zero day


pages: 492 words: 153,565

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter

Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, drone strike, Edward Snowden, facts on the ground, Firefox, friendly fire, Google Earth, information retrieval, John Markoff, Julian Assange, Kickstarter, Loma Prieta earthquake, Maui Hawaii, MITM: man-in-the-middle, pre–internet, RAND corporation, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day

He handed his findings off to Chien, who continued working on the code until evening. They worked on it some more on Sunday and by the end of the weekend, they’d uncovered an astonishing three zero-day exploits. These, plus the .LNK exploit already discovered, made four zero-day exploits in a single attack.1 This was crazy, they thought. One zero day was bad enough. Two was overkill. But four? Who did that? And why? You were just burning through valuable zero days at that point. A top-notch zero-day bug and exploit could sell for $50,000 or more on the criminal black market, even twice that amount on the closed-door gray market that sold zero-day exploits to government cyber armies and spies. Either the attackers had an unlimited supply of zero days at their disposal and didn’t care if they lost a handful or more, or they were really desperate and had a really good reason to topload their malware with spreading power to make certain it reached its target.

“I’m just an actor. I want to talk about the movie,” he says. But when it comes to the company, he’s equally close-mouthed—he won’t say how many employees he has, just that the company is small, or reveal their last names. VUPEN’s researchers devote all their time to finding zero-day vulnerabilities and developing exploits—both for already-known vulnerabilities as well as for zero days. Bekrar won’t say how many exploits they’ve sold since they began this part of their business, but says they discover hundreds of zero days a year. “We have zero days for everything,” he says. “We have almost everything for every operating system, for every browser, for every application if you want.” How much of Bekrar’s boasting is true and how much is strategic marketing is unclear, but whatever the case, his tactics seem to be working.

The conference is sponsored by the Department of Homeland Security.
39 Author interview, November 2011.
40 Joseph Menn, “Special Report: US Cyberwar Strategy Stokes Fear of Blowback,” Reuters, May 10, 2013, available at reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510.
41 See chapter 6 for previous mention of how these two vulnerabilities had already been discovered by others before Stuxnet’s authors used them in their attack.
42 Sumner Lemon, “Average Zero-Day Bug Has 348-Day Lifespan, Exec Says,” IDG News Service, July 9, 2007, available at computerworld.com/s/article/9026598/Average_zero_day_bug_has_348_day_lifespan_exec_says.
43 Robert Lemos, “Zero-Day Attacks Long-Lived, Presage Mass Exploitation,” Dark Reading, October 18, 2012, available at darkreading.com/vulnerabilities---threats/zero-day-attacks-long-lived-presage-mass-exploitation/d/d-id/1138557. The research was conducted by Symantec.
44 Pennington, Industrial Control Systems–Joint Working Group Conference, 2011.
45 Michael Riley, “U.S. Agencies Said to Swap Data with Thousands of Firms,” Bloomberg, June 14, 2013, available at bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html.
46 Tom Gjelten, “Stuxnet Raises ‘Blowback’ Risk in Cyberwar,” Morning Edition, NPR, November 2, 2011, available at npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar.
47 Author interview, 2012.


pages: 340 words: 96,149

@War: The Rise of the Military-Internet Complex by Shane Harris

Amazon Web Services, barriers to entry, Berlin Wall, Brian Krebs, centralized clearinghouse, clean water, computer age, crowdsourcing, data acquisition, don't be evil, Edward Snowden, failed state, Firefox, John Markoff, Julian Assange, mutually assured destruction, peer-to-peer, Silicon Valley, Silicon Valley startup, Skype, Stuxnet, undersea cable, uranium enrichment, WikiLeaks, zero day

For the past two decades, NSA analysts have been scouring the world’s software, hardware, and networking equipment looking for vulnerabilities for which it can craft computer attack methods known as zero day exploits, so called because they take advantage of previously unknown flaws for which no defense has been built. (The target has had “zero days” to prepare for the attack.) A zero day is the most effective cyber weapon. It provides the element of surprise, which is the ultimate advantage in battle. The zero day exploit is bespoke, tailor-made to use against a specific vulnerability. And because that defenseless point in a system is likely to be patched as soon as the target realizes he’s been hit with a zero day, it may be used only once. Zero day attacks are especially hard to design because unknown vulnerabilities are hard to find. But the NSA has been stockpiling them for years.

If the NSA is hoarding those vulnerabilities, rather than telling the makers of technology products that they have found flaws in their hardware and software, then the agency is arguably covering up valuable information that could be used to defend against malicious hackers. To be sure, the NSA does use knowledge of zero day exploits to plug holes in technology that it’s using or that might be deployed within the military or intelligence community. But it doesn’t warn the wider world—that would render the zero day exploit less effective, possibly even useless. One of the agency’s eventual targets in China or Iran might be tipped off if the NSA alerted technology companies to flaws in their technology. But in the shadowy zero day market, there are no guarantees that the NSA is always buying exclusive knowledge about zero days. One controversial vendor, the French company Vupen, sells the same zero day vulnerability information and exploits to attack them to multiple clients, including government agencies in different countries.

The only organizations with the means and the motive to buy such a weapon are organized criminal groups and governments. Serious buyers of zero days, such as the NSA, don’t procure them in one-off fashion. They make stockpiles to use in future attacks. The NSA has stored more than two thousand zero day exploits for potential use against Chinese systems alone, according to a former high-ranking government official who was told about the cache in a classified meeting with NSA officials. That is an astonishingly large number of exploits. The Stuxnet computer worm, which the United States built in conjunction with Israel to disable the Iranian nuclear facility, contained four zero day exploits, which is itself a lot for one attack. A collection of two thousand zero day exploits is the cyber equivalent of a nuclear arsenal. It also puts people around the world at risk.


pages: 363 words: 105,039

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg

air freight, Airbnb, Bernie Sanders, bitcoin, blockchain, call centre, clean water, data acquisition, Donald Trump, Edward Snowden, global supply chain, hive mind, Julian Assange, Just-in-time delivery, Kickstarter, Mikhail Gorbachev, open borders, pirate software, pre–internet, profit motive, ransomware, RFID, speech recognition, Steven Levy, Stuxnet, undersea cable, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability. A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it. Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said. But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle.

It began with a phishing email impersonating a message from the Ukrainian parliament. A malicious Word attachment had silently run a script known as a macro, a little program hidden inside the document, on the victims’ machines. The effect was the same as the zero-day technique iSight had first found Sandworm using in its infected Microsoft PowerPoint documents in 2014, but with a new trade-off: Without the zero day, the victims had to be tricked into clicking a button to allow the script to run. Until they clicked, the document would appear to be missing content or broken, so most users unthinkingly clicked to load it. But by using a simpler replacement for their zero-day technique, the hackers had been able to operate much less conspicuously, and their attack didn’t depend on keeping a rare vulnerability secret from Microsoft. The Word script had planted an infection of BlackEnergy, the piece of malware that had by now become practically the official national disease of Ukrainian IT networks.


pages: 448 words: 117,325

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier

23andMe, 3D printing, autonomous vehicles, barriers to entry, bitcoin, blockchain, Brian Krebs, business process, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, Donald Trump, drone strike, Edward Snowden, Elon Musk, fault tolerance, Firefox, Flash crash, George Akerlof, industrial robot, information asymmetry, Internet of things, invention of radio, job automation, job satisfaction, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, national security letter, Network effects, pattern recognition, profit maximization, Ralph Nader, RAND corporation, ransomware, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, Stanislav Petrov, Stephen Hawking, Stuxnet, The Market for Lemons, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, web application, WikiLeaks, zero day

HOW GOVERNMENTS CAN PRIORITIZE DEFENSE OVER OFFENSE
160 “defense dominant” strategy: Jason Healey (Jan 2017), “A nonstate strategy for saving cyberspace,” Atlantic Council Strategy Paper No. 8, Atlantic Council, http://www.atlanticcouncil.org/images/publications/AC_StrategyPapers_No8_Saving_Cyberspace_WEB.pdf.
160 The NSA has two missions: John Ferris (1 Mar 2010), “Signals intelligence in war and power politics, 1914–2010,” in The Oxford Handbook of National Security Intelligence, Oxford, http://www.oxfordhandbooks.com/view/10.1093/oxfordhb/9780195375886.001.0001/oxfordhb-9780195375886-e-0010.
162 to criminals on the black market: Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108. Dan Patterson (9 Jan 2017), “Gallery: The top zero day Dark Web markets,” TechRepublic, https://www.techrepublic.com/pictures/gallery-the-top-zero-day-dark-web-markets.
162 and to governments: Andy Greenberg (21 Mar 2012), “Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees),” Forbes, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees.
162 Companies like Azimuth sell: Joseph Cox and Lorenzo Franceschi-Bicchierai (7 Feb 2018), “How a tiny startup became the most important hacking shop you’ve never heard of,” Vice Motherboard, https://motherboard.vice.com/en_us/article/8xdayg/iphone-zero-days-inside-azimuth-security.
162 And while vendors offer bounties: Adam Segal (19 Sep 2016), “Using incentives to shape the zero-day market,” Council on Foreign Relations, https://www.cfr.org/report/using-incentives-shape-zero-day-market.
162 the not-for-profit Tor Project: Tor Project (last updated 20 Sep 2017), “Policy [re Tor bug bounties],” Hacker One, Inc., https://hackerone.com/torproject.
162 the cyberweapons manufacturer Zerodium: Zerodium (13 Sep 2017; expired 1 Dec 2017), “Tor browser zero-day exploits bounty (expired),” https://zerodium.com/tor.html.
163 “Every offensive weapon is”: Jack Goldsmith (12 Apr 2014), “Cyber paradox: Every offensive weapon is a (potential) chink in our defense—and vice versa,” Lawfare, http://www.lawfareblog.com/2014/04/cyber-paradox-every-offensive-weapon-is-a-potential-chink-in-our-defense-and-vice-versa.
163 Many people have weighed in: Joel Brenner (14 Apr 2014), “The policy tension on zero-days will not go away,” Lawfare, http://www.lawfareblog.com/2014/04/the-policy-tension-on-zero-days-will-not-go-away.
163 Activist and author Cory Doctorow: Cory Doctorow (11 Mar 2014), “If GCHQ wants to improve national security it must fix our technology,” Guardian, http://www.theguardian.com/technology/2014/mar/11/gchq-national-security-technology.
163 I have said similar things: Bruce Schneier (20 Feb 2014), “It’s time to break up the NSA,” CNN, http://edition.cnn.com/2014/02/20/opinion/schneier-nsa-too-big/index.html.
163 Computer security expert Dan Geer: Dan Geer (3 Apr 2013), “Three policies,” http://geer.tinho.net/three.policies.2013Apr03Wed.PDF.
163 Both Microsoft’s Brad Smith: Brad Smith (14 May 2017), “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack,” Microsoft on the Issues, https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack.
163 and Mozilla: Heather West (7 Mar 2017), “Mozilla statement on CIA/WikiLeaks,” Open Policy & Advocacy, https://blog.mozilla.org/netpolicy/2017/03/07/mozilla-statement-on-cia-wikileaks.

AUTHENTICATION IS GETTING HARDER, AND CREDENTIAL STEALING IS GETTING EASIER
In 2016, Rob Joyce, then the head of the NSA’s since-renamed Tailored Access Operations (TAO) group—basically, the country’s chief hacker—gave a rare public talk. In a nutshell, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks. He’s right. As bad as software vulnerabilities are, the most common way hackers break into networks is by abusing the authentication process. They steal passwords, set up man-in-the-middle attacks to piggyback on legitimate log-ins, or masquerade as authorized users. Credential stealing doesn’t require finding a zero-day or an unpatched vulnerability, plus there’s less chance of discovery, and it gives the attacker more flexibility in technique. This isn’t just true for the NSA; it’s true for all attackers. It’s how the Chinese hackers breached the Office of Personnel Management in 2015.


pages: 383 words: 105,021

Dark Territory: The Secret History of Cyber War by Fred Kaplan

Cass Sunstein, computer age, data acquisition, drone strike, dumpster diving, Edward Snowden, game design, hiring and firing, index card, Internet of things, Jacob Appelbaum, John Markoff, John von Neumann, kremlinology, Mikhail Gorbachev, millennium bug, national security letter, packet switching, pre–internet, RAND corporation, Ronald Reagan, Silicon Valley, Skype, Stuxnet, uranium enrichment, Y2K, zero day

As this race between hacking and patching intensified, practitioners of both arts, worldwide, came to place an enormous value on “zero-day vulnerabilities”—holes that no one had yet discovered, much less patched. In the ensuing decade, private companies would spring up that, in some cases, made small fortunes by finding zero-day vulnerabilities and selling their discoveries to governments, spies, and criminals of disparate motives and nationalities. This hunt for zero-days preoccupied some of the craftiest mathematical minds in the NSA and other cyber outfits, in the United States and abroad. Once, in the late 1990s, Richard Bejtlich, a computer network defense analyst at Kelly Air Force Base discovered a zero-day vulnerability—a rare find—in a router made by Cisco. He phoned a Cisco technical rep and informed him of the problem, which the rep then quickly fixed.

Another recommendation was to bar the government from doing anything to “subvert, undermine, weaken, or make vulnerable generally available commercial software.” Specifically, if NSA analysts discovered a zero-day exploit—a vulnerability that no one had yet discovered—they should be required to patch the hole at once, except in “rare instances,” when the government could “briefly authorize” using zero-days “for high-priority intelligence collection,” though, even then, they could do so only after approval by a “senior interagency review involving all appropriate departments.” This was one of the group’s more esoteric, but also radical, recommendations. Zero-day vulnerabilities were the gemstones of modern SIGINT, prized commodities that the agency trained its top sleuths—and sometimes paid private hackers—to unearth and exploit.

No U.S. newspaper or magazine reprinted the list (the reporters and editors working the story considered it genuinely damaging to national security), but Der Spiegel did, in its entirety (Jacob Appelbaum, Judith Horchert, and Christian Stöcker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Dec. 29, 2013), and computer security analyst Bruce Schneier subsequently reprinted each item, one day at a time, on his blog.
As hackers and spies discovered vulnerabilities: “Inside TAO.”
In the ensuing decade, private companies: For more on zero-day exploits, see Neal Ungerleider, “How Spies, Hackers, and the Government Bolster a Booming Software Exploit Market,” Fast Company, May 1, 2013; Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). Specific stories come from interviews.
During the first few months of Bush’s term: Richard A. Clarke, Against All Enemies (New York: Free Press, 2004); Steve Coll, Ghost Wars: The Secret History of the CIA, Afghanistan, and Bin Laden, from the Soviet Invasion to September 10, 2001 (New York: Penguin, 2004), 435.


pages: 302 words: 85,877

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World by Joseph Menn

4chan, A Declaration of the Independence of Cyberspace, Apple II, autonomous vehicles, Berlin Wall, Bernie Sanders, bitcoin, Chelsea Manning, commoditize, corporate governance, Donald Trump, dumpster diving, Edward Snowden, Firefox, Google Chrome, Haight Ashbury, Internet of things, Jacob Appelbaum, Jason Scott: textfiles.com, John Markoff, Julian Assange, Mark Zuckerberg, Mitch Kapor, Naomi Klein, Peter Thiel, pirate software, pre–internet, Ralph Nader, ransomware, Richard Stallman, Robert Mercer, self-driving car, side project, Silicon Valley, Skype, slashdot, Steve Jobs, Steve Wozniak, Steven Levy, Stewart Brand, Stuxnet, Whole Earth Catalog, WikiLeaks, zero day

“The first mainstream articles on the zero-day business”: Andy Greenberg profiled the @stake veteran who calls himself the Grugq in “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits,” Forbes, March 23, 2012, www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/. I later wrote a deeper story and a sidebar for Reuters: “Special Report: U.S. Cyberwar Strategy Stokes Fear of Blowback,” Reuters, May 10, 2013, www.reuters.com/article/us-usa-cyberweapons-specialreport/special-report-u-s-cyberwar-strategy-stokes-fear-of-blowback-idUSBRE9490EL20130510, and “Booming ‘Zero-Day’ Trade Has Washington Cyber Experts Worried,” Reuters, May 10, 2013, www.reuters.com/article/us-usa-cyberweapons-policy/booming-zero-day-trade-has-washington-cyber-experts-worried-idUSBRE9490EQ20130510.

Even if they weren’t, it was dangerous to use the same technique elsewhere, because the target or a third country could realize the attacks were connected and draw conclusions about who was responsible. As the American government ramped up its spying efforts after 9/11, it needed to discover new vulnerabilities that would enable digital break-ins. In the trade, these were often called “zero-days,” because the software maker and its customers had zero days of warning that they needed to fix the flaw. A ten-day flaw is less dangerous because companies have more time to develop and distribute a patch, and customers are more likely to apply it. The increased demand for zero-days drove up prices. After the dollars multiplied, hackers who had the strongest skills in finding bugs that others could not—on their own or with specialized tools—could now make a living doing nothing but this. And then they had to choose. They could sell directly to a government contractor and hope that the flaw would be used in pursuit of a target they personally disliked.

The contractors were likewise bound to secrecy. The brokers’ clients did not want attention being paid to their supply chain. And the majority of hackers did not want to announce themselves as mercenaries or paint a target on themselves for other hackers or governments that might be interested in hacking them for an easy zero-day harvest. So the gray trade grew, driven by useful rumors at Def Con and elsewhere, and stayed out of public sight for a decade. The first mainstream articles on the zero-day business appeared not long before Edward Snowden disclosed that it was a fundamental part of US government practice, in 2013. As offensive capabilities boomed, defense floundered. Firms like @stake tried to protect the biggest companies and, more importantly, get the biggest software makers to improve their products.


pages: 409 words: 112,055

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats by Richard A. Clarke, Robert K. Knake

A Declaration of the Independence of Cyberspace, Affordable Care Act / Obamacare, Airbnb, Albert Einstein, Amazon Web Services, autonomous vehicles, barriers to entry, bitcoin, Black Swan, blockchain, borderless world, business cycle, business intelligence, call centre, Cass Sunstein, cloud computing, cognitive bias, commoditize, computer vision, corporate governance, cryptocurrency, data acquisition, DevOps, don't be evil, Donald Trump, Edward Snowden, Exxon Valdez, global village, immigration reform, Infrastructure as a Service, Internet of things, Jeff Bezos, Julian Assange, Kubernetes, Mark Zuckerberg, Metcalfe’s law, MITM: man-in-the-middle, move fast and break things, Network effects, open borders, platform as a service, Ponzi scheme, ransomware, Richard Thaler, Sand Hill Road, Schrödinger's Cat, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, Snapchat, software as a service, Steven Levy, Stuxnet, technoutopianism, Tim Cook: Apple, undersea cable, WikiLeaks, Y2K, zero day

One of those recommendations: Recommendation 30 of the NSA Review Group reads, “We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the U.S. Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called ‘Zero Day’ attacks because developers have had zero days to address and patch the vulnerability. U.S. policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks. In rare instances, U.S. policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.” See “Liberty and Security in a Changing World,” Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, December 12, 2013.

These “blacklist” technologies, like legacy antivirus programs, would scan files against signatures of known bad files and block them. Avoiding these technologies could be as simple as making a single change to the file so that it no longer matched the bad file. Now, Aitel is worried that the superweapons of his craft are increasingly getting discovered. As we’ve seen, a zero day is a vulnerability that is not known to defenders and therefore has yet to be patched. Aitel, from an offensive perspective, is concerned that security firms are actually finding zero day attacks with increasing regularity, to the point that detection of zero days is becoming commoditized. “Microsoft’s Advanced Threat Detection, CrowdStrike, Kaspersky, the new FireEye stuff, all that stuff actually works and that is a huge change,” Aitel says. Thinking from an attacker’s perspective, he is not happy about it. It’s getting harder to find vulnerabilities in new systems and even harder to exploit them.

Year Two Thousand (Y2K): Refers to an international effort prior to January 1, 2000, to modify computer software in order to avoid an expected malfunction on that date. There was a belief that failure to modify such software in time would result in widespread failure of software-controlled devices and machinery at 12:01 A.M. of 01/01/2000.
Zero-day vulnerability: A software attack tool that has never been used before and for which, therefore, no defense currently exists. A zero-day attack tool is an exploit that utilizes a previously unused vulnerability in software or hardware. Zero Days is also the name of a 2016 documentary film about Stuxnet, directed by Alex Gibney.
Acknowledgments and Disclosures
As we note in the text, the cyber workforce is stretched thin. We observed this firsthand as we tried to schedule time with many of the people who appear in or have otherwise influenced what we write.


pages: 587 words: 117,894

Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman

4chan, A Declaration of the Independence of Cyberspace, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamonds, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, crowdsourcing, cuban missile crisis, data acquisition, do-ocracy, drone strike, Edward Snowden, energy security, failed state, Fall of the Berlin Wall, fault tolerance, global supply chain, Google Earth, Internet of things, invention of the telegraph, John Markoff, Julian Assange, Khan Academy, M-Pesa, MITM: man-in-the-middle, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Silicon Valley, Skype, smart grid, Steve Jobs, Stuxnet, uranium enrichment, We are Anonymous. We are Legion, web application, WikiLeaks, zero day, zero-sum game

Chamber of Commerce Leads Defeat of Cyber-Security Bill,” Los Angeles Times, August 3, 2012, http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803.
EXERCISE IS GOOD FOR YOU: HOW CAN WE BETTER PREPARE FOR CYBER INCIDENTS?
malicious computer code Dan Goodin, “At Facebook, Zero-Day Exploits, Backdoor Code, Bring War Games Drill to Life,” Ars Technica, February 10, 2013, http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/.
no major damage Sean Gallagher, “Facebook Computers Compromised by Zero-Day Java Exploit,” Ars Technica, February 15, 2013, http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/.
tried to harm Facebook Dennis Fisher, “How Facebook Prepared to Be Hacked,” Threatpost, March 8, 2013, http://threatpost.com/en_us/blogs/how-facebook-prepared-be-hacked-030813.

