs, 2015); Kim Zetter, Countdown to Zero Day (New York: Crown, 2014); Andy Greenberg, Sandworm (New York: Doubleday, 2019). Stuxnet: Zetter, Countdown to Zero Day. monocultures are at serious risk: Paul Rosenzweig, “The Cyber Monoculture Risk,” Lawfare, October 1, 2021, https://www.lawfareblog.com/cyber-monoculture-risk. In a federal system: By the same reasoning, we should expect, all other things being equal, digital homogeneity in the federal government.

Seligman, “Learned Helplessness at Fifty: Insights from Neuroscience,” Psychological Review 123, no. 4 (2016): 349–67, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4920136/. five hacks: Some hacks have been extensively discussed by others, so I did not tell those stories again; e.g., STUXNET, in Kim Zetter, Countdown to Zero Day: STUXNET and the Launch of the World’s First Digital Weapon (New York: Crown, 2014); Conficker, in Mark Bowden, Worm: The First Digital World War (New York: Grove Press, 2012); Dark Energy, in Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (New York: Doubleday, 2019). 1.


pages: 305 words: 93,091

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick, Mikko Hypponen, Robert Vamosi

4chan, big-box store, bitcoin, Bletchley Park, blockchain, connected car, crowdsourcing, data science, Edward Snowden, en.wikipedia.org, end-to-end encryption, evil maid attack, Firefox, Google Chrome, Google Earth, incognito mode, information security, Internet of things, Kickstarter, Laura Poitras, license plate recognition, Mark Zuckerberg, MITM: man-in-the-middle, off-the-grid, operational security, pattern recognition, ransomware, Ross Ulbricht, Salesforce, self-driving car, Silicon Valley, Skype, Snapchat, speech recognition, Tesla Model S, web application, WikiLeaks, zero day, Zimmermann PGP

The DarkHotel group in general uses a low-level spear-phishing attack for mass targets and reserves the hotel attacks for high-profile, singular targets—such as executives in the nuclear power and defense industries. One early analysis suggested that DarkHotel was South Korea–based. A keylogger—malware used to record the keystrokes of compromised systems—used in the attacks contains Korean characters within the code. And the zero-days—vulnerabilities in software that are unknown to the vendor—were very advanced flaws that were previously unknown. Moreover, a South Korean name identified within the keylogger has been traced to other sophisticated keyloggers used by Koreans in the past. It should be noted, however, that this is not enough to confirm attribution.

Chapter Eleven: Hey, KITT, Don’t Share My Location 1. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. 2. This is silly. Just because something is prohibited doesn’t mean it won’t happen. And this creates a dangerous scenario in which hacked cars can still affect the driving public. Zero-days for automobiles, anyone? 3. http://keenlab.tencent.com/en/2016/06/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/. 4. http://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy. 5. http://www.theregister.co.uk/2015/06/22/epic_uber_ftc/. 6. http://nypost.com/2014/11/20/uber-reportedly-tracking-riders-without-permission/. 7. https://www.uber.com/legal/usa/privacy. 8. http://fortune.com/2015/06/23/uber-privacy-epic-ftc/. 9. http://www.bbc.com/future/story/20150206-biggest-myth-about-phone-privacy. 10. http://tech.vijay.ca/of-taxis-and-rainbows-f6bc289679a1. 11. http://arstechnica.com/tech-policy/2014/06/poorly-anonymized-logs-reveal-nyc-cab-drivers-detailed-whereabouts/. 12.


pages: 340 words: 97,723

The Big Nine: How the Tech Titans and Their Thinking Machines Could Warp Humanity by Amy Webb

"Friedman doctrine" OR "shareholder theory", Ada Lovelace, AI winter, air gap, Airbnb, airport security, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, algorithmic bias, AlphaGo, Andy Rubin, artificial general intelligence, Asilomar, autonomous vehicles, backpropagation, Bayesian statistics, behavioural economics, Bernie Sanders, Big Tech, bioinformatics, Black Lives Matter, blockchain, Bretton Woods, business intelligence, Cambridge Analytica, Cass Sunstein, Charles Babbage, Claude Shannon: information theory, cloud computing, cognitive bias, complexity theory, computer vision, Computing Machinery and Intelligence, CRISPR, cross-border payments, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, data science, deep learning, DeepMind, Demis Hassabis, Deng Xiaoping, disinformation, distributed ledger, don't be evil, Donald Trump, Elon Musk, fail fast, fake news, Filter Bubble, Flynn Effect, Geoffrey Hinton, gig economy, Google Glasses, Grace Hopper, Gödel, Escher, Bach, Herman Kahn, high-speed rail, Inbox Zero, Internet of things, Jacques de Vaucanson, Jeff Bezos, Joan Didion, job automation, John von Neumann, knowledge worker, Lyft, machine translation, Mark Zuckerberg, Menlo Park, move fast and break things, Mustafa Suleyman, natural language processing, New Urbanism, Nick Bostrom, one-China policy, optical character recognition, packet switching, paperclip maximiser, pattern recognition, personalized medicine, RAND corporation, Ray Kurzweil, Recombinant DNA, ride hailing / ride sharing, Rodney Brooks, Rubik’s Cube, Salesforce, Sand Hill Road, Second Machine Age, self-driving car, seminal paper, SETI@home, side project, Silicon Valley, Silicon Valley startup, skunkworks, Skype, smart cities, South China Sea, sovereign wealth fund, speech recognition, Stephen Hawking, strong AI, superintelligent machines, surveillance capitalism, technological singularity, The Coming Technological Singularity, the long tail, theory 
of mind, Tim Cook: Apple, trade route, Turing machine, Turing test, uber lyft, Von Neumann architecture, Watson beat the top human players on Jeopardy!, zero day

“Deep Learning with Differential Privacy.” In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), 308–318. New York: ACM Press, 2016. Abstract, last revised October 24, 2016. https://arxiv.org/abs/1607.00133. Ablon, L., and A. Bogart. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR1751.html. Adams, S. S., et al. “Mapping the Landscape of Human-Level Artificial General Intelligence.” AI Magazine 33, no. 1 (2012). Agar, N. “Ray Kurzweil and Uploading: Just Say No!”


pages: 446 words: 102,421

Network Security Through Data Analysis: Building Situational Awareness by Michael S Collins

business process, cloud computing, create, read, update, delete, data science, Firefox, functional programming, general-purpose programming language, index card, information security, Internet Archive, inventory management, iterative process, operational security, OSI model, p-value, Parkinson's law, peer-to-peer, slashdot, statistical model, zero day

Host-based collection systems require knowing that the host exists in the first place, and there are numerous cases where you’re likely not to know that a particular service is running until you see its traffic on the wire. Network traffic provides a view of the network with minimal assumptions—it tells you about hosts on the network you don’t know existed, backdoors you weren’t aware of, attackers already inside your border, and routes through your network you never considered. At the same time, when you face a zero-day vulnerability or new malware, packet data may be the only data source you have. The remainder of this chapter is broken down as follows. The next section covers network vantage: how packets move through a network and how to take advantage of that when instrumenting the network. The next section covers tcpdump, the fundamental network traffic capture protocol, and provides recipes for sampling packets, filtering them, and manipulating their length.

The most extreme version of this problem is associated with vulnerabilities. AV primarily, but also NIDS and HIDS, rely on specific binary signatures in order to identify malware (see On Code Red and Malware Evasiveness for a more extensive discussion on this). These signatures require that some expert have access to an exploit; these days, exploits are commonly “zero-day,” meaning that they’re released and in the wild before anyone has the opportunity to write a signature. Anomaly-based IDSes are built by training (or optionally configuring) the IDS on traffic data in order to create a model of normal activity. Once this model is created, deviations from the model are anomalous, suspicious, and produce events.


pages: 719 words: 181,090

Site Reliability Engineering: How Google Runs Production Systems by Betsy Beyer, Chris Jones, Jennifer Petoff, Niall Richard Murphy

"Margaret Hamilton" Apollo, Abraham Maslow, Air France Flight 447, anti-pattern, barriers to entry, business intelligence, business logic, business process, Checklist Manifesto, cloud computing, cognitive load, combinatorial explosion, continuous integration, correlation does not imply causation, crowdsourcing, database schema, defense in depth, DevOps, en.wikipedia.org, exponential backoff, fail fast, fault tolerance, Flash crash, George Santayana, Google Chrome, Google Earth, if you see hoof prints, think horses—not zebras, information asymmetry, job automation, job satisfaction, Kubernetes, linear programming, load shedding, loose coupling, machine readable, meta-analysis, microservices, minimum viable product, MVC pattern, no silver bullet, OSI model, performance metric, platform as a service, proprietary trading, reproducible builds, revision control, risk tolerance, side project, six sigma, the long tail, the scientific method, Toyota Production System, trickle-down economics, warehouse automation, web application, zero day

This additional measure adds protection from the types of errors replication doesn’t protect against—user errors and application-layer bugs—but does nothing to guard against losses introduced at a lower layer. This measure also introduces a risk of bugs during data conversion (in both directions) and during storage of the native file, in addition to possible mismatches in semantics between the two formats. Imagine a zero-day attack⁵ at some low level of your stack, such as the filesystem or device driver. Any copies that rely on the compromised software component, including the database exports that were written to the same filesystem that backs your database, are vulnerable. Thus, we see that diversity is key: protecting against a failure at layer X requires storing data on diverse components at that layer.

Of course Google has such resources, but the principle of Defense in Depth dictates providing multiple layers of protection to guard against the breakdown or compromise of any single protection mechanism. Backing up online systems such as Gmail provides defense in depth at two layers:

- A failure of the internal Gmail redundancy and backup subsystems
- A wide failure or zero-day vulnerability in a device driver or filesystem affecting the underlying storage medium (disk)

This particular failure resulted from the first scenario—while Gmail had internal means of recovering lost data, this loss went beyond what internal means could recover. One of the most internally celebrated aspects of the Gmail data recovery was the degree of cooperation and smooth coordination that comprised the recovery.

SQL databases such as MySQL and PostgreSQL strive to achieve these properties. 2 Basically Available, Soft state, Eventual consistency; see https://en.wikipedia.org/wiki/Eventual_consistency. BASE systems, like Bigtable and Megastore, are often also described as “NoSQL.” 3 For further reading on ACID and BASE APIs, see [Gol14] and [Bai13]. 4 Binary Large Object; see https://en.wikipedia.org/wiki/Binary_large_object. 5 See https://en.wikipedia.org/wiki/Zero-day_(computing). 6 Clay tablets are the oldest known examples of writing. For a broader discussion of preserving data for the long haul, see [Con96]. 7 Upon reading this advice, one might ask: since you have to offer an API on top of the datastore to implement soft deletion, why stop at soft deletion, when you could offer many other features that protect against accidental data deletion by users?


pages: 392 words: 114,189

The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World From Cybercrime by Renee Dudley, Daniel Golden

2021 United States Capitol attack, Amazon Web Services, Bellingcat, Berlin Wall, bitcoin, Black Lives Matter, blockchain, Brian Krebs, call centre, centralized clearinghouse, company town, coronavirus, corporate governance, COVID-19, cryptocurrency, data science, disinformation, Donald Trump, fake it until you make it, Hacker News, heat death of the universe, information security, late fees, lockdown, Menlo Park, Minecraft, moral hazard, offshore financial centre, Oklahoma City bombing, operational security, opioid epidemic / opioid crisis, Picturephone, pirate software, publish or perish, ransomware, Richard Feynman, Ross Ulbricht, seminal paper, smart meter, social distancing, strikebreaker, subprime mortgage crisis, tech worker, Timothy McVeigh, union organizing, War on Poverty, Y2K, zero day

DarkSide justified such attacks by saying, “We only attack companies that can pay the requested amount, we do not want to kill your business.” DarkSide’s “name and shame” wall on its dark web site identified dozens of victims that it was pressuring to pay and described the confidential data it claimed to have filched from them. To infiltrate networks, the gang relied on advanced methods such as “zero-day exploits,” which immediately took advantage of software vulnerabilities before they could be patched. Once inside, they moved swiftly, looking not only for sensitive data to use as leverage but also for the victim’s cyber insurance policy so that they could peg their demands to the coverage. After two to three days of poking around, DarkSide would encrypt the files.

