Slashdot Mirror


Book Review: Countdown To Zero Day

benrothke writes A word to describe the book Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction. Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon has certainly upped the ante for accurate computer security journalism. The book is a fascinating read and author Kim Zetter's attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book. Keep reading for the rest of Ben's review.

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
author: Kim Zetter
pages: 448
publisher: Crown
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-0770436179
summary: Outstanding narrative about Stuxnet and how it was developed, quarantined and debugged

For those that want to know the basics about Stuxnet, its Wikipedia entry will suffice. The book takes a detailed look at how the Stuxnet worm of 2010 came to be, how it was written, discovered and deciphered, and what it means for the future, and provides nearly everything known to date about Stuxnet.

The need to create Stuxnet was the understanding that a nuclear Iran was dangerous to the world. The book notes that it wasn't just the US and Israel that wanted a nuclear-free Iran; Egypt and Saudi Arabia were highly concerned about the dangers a nuclear Iran would bring to the region.

What is eminently clear is that Iran chronically lied about their nuclear intentions and actions (chapter 17 notes that former United Kingdom Prime Minister Gordon Brown told the international community that they had to do something over Iran's serial deception of many years) and that the United Nations International Atomic Energy Agency (IAEA) is powerless to do anything, save for monitoring and writing reports.

Just last week, President Obama said a big gap remains in international nuclear negotiations with Iran and he questioned whether talks would succeed. He further said "are we going to be able to close this final gap so that (Iran) can reenter the international community, sanctions can be slowly reduced and we have verifiable, lock tight assurances that they can't develop a nuclear weapon, there's still a big gap. We may not be able to get there". It's that backdrop to which Stuxnet was written.

While some may debate if Stuxnet was indeed the world's first digital weapon, it's undeniable that it is the first piece of known malware that could be considered a cyber-weapon. Stuxnet was unlike any other previous malware. Rather than just hijacking targeted computers or stealing information from them, it created physical destruction on centrifuges the software controlled.

At just over 400 pages, the book is a bit wordy at times, but Zetter does a wonderful job of keeping the book extremely readable and the narrative enthralling. Writing about debugging virus code, Siemens industrial programmable logic controllers (PLC) and Step7 software (which was what Stuxnet was attacking) could easily be mind-numbingly boring, save for Zetter's ability to make it a compelling read.

While a good part of the book details the research Symantec, Kaspersky Lab and others did to debug Stuxnet, the book doesn't have any software code, which makes it readable for the non-programmer. The book is technical and Zetter gets into the elementary details of how Stuxnet operated; from reverse engineering, digital certificates and certificate authorities, cryptographic hashing and much more. The non-technical reader certainly won't be overwhelmed, but at the same time might not be able to appreciate what went into designing and making Stuxnet work.

As noted earlier, the book is extremely well researched and all significant claims are referenced. The book is heavily footnoted, which makes the book much more readable than the use of endnotes. Aside from the minor error of mistakenly calling Kurt Gödel a cryptographer on page 295 (he was a logician), Zetter's painstaking attention to detail is to be commended.

Whoever wrote Stuxnet counted on the Iranians not having the skills to uncover or decipher the malicious attacks on their own. But as Zetter writes, they also didn't anticipate the crowdsourced wisdom of the hive — courtesy of the global cybersecurity community that would handle the detection and analysis for them. That detection and analysis spanned continents and numerous countries.

The book concludes with chapter 19 — Digital Pandora — which departs from the details of Stuxnet and gets into the bigger picture of what cyber-warfare means and its intended and unintended consequences. There are no simple answers here and the stakes are huge.

The chapter quotes Marcus Ranum who is outspoken on the topic of cyber-warfare. At the 2014 MISTI Infosec World Conference, Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Be it the topic or Marcus just being Marcus, a third of the participants left within the first 15 minutes. But they should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.

The book leaves two unresolved questions: who did it, and how did it get into the Natanz enrichment facility. It is thought the US with some assistance from Israel created Stuxnet; but Zetter also writes that Germany and Great Britain may have done the work or at least provided assistance.

It's also unknown how Stuxnet got into the air-gapped facility. It was designed to spread via an infected USB flash drive. It's thought that since they couldn't get into the facility, what needed to be done was to infect computers belonging to a few outside firms that sold devices that would in turn be connected to the facility. The book identified a few of these companies, but it's still unclear if they were the ones, or the perpetrators somehow had someone on the inside.

As to zero day in the title, what was unique about Stuxnet is that it contained 5 zero day exploits. Zero day is also relevant in that Zetter describes the black and gray markets of firms that discover zero-day vulnerabilities who in turn sell them to law enforcement and intelligence agencies.