Curious, Ralph began to dissect the code of “Stuxnet,” as it became known. The more he and his team explored it, the more interested they became. It was a wonderfully complex piece of malware like none the world had ever seen. It had at least four new “zero days” (previously unknown vulnerabilities), utilized digital signatures with the private keys of two certificates stolen from separate well-known companies, and worked on all Windows operating systems down to the decade-old Windows 95 edition. The number of new zero days particularly stood out. Hackers prize zero days and don’t like to reveal them when they don’t have to. To use four at once was unprecedented and almost illogical given that one new open door is enough. It was a pretty good sign that Stuxnet’s makers had enormous resources and wanted to be absolutely certain they would penetrate their target.

Exercise Is Good for You: How Can We Better Prepare for Cyber Incidents?
Twice in six months sophisticated attackers were able to gain access to the production code that runs Facebook’s website, used by over a billion people around the world. The first time, a Facebook engineer’s computer was compromised by an unpatched, zero-day exploit. This enabled the attacker to “push” their own malicious computer code into the “live build” that runs the website. The second time, in early 2013, several engineers’ computers were compromised after visiting a website that launched a zero-day exploit on its victims. But this time, the attacker was unable to get inside sensitive systems, and could cause no major damage. The reason these two attacks caused such differing effects lies in their origin. The attackers in the first incident were actually part of a security training exercise in 2012, led by an independent “red team.”


pages: 598 words: 134,339

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier

23andMe, Airbnb, airport security, AltaVista, Anne Wojcicki, augmented reality, Benjamin Mako Hill, Black Swan, Boris Johnson, Brewster Kahle, Brian Krebs, call centre, Cass Sunstein, Chelsea Manning, citizen journalism, cloud computing, congestion charging, disintermediation, drone strike, Edward Snowden, experimental subject, failed state, fault tolerance, Ferguson, Missouri, Filter Bubble, Firefox, friendly fire, Google Chrome, Google Glasses, hindsight bias, informal economy, Internet Archive, Internet of things, Jacob Appelbaum, Jaron Lanier, John Markoff, Julian Assange, Kevin Kelly, license plate recognition, lifelogging, linked data, Lyft, Mark Zuckerberg, moral panic, Nash equilibrium, Nate Silver, national security letter, Network effects, Occupy movement, Panopticon Jeremy Bentham, payday loans, pre–internet, price discrimination, profit motive, race to the bottom, RAND corporation, recommendation engine, RFID, Ross Ulbricht, self-driving car, Shoshana Zuboff, Silicon Valley, Skype, smart cities, smart grid, Snapchat, social graph, software as a service, South China Sea, stealth mode startup, Steven Levy, Stuxnet, TaskRabbit, telemarketer, Tim Cook: Apple, transaction costs, Uber and Lyft, uber lyft, undersea cable, urban planning, WikiLeaks, zero day

Office of the Secretary of Defense (4 Feb 2014), “Military and security developments involving the Democratic People’s Republic of North Korea 2013,” http://www.defense.gov/pubs/North_Korea_Military_Power_Report_2013-2014.pdf. discoverers can sell to criminals: Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108. Undiscovered zero-day vulnerabilities: Here is the most important research into that question. Eric Rescorla (7 Feb 2005), “Is finding security holes a good idea?” RTFM, Inc., http://www.rtfm.com/bugrate.pdf. Sandy Clark et al. (6–10 Dec 2010), “Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities,” 26th Annual Computer Security Applications Conference, Austin, Texas, http://dl.acm.org/citation.cfm?id=1920299. Andy Ozment and Stuart E. Schechter (11 May 2006), “Milk or wine: Does software security improve with age?”

Serge Egelman, Cormac Herley, and Paul C. van Oorschot (9-12 Sep 2013), “Markets for zero-day exploits: Ethics and implications,” New Security Paradigms Workshop, Banff, Alberta, Canada, http://www.nspw.org/papers/2013/nspw2013-egelman.pdf. a robust market in zero-days: Stefan Frei (5 Dec 2013), “The known unknowns: Empirical analysis of publicly-unknown security vulnerabilities,” NSS Labs, https://www.nsslabs.com/system/files/public-report/files/The%20Known%20Unknowns_1.pdf. both governments and: Andy Greenberg (21 Mar 2012), “Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees),” Forbes, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees. Both Russia and North Korea are big spenders when it comes to zero-days. Nicole Perlroth and David E.

Danielle Kehl et al. (29 Jul 2014), “Surveillance costs: The NSA’s impact on the economy, Internet freedom and cyberspace,” Open Technology Institute, New America Foundation, http://www.newamerica.net/publications/policy/surveillance_costs_the_nsas_impact_on_the_economy_internet_freedom_cybersecurity. the White House tried to clarify: Michael Daniel (28 Apr 2014), “Heartbleed: Understanding when we disclose cyber vulnerabilities,” White House Blog, http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities. Stuxnet, used four zero-days: Ryan Naraine (14 Sep 2010), “Stuxnet attackers used 4 Windows zero-day exploits,” ZDNet, http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347. agency jargon NOBUS: Andrea Peterson (4 Oct 2013), “Why everyone is left less secure when the NSA doesn’t help fix security flaws,” Washington Post, http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws. it discloses and closes: David E.


pages: 317 words: 98,745

Black Code: Inside the Battle for Cyberspace by Ronald J. Deibert

4chan, Any sufficiently advanced technology is indistinguishable from magic, Brian Krebs, call centre, citizen journalism, cloud computing, connected car, corporate social responsibility, crowdsourcing, cuban missile crisis, data acquisition, failed state, Firefox, global supply chain, global village, Google Hangouts, Hacker Ethic, informal economy, invention of writing, Iridium satellite, jimmy wales, John Markoff, Kibera, Kickstarter, knowledge economy, low earth orbit, Marshall McLuhan, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, new economy, Occupy movement, Panopticon Jeremy Bentham, planetary scale, rent-seeking, Ronald Reagan, Ronald Reagan: Tear down this wall, Silicon Valley, Silicon Valley startup, Skype, smart grid, South China Sea, Steven Levy, Stuxnet, Ted Kaczynski, the medium is the message, Turing test, undersea cable, We are Anonymous. We are Legion, WikiLeaks, zero day

“It’s a lot more fun to fight the adversary than to guard against him,” Mandiant company founder Kevin Mandia told NPR, citing another industry expert who says that “there are dozens, if not hundreds, of service providers doing similar things to Mandiant.” One extremely lucrative part of this market involves the sale of fresh “exploitations” or undiscovered computer vulnerabilities not yet detected by the antivirus industry, like Gamma’s Zero Day. A 2012 Forbes magazine investigation acquired a price list of zero-day vulnerabilities, offering another peek inside this otherwise closed industry. Want a fresh exploit that will target Adobe? That will cost anywhere from $5,000 to $30,000. Mac OS X? $20,000 to $50,000. Android? $30,000 to $60,000. One exploit targeting Apple’s iOS system was reportedly sold to a U.S. agency for $250,000. The Forbes report profiles a Bangkok middleman, “The Grugq,” who was set to earn over $1 million annually acting as a digital-age arms broker between those who engineer fresh exploitations and their purchasers, usually U.S. and European government agencies.

Big Data: They Reap What We Sow
4. The China Syndrome
5. The Next Billion Digital Natives
6. We the People of … Facebook
7. Policing Cyberspace: Is There an “Other Request” on the Line?
8. Meet Koobface: A Cyber Crime Snapshot
9. Digitally Armed and Dangerous
10. Fanning the Flames of Cyber Warfare
11. Stuxnet and the Argument for Clean War
12. The Internet Is Officially Dead
13. A Zero Day No More
14. Anonymous: Expect Us
15. Towards Distributed Security and Stewardship in Cyberspace
Not an Epilogue
Notes
Acknowledgements
PREFACE
It always takes long to come to what you have to say, you have to sweep this stretch of land up around your feet and point to the signs, pleat whole histories with pins in your mouth and guess at the fall of words. —Dionne Brand, “Land to Light On”
May 24, 2012.

In the early days, cyber crime was primarily a loner’s calling, an annoying but affordable by-product of an open Internet. Today, the loners find each other, network together, and professionalize their activities. Underground forums have emerged in the dark recesses of the Internet where specialized tools and techniques are now bought, sold, and traded. Malicious software packages – known as “Ødays” or “zero days,” because antivirus companies have no known protections against them – are now as readily available as songs on iTunes. “Botnet herders” – individuals who control tens of thousands of compromised computers – market their wares in underground auctions. Stolen credit cards and email addresses are sold, bought, and traded like candy. (Rik Ferguson, of the Internet security firm Trend Micro, provides a detailed list of illicit products and services sold.


pages: 677 words: 206,548

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman

23andMe, 3D printing, active measures, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Brian Krebs, business process, butterfly effect, call centre, Charles Lindbergh, Chelsea Manning, cloud computing, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, Dean Kamen, disintermediation, don't be evil, double helix, Downton Abbey, drone strike, Edward Snowden, Elon Musk, Erik Brynjolfsson, Filter Bubble, Firefox, Flash crash, future of work, game design, global pandemic, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, John Markoff, Joi Ito, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, knowledge worker, Kuwabatake Sanjuro: assassination market, Law of Accelerating Returns, Lean Startup, license plate recognition, lifelogging, litecoin, low earth orbit, M-Pesa, Mark Zuckerberg, Marshall McLuhan, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, mobile money, more computing power than Apollo, move fast and break things, Nate Silver, national security letter, natural language processing, obamacare, Occupy movement, Oculus Rift, off grid, offshore financial centre, optical character recognition, Parag Khanna, pattern recognition, peer-to-peer, personalized medicine, Peter H. Diamandis: Planetary Resources, Peter Thiel, pre–internet, RAND corporation, ransomware, Ray Kurzweil, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Ross Ulbricht, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, supply-chain management, technological singularity, telepresence, telepresence robot, Tesla Model S, The Future of Employment, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Wall-E, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, Westphalian system, WikiLeaks, Y Combinator, zero day

One of the reasons it is proving difficult to counter the wide variety of technological threats in our lives today is that there has been a burgeoning increase in the number of so-called zero-day attacks. A zero-day exploit takes advantage of a previously unknown vulnerability in a computer application that developers and security staff have not had time to address. Rather than proactively looking for these vulnerabilities themselves, antivirus software companies generally only consider known data points. They’ll block a malicious bit of code if it’s just like the other malicious bits of code they have seen previously. It’s essentially like putting up a wanted poster for Bonnie and Clyde because we know they have robbed banks previously. Bank tellers would know to be on the lookout for the couple, but as long as no one fitting that description materialized, they might let their guard down—until a different bank robber struck, that is. These zero days are increasingly being generated for a wide variety of techno-products commonly used in our lives, affecting everything from Microsoft Windows to Linksys routers to Adobe’s ubiquitous PDF Reader and Flash Player.

MIKKO HYPPONEN
In order for criminals, spies, militaries, and terrorists to carry out their offensive cyber attacks, they must first figure out how to exploit the information system they wish to target. As we saw with the Stuxnet attack against the Iranian nuclear enrichment site at Natanz, such operations can take years of planning and cost millions of dollars. Fortunately for those without the time and budget to devise their own cyber weapons, there is a vast shadowy black market where spies, soldiers, thieves, and hacktivists can shop for so-called zero-day exploits. As mentioned previously, these zero-day bugs have not yet been discovered by software and antivirus companies and thus handily defeat common security and firewall measures without sounding an alarm. In the old days, hackers used to hold on to these exploits for their personal use or attempt to sell them to software giants such as Microsoft, Yahoo!, and Google via company-established “bug bounty” programs. The rewards, however, were paltry—a mere $500 for uncovering major security holes.

A number of professional firms have emerged whose sole business model is the trafficking in computer malware exploits to governments. Companies such as Vupen in France, Netragard in Massachusetts, Endgame of Georgia, Exodus Intelligence in Texas, and ReVuln in Malta are all heavily involved in selling offensive exploits to customers around the world. While some zero-day trafficking firms vet their clients, others will sell to anybody, from Crime, Inc. to notorious dictators, no questions asked. The result, as pointed out by the noted security researcher Tom Kellermann, is that now anybody can download a cyber Kalashnikov or cyber grenade from a myriad of sites. Many zero-day exploits enable particularly stealthy and sophisticated attacks against specific targets, giving rise to what security researchers have termed the advanced persistent threat, or APT. APTs use extensive targeting research combined with a high degree of covertness to maintain command and control of a marked system for months or years at a time, and their use is growing.


pages: 443 words: 116,832

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan

active measures, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, British Empire, Cass Sunstein, citizen journalism, credit crunch, cryptocurrency, cuban missile crisis, data acquisition, Donald Trump, drone strike, Edward Snowden, family office, hive mind, Internet Archive, Jacob Appelbaum, John Markoff, John von Neumann, Julian Assange, Kickstarter, kremlinology, MITM: man-in-the-middle, Nate Silver, profit motive, RAND corporation, ransomware, risk tolerance, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Silicon Valley, South China Sea, Steve Jobs, Stuxnet, technoutopianism, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, zero day

But after a July statement, the firm was curiously silent. Zetter, Countdown to Zero Day, 168.
30. For a good discussion of Stuxnet’s relative size, see Zetter, Countdown to Zero Day, 20.
31. Symantec posted a series of blog posts throughout the summer and fall of 2010 updating what it knew about Stuxnet. For an archived list of these posts as of early 2011, see “Security Response (Posts Tagged with W32.Stuxnet),” Symantec, January 20, 2011, https://web.archive.org/web/20110120133017/https://www.symantec.com/connect/symantec-blogs/security-response/11761/all/all/all/all.
32. Emphasis in the original. Kim Zetter, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History,” Wired, July 11, 2011.
33. Zetter, Countdown to Zero Day, 173.
34. Zetter, Countdown to Zero Day, 177.
35. Ralph Langner, “Stuxnet Is a Directed Attack: ‘Hack of the Century,’ ” Langner Group, September 13, 2010.
36.

Sanger, Confront and Conceal; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014).
8. For a much more detailed technical discussion of Fanny and related pieces of malicious code, see Kaspersky Lab, “A Fanny Equation”; Kaspersky Lab, “Equation: The Death Star of Malware Galaxy,” February 16, 2015; Kaspersky Lab, “Equation Group: Questions and Answers,” February 2015.
9. For the first reporting of this test, see William Broad, John Markoff, and David Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011.
10. Sanger, Confront and Conceal, 197.
11. For the first reporting of this order, see Sanger, Confront and Conceal, ch. 8.
12. For a good discussion of this propagation, see Zetter, Countdown to Zero Day, 91. See also Zetter and Modderkolk, “Revealed.”
13.

See also Zetter and Modderkolk, “Revealed.”
13. Zetter, Countdown to Zero Day, 97. For more detailed technical analysis of this point, see Kaspersky Lab, “Stuxnet: Victims Zero,” November 18, 2014. Note that not all five contractors were used to spread each version of Stuxnet.
14. The two command-and-control sites used the domain names mypremierfutbol.com and todaysfutbol.com.
15. For example, contrast Stuxnet to Flame. sKyWIper Analysis Team, “sKyWIper (a.K.a. Flame a.K.a. Flamer): A Complex Malware for Targeted Attacks,” CrySys, May 31, 2012; Alexander Gostev, “The Flame: Questions and Answers,” SecureList, May 28, 2012.
16. For more on Stuxnet’s target verification, see Zetter, Countdown to Zero Day, 167–175.
17. Ron Rosenbaum, “Richard Clarke on Who Was behind the Stuxnet Attack,” Smithsonian, April 2012.
18.


pages: 1,380 words: 190,710

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield

anti-pattern, barriers to entry, bash_history, business continuity plan, business process, Cass Sunstein, cloud computing, continuous integration, correlation does not imply causation, create, read, update, delete, cryptocurrency, cyber-physical system, database schema, Debian, defense in depth, DevOps, Edward Snowden, fault tolerance, fear of failure, general-purpose programming language, Google Chrome, Internet of things, Kubernetes, load shedding, margin call, microservices, MITM: man-in-the-middle, performance metric, pull request, ransomware, revision control, Richard Thaler, risk tolerance, self-driving car, Skype, slashdot, software as a service, source of truth, Stuxnet, Turing test, undersea cable, uranium enrichment, Valgrind, web application, Y2K, zero day

In the context of short-term changes, we’ll focus on vulnerabilities where Google learned about the vulnerability on day zero. Although Google is often involved in embargoed vulnerability responses—for example, when developing patches—a short-term change for a zero-day vulnerability is common behavior for most organizations in the industry.
Note: Although zero-day vulnerabilities get a lot of attention (both externally and within the organization), they’re not necessarily the vulnerabilities that are most exploited by attackers. Before you tackle a same-day zero-day vulnerability response, make sure you’re patched for the “top hits” to cover critical vulnerabilities from recent years.
When you discover a new vulnerability, triage it to determine its severity and impact. For example, a vulnerability that allows remote code execution may be considered critical.

In the following sections, we discuss three different time horizons for change and include examples to show what each has looked like at Google:
A short-term change in reaction to a new security vulnerability
A medium-term change, where new product adoption could happen gradually
A long-term change for regulatory reasons, where Google had to build new systems in order to implement the change
Short-Term Change: Zero-Day Vulnerability
Newly discovered vulnerabilities often require short-term action. A zero-day vulnerability is one that is known by at least some attackers, but that hasn’t been disclosed publicly or discovered by the targeted infrastructure provider. Typically, a patch either isn’t available yet or hasn’t been widely applied. There are a variety of ways to find out about new vulnerabilities that might affect your environment, including regular code reviews, internal code scanning (see “Sanitize Your Code”), fuzzing (see “Fuzz Testing”), external scans like penetration tests and infrastructure scans, and bug bounty programs.



pages: 394 words: 117,982

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David E. Sanger

active measures, autonomous vehicles, Bernie Sanders, bitcoin, British Empire, call centre, Cass Sunstein, Chelsea Manning, computer age, cryptocurrency, cuban missile crisis, Donald Trump, drone strike, Edward Snowden, Google Chrome, Google Earth, Jacob Appelbaum, John Markoff, Mark Zuckerberg, MITM: man-in-the-middle, mutually assured destruction, RAND corporation, ransomware, Sand Hill Road, Silicon Valley, Silicon Valley ideology, Skype, South China Sea, Steve Jobs, Steven Levy, Stuxnet, Tim Cook: Apple, too big to fail, undersea cable, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

(The first limits on nuclear weapons happened in the early 1960s, only after the Soviets had a full arsenal, and Britain, France, and China were building them.) But the silence and obsession with secrecy may have had a deeper motivation: American intelligence services had a menu of other cyber operations brewing around the world. These ranged from classic espionage to highly destructive malware—the kind that could knock a whole country back into the analog age. *1 A zero-day flaw is a previously unidentified software vulnerability—so named because there are zero days of notice to get it fixed before the damage is done. *2 The reason for the delay may lie in a coincidence of timing. That first big story was published just hours before Egypt erupted into the chaos of the Tahrir Square uprising, which then occupied all the headlines, and forced President Obama into a tense effort to get President Hosni Mubarak to leave office

“It’s twenty times the size of the average piece of code,” but contained almost no bugs, Chien recalled later. “That’s extremely rare. Malicious code always has bugs inside of it. This wasn’t the case with Stuxnet.” He admired the malware as if he were an art collector who had just discovered a never-before-seen Rembrandt. The code appeared to be partially autonomous; it didn’t require anyone to pull the trigger. Instead, it relied on four sophisticated “zero-day” exploits, which allowed the code to spread without human help, autonomously looking for its target.*1 This fact provided a crucial clue to Chien and O’Murchu: such vulnerabilities are rare commodities, hoarded by hackers, and sold for hundreds of thousands of dollars on the black market. It became clear that Stuxnet couldn’t be the work of an individual hacker, or even a team of hobbyists. Only a nation-state could have the resources—and the engineering time—to assemble such a sophisticated piece of code.

But my concern, the reason I’m talking, is when you shut down a country’s power grid, it doesn’t just pop back up. It’s more like Humpty-Dumpty. And if all the king’s men can’t turn the lights back on, or filter the water for weeks, then lots of people die. And something we can do to others, they can do to us too. Is that something that we should keep quiet? Or should we talk about it?
—An NSA employee, speaking through a composite character in Zero Days

After the Russian hack of the Pentagon’s secret networks in 2008, two things seemed clear to the newly inaugurated Obama administration. First, Putin’s hackers were sure to come back. And second, America needed a full-fledged Cyber Command, far more capable than the small units spread among the army, the navy, the air force, and Cartwright’s Strategic Command. It was time for a true military organization, with its own troops, that integrated digital offense and defense.


pages: 326 words: 103,170

The Seventh Sense: Power, Fortune, and Survival in the Age of Networks by Joshua Cooper Ramo

Airbnb, Albert Einstein, algorithmic trading, barriers to entry, Berlin Wall, bitcoin, British Empire, cloud computing, crowdsourcing, Danny Hillis, defense in depth, Deng Xiaoping, drone strike, Edward Snowden, Fall of the Berlin Wall, Firefox, Google Chrome, income inequality, Isaac Newton, Jeff Bezos, job automation, Joi Ito, market bubble, Menlo Park, Metcalfe’s law, Mitch Kapor, natural language processing, Network effects, Norbert Wiener, Oculus Rift, packet switching, Paul Graham, price stability, quantitative easing, RAND corporation, recommendation engine, Republic of Letters, Richard Feynman, road to serfdom, Robert Metcalfe, Sand Hill Road, secular stagnation, self-driving car, Silicon Valley, Skype, Snapchat, social web, sovereign wealth fund, Steve Jobs, Steve Wozniak, Stewart Brand, Stuxnet, superintelligent machines, technological singularity, The Coming Technological Singularity, The Wealth of Nations by Adam Smith, too big to fail, Vernor Vinge, zero day

Software and hardware manufacturers usually struggle to keep such exploits secret until they can deliver a fix, but this doesn’t always work. Secrets get out. And even once a patch is developed, it can take weeks or months before it’s widely installed. It’s not uncommon, therefore, that within hours of the announcement of a newly found zero day hole, attacks using that method explode around the net. Thousands of hackers try to take advantage of the vulnerability, to kick at the defensive walls of systems while they are down for repair or restart—or simply left vulnerable by slower-witted system administrators who don’t yet know that it is now open hunting season on a particular bit of code. Heartbleed, a zero day that permitted hackers to slip into your computer through holes in your Web browser, was disclosed to the world on April 7, 2014—more than two years after it had apparently been put in place because of a programming error.

