Saturday, February 27, 2021

Review: Perlroth's book on the cyberarms market

New York Times reporter Nicole Perlroth has written a book on zero-days and nation-state hacking entitled “This Is How They Tell Me The World Ends”. Here is my review.


I’m not sure what the book intends to be. The blurbs from the publisher implies a work of investigative journalism, in which case it’s full of unforgivable factual errors. However, it reads more like a memoir, in which case errors are to be expected/forgivable, with content often from memory rather than rigorously fact checked notes.


But even with this more lenient interpretation, there are important flaws that should be pointed out. For example, the book claims the Saudi’s hacked Bezos with a zero-day. I claim that’s bunk. The book claims zero-days are “God mode” compared to other hacking techniques, I claim they are no better than the alternatives, usually worse, and rarely used.


But I can’t really list all the things I disagree with. It’s no use. She’s a New York Times reporter, impervious to disagreement.


If this were written by a tech journalist, then criticism would be the expected norm. Tech is full of factual truths, such as whether 2+2=5, where it’s possible for a thing to be conclusively known. All journalists make errors -- tech journalists are constantly making small revisions correcting their errors after publication.


The best example of this is Ars Technica. They pride themselves on their reader forums, where readers comment, opine, criticize, and correct stories. Sometimes readers add more interesting information to the story, providing free content to other readers. Sometimes they fix errors.


It’s often unpleasant for the journalists who steel themselves after hitting “Submit…”. They have a lot of practice defending or correcting every assertion they make, from both legitimate and illegitimate criticism. This makes them astoundingly good journalists -- mistakes editors miss readers don’t. They get trained fast to deal with criticism.


The mainstream press doesn’t have this tradition. To be fair, it couldn’t. Tech forums have techies with knowledge and experience, while the mainstream press has ignorant readers with opinions. Regardless of the story’s original content it’ll devolve into people arguing about whether Epstein was murdered (for example).


Nicole Perlroth is a mainstream reporter on a techy beat. So you see a conflict here between the expectation both sides have for each other. Techies expect a tech journalist who’ll respond to factual errors, she doesn’t expect all this criticism. She doesn’t see techie critics for what they are -- subject matter experts that would be useful sources to make her stories better. She sees them as enemies that must be ignored. This makes her stories sloppy by technical standards. I hate that this sounds like a personal attack when it’s really more a NYTimes problem -- most of their cyber stories struggle with technical details, regardless of author.


This problem is made worse by the fact that the New York Times doesn’t have “news stories” so much as “narratives”. They don’t have neutral stories reporting what happened, but narratives explaining a larger point.


A good example is this story that blames the Baltimore ransomware attack on the NSA’s EternalBlue. The narrative is that EternalBlue is to blame for damage all over the place, and it uses the Baltimore ransomware as an example. However, EternalBlue wasn’t responsible for that particular ransomware -- as techies point out.


Perlroth doesn’t fix the story. In her book, she instead criticizes techies for focusing on “the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue”, and that techies don’t acknowledge “the wreckage from EternalBlue in towns and cities across the country”.


It’s a bizarre response from a journalist, refusing to fix a falsehood in a story because the rest of the narrative is true.


Some of the book is correct, telling you some real details about the zero-day market. I can't say it won't be useful to some readers, though the useful bits are buried in a lot of non-useful stuff. But most of the book is wrong about the zero-day market, a slave to the narrative that zero-days are going to end the world. I mean, I should say, I disagree with the narrative and her political policy ideas -- I guess it's up to you to decide for yourself if it's "wrong". Apart from inaccuracies, a lot is missing -- for example, you really can't understand what a "zero-day" is without also understanding the 40 year history of vuln-disclosure.


I could go on a long spree of corrections, and others have their own long list of inaccuracies, but there’s really no point. She's already defended her book as being more of a memoir than a work of journalistic integrity, so her subjective point of view is what it's about, not facts. Her fundamental narrative of the Big Bad Cyberarms Market is a political one, so any discussion of accuracy will be in service of political sides rather than the side of truth.


Moreover, she’ll just attack me for my “bruised male ego”, as she has already done to other expert critics.


1 comment:

Jeff said...

For non-technical issues, "Journalism" is being replaced by "advocacy journalism", which is taught in many universities.