Conference of Mayors Vachon-Desjardins, Sebastien van der Wiel, Jornt van Hofweegen, Peter VashSorena Vasinskyi, Yaroslav Vatis, Michael Ventrone, Melissa Virus Bulletin VirusTotal Wall Street Journal, The WannaCry WastedLocker Waters, Michael Wazix West, Nigel Whitacre, Mark White, Sarah WhiteRose Wildfire Wilding, Edward Willems, Eddy Wilson, Tina Witherspoon, Joel Witt, Stephen WND Wonderful Wizard of Oz, The (Baum) World War II Worters, Loretta Wosar, Fabian; Apocalypse and; DarkSide and; early life of; EpsilonRed and; Evil Corp and; FBI and; Operation Bleeding Cloud of; REvil and Wray, Christopher Xerox Yakubets, Maksim YARA rules Young, Adam Young, Bernard “Jack” Yung, Moti Zbot Trojan Zeppelin ZeroAccess zero-day exploits Zeus Ziggy ZoomInfo ALSO BY DANIEL GOLDEN Spy Schools: How the CIA, FBI, and Foreign Intelligence Secretly Exploit America’s Universities The Price of Admission: How America’s Ruling Class Buys Its Way into Elite Colleges—and Who Gets Left Outside the Gates A NOTE ABOUT THE AUTHORS Renee Dudley is a technology reporter at ProPublica.


pages: 416 words: 129,308

The One Device: The Secret History of the iPhone by Brian Merchant

Airbnb, animal electricity, Apollo Guidance Computer, Apple II, Apple's 1984 Super Bowl advert, Black Lives Matter, Charles Babbage, citizen journalism, Citizen Lab, Claude Shannon: information theory, computer vision, Computing Machinery and Intelligence, conceptual framework, cotton gin, deep learning, DeepMind, Douglas Engelbart, Dynabook, Edward Snowden, Elon Musk, Ford paid five dollars a day, Frank Gehry, gigafactory, global supply chain, Google Earth, Google Hangouts, Higgs boson, Huaqiangbei: the electronics market of Shenzhen, China, information security, Internet of things, Jacquard loom, John Gruber, John Markoff, Jony Ive, Large Hadron Collider, Lyft, M-Pesa, MITM: man-in-the-middle, more computing power than Apollo, Mother of all demos, natural language processing, new economy, New Journalism, Norbert Wiener, offshore financial centre, oil shock, pattern recognition, peak oil, pirate software, profit motive, QWERTY keyboard, reality distortion field, ride hailing / ride sharing, rolodex, Shenzhen special economic zone , Silicon Valley, Silicon Valley startup, skeuomorphism, skunkworks, Skype, Snapchat, special economic zone, speech recognition, stealth mode startup, Stephen Hawking, Steve Ballmer, Steve Jobs, Steve Wozniak, Steven Levy, TED Talk, Tim Cook: Apple, Tony Fadell, TSMC, Turing test, uber lyft, Upton Sinclair, Vannevar Bush, zero day

For five hundred dollars, University of Michigan professor Anil Jain was able to build a device that fooled the iPhone’s fingerprint sensors. In 2015, the security firm Zerodium paid a bounty of one million dollars for a chain of zero-day exploits (vulnerabilities that the vendor isn’t aware of) on the iPhone, though no one knows who won the money. And no one, save Zerodium, knows what became of the zero days. And in 2016, Toronto’s Citizen Lab revealed that a very sophisticated form of malware, called Trident, had been used to try to infect a civil rights activist’s phone in the UAE. The hack was revealed to have been the work of an Israeli company, which was believed to have sold its spyware for as much as $500,000—likely to authoritarian regimes like the UAE government.


pages: 181 words: 52,147

The Driver in the Driverless Car: How Our Technology Choices Will Create the Future by Vivek Wadhwa, Alex Salkever

23andMe, 3D printing, Airbnb, AlphaGo, artificial general intelligence, augmented reality, autonomous vehicles, barriers to entry, benefit corporation, Bernie Sanders, bitcoin, blockchain, clean water, correlation does not imply causation, CRISPR, deep learning, DeepMind, distributed ledger, Donald Trump, double helix, driverless car, Elon Musk, en.wikipedia.org, epigenetics, Erik Brynjolfsson, gigafactory, Google bus, Hyperloop, income inequality, information security, Internet of things, job automation, Kevin Kelly, Khan Academy, Kickstarter, Law of Accelerating Returns, license plate recognition, life extension, longitudinal study, Lyft, M-Pesa, Mary Meeker, Menlo Park, microbiome, military-industrial complex, mobile money, new economy, off-the-grid, One Laptop per Child (OLPC), personalized medicine, phenotype, precision agriculture, radical life extension, RAND corporation, Ray Kurzweil, recommendation engine, Ronald Reagan, Second Machine Age, self-driving car, seminal paper, Silicon Valley, Skype, smart grid, stem cell, Stephen Hawking, Steve Wozniak, Stuxnet, supercomputer in your pocket, synthetic biology, Tesla Model S, The future is already here, The Future of Employment, Thomas Davenport, Travis Kalanick, Turing test, Uber and Lyft, Uber for X, uber lyft, uranium enrichment, Watson beat the top human players on Jeopardy!, zero day

Dan Kloeffler and Alexis Shaw, “Dick Cheney feared assassination via medical device hacking: ‘I was aware of the danger,’ ” ABC News 19 October 2013, http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434 (accessed 21 October 2016). 2. Kim Zetter, “An unprecedented look at Stuxnet, the world’s first digital weapon,” WIRED 3 November 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet (accessed 21 October 2016) 3. “What happened,” U.S. Office of Personnel Management (undated), https://www.opm.gov/cybersecurity/cybersecurity-incidents (accessed 21 October 2016). 4. Casey Newton, “The mind-bending messiness of the Ashley Madison data dump,” the Verge 19 August 2015, http://www.theverge.com/2015/8/19/9178855/ashley-madison-data-breach-implications (accessed 21 October 2016). 5.


pages: 200 words: 54,897

Flash Boys: Not So Fast: An Insider's Perspective on High-Frequency Trading by Peter Kovac

bank run, barriers to entry, bash_history, Bernie Madoff, compensation consultant, computerized markets, computerized trading, Flash crash, housing crisis, index fund, locking in a profit, London Whale, market microstructure, merger arbitrage, payment for order flow, prediction markets, price discovery process, proprietary trading, Sergey Aleynikov, Spread Networks laid a new fibre optics cable between New York and Chicago, transaction costs, zero day

And why compare to 2010, 2011, and 2012, with the European debt crisis threatening to blow apart Europe in a way that the U.S. housing crisis couldn’t?[57] The answer is that the data fits his argument best when you slice it this way. The period from 2004 to 2006 comprises the quietest years on record – there were absolutely zero days where the market dropped by 2% or more, and only two days in those three years where the market rose by 2%. For contrast, in 2003 alone the market had 15 days where it rose or fell more than 2%. In 2002, there were more than 50 such days. So it’s no surprise that Lewis excluded 2002 and 2003 from his “quiet” years.


pages: 365 words: 56,751

Cryptoeconomics: Fundamental Principles of Bitcoin by Eric Voskuil, James Chiang, Amir Taaki

bank run, banks create money, bitcoin, blockchain, break the buck, cashless society, cognitive dissonance, cryptocurrency, delayed gratification, en.wikipedia.org, foreign exchange controls, Fractional reserve banking, Free Software Foundation, global reserve currency, Joseph Schumpeter, market clearing, Metcalfe’s law, Money creation, money market fund, Network effects, peer-to-peer, price stability, reserve currency, risk free rate, seigniorage, smart contracts, social graph, time value of money, Turing test, zero day, zero-sum game

Similarly, dependency on external independently updated libraries has the same effect. In other words it is not possible for there to be just one implementation. In the case of the initial Bitcoin implementation both upgrade of the client [469] and upgrade of an external dependency [470] have resulted in unintended chain splits and material financial loss [471]. Additionally, zero-day [472] flaws in this implementation have been published without notice [473] and could have produced a global stall. A single implementation would produce a weakness directly analogous to that of a living species with genetic uniformity. In the case of a single implementation, both internal and external updates penetrate the economy quickly and deeply.


pages: 547 words: 160,071

Underground by Suelette Dreyfus

airport security, Free Software Foundation, invisible hand, John Markoff, Julian Assange, Loma Prieta earthquake, military-industrial complex, packet switching, PalmPilot, pirate software, profit motive, publish or perish, RFC: Request For Comment, Ronald Reagan, Stephen Hawking, Steven Levy, Strategic Defense Initiative, Stuxnet, uranium enrichment, urban decay, WikiLeaks, zero day

Sanger, ‘Israeli Test on Worm Called Crucial in Iran Nuclear Delay’, New York Times online, 15 January, 2011. See: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=3&_r=1 11. Ibid. 12. Ryan Naraine, ‘Stuxnet attackers used 4 Windows zero-day exploits’, Zdnet, 14 September, 2010. See: http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347 13. Thomas Erdbrink, ‘Iranian nuclear scientist killed, another injured in Tehran bombings’, The Washington Post, 29 November, 2010. See: http://www.washingtonpost.com/wp-dyn/content/article/2010/11/29/AR2010112901560.html 14.


pages: 562 words: 153,825

Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman

4chan, A Declaration of the Independence of Cyberspace, Aaron Swartz, active measures, air gap, Anton Chekhov, Big Tech, bitcoin, Cass Sunstein, Citizen Lab, cloud computing, corporate governance, crowdsourcing, data acquisition, data science, Debian, desegregation, Donald Trump, Edward Snowden, end-to-end encryption, evil maid attack, financial independence, Firefox, GnuPG, Google Hangouts, housing justice, informal economy, information security, Jacob Appelbaum, job automation, John Perry Barlow, Julian Assange, Ken Thompson, Laura Poitras, MITM: man-in-the-middle, national security letter, off-the-grid, operational security, planetary scale, private military company, ransomware, Reflections on Trusting Trust, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, seminal paper, Seymour Hersh, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, TED Talk, telepresence, the long tail, undersea cable, Wayback Machine, web of trust, WikiLeaks, zero day, Zimmermann PGP

He guided them on a virtual tour of Chinese hacking consortia, illustrating a range of attacks from simple phishing emails to sophisticated “intrusion sets” of computer code that burrowed into an exposed machine and stayed there. The Beijing government often exploited previously unknown security flaws to gain entry. That kind of flaw was called a Zero Day because attackers used it before the first day, Day 1, that anyone else became aware of the threat. Despite the stealth of that kind of attack, Snowden showed participants how to work and communicate safely in an untrusted environment. One of the habits he taught them became a signature moment in the Laura Poitras film Citizen Four.