Well, for Seaborn and Dullien, the drive was part of a “discover and publish” effort to keep the overall system clean. It is better to hack, discover, and patch than to be hacked and have the hack remain undiscovered. But the good guys are racing against equivalently sophisticated teams with indecent motives. The development and sale of zero-day bugs is, after all, a business. Modern versions of Cap’n Crunch whistles can crack open some of the most essential financial, political, and security data stores on the planet. As the value of hacking targets has increased, so has the price of the exploits. Public “zero-day markets” pay hundreds of thousands of dollars to researchers who discover holes in their systems. Better to find them ourselves, the thinking goes, though that does not always make the embarrassment less acute. At one of the most carefully watched public hacking competitions in early 2015, for instance, a skinny, smiling South Korean named Jung Hoon Lee took home $225,000 in prize money by pwning a series of some of the most important programs on the planet, including Apple’s Safari and Google’s Chrome Web browsers.

Mastery of the heart of a system means control over all the information it sees and how it makes decisions. Such a hack would be like having a foreign spy win the presidency, turning the whole U.S. government into a weird machine. That prize of immediate, high-level, and totally trusted access is the warez dude gold standard. The most dangerous—and therefore the most alluringly valuable—of these sorts of attacks are known as zero-day exploits. The danger they represent becomes apparent only at some awful instant, “day zero,” when they are revealed to have been running wild inside some hapless network or machine. That first moment of awareness of the bug is like day zero in a cancer diagnosis, and it begins an immediate race to find and deliver a cure. Such vulnerabilities represent fissures in the walls of computers that their manufacturers, system engineers, and security experts usually don’t realize are there.


pages: 282 words: 92,998

Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke, Robert Knake

barriers to entry, complexity theory, data acquisition, Just-in-time delivery, MITM: man-in-the-middle, nuclear winter, packet switching, RAND corporation, Robert Hanssen: Double agent, Ronald Reagan, Silicon Valley, smart grid, South China Sea, Steve Jobs, trade route, undersea cable, Y2K, zero day

The black box inspectors would have to be connected to each other on a closed network, what is called “out-of-band communications” (not on the Internet), so that they could be updated quickly and reliably even if the Internet were experiencing difficulties. Imagine that a new piece of attack software enters into cyberspace, one that no one has ever seen before. This “Zero Day” malware begins to cause a problem by attacking some sites. The deep-packet inspection system would be tied into Internet security companies, research centers, and government agencies that are looking for Zero Day attacks. Within minutes of the malware being seen, its signature would be flashed out to the scanners, which would start blocking it and would contain the attack. A precursor to this kind of deep-packet inspection system is already being deployed. Verizon and AT&T can, at some locations, scan for signatures that they have identified, but they have been reluctant to “black hole” (or kill) malicious traffic because of the risk that they might be sued by customers whose service is interrupted.

While most phishing scams cast a wide net and try to catch a few people who are gullible enough to fall for Nigerian scammer e-mails, spear-phishing specifically targets an individual, figures out who their acquaintances are on Facebook or Linked-in, and then tailors a message to look like it is from someone they would trust. If you were a senior research scientist at Google, you might have received an e-mail containing a link to a website that looked like it was from a colleague. The message might have said, “Hey, Chuck, I think this story will interest you…” and then provided a link to a fairly innocuous site. When the target clicked on the link and visited the site, the hackers used a zero-day flaw in Internet Explorer, one that was not publicly known and had yet to be patched, to download the malware silently and in such a fashion that no antivirus software or other measures would detect it. The malware created a back door to the computer so the hackers could maintain their access and used the first compromised computer to work their way across the corporate network until they reached the servers containing the source code, the crown jewel of a software company.

Obviously, we have not had a full-scale cyber war yet, but we have a good idea what it would look like if we were on the receiving end. Imagine a day in the near future. You are the Assistant to the President for Homeland Security and you get a call from the White House Situation Room as you are packing up to leave the office for the day, at eight p.m. NSA has issued a “CRITIC” message, a rare alert that something important has just happened. The one-line message says only: “large scale movement of several different zero day malware programs moving on Internet in the US, affecting critical infrastructure.” The Situation Room’s Senior Duty Officer suggests that you come down and help him figure out what is going on. By the time you get to the Situation Room, the Director of the Defense Information Systems Agency is waiting on the secure phone for you. He has just briefed the Secretary of Defense, who suggested he call you.


pages: 457 words: 126,996

Hacker, Hoaxer, Whistleblower, Spy: The Story of Anonymous by Gabriella Coleman

1960s counterculture, 4chan, Amazon Web Services, Bay Area Rapid Transit, bitcoin, Chelsea Manning, citizen journalism, cloud computing, collective bargaining, corporate governance, creative destruction, crowdsourcing, David Graeber, Debian, do-ocracy, East Village, Edward Snowden, feminist movement, George Santayana, hive mind, impulse control, Jacob Appelbaum, jimmy wales, Julian Assange, low cost airline, mandatory minimum, Mohammed Bouazizi, Network effects, Occupy movement, pirate software, Richard Stallman, SETI@home, side project, Silicon Valley, Skype, Steven Levy, WikiLeaks, zero day

Real hackers find exploits. People who just run LOIC are considered beneath the “hacker” moniker, mere “script kiddies,” or “skiddies” for short. gibnut announces that he has an “0day,” which is much more powerful. A “zero day” exploit, or “oh day” as people sometimes jokingly call it, is a previously unknown security vulnerability in a piece of software. It is called a zero-day because it is unknown by the public—or the software authors who could fix it—for zero days and counting. A zero day is gold; anyone who knows the zero day can exploit it over and over until it is patched. The most coveted zero days provide access to a computer or network, which is why they are sold for high profit in a thriving black market. Many, many governments participate in this ethically problematic market, including the US government, who, according to technology reporter Joseph Menn, “has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”16 The US government largely purchases 0days from private firms that “spend at least tens of millions of dollars a year just on exploits,” which are so valuable for granting direct access to wherever the exploit exists.17 Which is to say, gibnut’s news was received with excitement:

gibnut: lets see fuck loic, we’ll hurt them a different way
p-ground: oh yes please
gibnut: I have 0day local root exploit against openwebmail and Tunisia’s NIC servers run it
gibnut: https://risala.ati.tn/cgi-bin/openwebmail/openwebmail.pl
gibnut: if we can get into that server we can root tunisias .tn tld nameservers and control its entire internet space
p-ground: oshit
gibnut: redirect it all to wikileaks ;)
p-ground: shit just got real due to gibnut

With this zero day, gibnut is suggesting that they can compromise the domain name registrar in Tunisia (the NIC) and control the entire Tunisian top-level domain (TLD) name space.

An example of a TLD is .com or .org. Each country has its own TLD; Tunisia’s is “.tn”. If the Anons can compromise this Tunisian registrar, they can redirect everyone who tries to navigate to a website that ends in .tn to any server they wish. gibnut suggests WikiLeaks.

The chat logs in particular go a long way towards confirming, as Cameron wrote, “longstanding accusations that federal investigators allowed an informant to repeatedly break computer-crime laws while in pursuit of Hammond and other Anonymous figures.”27 Allegations that Sabu aided and abetted illegal activity (recall that it was Sabu who brought the Stratfor vulnerability to Hammond in the first place) were not limited to the Stratfor hack. During Hammond’s sentencing hearing in November 2014, he read a statement that included another explosive accusation: After Stratfor, I continued to break into other targets, using a powerful “zero day exploit” allowing me administrator access to systems running the popular Plesk webhosting platform. Sabu asked me many times for access to this exploit, which I refused to give him. Without his own independent access, Sabu continued to supply me with lists of vulnerable targets. I broke into numerous websites he supplied, uploaded the stolen email accounts and databases onto Sabu’s FBI server, and handed over passwords and backdoors that enabled Sabu (and, by extension, his FBI handlers) to control these targets.


pages: 590 words: 152,595

Army of None: Autonomous Weapons and the Future of War by Paul Scharre

active measures, Air France Flight 447, algorithmic trading, artificial general intelligence, augmented reality, automated trading system, autonomous vehicles, basic income, brain emulation, Brian Krebs, cognitive bias, computer vision, cuban missile crisis, dark matter, DARPA: Urban Challenge, DevOps, drone strike, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, facts on the ground, fault tolerance, Flash crash, Freestyle chess, friendly fire, IFF: identification friend or foe, ImageNet competition, Internet of things, Johann Wolfgang von Goethe, John Markoff, Kevin Kelly, Loebner Prize, loose coupling, Mark Zuckerberg, moral hazard, mutually assured destruction, Nate Silver, pattern recognition, Rodney Brooks, Rubik’s Cube, self-driving car, sensor fusion, South China Sea, speech recognition, Stanislav Petrov, Stephen Hawking, Steve Ballmer, Steve Wozniak, Stuxnet, superintelligent machines, Tesla Model S, The Signal and the Noise by Nate Silver, theory of mind, Turing test, universal basic income, Valery Gerasimov, Wall-E, William Langewiesche, Y2K, zero day

It was a form of malware that security professionals have long speculated was possible but had never seen before: a digital weapon. Stuxnet, as the worm came to be called, could do more than spy, steal things, and delete data. Stuxnet could break things, not just in cyberspace but in the physical world as well. Stuxnet was a serious piece of malware. Zero-day exploits take advantage of vulnerabilities that software developers are unaware of. (Defenders have known about them for “zero days.”) Zero-days are a prized commodity in the world of computer security, worth as much as $100,000 on the black market. Stuxnet had four. Spreading via removable USB drives, the first thing Stuxnet did when it spread to a new system was to give itself “root” access in the computer, essentially unlimited access. Then it hid, using a real—not fake—security certificate from a reputable company to mask itself from antivirus software.

Alexander* on the Future of Warfare before the Senate Armed Services Committee,” November 3, 2015, http://www.armed-services.senate.gov/imo/media/doc/Alexander_11-03-15.pdf.
213 team of professional hackers months if not years: David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum: Technology, Engineering, and Science News, February 26, 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
213 “zero days”: Kim Zetter, “Hacker Lexicon: What Is a Zero Day?,” WIRED, November 11, 2014, https://www.wired.com/2014/11/what-is-a-zero-day/.
213 Stuxnet had four: Michael Joseph Gross, “A Declaration of Cyber War.” Vanity Fair, March 2011, https://www.vanityfair.com/news/2011/03/stuxnet-201104.
214 programmable logic controllers: Gross, “A Declaration of Cyber War.” Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier,” Symantec Security Response, February 2011, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
214 two encrypted “warheads”: Gross, “A Declaration of Cyber War.”
214 Computer security specialists widely agree: Falliere et al., “W32.Stuxnet Dossier,” 2, 7.
214 Natanz nuclear enrichment facility: Gross, “A Declaration of Cyber War.”

AUTONOMY IN CYBERSPACE

Autonomy is essential to offensive cyberweapons, such as Stuxnet, that are intended to operate on closed networks separated from the internet. Once it arrives at its target, Stuxnet carries out the attack on its own. In that sense, Stuxnet is analogous to a homing munition. A human chooses the target and Stuxnet conducts the attack. Autonomy is also essential for cyberdefense. The sheer volume of attacks means it is impossible to catch them all. Some will inevitably slip through defenses, whether by using zero-day vulnerabilities, finding systems that have not yet been updated, or exploiting users who insert infected USB drives or click on nefarious links. This means that in addition to keeping malware out, security specialists have also adopted “active cyberdefenses” to police networks on the inside to find malware, counter it, and patch network vulnerabilities. In 2015, I testified to the Senate Armed Services Committee alongside retired General Keith Alexander, former head of the National Security Agency, on the future of warfare.


Active Measures by Thomas Rid

1960s counterculture, 4chan, active measures, anti-communist, back-to-the-land, Berlin Wall, Bernie Sanders, bitcoin, call centre, Chelsea Manning, continuation of politics by other means, cryptocurrency, cuban missile crisis, Donald Trump, East Village, Edward Snowden, en.wikipedia.org, facts on the ground, Fall of the Berlin Wall, guest worker program, Internet Archive, Jacob Appelbaum, John Markoff, Julian Assange, kremlinology, Mikhail Gorbachev, Norman Mailer, nuclear winter, peer-to-peer, Ronald Reagan, Silicon Valley, Stewart Brand, technoutopianism, We are Anonymous. We are Legion, Whole Earth Catalog, WikiLeaks, zero day

Some of the code names referred to what computer security experts call zero-days, previously undiscovered cracks and fissures in widespread computer software—in this case, Microsoft Windows, the single most widespread operating system on the planet. The NSA had found and used secret doors into Windows, but had notified no one, not even Microsoft. One former NSA employee told The Washington Post later that the intelligence haul of one particular tool, ETERNALBLUE, was “unreal.” Another said using the tool was “like fishing with dynamite.”10 Whoever had the zero-days could get in undetected, not into one machine, but any number, and not just to steal things, but to break them. So far only two parties knew that several zero-days were on the list and likely to come out soon: the Shadow Brokers and the NSA.

Matt Tait, the former GCHQ exploit developer and operator, assessed the damage caused by the Shadow Brokers as “easily the biggest single tactical loss to the NSA in a generation.”11 The agency knew what to do next: destroy the tools by closing the holes they exploited before anybody could light up the dynamite or, even worse, publish the dynamite recipe. Fort Meade notified Microsoft,12 where developers began to patch the vulnerabilities that the NSA had been using to such “unreal” effect. On March 14, about two months after the ominous first post that exposed the zero-days had appeared, Microsoft issued a “critical” update for all versions of Windows.13 Meanwhile, early on the morning of April 7, the U.S. Navy struck a Syrian airbase with 59 Tomahawk cruise missiles in retaliation against Syria’s use of chemical weapons on its own civilians. Russia was a Syrian ally, and later that day a Kremlin spokesperson strongly condemned the American strikes as an “act of aggression against a sovereign country.”14 The next day, after months of silence, the Shadow Brokers reappeared with a long, rambling message expressing disappointment in the Trump administration’s decision to strike Syria, denied any links to Russia, and—as “our form of protest”—published the secret key to the encrypted, once-for-sale EQGRP-AUCTION-FILE archive.

Mitte, Die MKULTRA experiments Møller-Maersk monarchist émigrés (Whites) Monarchist Organization of Central Russia (MOTsR) Monde, Le Mondelēz International Moonlight Maze Moore, Pamela (sock puppet) Morgan, Vernon Moro, Aldo Mossack Fonseca Motherboard MOTsR (Monarchist Organization of Central Russia) Mulligan, Gerry Murphy, David Mut Mutz, Wolfgang N Nair, Kunhanandan Nannen, Henri Nation, The National-European Youth Congress National Review National Security Agency (NSA); ANT catalog and; ETERNALBLUE and; leak of hacking tools from; Merkel spied on by; NotPetya attack and; Shadow Brokers and; Snowden and; Tailored Access Operations of; zero-days and Nation Europa Natsios, Deborah Nazi gold hunts Nazis; see also Kampfverband für Unabhängiges Deutschland NEPTUN operation: Bittman and; Cyrillic notes and; documents for; forgery and; impact of; international press and; mock discovery in; myth creation in; objectives of Netherlands, the Netyksho, Viktor Neue Nachhut, Die Neuer Weg Neues Deutschland Neue Zeit neutron bomb New American, The Newens, Stan New Statesman Newsweek New Yorker, The New York Post New York Times, The Nieuwe, De Niezbrzycki, Jerzy 1984 (Orwell) Nixon, Richard Norden, Albert North Korea NotPetya attacks Novoe Russkoe Slovo NSA, see National Security Agency nuclear disarmament nuclear war threats; see also neutron bomb Nuclear Weapons Freeze Campaign nuclear winter: Alexandrov and; CIA on; KGB and; scenarios of; self-disinformation and; TTAPS project and Nuland, Victoria O Obama, Barack Office of Strategic Services OGPU (Joint State Political Directorate) Olympic Games Operation GRAVEYARD Operations Plan (OPLAN) 10-1: authenticity of; forgery added to; Johnson, R.


pages: 322 words: 84,752

Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up by Philip N. Howard

Affordable Care Act / Obamacare, Berlin Wall, bitcoin, blood diamonds, Bretton Woods, Brian Krebs, British Empire, butter production in bangladesh, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, corporate social responsibility, creative destruction, crowdsourcing, digital map, Edward Snowden, en.wikipedia.org, failed state, Fall of the Berlin Wall, feminist movement, Filter Bubble, Firefox, Francis Fukuyama: the end of history, Google Earth, Howard Rheingold, income inequality, informal economy, Internet of things, Julian Assange, Kibera, Kickstarter, land reform, M-Pesa, Marshall McLuhan, megacity, Mikhail Gorbachev, mobile money, Mohammed Bouazizi, national security letter, Nelson Mandela, Network effects, obamacare, Occupy movement, packet switching, pension reform, prediction markets, sentiment analysis, Silicon Valley, Skype, spectrum auction, statistical model, Stuxnet, trade route, undersea cable, uranium enrichment, WikiLeaks, zero day

Rebecca MacKinnon, “Keynote Speech on Surveillance,” in Opening Ceremony of the Freedom Online Conference, 2013, accessed September 30, 2014, http://consentofthenetworked.com/2013/06/17/freedom-online-keynote/.
10. “Aaron Swartz,” Wikipedia, accessed June 29, 2014, http://en.wikipedia.org/wiki/Aaron_Swartz.
11. “Russian Business Network,” Wikipedia, accessed June 19, 2014, http://en.wikipedia.org/wiki/Russian_Business_Network.
12. “Zero-Day Attack,” Wikipedia, accessed June 21, 2014, http://en.wikipedia.org/wiki/Zero-day_attack.
13. “U.S.-Style Personal Data Gathering Is Spreading Worldwide,” Forbes, accessed June 29, 2014, http://www.forbes.com/sites/adamtanner/2013/10/16/u-s-style-personal-data-gathering-spreading-worldwide/; Paul Schwartz, Managing Global Privacy (Berkeley: ThePrivacyProjects.org, January 2009), accessed September 30, 2014, http://theprivacyprojects.org/wp-content/uploads/2009/08/The-Privacy-Projects-Paul-Schwartz-Global-Data-Flows-20093.pdf.
14.

The Russian Business Network has become a service that essentially provides IT support for criminal networks.11 For a while it was openly selling a key-logging software for $150. The organization is probably behind the Storm botnet described earlier, and it actually specializes in identity theft services. The Russian government taps it for work projects. It contributes to the international market for zero-day exploits, trading in software flaws that a buyer can only use once against a device.12 For such dubious businesses and criminal actors, the internet of things will serve as a vast array for gathering data and a means of providing illegal information services. Coupled with the largely unregulated but not illegal markets in data about people from around the world, much of what is collected over the internet of things will be valuable—and valued—by lobbyists everywhere.13 Denial-of-service attacks can be ordered online for between five and one hundred dollars, depending on the size of the target.14 Hacktivists and whistle blowers will continue to teach us the most about political actors’ use of inconspicuous devices to manipulate public opinion and manage political life.

See also Assange, Julian; Manning, Chelsea; Snowden, Edward; WikiLeaks wicked problems, 112 WikiLeaks, 13, 43–44, 201, 216 Wilson, Chris, 121 Witness Project, 20 World Bank, 55, 56, 251 World Social Forum, 49–50 Xi Jinping, 192 Xinhua news agency, 191 Yahoo!, 248 Yang, Guobin, 186 Yeltsin, Boris, 37 youth, attraction of, to digital media, 239–40 YouTube, 8–9, 45; in Turkey, 116; white supremacist videos on, 217 Zapatistas (Zapatista Liberation Army), 38, 47–53, 135, 229 zero-day exploits, 236 Zhang, Haiyan, 177a Zimbabwe, 92; anarchy in, 94; infrastructure deals with China, 114; receiving Chinese training on networks, 215 ZTE, 113–14 Zuckerman, Ethan, 138


pages: 294 words: 81,292

Our Final Invention: Artificial Intelligence and the End of the Human Era by James Barrat

AI winter, AltaVista, Amazon Web Services, artificial general intelligence, Asilomar, Automated Insights, Bayesian statistics, Bernie Madoff, Bill Joy: nanobots, brain emulation, cellular automata, Chuck Templeton: OpenTable:, cloud computing, cognitive bias, commoditize, computer vision, cuban missile crisis, Daniel Kahneman / Amos Tversky, Danny Hillis, data acquisition, don't be evil, drone strike, Extropian, finite state, Flash crash, friendly AI, friendly fire, Google Glasses, Google X / Alphabet X, Isaac Newton, Jaron Lanier, John Markoff, John von Neumann, Kevin Kelly, Law of Accelerating Returns, life extension, Loebner Prize, lone genius, mutually assured destruction, natural language processing, Nicholas Carr, optical character recognition, PageRank, pattern recognition, Peter Thiel, prisoner's dilemma, Ray Kurzweil, Rodney Brooks, Search for Extraterrestrial Intelligence, self-driving car, semantic web, Silicon Valley, Singularitarianism, Skype, smart grid, speech recognition, statistical model, stealth mode startup, stem cell, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, superintelligent machines, technological singularity, The Coming Technological Singularity, Thomas Bayes, traveling salesman, Turing machine, Turing test, Vernor Vinge, Watson beat the top human players on Jeopardy!, zero day

But one flash drive could infect multiple PCs, or infest an entire local area network (LAN) by plugging into one node. At the Natanz plant PCs were running software that permits users to visualize, monitor, and control plant operations from their computers. Once Stuxnet got access to one computer, phase one of its invasion began. It used four zero day vulnerabilities in the Microsoft Windows operating system to take control of that computer and search for others. Zero day vulnerabilities are holes in the computer’s operating software that no one has discovered yet, holes that permit unauthorized access to the computer. Hackers covet zero day vulnerabilities—their specs can sell for as much as $500,000 on the open market. Using four at the same time was extravagant, but it greatly enhanced the virus’s chances of success. That’s because in between Stuxnet’s deployment and when the attacks took place, one or more of the exploits could have been discovered and patched.