Creating Stuxnet was a huge challenge that took scores of programmers from a nation state many months to create. Writing a highly readable and engrossing book about the obscure software vulnerabilities that it exploited was also a challenge, albeit one that few authors could do efficaciously. In Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter has written one of the best computer security narratives; a book you will likely find quite hard to put down.

Reviewed by Ben Rothke.

You can purchase Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.

58 comments

  1. Is the review done by bennett? by Anonymous Coward · · Score: 0, Funny

    Can I finally form an opinion? ?? TFS clearly wants to imitate the frequent contributor Bennett Haselton with its length. However only Bennett can put down ALL THOUGHTS on the topic.

  2. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    Can someone please remove this spammer!

  3. Beware:spammer comments linking to "My Clean PC" by Anonymous Coward · · Score: 0

    Someone is spamming on this thread to have you go to the my clean pc site.
    It is a scam.

    Read this: http://www.pchell.com/reviews/mycleanpc.shtml

    and then read this - Top 35 Complaints and Reviews about MyCleanPC.com ---- http://www.consumeraffairs.com/computers/mycleanpc.html

    and then watch this video - mycleanpc.com IS A SCAM! ------https://www.youtube.com/watch?v=X8E5sgsRmLo

  4. Re:Beware:spammer comments linking to "My Clean PC by Anonymous Coward · · Score: 0

    and then watch this video - mycleanpc.com IS A SCAM! ------https://www.youtube.com/watch?v=X8E5sgsRmLo

    don't get me started on vista.

  5. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    Why? Not only did MyCleanPC fix dude's life it could be used to weed out terrorists!

  6. Re:Beware:spammer comments linking to "My Clean PC by Anonymous Coward · · Score: 0

    I've watched that video and the dude opened another cleaning program and compared the results. That other cleaning program has found less errors than My Clean PC, so it was worse. And he used that as explanation that My Clean PC is wrong. Then he yelled into the camera that it were a scam and he ended the video. I don't think he is reputable enough to rate My Clean PC. My Clean PC however is reputable, as there is a guy in a suit on their website. Only reputable sources add a guy in a suit to their website.

  7. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    You really should seek help for your condition.

  8. Bennett Haselton by Anonymous Coward · · Score: 0

    He is, after all, a frequent contributor.

  9. comments are all messed up..no spam by Anonymous Coward · · Score: 0

    watch out..spammers r loose.

  10. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    You really should seek help for your condition.

    It is interesting to note that the MyCleanPC copypasta appears more frequently on stories that concern security issues. It's almost like the people behind it prefer that certain things either not be talked about, or that readers browse certain topics at +1 or above. This is, of course, obviously a coincidence. Absolutely no aspersions are being cast about why the copypasta appears more often on stories involving national security. Nope, nosirree.

  11. Why are comments banned for this book??? by Anonymous Coward · · Score: 0

    Political comments are being stopped; why?

    1. Re:Why are comments banned for this book??? by _merlin · · Score: 1

      Anything pointing out that the only substantial act of cyberwar was perpetrated by US/Israel supports terrorists, I guess. Can't let people actually have a discussion about it, have to bury it in a crapflood. Yeah, it's odd that this particular story has attracted such a storm of MyCleanPC and Bennet copypasta. What are the odds that it's actually a coincidence?

    2. Re:Why are comments banned for this book??? by Anonymous Coward · · Score: 0

      >>What are the odds that it's actually a coincidence?

      why would any one do that?

    3. Re:Why are comments banned for this book??? by Anonymous Coward · · Score: 0

      Inflated ego much? Slashdot is an irrelevant tech site. If this was happening on Reddit or Hacker News you might have a point.

    4. Re:Why are comments banned for this book??? by Anonymous Coward · · Score: 0

      I've just thought, oh there is some bennett (the frequent contributor one) fan around with mod points, so let him burn them for good. The choice was mere coincidence. You can start making theories and so on and so on, but I simply guess that mycleanpc dude saw what I was doing, and made their own crapflood to show me how good and fast he could bla bla. In fact, he could crapflood faster, I've pointed that out in one of my comments. Also note that every comment is unique, so you can call it crapflood but please not copypasta. I've given every single of my children their own piece of love, please appreciate that. Also, it's the first bennett copypasta ever I guess. Please correct me when I'm wrong. I don't wanna give me titles I don't deserve. Thank you for answering me, it's a nice feeling to be fed.

  12. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    Why? Not only did MyCleanPC fix dude's life it could be used to weed out terrorists!

    Not only that it solves world hunger and leaves the bathroom sparkly.

  13. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    I used MyCleanPC for the garage floors and they have never been cleaner, not only that by using it I found a new confidence taken away by incontinence.

    I love you MyCleanPC, if only the whole wide world was a clean PC then global warming would be no more.