., 275–76 in intelligence community, 368 need for action as core value of, 296 and public’s right to know, 334–35 rarity of, 295–96 WikiLeaks, 25, 256 Williams, Pete, 186 Williams & Connolly, 100, 102, 185 Wizner, Ben, 321–22 Wyden, Ron, NSA hearings of, 164–65 XKEYSCORE (NSA targeting interface), 86, 87, 332 Yahoo, 299–300, 337 Zarqawi, Abu Musab, killing of, 212 Zero Day cyber attacks, 58 Zimmerman, Phil, 365

ABOUT THE AUTHOR

Barton Gellman is a critically honored author, journalist and blogger based at the Century Foundation in New York. A longtime writer for The Washington Post, Gellman has led multiple teams to a Pulitzer Prize and was a member of the team that won the 2002 Pulitzer for National Reporting for coverage of the 9/11 attacks and their aftermath.


pages: 592 words: 161,798

The Future of War by Lawrence Freedman

Albert Einstein, autonomous vehicles, Berlin Wall, Black Swan, Boeing 747, British Empire, colonial rule, conceptual framework, crowdsourcing, cuban missile crisis, currency manipulation / currency intervention, disinformation, Donald Trump, Dr. Strangelove, driverless car, drone strike, en.wikipedia.org, energy security, Ernest Rutherford, failed state, Fall of the Berlin Wall, Francis Fukuyama: the end of history, global village, Google Glasses, Herman Kahn, Intergovernmental Panel on Climate Change (IPCC), John Markoff, long peace, megacity, Mikhail Gorbachev, military-industrial complex, moral hazard, mutually assured destruction, New Journalism, Norbert Wiener, nuclear taboo, open economy, pattern recognition, Peace of Westphalia, RAND corporation, Ronald Reagan, South China Sea, speech recognition, Steven Pinker, Strategic Defense Initiative, Stuxnet, Suez canal 1869, Suez crisis 1956, systematic bias, the scientific method, uranium enrichment, urban sprawl, Valery Gerasimov, Wargames Reagan, WarGames: Global Thermonuclear War, WikiLeaks, zero day

Strategic Studies Institute: US Army War College, 2009. Zartman, William. Collapsed States: The disintegration and restoration of legitimate authority. Boulder, CO: Lynne Rienner, 1995. Zedong, Mao. On Guerrilla Warfare, trans. Samuel B. Griffith. Urbana: University of Illinois Press, 2000. Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Crown, 2014. Zimmerman, Warren. Origins of a Catastrophe: Yugoslavia and its Destroyers. New York: Times Books, 1996. Zwierzchowski, Jan, and Ewa Tabeau. ‘The 1992–95 War in Bosnia and Herzegovina: Census-based Multiple System Estimation of Casualties’ Undercount’.

Anna Mulrine, ‘CIA Chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack’, Christian Science Monitor, 9 June 2011. Adm. Mike Mullen, quoted in Marcus Weisgerber, ‘DoD to Release Public Version of Cyber Strategy’, Defense News, 8 July 2011. Both cited by Lindsay. 20. Berkowitz 143. 21. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). 22. Kaplan 275. 23. Cited in Aaron Franklin Brantly, The Decision to Attack: Military and Intelligence Cyber-Decision-Making (Athens, GA: University of Georgia Press, 2016) 39. 24. Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38. (2015): 1–2. 25.


pages: 678 words: 159,840

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaël Hertzog, Roland Mas

bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, end-to-end encryption, failed state, Firefox, Free Software Foundation, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, Neal Stephenson, NP-complete, precautionary principle, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, SQL injection, Valgrind, web application, zero day, Zimmermann PGP

In the Free Software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.

VOCABULARY Zero-day exploit

A zero-day exploit attack is hard to prevent; the term covers a vulnerability that is not yet known to the authors of the program.

14.5.4. Managing a Machine as a Whole

Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine.


Engineering Security by Peter Gutmann

active measures, address space layout randomization, air gap, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, cognitive load, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, Dr. Strangelove, Dunning–Kruger effect, en.wikipedia.org, endowment effect, false flag, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, Hacker News, information security, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Gilmore, John Markoff, John von Neumann, Ken Thompson, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Multics, Network effects, nocebo, operational security, Paradox of Choice, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, quantum cryptography, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, rolling blackouts, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, seminal paper, Skype, slashdot, smart meter, social intelligence, speech recognition, SQL injection, statistical model, Steve Jobs, Steven Pinker, Stuxnet, sunk-cost fallacy, supply-chain attack, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Tragedy of the Commons, Turing complete, Turing machine, Turing test, Wayback Machine, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP

Actually determining the amount of signed malware in circulation is a more or less unsolvable problem (you’d have to have a facility for scanning the entire world’s computers and reliably detecting all malware on them, which, if you could do that, means that you could also remove it all and put an end to malware), but the MMPC results at least provide a representative value for the subset of recent Windows machines with automatic updates active that regularly run the MSRT. The MMPC reports that a staggering one in ten digitally signed files found on Windows PCs is malware, and the majority of this authenticated malware falls into Microsoft’s “severe” or “high” risk category, roughly equivalent in threat level to a zero-day rootkit (presumably the malware authors know which of their products are the most effective and only bother signing those, leaving the less effective malware to take its chances as ordinary unsigned content). So in this case the use of code-signing really does provide a “trust and quality assurance mechanism” [387], because when users encounter a CA-certified signed rootkit or worm they can trust that they’ve been infected by the best-quality malware.

Making the Realtek/JMicron signed-malware debacle even more entertaining was the fact that one of the principal systems targeted by the malware is a Siemens SCADA (industrial control) system that uses a hardcoded password 2WSXcder that can’t be changed because doing so causes the system to stop working [429] and that had been circulating on the Internet for years, including being posted to a Siemens online forum in Russia [430] as well as in online lists of default passwords [431] (this situation isn’t unique to Siemens embedded systems, with one Internet scan finding over half a million embedded devices across more than 17,000 organisations in 144 countries that were publicly accessible and used manufacturer-default passwords [432]). Even the well-known secret password was a relatively minor issue compared to (apparently unfixable) exploitable design flaws in the SCADA control software [433], a so-called forever-day exploit (named as a play on the term zero-day or 0-day exploit), one that the vendor has no intention of ever fixing [434] with all manner of alarming security implications [435]. (The reason for this poor level of security is that SCADA systems rate availability above everything else, so that anything that affects, or potentially affects, availability is strongly avoided.

[426] “Another Signed Stuxnet Binary”, Sean Sullivan, 20 July 2010, http://www.f-secure.com/weblog/archives/00001993.html. [427] “New Stuxnet-Related Malware Signed Using Certificate from JMicron”, Lucian Constantin, 20 July 2010, http://news.softpedia.com/news/NewStuxnet-Related-Malware-Signed-Using-Certificate-from-JMicron148213.shtml. [428] “Adobe Reader zero-day attack — now with stolen certificate”, ‘Roel’, 8 September 2010, http://www.securelist.com/en/blog?weblogid=2287. [429] “Siemens warns users: Don’t change passwords after worm attack”, Robert McMillan, 20 July 2010, http://www.infoworld.com/d/securitycentral/siemens-warns-users-dont-change-passwords-after-wormattack-915


pages: 200 words: 72,182

Nickel and Dimed: On (Not) Getting by in America by Barbara Ehrenreich

Alan Greenspan, business process, full employment, housing crisis, income inequality, independent contractor, McMansion, PalmPilot, place-making, post-work, sexual politics, telemarketer, union organizing, wage slave, WeWork, women in the workforce, working poor, zero day

[21] True, this is the one job where my references were actually checked, but what if I were one of those angel-of-death type health workers, who decided to free my charges from their foggy half-lives? More to the point, I am wondering what the two-job way of life would do to a person after a few months with zero days off. In my writing life I normally work seven days a week, but writing is ego food, totally self-supervised and intermittently productive of praise. Here, no one will notice my heroism on that Saturday's shift. (I will later make a point of telling Linda about it and receive only a distracted nod.)


pages: 283 words: 73,093

Social Democratic America by Lane Kenworthy

affirmative action, Affordable Care Act / Obamacare, Alan Greenspan, barriers to entry, basic income, benefit corporation, business cycle, carbon tax, Celtic Tiger, centre right, clean water, collective bargaining, corporate governance, David Brooks, desegregation, Edward Glaeser, endogenous growth, full employment, Gini coefficient, hiring and firing, Home mortgage interest deduction, illegal immigration, income inequality, invisible hand, Kenneth Arrow, labor-force participation, manufacturing employment, market bubble, minimum wage unemployment, new economy, off-the-grid, postindustrial economy, purchasing power parity, race to the bottom, rent-seeking, rising living standards, Robert Gordon, Robert Shiller, Ronald Reagan, school choice, shareholder value, sharing economy, Skype, Steve Jobs, too big to fail, Tyler Cowen, Tyler Cowen: Great Stagnation, union organizing, universal basic income, War on Poverty, working poor, zero day

Here, four changes are needed. One is sickness insurance. We are the only rich nation without a public sickness insurance program.6 Though many large private-sector firms offer employees some paid sickness days, and a few cities and states have a public program, one in three employed Americans gets zero days of paid sick leave.7

FIGURE 3.1 Health expenditures and life expectancy, 1960–2010. The data points are years. The lines are loess curves. Life expectancy: years at birth. Health expenditures: public plus private, as percent of GDP. The other countries are Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Japan, the Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom.