Three Mile Island tightly coupled systems Thrun, Sebastian transhumans transistors Traveller Trillion Credit Squadron Turing, Alan Turing machine Turing test Tversky, Amos two-minute problem 2001: A Space Odyssey Ulam, Stanislaw utility function Vassar, Michael Vicarious Systems Vinge, Vernor violence Virginia Tech Massacre Virtually You (Aboujaoude) voice recognition von Neumann, John Voss, Peter Wallach, Wendall Wall Street Warwick, Kevin Washington Post Watson weapons, see military Whitby, Blay “Why the Future Doesn’t Need Us” (Joy) Wired for Thought (Stibel) Wissner-Gross, Alexander D. Wolfram, Stephen Wozniak, Steve You Are Not a Gadget: A Manifesto (Lanier) Yudkowsky, Eliezer Yudkowsky, Yehuda Zeitgist ’06 zero day vulnerabilities Zeroth Law Zeus malware About the Author James Barrat is a documentary filmmaker who’s written and produced films for National Geographic, Discovery, PBS, and many other broadcasters in the United States and Europe. He lives near Washington, D.C., with his wife and two children. Learn more at www.JamesBarrat.com. OUR FINAL INVENTION. Copyright © 2013 by James Barrat.


pages: 302 words: 82,233

Beautiful Security by Andy Oram, John Viega

Albert Einstein, Amazon Web Services, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, loose coupling, Marc Andreessen, market design, MITM: man-in-the-middle, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, statistical model, Steven Levy, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, zero day, Zimmermann PGP

Office workers roll their eyes and curse as they read the password off the notepad next to their desk (lying on top of the budget printout that an office administrator told them should be in a locked drawer). If this is security, who would want to make a career of it? Or buy a book from O’Reilly about it? Or think about it for more than 30 seconds at a time? To people tasked with creating secure systems, the effort seems hopeless. Nobody at their site cooperates with their procedures, and the business managers refuse to allocate more than a pittance to security. Jaded from the endless instances of zero-day exploits and unpatched vulnerabilities in the tools and languages they have to work with, programmers and system administrators become lax. This is why books on security sell poorly (although in the last year or two, sales have picked up a bit). Books on hacking into systems sell much better than books about how to protect systems, a trend that really scares me. Well, this book should change that.

The problem is that the researcher can isolate and view the sample only after the malware has been released, sometimes months or even years previously. Rustock.C, one of the most dangerous Windows-based rootkits found to date, is a good example of this, having been in the wild for over a year before it was discovered, analyzed, and added to detection signatures. Even daily updates would not give manufacturers enough time to find, analyze, and distribute defenses against new malware, so users are vulnerable to yet unknown attacks (zero-day exploits). From this description, it would be legitimate to assume that a researcher is seeing an old version of the malware and that it has had time to make the rounds with other malware developers and “users.” Each malicious attack quickly changes into something completely new or incorporates some of its capabilities into something else. Furthermore, although anti-virus companies maintain research teams that can number in the hundreds, they are facing an ever-growing backlog of malware identification and signature production.

He served on the Roundtable on Scientific Communication and National Security, a collaborative project of the National Research Council and the Center for Strategic and International Studies.


pages: 315 words: 93,522

How Music Got Free: The End of an Industry, the Turn of the Century, and the Patient Zero of Piracy by Stephen Witt

4chan, barriers to entry, Berlin Wall, big-box store, cloud computing, collaborative economy, crowdsourcing, game design, Internet Archive, invention of movable type, inventory management, iterative process, Jason Scott: textfiles.com, job automation, late fees, mental accounting, moral panic, packet switching, pattern recognition, peer-to-peer, pirate software, Ronald Reagan, security theater, sharing economy, side project, Silicon Valley, software patent, Steve Jobs, zero day

Scene members organized themselves into loosely affiliated digital crews, and those crews raced one another to be the first to release newly pirated material. Often this material was available the same day it was officially released. Sometimes it was even possible, by hacking company servers, or by accessing unscrupulous employees or vendors, to pirate a piece of software before it was available in stores. These prerelease leaks were called “zero-day” warez, and the ability to regularly source them earned one the ultimate accolade in digital piracy: to be among the “elite.” Now the Scene was moving from software to music, and it was their enthusiasm for the technology that sparked the mp3 craze. The first industrial-scale mp3 pirate was a Scene player by the screen name “NetFraCk,” who, in September 1996, offered an interview to Affinity, an underground Scene newsletter, which like the earliest cracked software, was distributed through snail mail on a 3.5-inch floppy disk.

This was the Scene, and Dockery, on IRC, had joined one of its most elite groups: Rabid Neurosis. They called it RNS for short. The group had formed a few weeks after Compress ’Da Audio, the pioneering mp3 releasing group. Within months they had eclipsed the originals, and quickly competed them out of existence. Instead of pirating individual songs, RNS was pirating whole albums, and bringing the same elite “zero-day” mentality from software to music. The goal was to beat the official release date wherever possible, and that meant a campaign of infiltration against the music majors. The founders of RNS had gone by the handles “NOFX” and “Bonethug,” although Dockery never interacted with these two. They dated back to the distant mists of 1996, as might be inferred by the musical acts their screen names referred to.

He knew its history and culture and could rhyme along with his favorite rappers. He knew all the beefs, all the disses, and all the details of the internecine label feuds. And he also knew that, in the aftermath of the murders of Biggie and Tupac, those feuds were dying down and the labels were consolidating. Death Row, Bad Boy, Cash Money, and Aftermath were all going corporate. In his relentless quest for zero-day leaks, Kali tracked these pressing and distribution deals carefully, and his research kept bringing him back to Universal. But without consistent access inside that company, rival release crews had been beating him. Glover was his ticket in. The two hashed out the details of their partnership. Kali would track release dates of upcoming albums online and alert Glover to the material he was interested in.


pages: 453 words: 114,250

The Great Firewall of China by James Griffiths

A Declaration of the Independence of Cyberspace, activist fund / activist shareholder / activist investor, Albert Einstein, anti-communist, bitcoin, borderless world, call centre, Chelsea Manning, Deng Xiaoping, don't be evil, Donald Trump, Edward Snowden, gig economy, jimmy wales, Mark Zuckerberg, megacity, Mikhail Gorbachev, Mitch Kapor, mobile money, Occupy movement, pets.com, profit motive, QR code, race to the bottom, RAND corporation, ride hailing / ride sharing, Ronald Reagan, Silicon Valley, Silicon Valley startup, Skype, Snapchat, South China Sea, Steve Jobs, Stewart Brand, Stuxnet, technoutopianism, undersea cable, WikiLeaks, zero day

Patient zero was an employee in the Beijing office. The hackers had built up a profile of the target based on information they gleaned via Facebook, LinkedIn and other social networks, then, appearing to be someone the employee trusted, they sent them a link via instant message.12 When clicked, the link took the employee to a website poisoned with malware capable of enacting a ‘zero-day’ exploit, a never before seen vulnerability, in the Internet Explorer browser.13 The zero-day was used to download more malware onto the employee’s computer, and with that the attackers were inside the Google network.14 With the China team employee’s credentials in their possession, the attackers had access to Moma, the Google intranet, which contained detailed breakdowns of teams, employee contact information, and progress reports for various projects.

They were horrified to discover that the attackers had not just compromised the company’s core systems, but had also broken into the individual Gmail accounts of Chinese and Tibetan dissidents, including artist Ai Weiwei and Tenzin Seldon, a twenty-year-old regional coordinator of Students for a Free Tibet.19 This and other clues pointed to the attack coming from China, while the sophistication of it, as well as the resources poured in to keep it going for months on end, suggested it was the work of a state-sponsored group.20 Security researchers at Symantec later dubbed the group ‘Elderwood’ and revealed that it had targeted dozens of other US companies, including Yahoo, Adobe, weapons manufacturer Northrop Grumman, and Dow Chemical.21 Some reports suggested the victims could have numbered over a hundred.22 As a Symantec report recounted: In most cases, Elderwood uses a convincing ‘spear-phishing’ fake email to fool an employee into clicking an infected emailed link or into opening a Trojan software-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have utilised costly ‘zero-day’ malware that takes advantage of a previously unknown flaw against which no defence exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude the group is exceedingly well funded.23 Although they apparently did not share this information with Google, leaked State Department cables show that US diplomats had also concluded the attack was linked to the Chinese government.

WeChat (Weixin), 207, 242, 277–8, 281–3; censorship challenge, 268; monopoly of, 278; payments system, 279–80 Weibo, 46, 177–9, 181, 184, 206–7, 210, 268, 277; failure, 215; ingenuity of, 182; microbloggers use, 180; muzzling of, 214; public offering, 182; surveillance sidestep attempts, 208; Weiboscope, 77 Weigel, Moira, 317 Weir, Bob, 244 Wen Jiabao, 79–80 Wenhui Daily, 173 Wenzhou train crash, 177, 179; internet revealed, 178 Westinghouse, 187 Wexler, Robert, 123 WhatsApp, 16, 268, 278, 296, 303, 316 Whole Earth ‘Lectronic Link, 244 WikiLeaks, 104, 185–6, 315–16 Wikipedia, specific pages blocked, 27 Wired, 84, 106, 243–4 World Bank, 24 World Conference on International Telecommunications, 227; Leaks see above World Internet Conference 2015, 241 World Uyghur Congress, 152 World Wide Web Consortium (W3C), 234 WSIS 10, 237; US victory, 224 WTO (World Trade Organization), 80–1; China joining, 42, 91–2 Wu, Dandan, 125 Wu, Tim, 30, 219, 241, 243 wumao, 212 wumaodang, recruited students, 213 Wuyi, Zhejiang province, 310 Wuzhen, 239–40 Xabnam.com, 157 Xi Jinping, 81, 181, 191, 203, 207, 238–40, 281, 312; internet clampdown, 78 Xia, Bill, 99–100, 102–3, 107, 112 Xiao Qiang, 76, 21 Xi’an, Shaanxi province, 154 Xinhua, 56–7, 64, 77, 78, 156, 181; commercial offerings, 80; Hong Kong bureau, 79; journalists’ watchdog role, 79; official line, 148 Xinjiang Autonomous Region, 107, 131–2, 135, 140, 148, 156, 195, 199, 210, 280; Beijing terrorism lens, 152; famine avoidance, 138; internet access, 156; internet blackout, 153; new policies of control, 200; Qing Empire, 137; Shanshan county, 201; University, 150 Xu Hong, 39 Xu Wendi, 42 Xue, Charles, 180, 181 Xuri Toy Factory/Shaoguan incident, 143, 146; footage of, 151; Uyghur workers, 144–5 Yahoo, 115, 119, 170; arrest responsibility, 116; China subsidiary, 63–4, 67; informer role criticised, 66 Yanayev, Gennady, 253 Yang Jisheng, 20 Yang, Jerry, 66–7 Yanukovych, Viktor, 267 Yeltsin, Boris, 75, 254–5, 257; resignation, 261 
YouTube, 167, 246, 274, 303, 314, 316; blocked, 183 Yu Jie, China’s Best Actor, 80 Yu Wanli, 173–4, 246 Yuan Zengxin, 138 Zambia, 304 Zara, 309 Zhang Zhenhuan, 49 Zhang Jianchuan, 235 Zhang, Shawn, 309 Zhao Houlin, 236–7 Zhao Jing, 36 Zhao Ziyang, 80, 889; house arrest, 21–2 Zhongnanhai complex, 45; 1999 protest, 46, 52–3, 55 Zhou Yongkang, 171 Zhu Rongji, 53 Zhu, Julie, 62 Zhuan Falun, 50; text banned, 52 Zimbabwe, 10, 290, 304 Zorn, Werner, 24–5 ZTE, 288 Zuckerberg, Mark, 260, 312 Zed is a platform for marginalised voices across the globe.


pages: 264 words: 79,589

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen

Apple II, Brian Krebs, Burning Man, corporate governance, dumpster diving, Exxon Valdez, Hacker Ethic, hive mind, index card, Kickstarter, McMansion, Mercator projection, offshore financial centre, packet switching, pirate software, Ponzi scheme, Robert Hanssen: Double agent, Saturday Night Live, Silicon Valley, Steve Jobs, Steve Wozniak, Steven Levy, traffic fines, web application, WikiLeaks, zero day, Zipcar

Just looking at the Web page would yield control of the victim’s computer, without any outward sign of infection. Even if the bugs were not made public, the bad guys could figure them out by reverse-engineering the vulnerability from Microsoft’s patches. Security experts had been watching with dismay as the time between a vulnerability’s announcement and its exploitation by black hats shrank from months to days. In the worst-case scenario, the black hats found a bug first: a “zero day” vulnerability that left the good guys playing catch-up. With new Microsoft patches coming out nearly every week, even vigilant corporations tended to lag in installing them, and average users often didn’t patch at all. A global survey of one hundred thousand Internet Explorer users conducted around the time of Max’s effort found that 45 percent suffered from unpatched remote access vulnerabilities; narrowing the field to American users cooled the number only slightly, to 36 percent.

He’d delivered on his end—from the very start of their partnership, back when he was working from Chris’s garage, he’d been breaching small banks and savings and loans. He was in hundreds of them now and could transfer money out of customers’ accounts at will. But the scheme was hung up on Chris’s end. Chris had to find a safe harbor for the money Max would steal—an offshore repository where they could park the cash without it being recalled by the victim bank. So far, he’d failed. So when, in September, Max got his hands on a deadly new Internet Explorer zero day, he shared the news not with Chris but with a different partner, one who had more knowledge of international finance, the Carders Market admin called NightFox. The security hole was a monster: another buffer overflow, this time in the Internet Explorer code designed to let websites draw vector graphics on a visitor’s screen. Sadly for Max, Eastern European hackers had found the bug first, and they’d been using it.

She was fiercely independent, but she couldn’t argue that he hadn’t given her space. It was time, he decided, for Max Vision, white hat, to return. It would be official. He visited the San Francisco courthouse and filled out the necessary paperwork. On August 14, a judge approved his legal name change from Max Butler to Max Ray Vision. He already had an idea for a new website that could catapult him back into the white-hat scene: a system for disclosing and managing zero-day vulnerabilities. He could seed it with the security holes he was privy to in the underground, bringing the exploits into the white-hat world like a defector crossing Checkpoint Charlie with a suitcase full of state secrets. But after all his work making Carders Market the top crime forum in the English-speaking world, he couldn’t bring himself to just abandon it. Max returned to his safe house.


pages: 464 words: 127,283

Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia by Anthony M. Townsend

1960s counterculture, 4chan, A Pattern Language, Airbnb, Amazon Web Services, anti-communist, Apple II, Bay Area Rapid Transit, Burning Man, business process, call centre, carbon footprint, charter city, chief data officer, clean water, cleantech, cloud computing, computer age, congestion charging, connected car, crack epidemic, crowdsourcing, DARPA: Urban Challenge, data acquisition, Deng Xiaoping, digital map, Donald Davies, East Village, Edward Glaeser, game design, garden city movement, Geoffrey West, Santa Fe Institute, George Gilder, ghettoisation, global supply chain, Grace Hopper, Haight Ashbury, Hedy Lamarr / George Antheil, hive mind, Howard Rheingold, interchangeable parts, Internet Archive, Internet of things, Jacquard loom, Jane Jacobs, jitney, John Snow's cholera map, Joi Ito, Khan Academy, Kibera, Kickstarter, knowledge worker, load shedding, M-Pesa, Mark Zuckerberg, megacity, mobile money, mutually assured destruction, new economy, New Urbanism, Norbert Wiener, Occupy movement, off grid, openstreetmap, packet switching, Panopticon Jeremy Bentham, Parag Khanna, patent troll, Pearl River Delta, place-making, planetary scale, popular electronics, RFC: Request For Comment, RFID, ride hailing / ride sharing, Robert Gordon, self-driving car, sharing economy, Silicon Valley, Skype, smart cities, smart grid, smart meter, social graph, social software, social web, special economic zone, Steve Jobs, Steve Wozniak, Stuxnet, supply-chain management, technoutopianism, Ted Kaczynski, telepresence, The Death and Life of Great American Cities, too big to fail, trade route, Tyler Cowen: Great Stagnation, undersea cable, Upton Sinclair, uranium enrichment, urban decay, urban planning, urban renewal, Vannevar Bush, working poor, working-age population, X Prize, Y2K, zero day, Zipcar

So you will find the same products in a power plant, even in elevators.”42 Skeptics argue that the threat of Stuxnet is overblown. Stuxnet’s payload was highly targeted. It was programmed to only attack the Natanz centrifuges, and do so in a very specific way. Most importantly, it expended a highly valuable arsenal of “zero-day” attacks, undocumented vulnerabilities that can only be exploited once, after which a simple update will be issued by the software’s supplier. In its report on the virus, security software firm Symantec wrote “Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.”43 Stuxnet’s unique attributes aside, most embedded systems aren’t located in bunkers, and they are increasingly vulnerable to much simpler attacks on their human operators. Little more than a year after Stuxnet was uncovered, a lone hacker known only as “pr0f” attacked the water utility of South Houston, a small town of seventeen thousand people just outside Texas’s most populous city.

That summer Dillon Beresford, a security researcher at (oddly coincidentally) Houston-based network security outfit NSS Labs, had demonstrated several flaws in SIMATIC and ways to exploit them. Siemens managed to dodge the collateral damage of Stuxnet, but the holes in SIMATIC are indicative of far more serious risks it must address. Another troubling development is the growing number of “forever day” vulnerabilities being discovered in older control systems. Unlike zero-day exploits, for which vendors and security firms can quickly deploy countermeasures and patches, forever-day exploits target holes in legacy embedded systems that manufacturers no longer support—and therefore will never be patched. The problem affects industrial-control equipment sold in the past by both Siemens and GE, as well as a host of smaller firms.45 It has drawn increased interest from the Cyber Emergency Response Team, the government agency that coordinates American cyber-security efforts.

Copyright © 2013 by Anthony M. Townsend. All rights reserved. Printed in the United States of America. First Edition.


pages: 246 words: 16,997

Financial Modelling in Python by Shayne Fletcher, Christopher Gardner

Brownian motion, discrete time, interest rate derivative, London Interbank Offered Rate, stochastic volatility, yield curve, zero day, zero-coupon bond

Accordingly the ppf.core.generate_observables module offers the function generate_libor_observables() for this purpose.

    def generate_libor_observables(
            start,
            end,
            roll_period=6,
            roll_duration=ppf.date_time.months,
            reset_period=6,
            reset_duration=ppf.date_time.months,
            tenor_period=6,
            tenor_duration=ppf.date_time.months,
            reset_currency="USD",
            reset_basis=ppf.date_time.basis_act_360,
            reset_holiday_centres=None,
            reset_shift_method=ppf.date_time.modified_following,
            reset_lag=0,
            *arguments,
            **keywords):
        from ppf.date_time import days
        shift = ppf.date_time.shift

        if reset_lag > 0:
            raise RuntimeError("index lag expected less or equal to zero")

        day, flow_id, all_observables = 0, 0, []
        while day < end:
            # One roll period per flow
            roll_start = start + roll_duration(flow_id*roll_period)
            roll_end = start + roll_duration((flow_id+1)*roll_period)
            reset_id = 0
            proj_roll = roll_start
            observables = []
            # One observable per reset inside the roll period
            while proj_roll < roll_end:
                proj_start = shift(
                    proj_roll,
                    reset_shift_method, reset_holiday_centres)
                proj_end = shift(
                    proj_roll+tenor_duration(tenor_period),
                    reset_shift_method, reset_holiday_centres)
                reset_date = shift(
                    proj_start+days(reset_lag),
                    reset_shift_method, reset_holiday_centres)
                observables.append(
                    libor_rate(None, flow_id, reset_id, reset_date,
                               reset_currency, proj_start, proj_end,
                               reset_basis, fixing(False)))
                reset_id += 1
                proj_roll = roll_start+reset_duration(reset_id*reset_period)
            day = roll_end
            all_observables.append(observables)
            flow_id += 1
        return all_observables

Here is an example of generate_libor_observables() in use.

    >>> observables = generate_libor_observables(
    ...     start = date(2007, Jun, 29)
    ...   , end = date(2012, Jun, 29)
    ...   , roll_period = 6
    ...   , roll_duration = ppf.date_time.months
    ...   , reset_period = 3
    ...   , reset_duration = ppf.date_time.months
    ...   , tenor_period = 3
    ...   , tenor_duration = ppf.date_time.months
    ...   , reset_currency = "JPY"
    ...   , reset_basis = basis_act_360
    ...   , reset_shift_method = shift_convention.modified_following)
    >>> for obs_per_flow in observables:
    ...   for obs in obs_per_flow:
    ...     print obs
    0, 0, JPY, [2007-Jun-29, 2007-Sep-28], basis_act_360,
    0, 1, JPY, [2007-Sep-28, 2007-Dec-31], basis_act_360,
    1, 0, JPY, [2007-Dec-31, 2008-Mar-31], basis_act_360,
    1, 1, JPY, [2008-Mar-31, 2008-Jun-30], basis_act_360,
    2, 0, JPY, [2008-Jun-30, 2008-Sep-29], basis_act_360,
    2, 1, JPY, [2008-Sep-29, 2008-Dec-29], basis_act_360,
    3, 0, JPY, [2008-Dec-29, 2009-Mar-30], basis_act_360,
    3, 1, JPY, [2009-Mar-30, 2009-Jun-29], basis_act_360,
    4, 0, JPY, [2009-Jun-29, 2009-Sep-29], basis_act_360,
    4, 1, JPY, [2009-Sep-29, 2009-Dec-29], basis_act_360,
    5, 0, JPY, [2009-Dec-29, 2010-Mar-29], basis_act_360,
    5, 1, JPY, [2010-Mar-29, 2010-Jun-29], basis_act_360,
    6, 0, JPY, [2010-Jun-29, 2010-Sep-29], basis_act_360,
    6, 1, JPY, [2010-Sep-29, 2010-Dec-29], basis_act_360,
    7, 0, JPY, [2010-Dec-29, 2011-Mar-29], basis_act_360,
    7, 1, JPY, [2011-Mar-29, 2011-Jun-29], basis_act_360,
    8, 0, JPY, [2011-Jun-29, 2011-Sep-29], basis_act_360,
    8, 1, JPY, [2011-Sep-29, 2011-Dec-29], basis_act_360,
    9, 0, JPY, [2011-Dec-29, 2012-Mar-29], basis_act_360,
    9, 1, JPY, [2012-Mar-29, 2012-Jun-29], basis_act_360,

The sample invocation above has generated a sequence of LIBOR rate observables.