  14. Free, Kevin Mitnick! by MrKaos · · Score: 2

    I remember when Mitnick was held in jail for 5 years by the FBI without a charge and that they were so scared of the guy they refused him a phone call because they believed he would be able to call in a nuclear bomb strike.

    I read his book, "The Art of Deception" - an excellent read, yet despite all his recommendations we see all of the holes still present for the modern intelligencia to take advantage of. Kevin was to be the poster boy for 21st Century human rights abuse and the FBI didn't care how many bumper stickers people bought.

    --
    My ism, it's full of beliefs.

    1. Re:Free, Kevin Mitnick! by Anonymous Coward · · Score: 0

      in this interview on the colbert report.... mitnick talks about that:

      http://thecolbertreport.cc.com/videos/1yhudu/kevin-mitnick

    2. Re:Free, Kevin Mitnick! by Anonymous Coward · · Score: 0

      fbi is still at it...check this one out:

      Fbi Agents Impersonate Repairmen As Part Of Las Vegas Gambling Bust

        Published on Oct 30, 2014

      In "Ocean's Eleven," Danny Ocean's crew plans a ruse to steal money inside a Las Vegas casino. It includes cutting the city's power. The FBI has now been accused of planning a real-life ruse inside luxury villas at Caesars Palace.

      https://www.youtube.com/watch?v=1F38zQBo8W0

  15. Huh? by Threni · · Score: 1

    I don't understand the point of the reference to Takedown, nor the irony of Mitnick commenting on another book.

    1. Re:Huh? by Anonymous Coward · · Score: 0

      http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X

      “Part detective story, part scary-brilliant treatise on the future of warfare…an ambitious, comprehensive, and engrossing book that should be required reading for anyone who cares about the threats that America—and the world—are sure to be facing over the coming years.”
      —Kevin Mitnick, New York Times bestselling author of Ghost in the Wires and The Art of Intrusion

    2. Re:Huh? by Anonymous Coward · · Score: 0

      free advertising!!!

      might be one author being nice to another author.....

  16. Kevin Mitnick : The Stuxnet References by Anonymous Coward · · Score: 0

    Honestly what the referential fuck? Kevin Mitnick wrote Stuxnet, I knew it! Bastard.

    1. Re:Kevin Mitnick : The Stuxnet References by Anonymous Coward · · Score: 0

      yet not a Anonymous Coward..yer a jerk.

  17. Beware of:My Clean PC by Anonymous Coward · · Score: 0

    some spammer is getting his wack off writing and spamming about My Clean PC.

    Google My Clean PC and u can see it's malware...it will rip you off cold.

    avoid it....

    can some admin here please delete the threads about My Clean PC!~~~

    except this one of course!

    1. Re:Beware of:My Clean PC by Anonymous Coward · · Score: 0

      Are you wearing a suit? Are you a frequent contributor? Are you a frequent contributor wearing a suit? If you can answer yes to all three questions, then this thread is clearly... oh sorry forget this one please. GNAA stinks out of the goatse ass.

  18. Re:Is the review done by bennett? by Anonymous Coward · · Score: 0

    she is the MyCleanPC spammer!

  19. My Clean PC is for clueless idiots! by Anonymous Coward · · Score: 0

    anyone who would be sooo stupid to install and use My Clean PC deserves all the malware it serves up.

    if u r that stoopid...u derserve My Clean PC !!

    tuff luv but thats wat it iz.

  20. How much fact vs speculation? by Anonymous Coward · · Score: 0

    Almost all the information on Stuxnet I ever saw was speculative and not based in fact. Does this book have verifiable facts, or does it just repeat the story that has been spun the past few years based on anonymous sources, scaremongering "cyber" experts, and reporters all quoting each other's stories?

  21. Stuxnut authors are our heroes! by Anonymous Coward · · Score: 0

    Iran is evil.

    to you who wrote the stuxnet. thank you.

    this just out about Iran:

    AP Interview: Nobel laureate Ebadi says human rights in Iran have not improved under Rouhani
    http://www.foxnews.com/world/2014/11/11/ap-interview-nobel-laureate-ebadi-says-human-rights-in-iran-have-not-improved/

    iran must be stopped!!

  22. Nobel prize for Stuxnet author please by Anonymous Coward · · Score: 0

    A Nobel prize for Stuxnet author please. i would like to nominate.

    iran is responsible for the deaths of many innocents, including many americans.

    Nobel laureate Ebadi says human rights in Iran have not improved - http://globalnews.ca/news/1666349/nobel-laureate-ebadi-says-human-rights-in-iran-have-not-improved/

    i wish I could hug the team who wrote the stuxnet.

    they are good people saving the lives of us in iran.