pages: 268 words: 76,702

The System: Who Owns the Internet, and How It Owns Us by James Ball

"World Economic Forum" Davos, behavioural economics, Big Tech, Bill Duvall, bitcoin, blockchain, Cambridge Analytica, Chelsea Manning, cryptocurrency, digital divide, don't be evil, Donald Trump, Douglas Engelbart, Edward Snowden, en.wikipedia.org, fake news, financial engineering, Firefox, Frank Gehry, Internet of things, invention of movable type, Jeff Bezos, jimmy wales, John Gilmore, John Perry Barlow, Julian Assange, Kickstarter, Laura Poitras, Leonard Kleinrock, lock screen, Marc Andreessen, Mark Zuckerberg, Menlo Park, military-industrial complex, Minecraft, Mother of all demos, move fast and break things, Network effects, Oculus Rift, packet switching, patent troll, Peter Thiel, pre–internet, ransomware, RFC: Request For Comment, risk tolerance, Ronald Reagan, Rubik’s Cube, self-driving car, Shoshana Zuboff, Silicon Valley, Silicon Valley startup, Skype, Snapchat, Steve Crocker, Stuxnet, surveillance capitalism, systems thinking, The Chicago School, the long tail, undersea cable, uranium enrichment, WikiLeaks, yield management, zero day

v=XEVlyP4_11M
8. Optic Nerve was first disclosed in a 2014 Snowden story, reported with Spencer Ackerman: https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
9. https://www.ft.com/content/93fe2e28-d83c-11e2-b4a4-00144feab7de
10. https://www.propublica.org/article/claim-on-attacks-thwarted-by-nsa-spreads-despite-lack-of-evidence
11. https://www.npr.org/2018/12/28/677414459/in-chinas-push-for-high-tech-hackers-target-cutting-edge-u-s-firms?t=1550197762515
12. To learn more about Stuxnet, and the massive cyber-programme it was part of, the best source is Alex Gibney’s documentary Zero Days. I reported some of its revelations, with independent corroboration, here: https://www.buzzfeednews.com/article/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma
13. https://www.thebureauinvestigates.com/stories/2018-09-13/bureau-wins-case-to-defend-press-freedom-at-the-european-court-of-human-rights
14. https://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls
15. As with other stories, they did agree to redact certain specific details (for example, particular models of software, or company names, when specific reasons were given).
16. The Guardian version of this story can be viewed here: https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
17. This was helpfully tweeted by the BBC’s technology editor, Rory Cellan-Jones: https://twitter.com/ruskin147/status/1096327971131088896/photo/1
18. The following account of WannaCry is based on interviews with the Symantec staff in the chapter, my own reporting from the time (https://www.buzzfeed.com/jamesball/heres-why-its-unlikely-the-nhs-was-deliberately-targeted-in, https://www.buzzfeed.com/jamesball/gchq-is-facing-questions-over-last-weeks-ransomware-attack, https://www.buzzfeed.com/jamesball/a-highly-critical-report-says-the-nhs-was-hit-by-the), and some details from this later Washington Post report: https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html?


pages: 232 words: 72,483

Immortality, Inc. by Chip Walter

23andMe, Airbnb, Albert Einstein, Arthur D. Levinson, bioinformatics, Buckminster Fuller, cloud computing, CRISPR, data science, disintermediation, double helix, Elon Musk, Isaac Newton, Jeff Bezos, Larry Ellison, Law of Accelerating Returns, life extension, Menlo Park, microbiome, mouse model, pattern recognition, Peter Thiel, phenotype, radical life extension, Ray Kurzweil, Recombinant DNA, Rodney Brooks, self-driving car, Silicon Valley, Silicon Valley startup, Snapchat, South China Sea, SpaceShipOne, speech recognition, statistical model, stem cell, Stephen Hawking, Steve Jobs, TED Talk, Thomas Bayes, zero day

What is the one thing none of us can control? Time, right? At your age, if all goes well, maybe you’ll live another 30 years? That’s 365 x 30, so let’s say 10,000 days.” (That got Doerr’s attention. The idea of days somehow didn’t seem to feel as far away as years.) But wait, it could be worse: What about zero days? Maris told the story of his father’s brain cancer diagnosis. His father asked the doctor how much time he had. The doctor said he never made those predictions anymore, because one time he told a cancer patient that he only had six months to live: 180 days. Well, the man thought, at least I have time to get my affairs in order.


pages: 274 words: 85,557

DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny

Berlin Wall, Bretton Woods, Brian Krebs, BRICs, call centre, Chelsea Manning, Fall of the Berlin Wall, illegal immigration, James Watt: steam engine, Julian Assange, military-industrial complex, MITM: man-in-the-middle, pirate software, Potemkin village, power law, reserve currency, Seymour Hersh, Silicon Valley, Skype, SQL injection, Stuxnet, urban sprawl, white flight, WikiLeaks, zero day

For a broader introduction into some of the challenges emerging as a consequence of Internet technology, Jonathan Zittrain’s The Future of the Internet: And How to Stop It should be the first port of call. Other blogs of real value include Krebsonsecurity by Brian Krebs; Bruce Schneier’s newsletter, Crypto-gram; the blog of F-Secure, the Finnish Computer Security company; and, finally, Dancho Danchev and Ryan Naraine’s Zero Day blog on Znet.

ACKNOWLEDGEMENTS

Writing this book presented many challenges which I could never have met had it not been for the generous assistance I received from a number of friends and colleagues around the world. In Britain, two people played a vital role. Leonida Krushelnycky has proved to be an indefatigable researcher, often uncovering vital material long after I had given up any hope of finding it.


pages: 330 words: 83,319

The New Rules of War: Victory in the Age of Durable Disorder by Sean McFate

Able Archer 83, active measures, anti-communist, barriers to entry, Berlin Wall, blood diamond, Boeing 747, Brexit referendum, cognitive dissonance, commoditize, computer vision, corporate governance, corporate raider, cuban missile crisis, disinformation, Donald Trump, double helix, drone strike, escalation ladder, European colonialism, failed state, fake news, false flag, hive mind, index fund, invisible hand, John Markoff, joint-stock company, military-industrial complex, moral hazard, mutually assured destruction, Nash equilibrium, nuclear taboo, offshore financial centre, pattern recognition, Peace of Westphalia, plutocrats, private military company, profit motive, RAND corporation, ransomware, Ronald Reagan, Silicon Valley, South China Sea, Steve Bannon, Stuxnet, Suez crisis 1956, technoutopianism, vertical integration, Washington Consensus, Westphalian system, yellow journalism, Yom Kippur War, zero day, zero-sum game

On varmint threat, see: Cyber Squirrel 1, 31 January 2018, http://cybersquirrel1.com. 9. Stuxnet hype: Michael Joseph Gross, “A Declaration of Cyber-War,” Vanity Fair, 21 March 2011, www.vanityfair.com/news/2011/03/stuxnet-201104; Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, 3 November 2014, www.wired.com/2014/11/countdown-to-zero-day-stuxnet. 10. Billy Mitchell predicts age of air power: William Mitchell, Winged Defense: The Development and Possibilities of Modern Air Power—Economic and Military (New York: G. P. Putnam’s Sons, 1924), 25–26. 11. Billy Mitchell predicts Pearl Harbor: “Billy Mitchell’s Prophecy,” American Heritage 13, no. 2 (February 1962): www.americanheritage.com/content/billy-mitchell’s-prophecy. 12.


pages: 304 words: 80,143

The Autonomous Revolution: Reclaiming the Future We’ve Sold to Machines by William Davidow, Michael Malone

2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, agricultural Revolution, Airbnb, AlphaGo, American Society of Civil Engineers: Report Card, Automated Insights, autonomous vehicles, basic income, benefit corporation, bitcoin, blockchain, blue-collar work, Bob Noyce, business process, call centre, Cambridge Analytica, cashless society, citizen journalism, Clayton Christensen, collaborative consumption, collaborative economy, collective bargaining, creative destruction, crowdsourcing, cryptocurrency, deep learning, DeepMind, disintermediation, disruptive innovation, distributed ledger, en.wikipedia.org, Erik Brynjolfsson, fake news, Filter Bubble, Ford Model T, Francis Fukuyama: the end of history, general purpose technology, Geoffrey West, Santa Fe Institute, gig economy, Gini coefficient, high-speed rail, holacracy, Hyperloop, income inequality, industrial robot, Internet of things, invention of agriculture, invention of movable type, invention of the printing press, invisible hand, Jane Jacobs, job automation, John Maynard Keynes: Economic Possibilities for our Grandchildren, John Maynard Keynes: technological unemployment, Joseph Schumpeter, license plate recognition, low interest rates, Lyft, Mark Zuckerberg, mass immigration, Network effects, new economy, peer-to-peer lending, QWERTY keyboard, ransomware, Richard Florida, Robert Gordon, robo advisor, Ronald Reagan, Second Machine Age, self-driving car, sharing economy, Shoshana Zuboff, Silicon Valley, Simon Kuznets, Skinner box, Snapchat, speech recognition, streetcar suburb, Stuxnet, surveillance capitalism, synthetic biology, TaskRabbit, The Death and Life of Great American Cities, The Rise and Fall of American Growth, the scientific method, trade route, Turing test, two and twenty, Uber and Lyft, uber lyft, universal basic income, uranium enrichment, urban planning, vertical integration, warehouse automation, zero day, zero-sum game, Zipcar

“Robert Tappan Morris,” Wikipedia, https://en.wikipedia.org/wiki/Robert_Tappan_Morris (accessed June 27, 2019); and “Computer Fraud and Abuse Act,” Wikipedia, https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act (accessed June 27, 2019). 43. Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed June 28, 2019). 44. Gordon Corera, “21st Century Warfare,” BBC, http://www.bbc.co.uk/guides/zq9jmnb#ztq6nbk (accessed June 28, 2019). 45. Steve Morgan, “Cybercrime Damages $6 Trillion by 2021,” Cybersecurity Ventures, October 16, 2017, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (accessed June 28, 2019). 46.


pages: 309 words: 79,414

Going Dark: The Secret Social Lives of Extremists by Julia Ebner

23andMe, 4chan, Airbnb, anti-communist, anti-globalists, augmented reality, Ayatollah Khomeini, Bellingcat, Big Tech, bitcoin, blockchain, Boris Johnson, Cambridge Analytica, citizen journalism, cognitive dissonance, Comet Ping Pong, crisis actor, crowdsourcing, cryptocurrency, deepfake, disinformation, Donald Trump, Dunning–Kruger effect, Elon Musk, fake news, false flag, feminist movement, game design, gamification, glass ceiling, Google Earth, Greta Thunberg, information security, job satisfaction, Mark Zuckerberg, mass immigration, Menlo Park, Mikhail Gorbachev, Network effects, off grid, OpenAI, Overton Window, pattern recognition, pre–internet, QAnon, RAND corporation, ransomware, rising living standards, self-driving car, Silicon Valley, Skype, Snapchat, social intelligence, Social Justice Warrior, SQL injection, Steve Bannon, Steve Jobs, Transnistria, WikiLeaks, zero day

Apart from learning these technical skills, he also recommends a range of infiltration and forgery techniques to get around security boundaries that cannot be solved with hacks alone:

• Get jobs that fill roles that you might find useful to compromise people working within in the future. This means sysadmin stuff, helpdesk stuff, etc. Also, you can usually get into everything at a company just by being hired as a sysad. If you can talk your way into a systems role repeatedly, you don’t need zero-days,25 you can get given the keys to everything.
• Getting a job as a skiptracer26 in the collections industry will give you access to datasets that will turbocharge your ability to dox individuals.
• Become a more competent programmer by submitting git pull27 requests for fixes on outstanding bugs and desired features on well used open source products.


pages: 335 words: 95,549

Confessions of a Bookseller by Shaun Bythell

Airbnb, British Empire, cashless society, credit crunch, Donald Trump, fulfillment center, mail merge, Neil Armstrong, period drama, Skype, zero day