The constructor invokes the __generate() method which uses the information contained in that dictionary together with the projection start and end dates to generate the underlying legs of the swap.

    from fixing import *
    from observable import *
    from generate_flows import *
    from generate_observables import *

    class swap_rate(observable):
        def __init__(self, attributes, flow_id, reset_id, reset_date,
                     reset_ccy, proj_start_date, proj_end_date, fix,
                     spread=None):
            observable.__init__(self, attributes, flow_id, reset_id,
                                reset_ccy, reset_date, proj_end_date,
                                fix, spread)
            self.__proj_start_date = proj_start_date
            self.__proj_end_date = proj_end_date
            self.__generate()

        def proj_start_date(self): return self.__proj_start_date
        def proj_end_date(self): return self.__proj_end_date
        def fixed_pay_basis(self): return self.__fixed_pay_basis
        def float_pay_basis(self): return self.__float_pay_basis
        def proj_basis(self): return self.__proj_basis
        def fixed_flows(self): return self.__fixed_flows
        def float_flows(self): return self.__float_flows

        def __generate(self):
            start = self.__proj_start_date
            until = self.__proj_end_date
            attributes = self.attributes()

            fixed_period = attributes["fixed-pay-period"]
            fixed_period_duration = attributes["fixed-pay-period-duration"]
            fixed_pay_basis = attributes["fixed-pay-basis"]
            fixed_pay_holiday_centres = attributes["fixed-pay-holiday-centres"]
            fixed_shift_convention = attributes["fixed-shift-convention"]
            float_period = attributes["float-pay-period"]
            float_period_duration = attributes["float-pay-period-duration"]
            float_pay_basis = attributes["float-pay-basis"]
            float_pay_holiday_centres = attributes["float-pay-holiday-centres"]
            float_shift_convention = attributes["float-shift-convention"]
            libor_basis = attributes["index-basis"]
            libor_holiday_centres = attributes["index-holiday-centres"]
            libor_shift_convention = attributes["index-shift-convention"]

            # Fixed leg
            self.__fixed_flows = \
                generate_flows(
                    start, until,
                    period=fixed_period,
                    duration=fixed_period_duration,
                    pay_shift_method=fixed_shift_convention,
                    pay_currency=self.reset_currency(),
                    pay_basis=fixed_pay_basis,
                    pay_holiday_centres=fixed_pay_holiday_centres,
                    accrual_shift_method=fixed_shift_convention,
                    accrual_holiday_centres=fixed_pay_holiday_centres)

            # LIBOR observables driving the floating leg
            libor_observables = \
                generate_libor_observables(
                    start, until,
                    roll_period=float_period,
                    roll_duration=float_period_duration,
                    reset_period=float_period,
                    reset_duration=float_period_duration,
                    tenor_period=float_period,
                    tenor_duration=float_period_duration,
                    reset_currency=self.reset_currency(),
                    reset_basis=libor_basis,
                    reset_holiday_centres=libor_holiday_centres,
                    reset_shift_method=libor_shift_convention)

            # Floating leg
            self.__float_flows = \
                generate_flows(
                    start, until,
                    period=float_period,
                    duration=float_period_duration,
                    pay_shift_method=float_shift_convention,
                    pay_currency=self.reset_currency(),
                    pay_basis=float_pay_basis,
                    pay_holiday_centres=float_pay_holiday_centres,
                    accrual_shift_method=float_shift_convention,
                    accrual_holiday_centres=float_pay_holiday_centres,
                    observables=libor_observables)

        def __str__(self):
            s = "%d, " % self.flow_id()
            s += "%d, " % self.reset_id()
            s += "%s, " % self.reset_currency()
            s += "[%s, %s], " % (self.__proj_start_date, self.__proj_end_date)
            return s

Once again for completeness the swap_rate class provides a method forward for determining the value of the swap rate at a particular point in time.

    class swap_rate(observable):
        def forward(self, t, curve):
            # Present value of the floating (funding) leg
            fund_pv = 0
            for f in self.__float_flows:
                obs = f.observables()[0]
                proj_start, proj_end, reset_accrual_dcf = \
                    (obs.proj_start_date(), obs.proj_end_date(),
                     obs.year_fraction())
                dfs, dfe = \
                    curve(int(proj_start - t)/365.0), \
                    curve(int(proj_end - t)/365.0)
                libor = (dfs/dfe - 1.0)/reset_accrual_dcf
                pay_date, accrual_dcf = (f.pay_date(), f.year_fraction())
                dfp = curve(int(pay_date - t)/365.0)
                fund_pv += dfp*libor*accrual_dcf
            # Present value of the fixed leg per unit coupon
            fixed_pv = 0
            for f in self.__fixed_flows:
                pay_date, accrual_dcf = (f.pay_date(), f.year_fraction())
                dfp = curve(int(pay_date - t)/365.0)
                fixed_pv += dfp*accrual_dcf
            return fund_pv/fixed_pv

Like the generate_libor_observables() function of section 6.1.1, a function for generating a sequence of swap rate observables, generate_swap_observables(), can be found in the ppf.core.generate_observables module.

    def generate_swap_observables(
            start,
            end,
            attributes,
            spread=0,
            roll_period=6,
            roll_duration=ppf.date_time.months,
            tenor_period=10,
            tenor_duration=ppf.date_time.years,
            reset_currency="USD",
            reset_basis=ppf.date_time.basis_act_360,
            reset_holiday_centres=None,
            reset_shift_method=ppf.date_time.modified_following,
            reset_lag=0,
            *arguments,
            **keywords):
        from ppf.date_time import days
        shift = ppf.date_time.shift

        if reset_lag > 0:
            raise RuntimeError("index lag expected less or equal to zero")

        day, flow_id, all_observables = 0, 0, []
        while day < end:
            roll_start = start + roll_duration(flow_id*roll_period)
            roll_end = start + roll_duration((flow_id+1)*roll_period)
            reset_id = 0
            proj_roll = roll_start
            proj_start = \
                shift(proj_roll,
                      reset_shift_method, reset_holiday_centres)
            proj_end = \
                shift(proj_roll+tenor_duration(tenor_period),
                      reset_shift_method, reset_holiday_centres)
            reset_date = \
                shift(proj_start+days(reset_lag),
                      reset_shift_method, reset_holiday_centres)
            all_observables.append(
                swap_rate(attributes, flow_id, reset_id, reset_date,
                          reset_currency, proj_start, proj_end,
                          fixing(False), spread))
            flow_id += 1; reset_id += 1; day = roll_end
        return all_observables

The following is an example session demonstrating the generation of a sequence of swap rate observables.

    >>> props = {}
    >>> props["fixed-pay-period"] = 1
    >>> props["fixed-pay-period-duration"] = years
    >>> props["fixed-pay-basis"] = basis_act_360
    >>> props["fixed-pay-holiday-centres"] = None
    >>> props["fixed-shift-convention"] = modified_following
    >>> props["float-pay-period"] = 6
    >>> props["float-pay-period-duration"] = months
    >>> props["float-pay-basis"] = basis_act_365
    >>> props["float-pay-holiday-centres"] = None
    >>> props["float-shift-convention"] = modified_following
    >>> props["index-basis"] = basis_act_365
    >>> props["index-holiday-centres"] = None
    >>> props["index-shift-convention"] = modified_following
    >>> observables = generate_swap_observables(
    ...     start = date(2007, Jun, 29)
    ...   , end = date(2017, Jun, 29)
    ...   , attributes = props
    ...   , roll_period = 1
    ...   , roll_duration = years
    ...   , tenor_period = 10
    ...   , tenor_duration = years)
    >>> for o in observables: print o
    0, 0, USD, [2007-Jun-29, 2017-Jun-29],
    1, 0, USD, [2008-Jun-30, 2018-Jun-29],
    2, 0, USD, [2009-Jun-29, 2019-Jun-28],
    3, 0, USD, [2010-Jun-29, 2020-Jun-29],
    4, 0, USD, [2011-Jun-29, 2021-Jun-29],
    5, 0, USD, [2012-Jun-29, 2022-Jun-29],
    6, 0, USD, [2013-Jun-28, 2023-Jun-29],
    7, 0, USD, [2014-Jun-30, 2024-Jun-28],
    8, 0, USD, [2015-Jun-29, 2025-Jun-30],
    9, 0, USD, [2016-Jun-29, 2026-Jun-29],

6.2 FLOWS

A flow describes a cash flow to be made at some point in time.


pages: 349 words: 114,038

Culture & Empire: Digital Revolution by Pieter Hintjens

4chan, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, Edward Snowden, failed state, financial independence, Firefox, full text search, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, informal economy, intangible asset, invisible hand, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, M-Pesa, mass immigration, mass incarceration, mega-rich, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, Occupy movement, offshore financial centre, packet switching, patent troll, peak oil, pre–internet, private military company, race to the bottom, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law

It's estimated that 40-90% of Windows PCs are infected by some kind of rogue software -- viruses, trojans, worms, and so on. The measured level is 42%, for known vulnerabilities. What about unknown holes in Windows, a so-called "zero-day attack"? In June 2010, the Stuxnet worm was found to be sabotaging Iran's nuclear program in a very sophisticated attack that looked for specific Siemens industrial control hardware, and interfered with it when it found it. Stuxnet is significant for several reasons, two of which are worth paying particular attention to. It was built by the NSA's hackers, and it used no less than four Windows zero-days. Zero-days are very rare in theory. For a group of hackers to use four, in a single worm, hints that there are many more we know nothing about. So that 42% figure is low. It seems logical to assume that the NSA has worked to be able to access any Windows PC anywhere, at any time.


pages: 437 words: 113,173

Age of Discovery: Navigating the Risks and Rewards of Our New Renaissance by Ian Goldin, Chris Kutarna

2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, 3D printing, Airbnb, Albert Einstein, AltaVista, Asian financial crisis, asset-backed security, autonomous vehicles, banking crisis, barriers to entry, battle of ideas, Berlin Wall, bioinformatics, bitcoin, Bonfire of the Vanities, clean water, collective bargaining, Colonization of Mars, Credit Default Swap, crowdsourcing, cryptocurrency, Dava Sobel, demographic dividend, Deng Xiaoping, Doha Development Round, double helix, Edward Snowden, Elon Musk, en.wikipedia.org, epigenetics, experimental economics, failed state, Fall of the Berlin Wall, financial innovation, full employment, Galaxy Zoo, global pandemic, global supply chain, Hyperloop, immigration reform, income inequality, indoor plumbing, industrial cluster, industrial robot, information retrieval, Intergovernmental Panel on Climate Change (IPCC), intermodal, Internet of things, invention of the printing press, Isaac Newton, Islamic Golden Age, Johannes Kepler, Khan Academy, Kickstarter, low cost airline, low cost carrier, low skilled workers, Lyft, Malacca Straits, mass immigration, megacity, Mikhail Gorbachev, moral hazard, Nelson Mandela, Network effects, New Urbanism, non-tariff barriers, Occupy movement, On the Revolutions of the Heavenly Spheres, open economy, Panamax, Pearl River Delta, personalized medicine, Peter Thiel, post-Panamax, profit motive, rent-seeking, reshoring, Robert Gordon, Robert Metcalfe, Search for Extraterrestrial Intelligence, Second Machine Age, self-driving car, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, Skype, smart grid, Snapchat, special economic zone, spice trade, statistical model, Stephen Hawking, Steve Jobs, Stuxnet, The Future of Employment, too big to fail, trade liberalization, trade route, transaction costs, transatlantic slave trade, uber lyft, undersea cable, uranium enrichment, We are the 99%, We wanted flying cars, instead we got 140 
characters, working poor, working-age population, zero day

Unexpected data loss and downtime cost businesses as much as $1.7 trillion in 2014, according to one global industry survey.78 As we become more dependent on the Internet, for example through wider adoption of cloud services, those costs will escalate.79 And the exploitation of so-called zero-day vulnerabilities—unknown bugs buried deep inside the code of widely distributed software or operating systems—threatens to interrupt services deliberately. Often these bugs are fixed only after hackers have made use of them. In September 2014, a wave of attacks known as ShellShock exploited a core vulnerability in Mac and Linux operating systems to run malicious code on millions of computers. The bug had gone unnoticed for 20 years. Another zero-day vulnerability uncovered in November 2014, called Unicorn, had been present in every release of Microsoft Internet Explorer going back to 1995.80 The complexity of Internet networks allows attacks like zero-day exploits to be performed with near-perfect anonymity. The most frequent kind of attack, distributed denial of service (DDoS), arranges to send dummy data requests to a victim’s server from thousands of hijacked computers simultaneously, so that legitimate users can’t get their own requests through.


pages: 525 words: 116,295

The New Digital Age: Transforming Nations, Businesses, and Our Lives by Eric Schmidt, Jared Cohen

access to a mobile phone, additive manufacturing, airport security, Amazon Mechanical Turk, Amazon Web Services, anti-communist, augmented reality, Ayatollah Khomeini, barriers to entry, bitcoin, borderless world, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, crowdsourcing, data acquisition, Dean Kamen, drone strike, Elon Musk, failed state, fear of failure, Filter Bubble, Google Earth, Google Glasses, hive mind, income inequality, information trail, invention of the printing press, job automation, John Markoff, Julian Assange, Khan Academy, Kickstarter, knowledge economy, Law of Accelerating Returns, market fundamentalism, means of production, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, Nelson Mandela, offshore financial centre, Parag Khanna, peer-to-peer, peer-to-peer lending, personalized medicine, Peter Singer: altruism, Ray Kurzweil, RFID, Robert Bork, self-driving car, sentiment analysis, Silicon Valley, Skype, Snapchat, social graph, speech recognition, Steve Jobs, Steven Pinker, Stewart Brand, Stuxnet, The Wisdom of Crowds, upwardly mobile, Whole Earth Catalog, WikiLeaks, young professional, zero day

(Others argued that the indicators were far too obvious, and thus false flags.) The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, malicious computer attacks exposing vulnerabilities (security holes) in computer programs that were unknown to the program’s creator (in this case, the Windows operating system) before the day of the attack, thus leaving zero days to prepare for it. The discovery of one zero-day exploit is considered a rare event—and exploited information can be sold for hundreds of thousands of dollars on the black market—so security analysts were stunned to discover that an early variant of Stuxnet took advantage of five. Sure enough, it was revealed in June 2012 that not one but two governments were behind the deployment of the Stuxnet worm.


When Computers Can Think: The Artificial Intelligence Singularity by Anthony Berglas, William Black, Samantha Thalind, Max Scratchmann, Michelle Estes

3D printing, AI winter, anthropic principle, artificial general intelligence, Asilomar, augmented reality, Automated Insights, autonomous vehicles, availability heuristic, blue-collar work, brain emulation, call centre, cognitive bias, combinatorial explosion, computer vision, create, read, update, delete, cuban missile crisis, David Attenborough, Elon Musk, en.wikipedia.org, epigenetics, Ernest Rutherford, factory automation, feminist movement, finite state, Flynn Effect, friendly AI, general-purpose programming language, Google Glasses, Google X / Alphabet X, Gödel, Escher, Bach, industrial robot, Isaac Newton, job automation, John von Neumann, Law of Accelerating Returns, license plate recognition, Mahatma Gandhi, mandelbrot fractal, natural language processing, Parkinson's law, patent troll, patient HM, pattern recognition, phenotype, ransomware, Ray Kurzweil, self-driving car, semantic web, Silicon Valley, Singularitarianism, Skype, sorting algorithm, speech recognition, statistical model, stem cell, Stephen Hawking, Stuxnet, superintelligent machines, technological singularity, Thomas Malthus, Turing machine, Turing test, uranium enrichment, Von Neumann architecture, Watson beat the top human players on Jeopardy!, wikimedia commons, zero day

It essentially provides an excellent manual as to how to produce top quality malware and viruses. In June 2014 new, high quality malware, known as Dragonfly or Havex, was found to have infected many energy producers, mainly in the USA and Western Europe. The perpetrators are unknown, but the malware appears to have been well resourced, although it has not caused any damage.

Zero day exploits

Stuxnet used four “zero day” exploits. These are bugs in system software that enable malicious programs to perform actions not otherwise permitted. One of these, known as CPLINK, was particularly ugly because it enabled any USB thumb drive to automatically execute its code whenever it was plugged into a PC, without any action being required by the user. That sort of bug is inexcusable, but also quite common in the Windows operating system.

  Infanticide
  8. Three laws of robotics
  9. Friendly AGI
  10. Friendly AGI research
  11. Fast take off
  12. Single AGI
  13. Goal consistency
  14. Unpredictable algorithms
  15. Ethics
  16. Defeating natural selection
  17. Wishful thinking
  18. Whole brain emulation
  19. Chain of AGIs
  20. Running away
  21. Just do not build an AGI
8. Political Will
  1. Atom bombs
  2. Iran's atomic ambitions
  3. Stuxnet
  4. Glass houses
  5. Zero day exploits
  6. Practicalities of abstinence
  7. Restrict computer hardware
  8. Asilomar conference
  9. Patent trolls
  10. Does it really matter?
9. Conclusion
  1. Geological history
  2. History of science
  3. Natural selection
  4. Human instincts
  5. Intelligence
  6. AI technologies
  7. Building an AGI
  8. Semi-intelligent machines
  9. Goals
  10. Prognosis
10. Bibliography and Notes

When Computers Can Think
The Artificial Intelligence Singularity
Anthony Berglas, Ph.D.


pages: 362 words: 86,195

Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn

Brian Krebs, dumpster diving, fault tolerance, Firefox, John Markoff, Menlo Park, offshore financial centre, pirate software, plutocrats, Plutocrats, popular electronics, profit motive, RFID, Silicon Valley, zero day

Only after several years of pro-China activities did a profit motive emerge to such an extent that it splintered some of the most important organizations. Again like the Russians, the Chinese have used cyberattacks to harass and silence civilian foes based outside the country’s borders. Proponents of the Falun Gong and Tibetan independence movements have been targeted, and at least one small Tibetan alliance disbanded rather than risk further electronic communications. Chinese hackers have hit virtually all the groups with “zero-day exploits,” those that use a vulnerability that has not been openly identified and patched. One especially clever email used a previously unknown flaw in Microsoft Word to try to infiltrate a pro-Taiwan group. Two weeks later, the same gambit was used against a big defense contractor in the U.K., according to Finnish expert Mikko Hypponen, strongly suggesting the hand of the Chinese government. Groups such as Students for a Free Tibet long ago switched to Macs, which are less vulnerable to viruses, stopped opening attachments, and barred sensitive topics from email.

. ,” he wrote: According to a copy of the email.
109 the Bagle family of viruses: Joe Stewart’s “Who Wrote Bagle.”
112 as they became available: Sources include Frank Eissmann, U.S. agents, and court filings against Gembe, Walker, Ashley, and Echouafni.
114 with more than 35 million identities at risk just that year: Identity Theft Resource Center report, www.idtheftcenter.org/artman2/publish/m_press/2008_Data_Breach_Totals_Soar.shtml.
115 actually earned money from many instances of fraud: Interviews with banking and retailing executives, among others. See the author’s LA Times article “Industry at Odds Over ID Theft Liability,” available at http://articles.latimes.com/2005/mar/07/business/fi-idtheft7. The most comprehensive analysis of the culpability of the financial industry in identity theft is by USA Today reporters Byron Acohido and Jon Swartz, in their insightful book Zero Day Threat.
115 harassed by debt collectors after such fraud: According to the 2003 FTC report, available at www.josephmenn.com/FatalSystemError.
116 advisors on the 2005 report: The author covered the Javelin report’s problems in “Data Brokers Press for U.S. Law” at http://articles.latimes.com/2005/dec/26/business/fi-idlobby26.
117 the Wall Street Journal, and elsewhere: See, for example, “Net Fraud Study,” http://query.nytimes.com/gst/fullpage.html?


pages: 305 words: 93,091

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick, Mikko Hypponen, Robert Vamosi

4chan, big-box store, bitcoin, blockchain, connected car, crowdsourcing, Edward Snowden, en.wikipedia.org, Firefox, Google Chrome, Google Earth, Internet of things, Kickstarter, license plate recognition, Mark Zuckerberg, MITM: man-in-the-middle, pattern recognition, ransomware, Ross Ulbricht, self-driving car, Silicon Valley, Skype, Snapchat, speech recognition, Tesla Model S, web application, WikiLeaks, zero day, Zimmermann PGP

The DarkHotel group in general uses a low-level spear-phishing attack for mass targets and reserves the hotel attacks for high-profile, singular targets—such as executives in the nuclear power and defense industries. One early analysis suggested that DarkHotel was South Korea–based. A keylogger—malware used to record the keystrokes of compromised systems—used in the attacks contains Korean characters within the code. And the zero-days—vulnerabilities in software that are unknown to the vendor—were very advanced flaws that were previously unknown. Moreover, a South Korean name identified within the keylogger has been traced to other sophisticated keyloggers used by Koreans in the past. It should be noted, however, that this is not enough to confirm attribution. Software can be cut and pasted from a variety of sources. Also, software can be made to look as though it is created in one country when it is actually created in another.

v=NEsmw7jpODc.
25. http://motherboard.vice.com/read/glasses-that-confuse-facial-recognition-systems-are-coming-to-japan.

