Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to limit the country’s ability to construct a nuclear weapon.

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as the use of fraudulently signed digital certificates, bears the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrates that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA; Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies; historically, the CIA and renowned physicists planted false stories in Nature; the formal recognition of cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior; and the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible, with the flagrancy of the propagation likely being an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves the norms of digital security unsettled and leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Review of Happy City: Transforming Our Lives Through Urban Design

Rating: ⭐️⭐️⭐️⭐️⭐️

Montgomery’s book, Happy City: Transforming Our Lives Through Urban Design, explores how decades of urban design are destructive to human happiness, human life, and the life of the planet itself. He tours the world — focused mostly on Vancouver, Portland, Bogotá, Atlanta, and Hong Kong — to understand the different choices that urban designers historically adopted and why communities are now railing against those decisions.

The book represents a tour de force, insofar as it carefully and clearly explains that urban sprawl — which presumed that we would all have cars and that we all wanted or needed isolated homes — is incredibly harmful. The focus of the book is, really, on how designing for cars leads to designing for things instead of people, and how efforts to facilitate car traffic have been antithetical to human life and flourishing. His call for happy cities really constitutes calls to, first and foremost, invest in urbanization and densification. Common social utilities, like transit and parks and community spaces, are essential for cities to become happy because these utilities reduce commutes and increase socialization, and the presence of nature relieves the human mind of urban stresses.

While the book is rife with proposals for how to make things better, Montgomery doesn’t go so far as to argue that such changes are easy or that they can be universally applied everywhere. The infrastructure that exists now cannot simply be torn up and replaced. As a result he identifies practical ways that even suburban areas can reinvigorate their community spaces: key, in almost all cases, is finding ways to facilitate human contact by way of re-thinking the structures of urban design itself. These changes depend not only on — indeed, they may barely depend at all upon! — city planners and, instead, demand that citizens advocate for their own interests. Such advocacy needn’t entail using the language of architects and urban designers and can, instead, focus on words or themes such as ‘community’ or ‘safe for children to bike’ or ‘closer to community resources’ or ‘slower streets’ or ‘more green space’. After such calls are robustly, and regularly, issued, the landscape may begin to change to facilitate both human happiness and smaller environmental footprints.

If there is a flaw to this book, it is that many of the examples presume that small-scale experiments necessarily are scalable to broad communities. I don’t know that these examples do not scale but, because of the relatively small sample-set and regularity at which Montgomery leverages them, it’s not clear how common or effective the interventions he proposes genuinely are. Nevertheless, this is a thought-provoking book that challenges the reader to reflect on how cities are, and should be, built to facilitate and enable the citizens who reside within and beyond their boundaries.