Till Total £162.89
17 Customers

WEDNESDAY, 8 APRIL

Online orders: 6
Orders found: 5

One of the orders was for three books, one of which was brought in by the banana box man yesterday – Outrage, by Ian Nairn, an unusual book. Nairn was an architectural critic who coined the word ‘subtopia’. One person ordering three books online means that the total number of books that went out today was eight: total value £99. Unusually high for our online sales, but it compensates for the two zero days we’ve had in the past week. At 10 a.m. a young Italian woman came in to discuss life in a bookshop for an article she’s writing for a blog. While we were chatting about the hardships facing bookshops today, a customer was browsing and came to the counter with three books. The total was £23. He said ‘You’ll do them for £20, won’t you.’


pages: 360 words: 100,991

Heart of the Machine: Our Future in a World of Artificial Emotional Intelligence by Richard Yonck

3D printing, AI winter, AlphaGo, Apollo 11, artificial general intelligence, Asperger Syndrome, augmented reality, autism spectrum disorder, backpropagation, Berlin Wall, Bletchley Park, brain emulation, Buckminster Fuller, call centre, cognitive bias, cognitive dissonance, computer age, computer vision, Computing Machinery and Intelligence, crowdsourcing, deep learning, DeepMind, Dunning–Kruger effect, Elon Musk, en.wikipedia.org, epigenetics, Fairchild Semiconductor, friendly AI, Geoffrey Hinton, ghettoisation, industrial robot, Internet of things, invention of writing, Jacques de Vaucanson, job automation, John von Neumann, Kevin Kelly, Law of Accelerating Returns, Loebner Prize, Menlo Park, meta-analysis, Metcalfe’s law, mirror neurons, Neil Armstrong, neurotypical, Nick Bostrom, Oculus Rift, old age dependency ratio, pattern recognition, planned obsolescence, pneumatic tube, RAND corporation, Ray Kurzweil, Rodney Brooks, self-driving car, Skype, social intelligence, SoftBank, software as a service, SQL injection, Stephen Hawking, Steven Pinker, superintelligent machines, technological singularity, TED Talk, telepresence, telepresence robot, The future is already here, The Future of Employment, the scientific method, theory of mind, Turing test, twin studies, Two Sigma, undersea cable, Vernor Vinge, Watson beat the top human players on Jeopardy!, Whole Earth Review, working-age population, zero day

Its developers will certainly do what they can to make their work and devices user-friendly, but beyond this there will be the hackers, the entrepreneurs, the DIY innovators who will seek to unravel the mysteries of the technology and in doing so bestow far more of its awesome power upon anyone who wants it, including the technically unskilled. It sounds ridiculous, but this is exactly what we’ve seen in recent years as hackers have made what was once hard-won knowledge and skill available to all at very affordable prices. Distributed denial of service (DDOS) attacks, SQL injections, brute force password cracking, botnet services, and zero-day exploits are all hacking methods that once required sophisticated expertise to perform. Today anyone with money and an Internet connection can access the “Dark Web” and find these tools available for purchase—complete with user-friendly interfaces. Tomorrow’s world will find much more for sale, and emotional computing tools will most certainly be among them.


pages: 324 words: 96,491

Messing With the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News by Clint Watts

4chan, active measures, Affordable Care Act / Obamacare, barriers to entry, behavioural economics, Bellingcat, Berlin Wall, Bernie Sanders, Black Lives Matter, Cambridge Analytica, Chelsea Manning, Climatic Research Unit, crowdsourcing, Daniel Kahneman / Amos Tversky, disinformation, Donald Trump, drone strike, Edward Snowden, en.wikipedia.org, Erik Brynjolfsson, failed state, fake news, Fall of the Berlin Wall, false flag, Filter Bubble, global pandemic, Google Earth, Hacker News, illegal immigration, information security, Internet of things, Jacob Silverman, Julian Assange, loss aversion, Mark Zuckerberg, Mikhail Gorbachev, mobile money, mutually assured destruction, obamacare, Occupy movement, offshore financial centre, operational security, pre–internet, Russian election interference, Sheryl Sandberg, side project, Silicon Valley, Snapchat, Steve Bannon, the long tail, The Wisdom of Crowds, Turing test, University of East Anglia, Valery Gerasimov, WikiLeaks, Yochai Benkler, zero day

APTs, unlike common cybercriminals or hacker collectives, have sufficient resourcing to stay on their targets until they penetrate the systems they desire to access. APTs use a range of techniques, from the simple to the complex, employing all forms of social engineering and specifically tailored malware known as “zero days.” The Russian APTs were known in the cybersecurity world as APT28 (code name: Fancy Bear) and APT29 (Cozy Bear). Cozy and Fancy Bear represented competing Russian hacker groups seeking access and compromising information from democratically elected officials adversarial to Russia, media personalities (particularly reporters who interfaced with anonymous sources), military leaders, and academic researchers and policy think tanks studying Russia.


pages: 309 words: 96,168

Masters of Scale: Surprising Truths From the World's Most Successful Entrepreneurs by Reid Hoffman, June Cohen, Deron Triff

"Susan Fowler" uber, 23andMe, 3D printing, Airbnb, Anne Wojcicki, Ben Horowitz, bitcoin, Blitzscaling, Broken windows theory, Burning Man, call centre, chief data officer, clean water, collaborative consumption, COVID-19, crowdsourcing, data science, desegregation, do well by doing good, Elon Musk, financial independence, fulfillment center, gender pay gap, global macro, growth hacking, hockey-stick growth, Internet of things, knowledge economy, late fees, Lean Startup, lone genius, Marc Benioff, Mark Zuckerberg, minimum viable product, move fast and break things, Network effects, Paul Graham, Peter Thiel, polynesian navigation, race to the bottom, remote working, RFID, Ronald Reagan, Rubik’s Cube, Ruby on Rails, Salesforce, Sam Altman, Sheryl Sandberg, Silicon Valley, Silicon Valley startup, social distancing, Steve Jobs, Susan Wojcicki, TaskRabbit, TechCrunch disrupt, TED Talk, the long tail, the scientific method, Tim Cook: Apple, Travis Kalanick, two and twenty, work culture , Y Combinator, zero day, Zipcar

“The customer experience of Rent the Runway is not the website or an app. That is easy,” Jenn says. “The customer experience is receiving back millions of units of worn clothing, capturing data on those units, restoring them to perfect condition, dry-cleaning them, repairing them, reassembling them with new units and shipping them out—often with a zero-day turnaround time.” Jenn hadn’t anticipated any of that process when the idea first came to her. “We’ve had to build all of our underlying logistics technology from scratch,” she says. “I really did think that we were going to be able to outsource part of our technology stack. I thought that we’d be able to outsource, potentially, our dry-cleaning at the very beginning.”


pages: 350 words: 107,834

Halting State by Charles Stross

augmented reality, book value, Boris Johnson, call centre, forensic accounting, game design, Google Earth, hiring and firing, illegal immigration, impulse control, indoor plumbing, Intergovernmental Panel on Climate Change (IPCC), invention of the steam engine, Ken Thompson, lifelogging, Necker cube, no-fly zone, operational security, Potemkin village, RFID, Schrödinger's Cat, Vernor Vinge, zero day

“The question isn’t where Team Red got the keys to the realm from: Hayek Associates have a copy of the one-time pad, because they’re sniffing on everything. The question is, Who inside Hayek Associates leaked the pad, via the blacknet? Barry’s gotten through to the disaster planning people. They’ve generated fresh master pads, and they’re pushing copies out to the main switches by courier—they’re implementing the national zero-day exploit plan. The goal is to throw the switch at noon, at which point all Team Red’s careful work goes down the toilet. Then they’ll reboot CopSpace completely and load freshly signed certificates for the dot-sco domain by hand on the root servers, and a bunch more fiddly stuff. But the main thing is, once they change the one-time pads for admin access to the national backbone routers, Team Red will be unable to tap traffic at will.


pages: 324 words: 106,699

Permanent Record by Edward Snowden

A Declaration of the Independence of Cyberspace, Aaron Swartz, air gap, Berlin Wall, call centre, Chelsea Manning, cloud computing, cognitive dissonance, company town, disinformation, drone strike, Edward Snowden, Fall of the Berlin Wall, Free Software Foundation, information security, it's over 9,000, job-hopping, John Perry Barlow, Julian Assange, Laura Poitras, Mark Zuckerberg, McMansion, Neal Stephenson, Occupy movement, off-the-grid, operational security, pattern recognition, peak oil, pre–internet, Rubik’s Cube, Silicon Valley, Skype, Snow Crash, sovereign wealth fund, surveillance capitalism, trade route, WikiLeaks, zero day

Yet even given that knowledge, I still struggle to accept the sheer magnitude and speed of the change, from an America that sought to define itself by a calculated and performative respect for dissent to a security state whose militarized police demand obedience, drawing their guns and issuing the order for total submission now heard in every city: “Stop resisting.” This is why whenever I try to understand how the last two decades happened, I return to that September—to that ground-zero day and its immediate aftermath. To return to that fall means coming up against a truth darker than the lies that tied the Taliban to al-Qaeda and conjured up Saddam Hussein’s illusory stockpile of WMDs. It means, ultimately, confronting the fact that the carnage and abuses that marked my young adulthood were born not only in the executive branch and the intelligence agencies, but also in the hearts and minds of all Americans, myself included.


pages: 339 words: 103,546

Blood and Oil: Mohammed Bin Salman's Ruthless Quest for Global Power by Bradley Hope, Justin Scheck

"World Economic Forum" Davos, augmented reality, Ayatollah Khomeini, Boston Dynamics, clean water, coronavirus, distributed generation, Donald Trump, Downton Abbey, Elon Musk, Exxon Valdez, financial engineering, Google Earth, high net worth, Jeff Bezos, Marc Andreessen, Mark Zuckerberg, Masayoshi Son, megaproject, MITM: man-in-the-middle, new economy, NSO Group, Peter Thiel, public intellectual, ride hailing / ride sharing, Sand Hill Road, Silicon Valley, SoftBank, South of Market, San Francisco, sovereign wealth fund, starchitect, Steve Bannon, Steve Jobs, tech billionaire, Tim Cook: Apple, trade route, traumatic brain injury, Travis Kalanick, Uber for X, urban planning, Virgin Galactic, Vision Fund, WeWork, women in the workforce, young professional, zero day

It only sold the system to governments that it deemed would use it for acceptable purposes and required Israeli government permission for each sale. Qatar was denied access, while the UAE purchased not one but three $50 million annual subscriptions for different intelligence-related organizations in its government. The high cost came down to NSO’s use of “zero-day” exploits, a term for loopholes in widely used software that even big companies like Microsoft, Google, and Apple don’t know about. Its researchers work to find those holes and create programs that exploit them to gain control of or access to devices. The only problem with providing such a powerful tool to other governments, including authoritarian monarchies, is their extremely limited oversight.


pages: 386 words: 116,233

The Millionaire Fastlane: Crack the Code to Wealth and Live Rich for a Lifetime by Mj Demarco