Chapter Eleven: Hey, KITT, Don’t Share My Location
1. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
2. This is silly. Just because something is prohibited doesn’t mean it won’t happen. And this creates a dangerous scenario in which hacked cars can still affect the driving public. Zero-days for automobiles, anyone?
3. http://keenlab.tencent.com/en/2016/06/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/.
4. http://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy.
5. http://www.theregister.co.uk/2015/06/22/epic_uber_ftc/.
6. http://nypost.com/2014/11/20/uber-reportedly-tracking-riders-without-permission/.
7. https://www.uber.com/legal/usa/privacy.
8. http://fortune.com/2015/06/23/uber-privacy-epic-ftc/.
9. http://www.bbc.com/future/story/20150206-biggest-myth-about-phone-privacy.
10. http://tech.vijay.ca/of-taxis-and-rainbows-f6bc289679a1.
11. http://arstechnica.com/tech-policy/2014/06/poorly-anonymized-logs-reveal-nyc-cab-drivers-detailed-whereabouts/.
12.


pages: 340 words: 97,723

The Big Nine: How the Tech Titans and Their Thinking Machines Could Warp Humanity by Amy Webb

Ada Lovelace, AI winter, Airbnb, airport security, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, artificial general intelligence, Asilomar, autonomous vehicles, Bayesian statistics, Bernie Sanders, bioinformatics, blockchain, Bretton Woods, business intelligence, Cass Sunstein, Claude Shannon: information theory, cloud computing, cognitive bias, complexity theory, computer vision, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Deng Xiaoping, distributed ledger, don't be evil, Donald Trump, Elon Musk, Filter Bubble, Flynn Effect, gig economy, Google Glasses, Grace Hopper, Gödel, Escher, Bach, Inbox Zero, Internet of things, Jacques de Vaucanson, Jeff Bezos, Joan Didion, job automation, John von Neumann, knowledge worker, Lyft, Mark Zuckerberg, Menlo Park, move fast and break things, natural language processing, New Urbanism, one-China policy, optical character recognition, packet switching, pattern recognition, personalized medicine, RAND corporation, Ray Kurzweil, ride hailing / ride sharing, Rodney Brooks, Rubik’s Cube, Sand Hill Road, Second Machine Age, self-driving car, SETI@home, side project, Silicon Valley, Silicon Valley startup, skunkworks, Skype, smart cities, South China Sea, sovereign wealth fund, speech recognition, Stephen Hawking, strong AI, superintelligent machines, technological singularity, The Coming Technological Singularity, theory of mind, Tim Cook: Apple, trade route, Turing machine, Turing test, uber lyft, Von Neumann architecture, Watson beat the top human players on Jeopardy!, zero day

Havens, executive director, IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems, and author of Heartificial Intelligence: Embracing Our Humanity to Maximize Machines

BIBLIOGRAPHY
Abadi, M., A. Chu, I. Goodfellow, H. McMahan, I. Mironov, K. Talwar, and L. Zhang. “Deep Learning with Differential Privacy.” In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), 308–318. New York: ACM Press, 2016. Abstract, last revised October 24, 2016. https://arxiv.org/abs/1607.00133.
Ablon, L., and A. Bogart. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR1751.html.
Adams, S. S., et al. “Mapping the Landscape of Human-Level Artificial General Intelligence.” AI Magazine 33, no. 1 (2012).
Agar, N. “Ray Kurzweil and Uploading: Just Say No!” Journal of Evolution and Technology 22 no. 1 (November 2011): 23–26. https://jetpress.org/v22/agar.htm.


pages: 446 words: 102,421

Network Security Through Data Analysis: Building Situational Awareness by Michael S Collins

business process, cloud computing, create, read, update, delete, Firefox, general-purpose programming language, index card, Internet Archive, inventory management, iterative process, p-value, Parkinson's law, peer-to-peer, slashdot, statistical model, zero day

Host-based collection systems require knowing that the host exists in the first place, and there are numerous cases where you’re likely not to know that a particular service is running until you see its traffic on the wire. Network traffic provides a view of the network with minimal assumptions—it tells you about hosts on the network you don’t know existed, backdoors you weren’t aware of, attackers already inside your border, and routes through your network you never considered. At the same time, when you face a zero-day vulnerability or new malware, packet data may be the only data source you have. The remainder of this chapter is broken down as follows. The next section covers network vantage: how packets move through a network and how to take advantage of that when instrumenting the network. The next section covers tcpdump, the fundamental network traffic capture protocol, and provides recipes for sampling packets, filtering them, and manipulating their length.

This limitation means that signature-based IDSes usually have a high false negative rate, meaning that a large number of attacks go unreported by them. The most extreme version of this problem is associated with vulnerabilities. AV primarily, but also NIDS and HIDS, rely on specific binary signatures in order to identify malware (see On Code Red and Malware Evasiveness for a more extensive discussion on this). These signatures require that some expert have access to an exploit; these days, exploits are commonly “zero-day,” meaning that they’re released and in the wild before anyone has the opportunity to write a signature. Anomaly-based IDSes are built by training (or optionally configuring) the IDS on traffic data in order to create a model of normal activity. Once this model is created, deviations from the model are anomalous, suspicious, and produce events. For example, a simple anomaly-based NIDS might monitor traffic to specific hosts and generate an event when traffic suddenly spikes upward, indicating a DDoS or other suspicious event.


pages: 719 words: 181,090

Site Reliability Engineering: How Google Runs Production Systems by Betsy Beyer, Chris Jones, Jennifer Petoff, Niall Richard Murphy

Air France Flight 447, anti-pattern, barriers to entry, business intelligence, business process, Checklist Manifesto, cloud computing, combinatorial explosion, continuous integration, correlation does not imply causation, crowdsourcing, database schema, defense in depth, DevOps, en.wikipedia.org, fault tolerance, Flash crash, George Santayana, Google Chrome, Google Earth, information asymmetry, job automation, job satisfaction, Kubernetes, linear programming, load shedding, loose coupling, meta analysis, meta-analysis, microservices, minimum viable product, MVC pattern, performance metric, platform as a service, revision control, risk tolerance, side project, six sigma, the scientific method, Toyota Production System, trickle-down economics, web application, zero day

This additional measure adds protection from the types of errors replication doesn’t protect against—user errors and application-layer bugs—but does nothing to guard against losses introduced at a lower layer. This measure also introduces a risk of bugs during data conversion (in both directions) and during storage of the native file, in addition to possible mismatches in semantics between the two formats. Imagine a zero-day attack5 at some low level of your stack, such as the filesystem or device driver. Any copies that rely on the compromised software component, including the database exports that were written to the same filesystem that backs your database, are vulnerable. Thus, we see that diversity is key: protecting against a failure at layer X requires storing data on diverse components at that layer. Media isolation protects against media flaws: a bug or attack in a disk device driver is unlikely to affect tape drives.

Doesn’t Google have lots of disks and a fast network to replicate data this important? Of course Google has such resources, but the principle of Defense in Depth dictates providing multiple layers of protection to guard against the breakdown or compromise of any single protection mechanism. Backing up online systems such as Gmail provides defense in depth at two layers:
A failure of the internal Gmail redundancy and backup subsystems
A wide failure or zero-day vulnerability in a device driver or filesystem affecting the underlying storage medium (disk)

This particular failure resulted from the first scenario—while Gmail had internal means of recovering lost data, this loss went beyond what internal means could recover. One of the most internally celebrated aspects of the Gmail data recovery was the degree of cooperation and smooth coordination that comprised the recovery.

SQL databases such as MySQL and PostgreSQL strive to achieve these properties.
2 Basically Available, Soft state, Eventual consistency; see https://en.wikipedia.org/wiki/Eventual_consistency. BASE systems, like Bigtable and Megastore, are often also described as “NoSQL.”
3 For further reading on ACID and BASE APIs, see [Gol14] and [Bai13].
4 Binary Large Object; see https://en.wikipedia.org/wiki/Binary_large_object.
5 See https://en.wikipedia.org/wiki/Zero-day_(computing).
6 Clay tablets are the oldest known examples of writing. For a broader discussion of preserving data for the long haul, see [Con96].
7 Upon reading this advice, one might ask: since you have to offer an API on top of the datastore to implement soft deletion, why stop at soft deletion, when you could offer many other features that protect against accidental data deletion by users?


pages: 416 words: 129,308

The One Device: The Secret History of the iPhone by Brian Merchant

Airbnb, animal electricity, Apple II, Apple's 1984 Super Bowl advert, citizen journalism, Claude Shannon: information theory, computer vision, conceptual framework, Douglas Engelbart, Dynabook, Edward Snowden, Elon Musk, Ford paid five dollars a day, Frank Gehry, global supply chain, Google Earth, Google Hangouts, Internet of things, Jacquard loom, John Gruber, John Markoff, Jony Ive, Lyft, M-Pesa, MITM: man-in-the-middle, more computing power than Apollo, Mother of all demos, natural language processing, new economy, New Journalism, Norbert Wiener, offshore financial centre, oil shock, pattern recognition, peak oil, pirate software, profit motive, QWERTY keyboard, ride hailing / ride sharing, rolodex, Silicon Valley, Silicon Valley startup, skunkworks, Skype, Snapchat, special economic zone, speech recognition, stealth mode startup, Stephen Hawking, Steve Ballmer, Steve Jobs, Steve Wozniak, Steven Levy, Tim Cook: Apple, Turing test, uber lyft, Upton Sinclair, Vannevar Bush, zero day

Charlie Miller famously managed to get the App Store to approve a malware app that allowed him to break Apple’s stranglehold on the device. For five hundred dollars, University of Michigan professor Anil Jain was able to build a device that fooled the iPhone’s fingerprint sensors. In 2015, the security firm Zerodium paid a bounty of one million dollars for a chain of zero-day exploits (vulnerabilities that the vendor isn’t aware of) on the iPhone, though no one knows who won the money. And no one, save Zerodium, knows what became of the zero days. And in 2016, Toronto’s Citizen Lab revealed that a very sophisticated form of malware, called Trident, had been used to try to infect a civil rights activist’s phone in the UAE. The hack was revealed to have been the work of an Israeli company, which was believed to have sold its spyware for as much as $500,000—likely to authoritarian regimes like the UAE government.


pages: 200 words: 54,897

Flash Boys: Not So Fast: An Insider's Perspective on High-Frequency Trading by Peter Kovac

bank run, barriers to entry, bash_history, Bernie Madoff, computerized markets, computerized trading, Flash crash, housing crisis, index fund, locking in a profit, London Whale, market microstructure, merger arbitrage, prediction markets, price discovery process, Sergey Aleynikov, Spread Networks laid a new fibre optics cable between New York and Chicago, transaction costs, zero day

But it is clear that these are cherry-picked statistics: Why 2004 to 2006? Why not include 2003? And why compare to 2010, 2011, and 2012, with the European debt crisis threatening to blow apart Europe in a way that the U.S. housing crisis couldn’t?[57] The answer is that the data fits his argument best when you slice it this way. The period from 2004 to 2006 comprises the quietest years on record – there were absolutely zero days where the market dropped by 2% or more, and only two days in those three years where the market rose by 2%. For contrast, in 2003 alone the market had 15 days where it rose or fell more than 2%. In 2002, there were more than 50 such days. So it’s no surprise that Lewis excluded 2002 and 2003 from his “quiet” years. In case you are wondering, market swings of 2% or more happened a whopping total of three days in 2013.


pages: 181 words: 52,147

The Driver in the Driverless Car: How Our Technology Choices Will Create the Future by Vivek Wadhwa, Alex Salkever

23andMe, 3D printing, Airbnb, artificial general intelligence, augmented reality, autonomous vehicles, barriers to entry, Bernie Sanders, bitcoin, blockchain, clean water, correlation does not imply causation, distributed ledger, Donald Trump, double helix, Elon Musk, en.wikipedia.org, epigenetics, Erik Brynjolfsson, Google bus, Hyperloop, income inequality, Internet of things, job automation, Kevin Kelly, Khan Academy, Kickstarter, Law of Accelerating Returns, license plate recognition, life extension, longitudinal study, Lyft, M-Pesa, Menlo Park, microbiome, mobile money, new economy, personalized medicine, phenotype, precision agriculture, RAND corporation, Ray Kurzweil, recommendation engine, Ronald Reagan, Second Machine Age, self-driving car, Silicon Valley, Skype, smart grid, stem cell, Stephen Hawking, Steve Wozniak, Stuxnet, supercomputer in your pocket, Tesla Model S, The Future of Employment, Thomas Davenport, Travis Kalanick, Turing test, Uber and Lyft, Uber for X, uber lyft, uranium enrichment, Watson beat the top human players on Jeopardy!, zero day

Dan Kloeffler and Alexis Shaw, “Dick Cheney feared assassination via medical device hacking: ‘I was aware of the danger,’ ” ABC News 19 October 2013, http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434 (accessed 21 October 2016).
2. Kim Zetter, “An unprecedented look at Stuxnet, the world’s first digital weapon,” WIRED 3 November 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet (accessed 21 October 2016)
3. “What happened,” U.S. Office of Personnel Management (undated), https://www.opm.gov/cybersecurity/cybersecurity-incidents (accessed 21 October 2016).
4. Casey Newton, “The mind-bending messiness of the Ashley Madison data dump,” the Verge 19 August 2015, http://www.theverge.com/2015/8/19/9178855/ashley-madison-data-breach-implications (accessed 21 October 2016).
5.


pages: 547 words: 160,071

Underground by Suelette Dreyfus

airport security, invisible hand, John Markoff, Julian Assange, Loma Prieta earthquake, packet switching, pirate software, profit motive, publish or perish, RFC: Request For Comment, Ronald Reagan, Stephen Hawking, Steven Levy, Stuxnet, uranium enrichment, urban decay, WikiLeaks, zero day

See: http://www.cbsnews.com/stories/2010/11/29/world/main7100197.shtml
10. William J. Broad, John Markoff and David E. Sanger, ‘Israeli Test on Worm Called Crucial in Iran Nuclear Delay’, New York Times online, 15 January, 2011. See: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=3&_r=1
11. Ibid.
12. Ryan Naraine, ‘Stuxnet attackers used 4 Windows zero-day exploits’, Zdnet, 14 September, 2010. See: http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347
13. Thomas Erdbrink, ‘Iranian nuclear scientist killed, another injured in Tehran bombings’, The Washington Post, 29 November, 2010. See: http://www.washingtonpost.com/wp-dyn/content/article/2010/11/29/AR2010112901560.html
14. BBC News, ‘Iranian nuclear scientist killed in motorbike attack,’ 29 November, 2010. See: http://www.bbc.co.uk/news/world-middle-east-11860928
15.


pages: 562 words: 153,825

Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman

4chan, A Declaration of the Independence of Cyberspace, active measures, Anton Chekhov, bitcoin, Cass Sunstein, cloud computing, corporate governance, crowdsourcing, data acquisition, Debian, desegregation, Donald Trump, Edward Snowden, financial independence, Firefox, GnuPG, Google Hangouts, informal economy, Jacob Appelbaum, job automation, Julian Assange, MITM: man-in-the-middle, national security letter, planetary scale, private military company, ransomware, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, telepresence, undersea cable, web of trust, WikiLeaks, zero day, Zimmermann PGP

Two days later, Snowden faced a class full of officers and analysts from around the intelligence community: FBI, NSA, Department of Homeland Security, Navy Criminal Investigation Service, Air Force Office of Special Investigations. He guided them on a virtual tour of Chinese hacking consortia, illustrating a range of attacks from simple phishing emails to sophisticated “intrusion sets” of computer code that burrowed into an exposed machine and stayed there. The Beijing government often exploited previously unknown security flaws to gain entry. That kind of flaw was called a Zero Day because attackers used it before the first day, Day 1, that anyone else became aware of the threat. Despite the stealth of that kind of attack, Snowden showed participants how to work and communicate safely in an untrusted environment. One of the habits he taught them became a signature moment in the Laura Poitras film Citizen Four. Cover your keyboard with a blanket, he said, when typing your password.

., 275–76
in intelligence community, 368
need for action as core value of, 296
and public’s right to know, 334–35
rarity of, 295–96
WikiLeaks, 25, 256
Williams, Pete, 186
Williams & Connolly, 100, 102, 185
Wizner, Ben, 321–22
Wyden, Ron, NSA hearings of, 164–65
XKEYSCORE (NSA targeting interface), 86, 87, 332
Yahoo, 299–300, 337
Zarqawi, Abu Musab, killing of, 212
Zero Day cyber attacks, 58
Zimmerman, Phil, 365

ABOUT THE AUTHOR
Barton Gellman is a critically honored author, journalist and blogger based at the Century Foundation in New York. A longtime writer for The Washington Post, Gellman has led multiple teams to a Pulitzer Prize and was a member of the team that won the 2002 Pulitzer for National Reporting for coverage of the 9/11 attacks and their aftermath.


pages: 678 words: 159,840

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaël Hertzog, Roland Mas

bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, zero day, Zimmermann PGP

In the Free Software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.

VOCABULARY Zero-day exploit

A zero-day exploit attack is hard to prevent; the term covers a vulnerability that is not yet known to the authors of the program.

14.5.4. Managing a Machine as a Whole

Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine.


pages: 592 words: 161,798

The Future of War by Lawrence Freedman

Albert Einstein, autonomous vehicles, Berlin Wall, Black Swan, British Empire, colonial rule, conceptual framework, crowdsourcing, cuban missile crisis, currency manipulation / currency intervention, Donald Trump, drone strike, en.wikipedia.org, energy security, Ernest Rutherford, failed state, Fall of the Berlin Wall, Francis Fukuyama: the end of history, global village, Google Glasses, Intergovernmental Panel on Climate Change (IPCC), John Markoff, long peace, megacity, Mikhail Gorbachev, moral hazard, mutually assured destruction, New Journalism, Norbert Wiener, open economy, pattern recognition, Peace of Westphalia, RAND corporation, Ronald Reagan, South China Sea, speech recognition, Steven Pinker, Stuxnet, the scientific method, uranium enrichment, urban sprawl, Valery Gerasimov, WikiLeaks, zero day

Zarate, Robert, and Henry Sokolski, eds. Nuclear Heuristics: Selected Writings of Albert and Roberta Wohlstetter. Strategic Studies Institute: US Army War College, 2009.
Zartman, William. Collapsed States: The disintegration and restoration of legitimate authority. Boulder, CO: Lynne Rienner, 1995.
Zedong, Mao. On Guerrilla Warfare, trans. Samuel B. Griffith. Urbana: University of Illinois Press, 2000.
Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Crown, 2014.
Zimmerman, Warren. Origins of a Catastrophe: Yugoslavia and its Destroyers. New York: Times Books, 1996.
Zwierzchowski, Jan, and Ewa Tabeau. ‘The 1992–95 War in Bosnia and Herzegovina: Census-based Multiple System Estimation of Casualties’ Undercount’. Paper for International Research Workshop on ‘The Global Economic Costs of Conflict’.

Bruce Berkowitz, The New Face of War: How War Will Be Fought in the 21st Century (New York: The Free Press, 2003) 138–140. 18. Rid 310. 19. Anna Mulrine, ‘CIA Chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack’, Christian Science Monitor, 9 June 2011. Adm. Mike Mullen, quoted in Marcus Weisgerber, ‘DoD to Release Public Version of Cyber Strategy’, Defense News, 8 July 2011. Both cited by Lindsay. 20. Berkowitz 143. 21. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). 22. Kaplan 275. 23. Cited in Aaron Franklin Brantly, The Decision to Attack: Military and Intelligence Cyber-Decision-Making (Athens, GA: University of Georgia Press, 2016) 39. 24. Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies 38. (2015): 1–2. 25. Kaplan 283. 26. John Arquilla and David Ronfeldt, ‘Cyberwar is Coming!’


Engineering Security by Peter Gutmann

active measures, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, en.wikipedia.org, endowment effect, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Markoff, John von Neumann, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Network effects, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, Skype, slashdot, smart meter, social intelligence, speech recognition, statistical model, Steve Jobs, Steven Pinker, Stuxnet, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Turing complete, Turing machine, Turing test, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP

Actually determining the amount of signed malware in circulation is a more or less unsolvable problem (you’d have to have a facility for scanning the entire world’s computers and reliably detecting all malware on them, which, if you could do that, means that you could also remove it all and put an end to malware), but the MMPC results at least provide a representative value for the subset of recent Windows machines with automatic updates active that regularly run the MSRT. The MMPC reports that a staggering one in ten digitally signed files found on Windows PCs is malware, and the majority of this authenticated malware falls into Microsoft’s “severe” or “high” risk category, roughly equivalent in threat level to a zero-day rootkit (presumably the malware authors know which of their products are the most effective and only bother signing those, leaving the less effective malware to take its chances as ordinary unsigned content). So in this case the use of code-signing really does provide a “trust and quality assurance mechanism” [387], because when users encounter a CA-certified signed rootkit or worm they can trust that they’ve been infected by the best-quality malware.

Making the Realtek/JMicron signed-malware debacle even more entertaining was the fact that one of the principal systems targeted by the malware is a Siemens SCADA (industrial control) system that uses a hardcoded password 2WSXcder that can’t be changed because doing so causes the system to stop working [429] and that had been circulating on the Internet for years, including being posted to a Siemens online forum in Russia [430] as well as in online lists of default passwords [431] (this situation isn’t unique to Siemens embedded systems, with one Internet scan finding over half a million embedded devices across more than 17,000 organisations in 144 countries that were publicly accessible and used manufacturer-default passwords [432]). Even the well-known secret password was a relatively minor issue compared to (apparently unfixable) exploitable design flaws in the SCADA control software [433], a so-called forever-day exploit (named as a play on the term zero-day or 0-day exploit), one that the vendor has no intention of ever fixing [434] with all manner of alarming security implications [435]. (The reason for this poor level of security is that SCADA systems rate availability above everything else, so that anything that affects, or potentially affects, availability is strongly avoided. The rationale for this is that there’s a higher risk created when a critical device isn’t working due to a buggy update than through having the device working but vulnerable to a particular attack.

