1/ BTW, the criticisms we techies have of Perlroth's zero-day book aren't with Perlroth but with the NYTimes-style reporting. NYTimes reporters don't understand the subject but nonetheless attempt to explain it, leading to mangled information and outright lies.
2/ For example, Dave Sanger has a book on nation state hacking "A Perfect Weapon". In a chapter titled "Man In The Middle", he describes the Snowden "MUSCULAR" revelation as:
3/ Um, no. This contradicts everyone else's reporting on MUSCULAR. This contradicts how Wikipedia describes the program. It contradicts how I, a techy, read the diagram. Nobody (of note) but Sanger thinks that arrow points to where the NSA is tapping things.
4/ The "SSL Added/Remove here :)" points to a "Google Front End" device, an SSL accelerator. It's not the NSA doing a "man-in-the-middle" as Sanger claims, but Google doing "SSL acceleration".
5/ A "MitM" is when SSL is added/removed on BOTH ends. "SSL acceleration" is when SSL is added/removed on ONE end, with unencrypted ("clear text") HTTP on the other end. It means passively tapping links anywhere on the other end allows you to spy on the "clear text".
6/ What everyone believes is that the NSA has tapped links between data centers ("DC" in the diagram). Passive eavesdropping isn't "man-in-the-middle". And it's between data-centers, not between internal servers and GFEs (though that's also possible) -- nowhere near GFEs.
7/ A few paragraphs later, Sanger gives the correct interpretation (that agrees with everyone else), that links are being tapped. Yet, in even later paragraphs, he continues to claim Google servers are hacked.
8/ It's a narrative that Sanger wants to tell; he twists the technical details to match the story. It's a belief that non-techies have, that if they don't understand the technical details, then whether they are true or false isn't important.
9/ But whether the NSA taps international links or hacks Google's servers is incredibly important. One is something we know they do (it's their job to eavesdrop), the other is something that probably violates the law (hacking American corporation servers).
10/ Anyway, in Perlroth's book, she got criticized for claiming (incorrectly) that NSA hacked Google's servers, instead of tapping their links. She probably got that from Sanger. It's an NYTimes problem, not a problem with a specific author.
11/ Note that Perlroth has said she'll correct this mistake in the next version of her book. But Sanger can't really correct his mistake -- "NSA hacked Google servers" and "MitM" is woven throughout the chapter, it's too big to fail/correct.
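The distinction drawn in 5/ and 6/ (SSL removed on one end with clear text behind it, versus a MitM that terminates crypto on both sides, versus a tap on an end-to-end encrypted link) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any of the parties it discusses. It uses a toy XOR stream cipher (SHA-256 counter keystream, no authentication) as a stand-in for TLS, a `Tap` object that only records bytes crossing a link, and a constructed HTTP request; the session keys and the link names are invented for illustration.

```python
"""Toy model of the topologies argued about above: where the crypto is
stripped determines what a PASSIVE tap on a link can read.

toy_encrypt/toy_decrypt are a SHA-256 counter keystream XOR. They stand in
for TLS purely to show the data flow; they are NOT a secure cipher.
"""
import hashlib
from typing import Dict, List, Tuple


def _keystream(key: bytes, n: int) -> bytes:
    """Deterministic keystream: SHA256(key || counter) blocks, truncated to n."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream (toy cipher, illustration only)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR keystream: decrypt is the same operation


class Tap:
    """Passive tap on one link: records every payload, alters nothing."""

    def __init__(self, link: str) -> None:
        self.link = link
        self.captured: List[bytes] = []

    def observe(self, payload: bytes) -> bytes:
        self.captured.append(payload)
        return payload


def ssl_acceleration(request: bytes, client_key: bytes, tap: Tap) -> bytes:
    """Client <-TLS-> GFE <-clear text-> DC.  SSL removed on ONE end only,
    so a passive tap on the GFE->DC (or DC<->DC) link reads clear text."""
    on_wire = toy_encrypt(client_key, request)   # client -> GFE, encrypted
    clear = toy_decrypt(client_key, on_wire)     # GFE: "SSL removed here"
    return tap.observe(clear)                    # backend link is tapped


def end_to_end(request: bytes, client_key: bytes, tap: Tap) -> bytes:
    """Client <-TLS-> DC with the tap on the link: it captures ciphertext."""
    on_wire = tap.observe(toy_encrypt(client_key, request))
    return toy_decrypt(client_key, on_wire)


def man_in_the_middle(request: bytes, client_key: bytes,
                      mitm_key: bytes, tap: Tap) -> bytes:
    """Interceptor terminates crypto on BOTH sides: it removes SSL toward the
    client and adds SSL again toward the server under its own session key.
    This is active (it holds two sessions), unlike the tap above."""
    client_leg = toy_encrypt(client_key, request)   # client -> interceptor
    clear = toy_decrypt(client_key, client_leg)     # SSL removed (side 1)
    tap.observe(clear)                              # interceptor reads it
    server_leg = toy_encrypt(mitm_key, clear)       # SSL added (side 2)
    return toy_decrypt(mitm_key, server_leg)        # server decrypts normally


# Constructed sample request; the cookie value is made up.
SAMPLE_REQUEST = b"GET /mail/ HTTP/1.1\r\nHost: example.invalid\r\nCookie: SID=constructed\r\n\r\n"


def run_scenarios(request: bytes = SAMPLE_REQUEST) -> Dict[str, Tuple[bool, bool]]:
    """For each topology return (server got the request, tap read the clear text)."""
    client_key, mitm_key = b"client-session-key", b"interceptor-session-key"
    results: Dict[str, Tuple[bool, bool]] = {}

    tap = Tap("GFE->DC link")
    results["acceleration"] = (ssl_acceleration(request, client_key, tap) == request,
                               tap.captured[0] == request)

    tap = Tap("client->DC link")
    results["end_to_end"] = (end_to_end(request, client_key, tap) == request,
                             tap.captured[0] == request)

    tap = Tap("interceptor")
    results["mitm"] = (man_in_the_middle(request, client_key, mitm_key, tap) == request,
                       tap.captured[0] == request)
    return results


if __name__ == "__main__":
    for topology, (delivered, exposed) in run_scenarios().items():
        print(f"{topology:13s} delivered={delivered} tap_reads_clear_text={exposed}")
```

In the acceleration case the tap is purely passive and still reads the request, which is the point of 5/ and 6/: nothing at the GFE has to be compromised for a link tap behind it to yield clear text. The MitM case also yields clear text, but only because the interceptor actively holds a second session; with real TLS that second session would require a certificate the client accepts, which is the observable difference a pinning client or a certificate log would catch. The toy shared-key cipher cannot show that certificate step, so it is stated here rather than modelled.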
Thread by Robᵉʳᵗ Graham😷, provocateur (@ErrataRob)