8-hour work day, Albert Einstein, AltaVista, back-to-the-land, Bernie Madoff, bounce rate, business logic, business process, butterfly effect, buy and hold, cloud computing, commoditize, dark matter, delayed gratification, demand response, do what you love, Donald Trump, drop ship, fear of failure, financial engineering, financial independence, fixed income, housing crisis, Jeff Bezos, job-hopping, Lao Tzu, Larry Ellison, low interest rates, Mark Zuckerberg, multilevel marketing, passive income, passive investing, payday loans, planned obsolescence, Ponzi scheme, price anchoring, Ronald Reagan, subscription business, upwardly mobile, wealth creators, white picket fence, World Values Survey, zero day

While I worked my plan, I gave 7-for-0 (I worked seven days and didn't take a day off) because I knew the roads on my roadmap converged with dreams. I worked for a better ratio in the near future, not in 40 years. I controlled my destiny and eventually my time trade investment yielded a dividend of 40 years. Now I do 0-for-7. I work zero days and get seven days of freedom. Sadly, if you are entrenched in the Slowlane, your options to shatter this negative 60% return for your freedom is restricted. Remember, wealth is defined by freedom, and if you require proof, look no further than Friday night when people celebrate freedom as the Slowlane dictatorship takes a weekend furlough.


pages: 1,172 words: 114,305

New Laws of Robotics: Defending Human Expertise in the Age of AI by Frank Pasquale

affirmative action, Affordable Care Act / Obamacare, Airbnb, algorithmic bias, Amazon Mechanical Turk, Anthropocene, augmented reality, Automated Insights, autonomous vehicles, basic income, battle of ideas, Bernie Sanders, Big Tech, Bill Joy: nanobots, bitcoin, blockchain, Brexit referendum, call centre, Cambridge Analytica, carbon tax, citizen journalism, Clayton Christensen, collective bargaining, commoditize, computer vision, conceptual framework, contact tracing, coronavirus, corporate social responsibility, correlation does not imply causation, COVID-19, critical race theory, cryptocurrency, data is the new oil, data science, decarbonisation, deep learning, deepfake, deskilling, digital divide, digital twin, disinformation, disruptive innovation, don't be evil, Donald Trump, Douglas Engelbart, driverless car, effective altruism, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, Evgeny Morozov, fake news, Filter Bubble, finite state, Flash crash, future of work, gamification, general purpose technology, Google Chrome, Google Glasses, Great Leap Forward, green new deal, guns versus butter model, Hans Moravec, high net worth, hiring and firing, holacracy, Ian Bogost, independent contractor, informal economy, information asymmetry, information retrieval, interchangeable parts, invisible hand, James Bridle, Jaron Lanier, job automation, John Markoff, Joi Ito, Khan Academy, knowledge economy, late capitalism, lockdown, machine readable, Marc Andreessen, Mark Zuckerberg, means of production, medical malpractice, megaproject, meta-analysis, military-industrial complex, Modern Monetary Theory, Money creation, move fast and break things, mutually assured destruction, natural language processing, new economy, Nicholas Carr, Nick Bostrom, Norbert Wiener, nuclear winter, obamacare, One Laptop per Child (OLPC), open immigration, OpenAI, opioid epidemic / opioid crisis, paperclip maximiser, paradox of thrift, pattern recognition, payday loans, personalized medicine, Peter Singer: altruism, Philip Mirowski, pink-collar, plutocrats, post-truth, pre–internet, profit motive, public intellectual, QR code, quantitative easing, race to the bottom, RAND corporation, Ray Kurzweil, recommendation engine, regulatory arbitrage, Robert Shiller, Rodney Brooks, Ronald Reagan, self-driving car, sentiment analysis, Shoshana Zuboff, Silicon Valley, Singularitarianism, smart cities, smart contracts, software is eating the world, South China Sea, Steve Bannon, Strategic Defense Initiative, surveillance capitalism, Susan Wojcicki, tacit knowledge, TaskRabbit, technological solutionism, technoutopianism, TED Talk, telepresence, telerobotics, The Future of Employment, The Turner Diaries, Therac-25, Thorstein Veblen, too big to fail, Turing test, universal basic income, unorthodox policies, wage slave, Watson beat the top human players on Jeopardy!, working poor, workplace surveillance, Works Progress Administration, zero day

Complaints about privacy violations and excess regimentation are rife. “Virtual charter schools” have taught at least three hundred thousand students in the United States, promising online content for home schoolers. But the track record of many is extraordinarily poor. In some instances, 180 days of “learning” at cyber-charters was equivalent to zero days in a regular classroom—in other words, there was no educational attainment whatsoever. Similarly, many online postsecondary institutions are dogged by poor job placement rates, spotty instruction, and, at worst, lawsuits accusing them of simply being scams. As Audrey Watters explains, these failures should not be a surprise.


pages: 444 words: 117,770

The Coming Wave: Technology, Power, and the Twenty-First Century's Greatest Dilemma by Mustafa Suleyman

"World Economic Forum" Davos, 23andMe, 3D printing, active measures, Ada Lovelace, additive manufacturing, agricultural Revolution, AI winter, air gap, Airbnb, Alan Greenspan, algorithmic bias, Alignment Problem, AlphaGo, Alvin Toffler, Amazon Web Services, Anthropocene, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, ASML, autonomous vehicles, backpropagation, barriers to entry, basic income, benefit corporation, Big Tech, biodiversity loss, bioinformatics, Bletchley Park, Blitzscaling, Boston Dynamics, business process, business process outsourcing, call centre, Capital in the Twenty-First Century by Thomas Piketty, ChatGPT, choice architecture, circular economy, classic study, clean tech, cloud computing, commoditize, computer vision, coronavirus, corporate governance, correlation does not imply causation, COVID-19, creative destruction, CRISPR, critical race theory, crowdsourcing, cryptocurrency, cuban missile crisis, data science, decarbonisation, deep learning, deepfake, DeepMind, deindustrialization, dematerialisation, Demis Hassabis, disinformation, drone strike, drop ship, dual-use technology, Easter island, Edward Snowden, effective altruism, energy transition, epigenetics, Erik Brynjolfsson, Ernest Rutherford, Extinction Rebellion, facts on the ground, failed state, Fairchild Semiconductor, fear of failure, flying shuttle, Ford Model T, future of work, general purpose technology, Geoffrey Hinton, global pandemic, GPT-3, GPT-4, hallucination problem, hive mind, hype cycle, Intergovernmental Panel on Climate Change (IPCC), Internet Archive, Internet of things, invention of the wheel, job automation, John Maynard Keynes: technological unemployment, John von Neumann, Joi Ito, Joseph Schumpeter, Kickstarter, lab leak, large language model, Law of Accelerating Returns, Lewis Mumford, license plate recognition, lockdown, machine readable, Marc Andreessen, meta-analysis, microcredit, move 37, Mustafa Suleyman, mutually assured 
destruction, new economy, Nick Bostrom, Nikolai Kondratiev, off grid, OpenAI, paperclip maximiser, personalized medicine, Peter Thiel, planetary scale, plutocrats, precautionary principle, profit motive, prompt engineering, QAnon, quantum entanglement, ransomware, Ray Kurzweil, Recombinant DNA, Richard Feynman, Robert Gordon, Ronald Reagan, Sam Altman, Sand Hill Road, satellite internet, Silicon Valley, smart cities, South China Sea, space junk, SpaceX Starlink, stealth mode startup, stem cell, Stephen Fry, Steven Levy, strong AI, synthetic biology, tacit knowledge, tail risk, techlash, techno-determinism, technoutopianism, Ted Kaczynski, the long tail, The Rise and Fall of American Growth, Thomas Malthus, TikTok, TSMC, Turing test, Tyler Cowen, Tyler Cowen: Great Stagnation, universal basic income, uranium enrichment, warehouse robotics, William MacAskill, working-age population, world market for maybe five computers, zero day

The more this is done publicly and collectively, the better, enabling all developers to learn from one another. Again, it’s high time that all big tech companies proactively collaborate here, quickly sharing insights about novel risks, just like the cybersecurity industry has long shared knowledge of new zero-day attacks. It’s also time to create government-funded red teams that would rigorously attack and stress test every system, ensuring that insights discovered along the way are shared widely across the industry. Eventually, this work could be scaled and automated, with publicly mandated AI systems designed specifically to audit and spot problems in others, while also allowing themselves to be audited.


pages: 444 words: 118,393

The Nature of Software Development: Keep It Simple, Make It Valuable, Build It Piece by Piece by Ron Jeffries

Amazon Web Services, anti-pattern, bitcoin, business cycle, business intelligence, business logic, business process, c2.com, call centre, cloud computing, continuous integration, Conway's law, creative destruction, dark matter, data science, database schema, deep learning, DevOps, disinformation, duck typing, en.wikipedia.org, fail fast, fault tolerance, Firefox, Hacker News, industrial robot, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, Kanban, Kubernetes, load shedding, loose coupling, machine readable, Mars Rover, microservices, Minecraft, minimum viable product, MITM: man-in-the-middle, Morris worm, move fast and break things, OSI model, peer-to-peer lending, platform as a service, power law, ransomware, revision control, Ruby on Rails, Schrödinger's Cat, Silicon Valley, six sigma, software is eating the world, source of truth, SQL injection, systems thinking, text mining, time value of money, transaction costs, Turing machine, two-pizza team, web application, zero day

Once you know that vulnerability exists, it should just be a matter of updating to a patched version and redeploying. But who keeps track of the patch level of all their dependencies? Most developers don’t even know what all is in their dependency tree. Sadly, most successful attacks are not the exciting “zero day, rush to patch before they get it” kind of thing that makes those cringe-worthy scenes in big budget thrillers. Most attacks are mundane. A workbench-style tool probes IP addresses for hundreds of vulnerabilities, some of them truly ancient. The attacker may just collect an inventory of targets and weaknesses, or they may run automated exploits to add the machine to a growing collection of compromised minions.


pages: 472 words: 117,093

Machine, Platform, Crowd: Harnessing Our Digital Future by Andrew McAfee, Erik Brynjolfsson