[424] “W32.Duqu: The Precursor to the Next Stuxnet”, ‘Symantec Security Response’, 18 October 2011, http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet. [425] “Win32/Stuxnet Signed Binaries”, Pierre-Marc Bureau, 19 July 2010, http://blog.eset.com/2010/07/19/win32stuxnet-signed-binaries. [426] “Another Signed Stuxnet Binary”, Sean Sullivan, 20 July 2010, http://www.f-secure.com/weblog/archives/00001993.html. [427] “New Stuxnet-Related Malware Signed Using Certificate from JMicron”, Lucian Constantin, 20 July 2010, http://news.softpedia.com/news/NewStuxnet-Related-Malware-Signed-Using-Certificate-from-JMicron148213.shtml. [428] “Adobe Reader zero-day attack — now with stolen certificate”, ‘Roel’, 8 September 2010, http://www.securelist.com/en/blog?weblogid=2287. [429] “Siemens warns users: Don’t change passwords after worm attack”, Robert McMillan, 20 July 2010, http://www.infoworld.com/d/securitycentral/siemens-warns-users-dont-change-passwords-after-wormattack-915. [430] “SCADA System’s Hard-Coded Password Circulated Online for Years”, Kim Zetter, 19 July 2010, http://www.wired.com/threatlevel/2010/07/siemens-scada/. [431] “default password list”, http://www.defaultpassword.com/?


pages: 200 words: 72,182

Nickel and Dimed: On (Not) Getting by in America by Barbara Ehrenreich

business process, full employment, housing crisis, income inequality, McMansion, place-making, post-work, sexual politics, telemarketer, union organizing, wage slave, women in the workforce, working poor, zero day

What is this business of letting someone in off the street to run a nursing home, or at least a vital chunk of a nursing home, for a day?[21] True, this is the one job where my references were actually checked, but what if I were one of those angel-of-death type health workers, who decided to free my charges from their foggy half-lives? More to the point, I am wondering what the two-job way of life would do to a person after a few months with zero days off. In my writing life I normally work seven days a week, but writing is ego food, totally self-supervised and intermittently productive of praise. Here, no one will notice my heroism on that Saturday's shift. (I will later make a point of telling Linda about it and receive only a distracted nod.) If you hump away at menial jobs 360-plus days a year, does some kind of repetitive injury of the spirit set in?


pages: 283 words: 73,093

Social Democratic America by Lane Kenworthy

affirmative action, Affordable Care Act / Obamacare, barriers to entry, basic income, business cycle, Celtic Tiger, centre right, clean water, collective bargaining, corporate governance, David Brooks, desegregation, Edward Glaeser, endogenous growth, full employment, Gini coefficient, hiring and firing, Home mortgage interest deduction, illegal immigration, income inequality, invisible hand, Kenneth Arrow, labor-force participation, manufacturing employment, market bubble, minimum wage unemployment, new economy, postindustrial economy, purchasing power parity, race to the bottom, rent-seeking, rising living standards, Robert Gordon, Robert Shiller, Ronald Reagan, school choice, shareholder value, sharing economy, Skype, Steve Jobs, too big to fail, Tyler Cowen: Great Stagnation, union organizing, universal basic income, War on Poverty, working poor, zero day

This is a big challenge, but it’s a manageable one. Next, large involuntary declines in income. Here, four changes are needed. One is sickness insurance. We are the only rich nation without a public sickness insurance program.6 Though many large private-sector firms offer employees some paid sickness days, and a few cities and states have a public program, one in three employed Americans gets zero days of paid sick leave.7

FIGURE 3.1 Health expenditures and life expectancy, 1960–2010. The data points are years. The lines are loess curves. Life expectancy: years at birth. Health expenditures: public plus private, as percent of GDP. The other countries are Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Japan, the Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom.


pages: 268 words: 76,702

The System: Who Owns the Internet, and How It Owns Us by James Ball

Bill Duvall, bitcoin, blockchain, Chelsea Manning, cryptocurrency, don't be evil, Donald Trump, Douglas Engelbart, Edward Snowden, en.wikipedia.org, Firefox, Frank Gehry, Internet of things, invention of movable type, Jeff Bezos, jimmy wales, Julian Assange, Kickstarter, Leonard Kleinrock, Marc Andreessen, Mark Zuckerberg, Menlo Park, Minecraft, Mother of all demos, move fast and break things, Network effects, Oculus Rift, packet switching, patent troll, Peter Thiel, pre–internet, ransomware, RFC: Request For Comment, risk tolerance, Ronald Reagan, Rubik’s Cube, self-driving car, Shoshana Zuboff, Silicon Valley, Silicon Valley startup, Skype, Snapchat, Steve Crocker, Stuxnet, The Chicago School, undersea cable, uranium enrichment, WikiLeaks, yield management, zero day

v=XEVlyP4_11M
8 Optic Nerve was first disclosed in a 2014 Snowden story, reported with Spencer Ackerman: https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
9 https://www.ft.com/content/93fe2e28-d83c-11e2-b4a4-00144feab7de
10 https://www.propublica.org/article/claim-on-attacks-thwarted-by-nsa-spreads-despite-lack-of-evidence
11 https://www.npr.org/2018/12/28/677414459/in-chinas-push-for-high-tech-hackers-target-cutting-edge-u-s-firms?t=1550197762515
12 To learn more about Stuxnet, and the massive cyber-programme it was part of, the best source is Alex Gibney’s documentary Zero Days. I reported some of its revelations, with independent corroboration, here: https://www.buzzfeednews.com/article/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma
13 https://www.thebureauinvestigates.com/stories/2018-09-13/bureau-wins-case-to-defend-press-freedom-at-the-european-court-of-human-rights
14 https://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls
15 As with other stories, they did agree to redact certain specific details (for example, particular models of software, or company names, when specific reasons were given).
16 The Guardian version of this story can be viewed here: https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
17 This was helpfully tweeted by the BBC’s technology editor, Rory Cellan-Jones: https://twitter.com/ruskin147/status/1096327971131088896/photo/1
18 The following account of WannaCry is based on interviews with the Symantec staff in the chapter, my own reporting from the time (https://www.buzzfeed.com/jamesball/heres-why-its-unlikely-the-nhs-was-deliberately-targeted-in, https://www.buzzfeed.com/jamesball/gchq-is-facing-questions-over-last-weeks-ransomware-attack, https://www.buzzfeed.com/jamesball/a-highly-critical-report-says-the-nhs-was-hit-by-the), and some details from this later Washington Post report: https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html?


pages: 330 words: 83,319

The New Rules of War: Victory in the Age of Durable Disorder by Sean McFate

active measures, anti-communist, barriers to entry, Berlin Wall, blood diamonds, cognitive dissonance, commoditize, computer vision, corporate governance, corporate raider, cuban missile crisis, Donald Trump, double helix, drone strike, European colonialism, failed state, hive mind, index fund, invisible hand, John Markoff, joint-stock company, moral hazard, mutually assured destruction, Nash equilibrium, offshore financial centre, pattern recognition, Peace of Westphalia, plutocrats, Plutocrats, private military company, profit motive, RAND corporation, ransomware, Ronald Reagan, Silicon Valley, South China Sea, Stuxnet, technoutopianism, Washington Consensus, Westphalian system, yellow journalism, Yom Kippur War, zero day, zero-sum game

Inflated cyber threats to U.S. electrical grid: Transforming the Nation’s Electricity System: The Second Installment of the Quadrennial Energy Review (Washington, DC: Department of Energy, January 2017), S-15. On varmint threat, see: Cyber Squirrel 1, 31 January 2018, http://cybersquirrel1.com. 9. Stuxnet hype: Michael Joseph Gross, “A Declaration of Cyber-War,” Vanity Fair, 21 March 2011, www.vanityfair.com/news/2011/03/stuxnet-201104; Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, 3 November 2014, www.wired.com/2014/11/countdown-to-zero-day-stuxnet. 10. Billy Mitchell predicts age of air power: William Mitchell, Winged Defense: The Development and Possibilities of Modern Air Power—Economic and Military (New York: G. P. Putnam’s Sons, 1924), 25–26. 11. Billy Mitchell predicts Pearl Harbor: “Billy Mitchell’s Prophecy,” American Heritage 13, no. 2 (February 1962): www.americanheritage.com/content/billy-mitchell’s-prophecy. 12.


pages: 274 words: 85,557

DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny

Berlin Wall, Bretton Woods, Brian Krebs, BRICs, call centre, Chelsea Manning, Fall of the Berlin Wall, illegal immigration, James Watt: steam engine, Julian Assange, MITM: man-in-the-middle, pirate software, Potemkin village, reserve currency, Silicon Valley, Skype, Stuxnet, urban sprawl, white flight, WikiLeaks, zero day

For a broader introduction into some of the challenges emerging as a consequence of Internet technology, Jonathan Zittrain’s The Future of the Internet: And How to Stop It should be the first port of call. Other blogs of real value include Krebsonsecurity by Brian Krebs; Bruce Schneier’s newsletter, Crypto-gram; the blog of F-Secure, the Finnish Computer Security company; and, finally, Dancho Danchev and Ryan Naraine’s Zero Day blog on ZDNet.

ACKNOWLEDGEMENTS

Writing this book presented many challenges which I could never have met had it not been for the generous assistance I received from a number of friends and colleagues around the world. In Britain, two people played a vital role. Leonida Krushelnycky has proved to be an indefatigable researcher, often uncovering vital material long after I had given up any hope of finding it.


pages: 304 words: 80,143

The Autonomous Revolution: Reclaiming the Future We’ve Sold to Machines by William Davidow, Michael Malone

2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, agricultural Revolution, Airbnb, American Society of Civil Engineers: Report Card, Automated Insights, autonomous vehicles, basic income, bitcoin, blockchain, blue-collar work, Bob Noyce, business process, call centre, cashless society, citizen journalism, Clayton Christensen, collaborative consumption, collaborative economy, collective bargaining, creative destruction, crowdsourcing, cryptocurrency, disintermediation, disruptive innovation, distributed ledger, en.wikipedia.org, Erik Brynjolfsson, Filter Bubble, Francis Fukuyama: the end of history, Geoffrey West, Santa Fe Institute, gig economy, Gini coefficient, Hyperloop, income inequality, industrial robot, Internet of things, invention of agriculture, invention of movable type, invention of the printing press, invisible hand, Jane Jacobs, job automation, John Maynard Keynes: Economic Possibilities for our Grandchildren, John Maynard Keynes: technological unemployment, Joseph Schumpeter, license plate recognition, Lyft, Mark Zuckerberg, mass immigration, Network effects, new economy, peer-to-peer lending, QWERTY keyboard, ransomware, Richard Florida, Robert Gordon, Ronald Reagan, Second Machine Age, self-driving car, sharing economy, Shoshana Zuboff, Silicon Valley, Simon Kuznets, Snapchat, speech recognition, Stuxnet, TaskRabbit, The Death and Life of Great American Cities, The Rise and Fall of American Growth, the scientific method, trade route, Turing test, Uber and Lyft, uber lyft, universal basic income, uranium enrichment, urban planning, zero day, zero-sum game, Zipcar

“Robert Tappan Morris,” Wikipedia, https://en.wikipedia.org/wiki/Robert_Tappan_Morris (accessed June 27, 2019); and “Computer Fraud and Abuse Act,” Wikipedia, https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act (accessed June 27, 2019). 43. Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed June 28, 2019). 44. Gordon Corera, “21st Century Warfare,” BBC, http://www.bbc.co.uk/guides/zq9jmnb#ztq6nbk (accessed June 28, 2019). 45. Steve Morgan, “Cybercrime Damages $6 Trillion by 2021,” Cybersecurity Ventures, October 16, 2017, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (accessed June 28, 2019). 46. “Gross Domestic Product for World,” Federal Reserve Bank of St.


pages: 309 words: 79,414

Going Dark: The Secret Social Lives of Extremists by Julia Ebner

23andMe, 4chan, Airbnb, anti-communist, anti-globalists, augmented reality, Ayatollah Khomeini, bitcoin, blockchain, Boris Johnson, citizen journalism, cognitive dissonance, crowdsourcing, cryptocurrency, Donald Trump, Elon Musk, feminist movement, game design, glass ceiling, Google Earth, job satisfaction, Mark Zuckerberg, mass immigration, Menlo Park, Mikhail Gorbachev, Network effects, off grid, pattern recognition, pre–internet, QAnon, RAND corporation, ransomware, rising living standards, self-driving car, Silicon Valley, Skype, Snapchat, social intelligence, Steve Jobs, Transnistria, WikiLeaks, zero day

Apart from learning these technical skills, he also recommends a range of infiltration and forgery techniques to get around security boundaries that cannot be solved with hacks alone:

• Get jobs that fill roles that you might find useful to compromise people working within in the future. This means sysadmin stuff, helpdesk stuff, etc. Also, you can usually get into everything at a company just by being hired as a sysad. If you can talk your way into a systems role repeatedly, you don’t need zero-days,25 you can get given the keys to everything.
• Getting a job as a skiptracer26 in the collections industry will give you access to datasets that will turbocharge your ability to dox individuals.
• Become a more competent programmer by submitting git pull27 requests for fixes on outstanding bugs and desired features on well used open source products. Get a dev job.
• Try to talk your way into random restricted areas, and call up random support lines and talk them into giving you sensitive customer information.


pages: 335 words: 95,549

Confessions of a Bookseller by Shaun Bythell

Airbnb, British Empire, cashless society, credit crunch, Donald Trump, mail merge, period drama, Skype, zero day

Till Total £162.89
17 Customers

WEDNESDAY, 8 APRIL

Online orders: 6
Orders found: 5

One of the orders was for three books, one of which was brought in by the banana box man yesterday – Outrage, by Ian Nairn, an unusual book. Nairn was an architectural critic who coined the word ‘subtopia’. One person ordering three books online means that the total number of books that went out today was eight: total value £99. Unusually high for our online sales, but it compensates for the two zero days we’ve had in the past week. At 10 a.m. a young Italian woman came in to discuss life in a bookshop for an article she’s writing for a blog. While we were chatting about the hardships facing bookshops today, a customer was browsing and came to the counter with three books. The total was £23. He said ‘You’ll do them for £20, won’t you.’ The Italian woman’s jaw dropped in disbelief. Which reminds me, haven’t heard from Emanuela for a while.


pages: 324 words: 96,491

Messing With the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News by Clint Watts

4chan, active measures, Affordable Care Act / Obamacare, barriers to entry, Berlin Wall, Bernie Sanders, Chelsea Manning, Climatic Research Unit, crowdsourcing, Daniel Kahneman / Amos Tversky, Donald Trump, drone strike, Edward Snowden, en.wikipedia.org, Erik Brynjolfsson, failed state, Fall of the Berlin Wall, Filter Bubble, global pandemic, Google Earth, illegal immigration, Internet of things, Julian Assange, loss aversion, Mark Zuckerberg, Mikhail Gorbachev, mobile money, mutually assured destruction, obamacare, Occupy movement, offshore financial centre, pre–internet, side project, Silicon Valley, Snapchat, The Wisdom of Crowds, Turing test, University of East Anglia, Valery Gerasimov, WikiLeaks, zero day

In cybersecurity speak, the GRU and the FSB operated as Advanced Persistent Threats (APTs), a reference to their dedicated targeting and wide array of cyber-hacking techniques. APTs, unlike common cybercriminals or hacker collectives, have sufficient resourcing to stay on their targets until they penetrate the systems they desire to access. APTs use a range of techniques, from the simple to the complex, employing all forms of social engineering and specifically tailored malware known as “zero days.” The Russian APTs were known in the cybersecurity world as APT28 (code name: Fancy Bear) and APT29 (Cozy Bear). Cozy and Fancy Bear represented competing Russian hacker groups seeking access and compromising information from democratically elected officials adversarial to Russia, media personalities (particularly reporters who interfaced with anonymous sources), military leaders, and academic researchers and policy think tanks studying Russia.


pages: 360 words: 100,991

Heart of the Machine: Our Future in a World of Artificial Emotional Intelligence by Richard Yonck

3D printing, AI winter, artificial general intelligence, Asperger Syndrome, augmented reality, Berlin Wall, brain emulation, Buckminster Fuller, call centre, cognitive bias, cognitive dissonance, computer age, computer vision, crowdsourcing, Elon Musk, en.wikipedia.org, epigenetics, friendly AI, ghettoisation, industrial robot, Internet of things, invention of writing, Jacques de Vaucanson, job automation, John von Neumann, Kevin Kelly, Law of Accelerating Returns, Loebner Prize, Menlo Park, meta analysis, meta-analysis, Metcalfe’s law, neurotypical, Oculus Rift, old age dependency ratio, pattern recognition, RAND corporation, Ray Kurzweil, Rodney Brooks, self-driving car, Skype, social intelligence, software as a service, Stephen Hawking, Steven Pinker, superintelligent machines, technological singularity, telepresence, telepresence robot, The Future of Employment, the scientific method, theory of mind, Turing test, twin studies, undersea cable, Vernor Vinge, Watson beat the top human players on Jeopardy!, Whole Earth Review, working-age population, zero day

Its developers will certainly do what they can to make their work and devices user-friendly, but beyond this there will be the hackers, the entrepreneurs, the DIY innovators who will seek to unravel the mysteries of the technology and in doing so bestow far more of its awesome power upon anyone who wants it, including the technically unskilled. It sounds ridiculous, but this is exactly what we’ve seen in recent years as hackers have made what was once hard-won knowledge and skill available to all at very affordable prices. Distributed denial of service (DDOS) attacks, SQL injections, brute force password cracking, botnet services, and zero-day exploits are all hacking methods that once required sophisticated expertise to perform. Today anyone with money and an Internet connection can access the “Dark Web” and find these tools available for purchase—complete with user-friendly interfaces. Tomorrow’s world will find much more for sale, and emotional computing tools will most certainly be among them. “Social engineering” is one of the key practices used by hackers seeking to gain electronic or physical access to secured hardware and data.


pages: 350 words: 107,834

Halting State by Charles Stross

augmented reality, Boris Johnson, call centre, forensic accounting, game design, Google Earth, hiring and firing, illegal immigration, impulse control, indoor plumbing, Intergovernmental Panel on Climate Change (IPCC), invention of the steam engine, lifelogging, Necker cube, Potemkin village, RFID, Schrödinger's Cat, Vernor Vinge, zero day

“The question isn’t where Team Red got the keys to the realm from: Hayek Associates have a copy of the one-time pad, because they’re sniffing on everything. The question is, Who inside Hayek Associates leaked the pad, via the blacknet? Barry’s gotten through to the disaster planning people. They’ve generated fresh master pads, and they’re pushing copies out to the main switches by courier—they’re implementing the national zero-day exploit plan. The goal is to throw the switch at noon, at which point all Team Red’s careful work goes down the toilet. Then they’ll reboot CopSpace completely and load freshly signed certificates for the dot-sco domain by hand on the root servers, and a bunch more fiddly stuff. But the main thing is, once they change the one-time pads for admin access to the national backbone routers, Team Red will be unable to tap traffic at will.


pages: 324 words: 106,699

Permanent Record by Edward Snowden

A Declaration of the Independence of Cyberspace, Berlin Wall, call centre, Chelsea Manning, cloud computing, cognitive dissonance, drone strike, Edward Snowden, Fall of the Berlin Wall, job-hopping, Julian Assange, Mark Zuckerberg, McMansion, Occupy movement, pattern recognition, peak oil, pre–internet, Rubik’s Cube, Silicon Valley, Skype, sovereign wealth fund, trade route, WikiLeaks, zero day

Yet even given that knowledge, I still struggle to accept the sheer magnitude and speed of the change, from an America that sought to define itself by a calculated and performative respect for dissent to a security state whose militarized police demand obedience, drawing their guns and issuing the order for total submission now heard in every city: “Stop resisting.” This is why whenever I try to understand how the last two decades happened, I return to that September—to that ground-zero day and its immediate aftermath. To return to that fall means coming up against a truth darker than the lies that tied the Taliban to al-Qaeda and conjured up Saddam Hussein’s illusory stockpile of WMDs. It means, ultimately, confronting the fact that the carnage and abuses that marked my young adulthood were born not only in the executive branch and the intelligence agencies, but also in the hearts and minds of all Americans, myself included.


pages: 339 words: 103,546

Blood and Oil: Mohammed Bin Salman's Ruthless Quest for Global Power by Bradley Hope, Justin Scheck

augmented reality, Ayatollah Khomeini, clean water, coronavirus, distributed generation, Donald Trump, Downton Abbey, Elon Musk, Exxon Valdez, Google Earth, high net worth, Jeff Bezos, Marc Andreessen, Mark Zuckerberg, MITM: man-in-the-middle, new economy, Peter Thiel, ride hailing / ride sharing, Sand Hill Road, Silicon Valley, South of Market, San Francisco, sovereign wealth fund, starchitect, Steve Jobs, Tim Cook: Apple, trade route, Travis Kalanick, Uber for X, urban planning, women in the workforce, young professional, zero day

Based in Herzliya, its team of computer engineers and former government hackers had built a system called Pegasus that could compromise smartphones. It only sold the system to governments that it deemed would use it for acceptable purposes and required Israeli government permission for each sale. Qatar was denied access, while the UAE purchased not one but three $50 million annual subscriptions for different intelligence-related organizations in its government. The high cost came down to NSO’s use of “zero-day” exploits, a term for loopholes in widely used software that even big companies like Microsoft, Google, and Apple don’t know about. Its researchers work to find those holes and create programs that exploit them to gain control of or access to devices. The only problem with providing such a powerful tool to other governments, including authoritarian monarchies, is their extremely limited oversight.


pages: 386 words: 116,233

The Millionaire Fastlane: Crack the Code to Wealth and Live Rich for a Lifetime by Mj Demarco

8-hour work day, Albert Einstein, AltaVista, back-to-the-land, Bernie Madoff, bounce rate, business process, butterfly effect, buy and hold, cloud computing, commoditize, dark matter, delayed gratification, demand response, Donald Trump, fear of failure, financial independence, fixed income, housing crisis, Jeff Bezos, job-hopping, Lao Tzu, Mark Zuckerberg, passive income, passive investing, payday loans, Ponzi scheme, price anchoring, Ronald Reagan, upwardly mobile, wealth creators, white picket fence, World Values Survey, zero day

Would you make a 5-for-2 trade knowing that it could transform into a 1-for-10? Would that be something to invest in? While I worked my plan, I gave 7-for-0 (I worked seven days and didn't take a day off) because I knew the roads on my roadmap converged with dreams. I worked for a better ratio in the near future, not in 40 years. I controlled my destiny and eventually my time trade investment yielded a dividend of 40 years. Now I do 0-for-7. I work zero days and get seven days of freedom. Sadly, if you are entrenched in the Slowlane, your options to shatter this negative 60% return for your freedom are restricted. Remember, wealth is defined by freedom, and if you require proof, look no further than Friday night when people celebrate freedom as the Slowlane dictatorship takes a weekend furlough.