"World Economic Forum" Davos, 3D printing, additive manufacturing, AI winter, Airbnb, airline deregulation, airport security, Albert Einstein, algorithmic bias, AlphaGo, Amazon Mechanical Turk, Amazon Web Services, Andy Rubin, AOL-Time Warner, artificial general intelligence, asset light, augmented reality, autism spectrum disorder, autonomous vehicles, backpropagation, backtesting, barriers to entry, behavioural economics, bitcoin, blockchain, blood diamond, British Empire, business cycle, business process, carbon footprint, Cass Sunstein, centralized clearinghouse, Chris Urmson, cloud computing, cognitive bias, commoditize, complexity theory, computer age, creative destruction, CRISPR, crony capitalism, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, data science, Dean Kamen, deep learning, DeepMind, Demis Hassabis, discovery of DNA, disintermediation, disruptive innovation, distributed ledger, double helix, driverless car, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, Ethereum, ethereum blockchain, everywhere but in the productivity statistics, Evgeny Morozov, fake news, family office, fiat currency, financial innovation, general purpose technology, Geoffrey Hinton, George Akerlof, global supply chain, Great Leap Forward, Gregor Mendel, Hernando de Soto, hive mind, independent contractor, information asymmetry, Internet of things, inventory management, iterative process, Jean Tirole, Jeff Bezos, Jim Simons, jimmy wales, John Markoff, joint-stock company, Joseph Schumpeter, Kickstarter, Kiva Systems, law of one price, longitudinal study, low interest rates, Lyft, Machine translation of "The spirit is willing, but the flesh is weak." 
to Russian and back, Marc Andreessen, Marc Benioff, Mark Zuckerberg, meta-analysis, Mitch Kapor, moral hazard, multi-sided market, Mustafa Suleyman, Myron Scholes, natural language processing, Network effects, new economy, Norbert Wiener, Oculus Rift, PageRank, pattern recognition, peer-to-peer lending, performance metric, plutocrats, precision agriculture, prediction markets, pre–internet, price stability, principal–agent problem, Project Xanadu, radical decentralization, Ray Kurzweil, Renaissance Technologies, Richard Stallman, ride hailing / ride sharing, risk tolerance, Robert Solow, Ronald Coase, Salesforce, Satoshi Nakamoto, Second Machine Age, self-driving car, sharing economy, Silicon Valley, Skype, slashdot, smart contracts, Snapchat, speech recognition, statistical model, Steve Ballmer, Steve Jobs, Steven Pinker, supply-chain management, synthetic biology, tacit knowledge, TaskRabbit, Ted Nelson, TED Talk, the Cathedral and the Bazaar, The Market for Lemons, The Nature of the Firm, the strength of weak ties, Thomas Davenport, Thomas L Friedman, too big to fail, transaction costs, transportation-network company, traveling salesman, Travis Kalanick, Two Sigma, two-sided market, Tyler Cowen, Uber and Lyft, Uber for X, uber lyft, ubercab, Vitalik Buterin, warehouse robotics, Watson beat the top human players on Jeopardy!, winner-take-all economy, yield management, zero day

Patrick Byrne, CEO of online retailer Overstock.com, has been a blockchain advocate since the early days of Bitcoin. Overstock became the first major e-commerce store to accept the digital currency, in September 2014. Byrne went on to create a subsidiary, TØ.com, that uses blockchain to track the exchange of financial assets. The name comes from the fact that trades on the platform settle in zero days as opposed to three days later (T+3), which is the norm on Wall Street. Overstock used TØ.com to offer $25 million in corporate bonds in June of 2015. In March of 2016 it announced it was making a public offering of preferred stock, utilizing blockchain. Both of these were world firsts. In October of 2015, Nasdaq launched Linq, a solution enabling private companies to digitally record share ownership using blockchain technology.


pages: 398 words: 120,801

Little Brother by Cory Doctorow

Aaron Swartz, airport security, Bayesian statistics, Berlin Wall, citizen journalism, Firefox, game design, Golden Gate Park, Haight Ashbury, Internet Archive, Isaac Newton, Jane Jacobs, Jeff Bezos, John Gilmore, John Perry Barlow, mail merge, Mitch Kapor, MITM: man-in-the-middle, Neal Stephenson, RFID, San Francisco homelessness, Sand Hill Road, Silicon Valley, slashdot, Steve Jobs, Steve Wozniak, Thomas Bayes, web of trust, zero day

There are hundreds of people working for the DHS on Xnet right now. I have their names, handles and keys. Private and public.
> Within days of the Xnet launch, we went to work on exploiting ParanoidLinux. The exploits so far have been small and insubstantial, but a break is inevitable. Once we have a zero-day break, you're dead.
> I think it's safe to say that if my handlers knew that I was typing this, my ass would be stuck in Gitmo-by-the-Bay until I was an old woman.
> Even if they don't break ParanoidLinux, there are poisoned ParanoidXbox distros floating around. They don't match the checksums, but how many people look at the checksums?


pages: 368 words: 145,841

Financial Independence by John J. Vento

Affordable Care Act / Obamacare, Albert Einstein, asset allocation, diversification, diversified portfolio, estate planning, financial independence, fixed income, high net worth, Home mortgage interest deduction, low interest rates, money market fund, mortgage debt, mortgage tax deduction, oil shock, Own Your Own Home, passive income, retail therapy, risk tolerance, the rule of 72, time value of money, transaction costs, young professional, zero day

That means benefits can start 0, 20, 30, 60, 90, or 100 days after you start using long-term care or become disabled. How many days you have to wait for benefits to start will depend on the elimination period you pick when you buy your policy. You might be able to choose a policy with a zero-day elimination period but expect it to cost significantly more. Protecting against inflation can be one of the most important additions you can make to a long-term care insurance policy, although it will increase the premium you pay. If your benefits do not increase over time, years from now, you may find that they have not kept up with the rising cost of long-term care.


pages: 458 words: 135,206

CTOs at Work by Scott Donaldson, Stanley Siegel, Gary Donaldson

Amazon Web Services, Andy Carvin, bioinformatics, business intelligence, business process, call centre, centre right, cloud computing, computer vision, connected car, crowdsourcing, data acquisition, distributed generation, do what you love, domain-specific language, functional programming, glass ceiling, Hacker News, hype cycle, Neil Armstrong, orbital mechanics / astrodynamics, pattern recognition, Pluto: dwarf planet, QR code, Richard Feynman, Ruby on Rails, Salesforce, shareholder value, Silicon Valley, Skype, smart grid, smart meter, software patent, systems thinking, thinkpad, web application, zero day, zero-sum game

There are some open source applications to manage big data, and some very well-known large companies are starting to support those standards.

S. Donaldson: How about cyber security?

Cherches: Cyber security—well, that's a big subject. I always talk about one day walking into the office and everything is wiped out. A new, unknown threat, often called zero-day attack, may come out and computers will be wiped out. So, you need to have a good data recovery strategy in cyber security. Hire a good expert. Hire a company that can do penetration testing for you and can just come from outside and the inside and then report you their concerns.

S. Donaldson: How do you handle technology investments for your own company?


Construction Project Management by S. Keoki Sears

8-hour work day, active measures, air freight, independent contractor, inventory management, Parkinson's law, scientific management, supply-chain management, value engineering, zero day

These changes may serve to improve the overall situation or may only further complicate it. In the case of the 10 laborers needed on working day 6, Chart 5.3a on the companion website shows that activity 80 has 19 days of total float and 19 days of free float. Activity 90 has 12 days of total float and zero days of free float. This labor conflict can be remedied easily by moving either activity 80 or 90 to a later date; movement of activity 80 is preferable.

8.9 Heuristic Manpower Leveling

A number of operations research techniques are available for obtaining optimal solutions to manpower leveling problems.


pages: 537 words: 149,628

Ghost Fleet: A Novel of the Next World War by P. W. Singer, August Cole

3D printing, Admiral Zheng, air gap, augmented reality, British Empire, digital map, energy security, Firefox, glass ceiling, global reserve currency, Google Earth, Google Glasses, IFF: identification friend or foe, Just-in-time delivery, low earth orbit, Maui Hawaii, military-industrial complex, MITM: man-in-the-middle, new economy, old-boy network, operational security, RAND corporation, reserve currency, RFID, Silicon Valley, Silicon Valley startup, South China Sea, sovereign wealth fund, space junk, stealth mode startup, three-masted sailing ship, trade route, Virgin Galactic, Wall-E, We are Anonymous. We are Legion, WikiLeaks, zero day, zero-sum game

We ended up having to do a top-to-bottom overhaul here,” said Simmons. As they approached a knot of crewmen — some in their teens, others decades older — clambering over a scaffold, the admiral said, “Tell me about the crew. How is the new mix going?” “The mix of generations has its strengths and weaknesses. We have the remnants of the pre–Zero Day fleet. I was given my choice of the best of my old crew, which I understand I have you to thank for. Then there are the draftees, some of whom have never seen the real ocean, let alone been out on it,” said Simmons. “But what they do know are computers; they’ve been with viz in one form or another since birth.


pages: 497 words: 144,283

Connectography: Mapping the Future of Global Civilization by Parag Khanna

"World Economic Forum" Davos, 1919 Motor Transport Corps convoy, 2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, 9 dash line, additive manufacturing, Admiral Zheng, affirmative action, agricultural Revolution, Airbnb, Albert Einstein, amateurs talk tactics, professionals talk logistics, Amazon Mechanical Turk, Anthropocene, Asian financial crisis, asset allocation, autonomous vehicles, banking crisis, Basel III, Berlin Wall, bitcoin, Black Swan, blockchain, borderless world, Boycotts of Israel, Branko Milanovic, BRICs, British Empire, business intelligence, call centre, capital controls, Carl Icahn, charter city, circular economy, clean water, cloud computing, collateralized debt obligation, commoditize, complexity theory, continuation of politics by other means, corporate governance, corporate social responsibility, credit crunch, crony capitalism, crowdsourcing, cryptocurrency, cuban missile crisis, data is the new oil, David Ricardo: comparative advantage, deglobalization, deindustrialization, dematerialisation, Deng Xiaoping, Detroit bankruptcy, digital capitalism, digital divide, digital map, disruptive innovation, diversification, Doha Development Round, driverless car, Easter island, edge city, Edward Snowden, Elon Musk, energy security, Ethereum, ethereum blockchain, European colonialism, eurozone crisis, export processing zone, failed state, Fairphone, Fall of the Berlin Wall, family office, Ferguson, Missouri, financial innovation, financial repression, fixed income, forward guidance, gentrification, geopolitical risk, global supply chain, global value chain, global village, Google Earth, Great Leap Forward, Hernando de Soto, high net worth, high-speed rail, Hyperloop, ice-free Arctic, if you build it, they will come, illegal immigration, income inequality, income per capita, industrial cluster, industrial robot, informal economy, Infrastructure as a Service, interest rate swap, Intergovernmental Panel on 
Climate Change (IPCC), Internet of things, Isaac Newton, Jane Jacobs, Jaron Lanier, John von Neumann, Julian Assange, Just-in-time delivery, Kevin Kelly, Khyber Pass, Kibera, Kickstarter, LNG terminal, low cost airline, low earth orbit, low interest rates, manufacturing employment, mass affluent, mass immigration, megacity, Mercator projection, Metcalfe’s law, microcredit, middle-income trap, mittelstand, Monroe Doctrine, Multics, mutually assured destruction, Neal Stephenson, New Economic Geography, new economy, New Urbanism, off grid, offshore financial centre, oil rush, oil shale / tar sands, oil shock, openstreetmap, out of africa, Panamax, Parag Khanna, Peace of Westphalia, peak oil, Pearl River Delta, Peter Thiel, Philip Mirowski, Planet Labs, plutocrats, post-oil, post-Panamax, precautionary principle, private military company, purchasing power parity, quantum entanglement, Quicken Loans, QWERTY keyboard, race to the bottom, Rana Plaza, rent-seeking, reserve currency, Robert Gordon, Robert Shiller, Robert Solow, rolling blackouts, Ronald Coase, Scramble for Africa, Second Machine Age, sharing economy, Shenzhen special economic zone, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, six sigma, Skype, smart cities, Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia, South China Sea, South Sea Bubble, sovereign wealth fund, special economic zone, spice trade, Stuxnet, supply-chain management, sustainable-tourism, systems thinking, TaskRabbit, tech worker, TED Talk, telepresence, the built environment, The inhabitant of London could order by telephone, sipping his morning tea in bed, the various products of the whole earth, Tim Cook: Apple, trade route, Tragedy of the Commons, transaction costs, Tyler Cowen, UNCLOS, uranium enrichment, urban planning, urban sprawl, vertical integration, WikiLeaks, Yochai Benkler, young professional, zero day