Normal Is Condemnation to Mediocrity

Revolutionary Road, the 2008 movie starring Leonardo DiCaprio and Kate Winslet, does an excellent job portraying the Slowlane's death grip.


pages: 398 words: 120,801

Little Brother by Cory Doctorow

airport security, Bayesian statistics, Berlin Wall, citizen journalism, Firefox, game design, Golden Gate Park, Haight Ashbury, Internet Archive, Isaac Newton, Jane Jacobs, Jeff Bezos, mail merge, Mitch Kapor, MITM: man-in-the-middle, RFID, Sand Hill Road, Silicon Valley, slashdot, Steve Jobs, Steve Wozniak, Thomas Bayes, web of trust, zero day

They continue to turn people, to compromise them. They mine the social network sites and use threats to turn kids into informants. There are hundreds of people working for the DHS on Xnet right now. I have their names, handles and keys. Private and public.

> Within days of the Xnet launch, we went to work on exploiting ParanoidLinux. The exploits so far have been small and insubstantial, but a break is inevitable. Once we have a zero-day break, you're dead.

> I think it's safe to say that if my handlers knew that I was typing this, my ass would be stuck in Gitmo-by-the-Bay until I was an old woman.

> Even if they don't break ParanoidLinux, there are poisoned ParanoidXbox distros floating around. They don't match the checksums, but how many people look at the checksums? Besides me and you? Plenty of kids are already dead, though they don't know it


pages: 472 words: 117,093

Machine, Platform, Crowd: Harnessing Our Digital Future by Andrew McAfee, Erik Brynjolfsson

"Robert Solow", 3D printing, additive manufacturing, AI winter, Airbnb, airline deregulation, airport security, Albert Einstein, Amazon Mechanical Turk, Amazon Web Services, artificial general intelligence, augmented reality, autonomous vehicles, backtesting, barriers to entry, bitcoin, blockchain, British Empire, business cycle, business process, carbon footprint, Cass Sunstein, centralized clearinghouse, Chris Urmson, cloud computing, cognitive bias, commoditize, complexity theory, computer age, creative destruction, crony capitalism, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Dean Kamen, discovery of DNA, disintermediation, disruptive innovation, distributed ledger, double helix, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, Ethereum, ethereum blockchain, everywhere but in the productivity statistics, family office, fiat currency, financial innovation, George Akerlof, global supply chain, Hernando de Soto, hive mind, information asymmetry, Internet of things, inventory management, iterative process, Jean Tirole, Jeff Bezos, jimmy wales, John Markoff, joint-stock company, Joseph Schumpeter, Kickstarter, law of one price, longitudinal study, Lyft, Machine translation of "The spirit is willing, but the flesh is weak." to Russian and back, Marc Andreessen, Mark Zuckerberg, meta analysis, meta-analysis, Mitch Kapor, moral hazard, multi-sided market, Myron Scholes, natural language processing, Network effects, new economy, Norbert Wiener, Oculus Rift, PageRank, pattern recognition, peer-to-peer lending, performance metric, plutocrats, Plutocrats, precision agriculture, prediction markets, pre–internet, price stability, principal–agent problem, Ray Kurzweil, Renaissance Technologies, Richard Stallman, ride hailing / ride sharing, risk tolerance, Ronald Coase, Satoshi Nakamoto, Second Machine Age, self-driving car, sharing economy, Silicon Valley, Skype, slashdot, smart contracts, Snapchat, speech recognition, statistical model, Steve Ballmer, Steve Jobs, Steven Pinker, supply-chain management, TaskRabbit, Ted Nelson, The Market for Lemons, The Nature of the Firm, Thomas Davenport, Thomas L Friedman, too big to fail, transaction costs, transportation-network company, traveling salesman, Travis Kalanick, two-sided market, Uber and Lyft, Uber for X, uber lyft, ubercab, Watson beat the top human players on Jeopardy!, winner-take-all economy, yield management, zero day

To prevent against this type of fraud, shoe designer Greats released its Beastmode 2.0 Royale Chukkah collection in 2016 with a blockchain-enabled smart tag that enables enthusiasts to confirm the authenticity of their sneakers with their smartphone. Patrick Byrne, CEO of online retailer Overstock.com, has been a blockchain advocate since the early days of Bitcoin. Overstock became the first major e-commerce store to accept the digital currency, in September 2014. Byrne went on to create a subsidiary, TØ.com, that uses blockchain to track the exchange of financial assets. The name comes from the fact that trades on the platform settle in zero days as opposed to three days later (T+3), which is the norm on Wall Street. Overstock used TØ.com to offer $25 million in corporate bonds in June of 2015. In March of 2016 it announced it was making a public offering of preferred stock, utilizing blockchain. Both of these were world firsts. In October of 2015, Nasdaq launched Linq, a solution enabling private companies to digitally record share ownership using blockchain technology.


pages: 368 words: 145,841

Financial Independence by John J. Vento

Affordable Care Act / Obamacare, Albert Einstein, asset allocation, diversification, diversified portfolio, estate planning, financial independence, fixed income, high net worth, Home mortgage interest deduction, money market fund, mortgage debt, mortgage tax deduction, oil shock, Own Your Own Home, passive income, risk tolerance, the rule of 72, time value of money, transaction costs, young professional, zero day

Most policies have an elimination period (sometimes called a deductible or a waiting period). That means benefits can start 0, 20, 30, 60, 90, or 100 days after you start using long-term care or become disabled. How many days you have to wait for benefits to start will depend on the elimination period you pick when you buy your policy. You might be able to choose a policy with a zero-day elimination period but expect it to cost significantly more. Protecting against inflation can be one of the most important additions you can make to a long-term care insurance policy, although it will increase the premium you pay. If your benefits do not increase over time, years from now, you may find that they have not kept up with the rising cost of long-term care. The younger you are when you buy a policy, the more important it is for you to think about adding inflation protection; otherwise, you will be only partially covered when the need arises.


pages: 458 words: 135,206

CTOs at Work by Scott Donaldson, Stanley Siegel, Gary Donaldson

Amazon Web Services, bioinformatics, business intelligence, business process, call centre, centre right, cloud computing, computer vision, connected car, crowdsourcing, data acquisition, distributed generation, domain-specific language, glass ceiling, orbital mechanics / astrodynamics, pattern recognition, Pluto: dwarf planet, QR code, Richard Feynman, Ruby on Rails, shareholder value, Silicon Valley, Skype, smart grid, smart meter, software patent, thinkpad, web application, zero day, zero-sum game

There are not a lot of standards yet how to handle these petabytes of data, how to access it in an optimal, cost effective way. There are some open source applications to manage big data, and some very well-known large companies are starting to support those standards. S. Donaldson: How about cyber security? Cherches: Cyber security—well, that's a big subject. I always talk about one day walking into the office and everything is wiped out. A new, unknown threat, often called zero-day attack, may come out and computers will be wiped out. So, you need to have a good data recovery strategy in cyber security. Hire a good expert. Hire a company that can do penetration testing for you and can just come from outside and the inside and then report you their concerns. S. Donaldson: How do you handle technology investments for your own company? Cherches: What we try to do is to find at least three different vendors to try to present their solution.


Construction Project Management by S. Keoki Sears

8-hour work day, active measures, air freight, inventory management, Parkinson's law, supply-chain management, zero day

However, when a schedule adjustment bumps a whole chain of succeeding activities forward, all the resource needs of succeeding days can be affected substantially, thus complicating the calculation. These changes may serve to improve the overall situation or may only further complicate it. In the case of the 10 laborers needed on working day 6, Chart 5.3a on the companion website shows that activity 80 has 19 days of total float and 19 days of free float. Activity 90 has 12 days of total float and zero days of free float. This labor conflict can be remedied easily by moving either activity 80 or 90 to a later date; movement of activity 80 is preferable. 8.9 Heuristic Manpower Leveling A number of operations research techniques are available for obtaining optimal solutions to manpower leveling problems. Numerous algorithms are available to accomplish such a time‐critical analysis, but these require a computer to handle no more than a few resources.


pages: 478 words: 149,810

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson

4chan, Asperger Syndrome, bitcoin, call centre, Chelsea Manning, corporate governance, crowdsourcing, Firefox, hive mind, Julian Assange, Minecraft, MITM: man-in-the-middle, Occupy movement, peer-to-peer, pirate software, side project, Skype, speech recognition, Stephen Hawking, Stuxnet, We are Anonymous. We are Legion, We are the 99%, web application, WikiLeaks, zero day

I know you guys don’t know me, but you probably know people that do. Xero, venuism, e, insidious, nigg, etc etc.” Then he added, “Kayla.” Joepie reported all of this verbatim back to the crew in #pure-elite. Those nicknames were very well known, pointed out a secondary-crew member called Trollpoll. Another laughed. “He’s just name dropping,” said Sabu. Neuron, a friendly and analytical Anon, suggested asking Egeste to provide a zero-day as proof of his skills. Also known as a 0day, this referred to an as-yet-unknown server vulnerability, and finding one meant big kudos for any hacker, white hat or black hat. Sabu asked Kayla if she’d heard of Egeste, and it turned out the new guy had also been in the #Gnosis channel when she had coordinated the hack on Gawker, but “he did not do shit,” she said. For all the names he had mentioned, Egeste was just another distraction.


pages: 497 words: 144,283

Connectography: Mapping the Future of Global Civilization by Parag Khanna

"Robert Solow", 1919 Motor Transport Corps convoy, 2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, 9 dash line, additive manufacturing, Admiral Zheng, affirmative action, agricultural Revolution, Airbnb, Albert Einstein, amateurs talk tactics, professionals talk logistics, Amazon Mechanical Turk, Asian financial crisis, asset allocation, autonomous vehicles, banking crisis, Basel III, Berlin Wall, bitcoin, Black Swan, blockchain, borderless world, Boycotts of Israel, Branko Milanovic, BRICs, British Empire, business intelligence, call centre, capital controls, charter city, clean water, cloud computing, collateralized debt obligation, commoditize, complexity theory, continuation of politics by other means, corporate governance, corporate social responsibility, credit crunch, crony capitalism, crowdsourcing, cryptocurrency, cuban missile crisis, data is the new oil, David Ricardo: comparative advantage, deglobalization, deindustrialization, dematerialisation, Deng Xiaoping, Detroit bankruptcy, digital map, disruptive innovation, diversification, Doha Development Round, edge city, Edward Snowden, Elon Musk, energy security, Ethereum, ethereum blockchain, European colonialism, eurozone crisis, failed state, Fall of the Berlin Wall, family office, Ferguson, Missouri, financial innovation, financial repression, fixed income, forward guidance, global supply chain, global value chain, global village, Google Earth, Hernando de Soto, high net worth, Hyperloop, ice-free Arctic, if you build it, they will come, illegal immigration, income inequality, income per capita, industrial cluster, industrial robot, informal economy, Infrastructure as a Service, interest rate swap, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Isaac Newton, Jane Jacobs, Jaron Lanier, John von Neumann, Julian Assange, Just-in-time delivery, Kevin Kelly, Khyber Pass, Kibera, Kickstarter, LNG terminal, low cost airline, low cost carrier, low earth orbit, manufacturing employment, mass affluent, mass immigration, megacity, Mercator projection, Metcalfe’s law, microcredit, mittelstand, Monroe Doctrine, mutually assured destruction, New Economic Geography, new economy, New Urbanism, off grid, offshore financial centre, oil rush, oil shale / tar sands, oil shock, openstreetmap, out of africa, Panamax, Parag Khanna, Peace of Westphalia, peak oil, Pearl River Delta, Peter Thiel, Philip Mirowski, plutocrats, Plutocrats, post-oil, post-Panamax, private military company, purchasing power parity, QWERTY keyboard, race to the bottom, Rana Plaza, rent-seeking, reserve currency, Robert Gordon, Robert Shiller, Robert Shiller, Ronald Coase, Scramble for Africa, Second Machine Age, sharing economy, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, six sigma, Skype, smart cities, Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia, South China Sea, South Sea Bubble, sovereign wealth fund, special economic zone, spice trade, Stuxnet, supply-chain management, sustainable-tourism, TaskRabbit, telepresence, the built environment, The inhabitant of London could order by telephone, sipping his morning tea in bed, the various products of the whole earth, Tim Cook: Apple, trade route, transaction costs, UNCLOS, uranium enrichment, urban planning, urban sprawl, WikiLeaks, young professional, zero day

World Input-Output Database. http://www.wiod.org/new_site/home.htm. Wriston, Walter B. The Twilight of Sovereignty: How the Information Revolution Is Transforming Our World. Scribner, 1992. Zakaria, Fareed. The Future of Freedom: Illiberal Democracy at Home and Abroad. W. W. Norton, 2007. Zeihan, Peter. The Accidental Superpower: The Next Generation of American Preeminence and the Coming Global Disorder. Twelve, 2015. Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Penguin Random House, 2014. Zhang Weiwei. The China Wave: Rise of a Civilizational State. World Century, 2012. Zheng, Y. De Facto Federalism in China: Reforms and Dynamics of Central-Local Relations. World Scientific, 2007. ———. “Institutional Economics and Central-Local Relations in China: Evolving Research.” China: An International Journal 3, no. 2 (2005): 240–69.


pages: 537 words: 149,628

Ghost Fleet: A Novel of the Next World War by P. W. Singer, August Cole

3D printing, Admiral Zheng, augmented reality, British Empire, digital map, energy security, Firefox, glass ceiling, global reserve currency, Google Earth, Google Glasses, IFF: identification friend or foe, Just-in-time delivery, low earth orbit, Maui Hawaii, MITM: man-in-the-middle, new economy, old-boy network, RAND corporation, reserve currency, RFID, Silicon Valley, Silicon Valley startup, South China Sea, sovereign wealth fund, stealth mode startup, trade route, Wall-E, We are Anonymous. We are Legion, WikiLeaks, zero day, zero-sum game

“It might look like camouflage, but the reality is that all the scaffolding and tarps are really necessary. We ended up having to do a top-to-bottom overhaul here,” said Simmons. As they approached a knot of crewmen — some in their teens, others decades older — clambering over a scaffold, the admiral said, “Tell me about the crew. How is the new mix going?” “The mix of generations has its strengths and weaknesses. We have the remnants of the pre–Zero Day fleet. I was given my choice of the best of my old crew, which I understand I have you to thank for. Then there are the draftees, some of whom have never seen the real ocean, let alone been out on it,” said Simmons. “But what they do know are computers; they’ve been with viz in one form or another since birth. They see problems differently than regular sailors, even sailors who were in the Navy when the war started.”


pages: 477 words: 144,329

How Money Became Dangerous by Christopher Varelas

activist fund / activist shareholder / activist investor, Airbnb, airport security, barriers to entry, basic income, bitcoin, blockchain, Bonfire of the Vanities, California gold rush, cashless society, corporate raider, crack epidemic, cryptocurrency, discounted cash flows, disintermediation, diversification, diversified portfolio, Donald Trump, dumpster diving, fiat currency, fixed income, friendly fire, full employment, Gordon Gekko, greed is good, interest rate derivative, John Meriwether, Kickstarter, Long Term Capital Management, mandatory minimum, mobile money, mortgage debt, pensions crisis, pets.com, pre–internet, profit motive, risk tolerance, Saturday Night Live, shareholder value, side project, Silicon Valley, Steve Jobs, technology bubble, The Predators' Ball, too big to fail, universal basic income, zero day

Finally he helped me complete the credit analysis. There were several things I had a hard time making sense of. For example, when other diamond wholesalers closed a deal, they would typically be paid within six months, but it was different with Barry. His accounts would be settled immediately. “People pay me.” That’s the only answer he gave when I asked him about it. “But, Barry, the industry average is 180 days, and yours is close to zero days.” “People pay me.” I was beginning to understand the value of a tough reputation in the diamond industry, but despite Barry’s intimidating personality, it didn’t take long to recognize that he was good to his core, a man who had built his reputation through honesty and integrity. Over time, he became someone I could call for advice about any loan I was considering making. The diamond wholesaler community is small enough that everyone knows everyone else.


pages: 571 words: 162,958

Rewired: The Post-Cyberpunk Anthology by James Patrick Kelly, John Kessel

back-to-the-land, Columbine, dark matter, Extropian, Firefox, gravity well, haute couture, Internet Archive, pattern recognition, phenotype, post-industrial society, price stability, Silicon Valley, slashdot, Stephen Hawking, technological singularity, telepresence, the scientific method, Turing test, urban renewal, Vernor Vinge, wage slave, Y2K, zero day

“No need for both of us to be wrecked tomorrow.” “What? Oh. My personal box is over there. It went down around 1:30 and I got woken up by my process-monitor. I should have called you and told you I was coming down—spared you the trip.” Felix’s own server — a box he shared with five other friends — was in a rack one floor down. He wondered if it was offline too. “What’s the story?” “Massive flashworm attack. Some jackass with a zero-day exploit has got every Windows box on the net running Monte Carlo probes on every IP block, including IPv6. The big Ciscos all run administrative interfaces over v6, and they all fall over if they get more than ten simultaneous probes, which means that just about every interchange has gone down. DNS is screwy, too—like maybe someone poisoned the zone transfer last night. Oh, and there’s an email and IM component that sends pretty lifelike messages to everyone in your address book, barfing up Eliza-dialog that keys off of your logged email and messages to get you to open a Trojan.”


pages: 572 words: 179,024

Area 51: An Uncensored History of America's Top Secret Military Base by Annie Jacobsen

Albert Einstein, anti-communist, Berlin Wall, cuban missile crisis, data acquisition, drone strike, Maui Hawaii, mutually assured destruction, operation paperclip, orbital mechanics / astrodynamics, Project Plowshare, RAND corporation, Ronald Reagan, South China Sea, uranium enrichment, urban sprawl, zero day

An accidental detonation of a nuclear weapon in an urban area would be far more catastrophic than one in a remote desert area such as Groom Lake, and the Department of Defense wanted to test how city surfaces would respond to plutonium contamination, so mock-ups of sidewalks, curbs, and pavement pieces were set out in the desert landscape. Some fourteen hundred blocks of highway asphalt and wood float finish concrete were fabricated and set around on the ground. To see how automobiles would contaminate when exposed to plutonium, cars and trucks were parked among the juniper bushes and Joshua trees. As zero day got closer, Mingus saw preparations pick up. Giant air-sampling balloons were tethered to the earth and floated over Area 13 at various elevations; some were five feet off the ground and others a thousand feet up, giving things a circus feel. Nine burros, 109 beagles, 10 sheep, and 31 albino rats were put in cages and set to face the dirty bomb. EG&G’s rapatronic photographic equipment would record the radioactive cloud within the first few microseconds of detonation.


Seeking SRE: Conversations About Running Production Systems at Scale by David N. Blank-Edelman

Affordable Care Act / Obamacare, algorithmic trading, Amazon Web Services, bounce rate, business continuity plan, business process, cloud computing, cognitive bias, cognitive dissonance, commoditize, continuous integration, crowdsourcing, dark matter, database schema, Debian, defense in depth, DevOps, domain-specific language, en.wikipedia.org, fault tolerance, fear of failure, friendly fire, game design, Grace Hopper, information retrieval, Infrastructure as a Service, Internet of things, invisible hand, iterative process, Kubernetes, loose coupling, Lyft, Marc Andreessen, microservices, minimum viable product, MVC pattern, performance metric, platform as a service, pull request, RAND corporation, remote working, Richard Feynman, risk tolerance, Ruby on Rails, search engine result page, self-driving car, sentiment analysis, Silicon Valley, single page application, Snapchat, software as a service, software is eating the world, source of truth, the scientific method, Toyota Production System, web application, WebSocket, zero day

Rather than developing the same antibot or DDoS mitigation tooling in each application, you can use scriptable load balancers to build a layer of protection against these threats and use them on all web-exposed services.13 Cloudflare has built a business providing such a layer with its web application firewall functionality. Any service behind its middleware gains the same benefits of protection against Open Web Application Security Project (OWASP) vulnerabilities, common DoS vectors, and zero-day exploits. When the danger or authenticity of a request is ambiguous, the middleware is able to redirect to a challenge-response test to validate that the request comes from a legitimate source. Whereas previously protection against attacks below the application layer would require making a decision based on the scope of a single packet, scriptable load balancers allow you to make decisions after analyzing the entire transaction.


pages: 945 words: 292,893

Seveneves by Neal Stephenson

clean water, Colonization of Mars, Danny Hillis, digital map, double helix, epigenetics, fault tolerance, Fellow of the Royal Society, Filipino sailors, gravity well, Isaac Newton, Jeff Bezos, kremlinology, Kuiper Belt, low earth orbit, microbiome, orbital mechanics / astrodynamics, phenotype, Potemkin village, pre–internet, random walk, remote working, selection bias, side project, Silicon Valley, Skype, statistical model, Stewart Brand, supervolcano, the scientific method, Tunguska event, zero day, éminence grise

New arrivals tended to expect that anything placed elsewhere on the table would roll and slide down toward them. The walls were pale yellow. The usual collection of malfunctioning audiovisual equipment purported to show live video streams of people on the ground, in theory enabling them to teleconference with colleagues in Houston, Baikonur, or Washington. When the meeting began at A+0.0.4 (zero years, zero days, and four hours since the Agent had acted upon the moon), nothing was working, and so the occupants of Izzy had a few minutes to talk among themselves while Frank Casper and Jibran Haroun wiggled connectors, typed commands into computers, and rebooted everything. Relatively new arrivals to Izzy, Frank and Jibran had made the mistake of letting on that they were good at that sort of thing, so they always got saddled with it.


pages: 926 words: 312,419

Working: People Talk About What They Do All Day and How They Feel About What They Do by Studs Terkel

activist lawyer, business cycle, call centre, card file, cuban missile crisis, Ford paid five dollars a day, half of the world's population has never made a phone call, job satisfaction, Ralph Nader, strikebreaker, traveling salesman, urban renewal, War on Poverty, working poor, Yogi Berra, zero day

Going up, it’s bad enough carrying something on your back. Coming down with two hundred pounds on your back, it gets heavier. It has never bothered me. I have a real bad back, by the way. I’ve been in the hospital last year with a bad back. Shoveling coal and mopping is bad. If you have a lot of mopping, you’re throwing your hips around. I tire out very easy because of my back. But I’m better in my job now. A janitor on zero days, when the wind is blowin’ and he has to go up those stairs in ice cold weather—a lot of janitors are up in age. You’re talking about men fifty years old, fifty-five, up into there. He has to clean those porches off, he has to shovel the snow, and the ticker only takes so much. Now I have a jeep. I plow the whole sidewalk. Instead of shoveling, I just push it off now. Almost all the janitors . . .