The Twilight of Sovereignty: How the Information Revolution Is Transforming Our World. Scribner, 1992. Zakaria, Fareed. The Future of Freedom: Illiberal Democracy at Home and Abroad. W. W. Norton, 2007. Zeihan, Peter. The Accidental Superpower: The Next Generation of American Preeminence and the Coming Global Disorder. Twelve, 2015. Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Penguin Random House, 2014. Zhang Weiwei. The China Wave: Rise of a Civilizational State. World Century, 2012. Zheng, Y. De Facto Federalism in China: Reforms and Dynamics of Central-Local Relations. World Scientific, 2007. ———. “Institutional Economics and Central-Local Relations in China: Evolving Research.”


pages: 478 words: 149,810

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson

4chan, Asperger Syndrome, bitcoin, call centre, Chelsea Manning, corporate governance, crowdsourcing, disinformation, Firefox, Gabriella Coleman, hive mind, it's over 9,000, Julian Assange, lolcat, Minecraft, MITM: man-in-the-middle, Occupy movement, off-the-grid, peer-to-peer, pirate software, side project, Skype, speech recognition, SQL injection, Stephen Hawking, Stuxnet, We are Anonymous. We are Legion, We are the 99%, web application, WikiLeaks, zero day

Then he added, “Kayla.” Joepie reported all of this verbatim back to the crew in #pure-elite. Those nicknames were very well known, pointed out a secondary-crew member called Trollpoll. Another laughed. “He’s just name dropping,” said Sabu. Neuron, a friendly and analytical Anon, suggested asking Egeste to provide a zero-day as proof of his skills. Also known as a 0day, this referred to an as-yet-unknown server vulnerability, and finding one meant big kudos for any hacker, white hat or black hat. Sabu asked Kayla if she’d heard of Egeste, and it turned out the new guy had also been in the #Gnosis channel when she had coordinated the hack on Gawker, but “he did not do shit,” she said.


pages: 477 words: 144,329

How Money Became Dangerous by Christopher Varelas

activist fund / activist shareholder / activist investor, Airbnb, airport security, barriers to entry, basic income, Bear Stearns, Big Tech, bitcoin, blockchain, Bonfire of the Vanities, California gold rush, cashless society, corporate raider, crack epidemic, cryptocurrency, discounted cash flows, disintermediation, diversification, diversified portfolio, do well by doing good, Donald Trump, driverless car, dumpster diving, eat what you kill, fiat currency, financial engineering, fixed income, friendly fire, full employment, Gordon Gekko, greed is good, initial coin offering, interest rate derivative, John Meriwether, junk bonds, Kickstarter, Long Term Capital Management, low interest rates, mandatory minimum, Mary Meeker, Max Levchin, Michael Milken, mobile money, Modern Monetary Theory, mortgage debt, Neil Armstrong, pensions crisis, pets.com, pre–internet, profit motive, proprietary trading, risk tolerance, Saturday Night Live, selling pickaxes during a gold rush, shareholder value, side project, Silicon Valley, Steve Jobs, technology bubble, The Predators' Ball, too big to fail, universal basic income, zero day

For example, when other diamond wholesalers closed a deal, they would typically be paid within six months, but it was different with Barry. His accounts would be settled immediately. “People pay me.” That’s the only answer he gave when I asked him about it. “But, Barry, the industry average is 180 days, and yours is close to zero days.” “People pay me.” I was beginning to understand the value of a tough reputation in the diamond industry, but despite Barry’s intimidating personality, it didn’t take long to recognize that he was good to his core, a man who had built his reputation through honesty and integrity. Over time, he became someone I could call for advice about any loan I was considering making.


pages: 571 words: 162,958

Rewired: The Post-Cyberpunk Anthology by James Patrick Kelly, John Kessel

back-to-the-land, Columbine, dark matter, Extropian, Firefox, flag carrier, Future Shock, gravity well, haute couture, Internet Archive, Kim Stanley Robinson, military-industrial complex, Neal Stephenson, pattern recognition, phenotype, post-industrial society, price stability, Silicon Valley, slashdot, Stephen Hawking, technological singularity, telepresence, the scientific method, Turing test, urban renewal, Vernor Vinge, wage slave, Y2K, zero day

It went down around 1:30 and I got woken up by my process-monitor. I should have called you and told you I was coming down—spared you the trip.” Felix’s own server — a box he shared with five other friends — was in a rack one floor down. He wondered if it was offline too. “What’s the story?” “Massive flashworm attack. Some jackass with a zero-day exploit has got every Windows box on the net running Monte Carlo probes on every IP block, including IPv6. The big Ciscos all run administrative interfaces over v6, and they all fall over if they get more than ten simultaneous probes, which means that just about every interchange has gone down. DNS is screwy, too—like maybe someone poisoned the zone transfer last night.


pages: 572 words: 179,024

Area 51: An Uncensored History of America's Top Secret Military Base by Annie Jacobsen

Albert Einstein, anti-communist, Apollo 11, Berlin Wall, cuban missile crisis, data acquisition, disinformation, drone strike, Jim Simons, Maui Hawaii, military-industrial complex, mutually assured destruction, Neil Armstrong, operation paperclip, orbital mechanics / astrodynamics, Project Plowshare, RAND corporation, Ronald Reagan, Seymour Hersh, South China Sea, Strategic Defense Initiative, uranium enrichment, urban sprawl, zero day

An accidental detonation of a nuclear weapon in an urban area would be far more catastrophic than one in a remote desert area such as Groom Lake, and the Department of Defense wanted to test how city surfaces would respond to plutonium contamination, so mock-ups of sidewalks, curbs, and pavement pieces were set out in the desert landscape. Some fourteen hundred blocks of highway asphalt and wood float finish concrete were fabricated and set around on the ground. To see how automobiles would contaminate when exposed to plutonium, cars and trucks were parked among the juniper bushes and Joshua trees. As zero day got closer, Mingus saw preparations pick up. Giant air-sampling balloons were tethered to the earth and floated over Area 13 at various elevations; some were five feet off the ground and others a thousand feet up, giving things a circus feel. Nine burros, 109 beagles, 10 sheep, and 31 albino rats were put in cages and set to face the dirty bomb.


Seeking SRE: Conversations About Running Production Systems at Scale by David N. Blank-Edelman

Affordable Care Act / Obamacare, algorithmic trading, AlphaGo, Amazon Web Services, backpropagation, Black Lives Matter, Bletchley Park, bounce rate, business continuity plan, business logic, business process, cloud computing, cognitive bias, cognitive dissonance, cognitive load, commoditize, continuous integration, Conway's law, crowdsourcing, dark matter, data science, database schema, Debian, deep learning, DeepMind, defense in depth, DevOps, digital rights, domain-specific language, emotional labour, en.wikipedia.org, exponential backoff, fail fast, fallacies of distributed computing, fault tolerance, fear of failure, friendly fire, game design, Grace Hopper, imposter syndrome, information retrieval, Infrastructure as a Service, Internet of things, invisible hand, iterative process, Kaizen: continuous improvement, Kanban, Kubernetes, loose coupling, Lyft, machine readable, Marc Andreessen, Maslow's hierarchy, microaggression, microservices, minimum viable product, MVC pattern, performance metric, platform as a service, pull request, RAND corporation, remote working, Richard Feynman, risk tolerance, Ruby on Rails, Salesforce, scientific management, search engine result page, self-driving car, sentiment analysis, Silicon Valley, single page application, Snapchat, software as a service, software is eating the world, source of truth, systems thinking, the long tail, the scientific method, Toyota Production System, traumatic brain injury, value engineering, vertical integration, web application, WebSocket, zero day

Rather than developing the same antibot or DDoS mitigation tooling in each application, you can use scriptable load balancers to build a layer of protection against these threats and use them on all web-exposed services. Cloudflare has built a business providing such a layer with its web application firewall functionality. Any service behind its middleware gains the same benefits of protection against Open Web Application Security Project (OWASP) vulnerabilities, common DoS vectors, and zero-day exploits. When the danger or authenticity of a request is ambiguous, the middleware is able to redirect to a challenge-response test to validate that the request comes from a legitimate source. Whereas previously protection against attacks below the application layer would require making a decision based on the scope of a single packet, scriptable load balancers allow you to make decisions after analyzing the entire transaction.


pages: 926 words: 312,419

Working: People Talk About What They Do All Day and How They Feel About What They Do by Studs Terkel

activist lawyer, business cycle, call centre, card file, cuban missile crisis, Ford Model T, Ford paid five dollars a day, half of the world's population has never made a phone call, How many piano tuners are there in Chicago?, job satisfaction, planned obsolescence, Ralph Nader, strikebreaker, traveling salesman, urban renewal, War on Poverty, working poor, Yogi Berra, zero day

It has never bothered me. I have a real bad back, by the way. I’ve been in the hospital last year with a bad back. Shoveling coal and mopping is bad. If you have a lot of mopping, you’re throwing your hips around. I tire out very easy because of my back. But I’m better in my job now. A janitor on zero days, when the wind is blowin’ and he has to go up those stairs in ice cold weather—a lot of janitors are up in age. You’re talking about men fifty years old, fifty-five, up into there. He has to clean those porches off, he has to shovel the snow, and the ticker only takes so much. Now I have a jeep.


pages: 945 words: 292,893

Seveneves by Neal Stephenson

Apollo 13, Biosphere 2, clean water, Colonization of Mars, Danny Hillis, digital map, double helix, epigenetics, fault tolerance, Fellow of the Royal Society, Filipino sailors, gravity well, hydroponic farming, Isaac Newton, Jeff Bezos, kremlinology, Kuiper Belt, low earth orbit, machine readable, microbiome, military-industrial complex, Neal Stephenson, orbital mechanics / astrodynamics, phenotype, Potemkin village, pre–internet, random walk, remote working, selection bias, side project, Silicon Valley, Skype, Snow Crash, space junk, statistical model, Stewart Brand, supervolcano, tech billionaire, TED Talk, the scientific method, Tunguska event, VTOL, zero day, éminence grise

New arrivals tended to expect that anything placed elsewhere on the table would roll and slide down toward them. The walls were pale yellow. The usual collection of malfunctioning audiovisual equipment purported to show live video streams of people on the ground, in theory enabling them to teleconference with colleagues in Houston, Baikonur, or Washington. When the meeting began at A+0.0.4 (zero years, zero days, and four hours since the Agent had acted upon the moon), nothing was working, and so the occupants of Izzy had a few minutes to talk among themselves while Frank Casper and Jibran Haroun wiggled connectors, typed commands into computers, and rebooted everything. Relatively new arrivals to Izzy, Frank and Jibran had made the mistake of letting on that they were good at that sort of thing, so they always got saddled with it.