Book review: Counting From Zero

I might be a masochist, I don’t know. Certainly I didn’t find it enjoyable to read this book, but at least I got to the end of it, unlike the previous one which I also found difficult to digest.

The book, Counting from Zero by Alan B. Johnson, is one of the worst books I’ve read in a while, to be entirely honest. It’s another cyber-thriller, if we want to use this name, akin to Russinovich’s Zero Day (review) and Trojan Horse (review) which I read last year and found… not so thrilling — but in comparison, they are masterpieces.

So the authors in both Russinovich’s and Johnson’s cases are actually IT professionals; the former author works at Microsoft, the latter has been co-author of the ZRTP protocol for encrypting audio/video conversations. Those who had to deal with that and Zfone before are probably already facepalming. While Russinovich’s world is made up of nuclear plants running Windows on their control systems, and connecting them to the Internet, Johnson’s is a world that is… possibly more messed up.

Let’s start with what I found obnoxious almost immediately: the affectations. The cover of the book already shows a Ø sign — while I’m not a typographer, and I didn’t feel like asking one of my many friends who are, it looks like a bold Bodoni or something similar. It’s not referring to the Scandinavian letter though, and that’s the sad news. In the whole text, the character zero (0) has been replaced with this (wrong) character. For a person who can get angry when he has to replace ò with o for broken systems to accept his name, this is irksome enough. The reasoning for this is declared in the second half of the book as all programmers write it this way to not mistake it for an ‘o’ vowel — bad news for the guy, I don’t know people who do that consistently.

Even if I’m writing a password where the letters and numbers can be mistaken – which is not common, as I usually use one or the other – my preferred note for zeros is a dot at the center. Why a dot and not the slash that the author likes so much? It’s to not confuse it with the many similar symbols, some of which are actually used in mathematics, where the zeros are common (and this is indeed something that my math teacher in high school convinced me of). Furthermore – as Wikipedia notes – the slashed zero’s slash does not go over the circle, for the same reason as me using the dot: it would be too easy to mistake for an empty set, or a diameter sign.

Once, the use of this fake slashed zero is cute, done as a sed replacement all over the book? Bleah.

It’s not the only affectation though; another one is that chapters have been numbered … in hexadecimal. And before somebody asks, no, it was not 0x-prefixed, which would probably have made more sense. And finally, there are emails quoted in almost every chapter, and they have a “PGP” block at the end for the signature (even though it is implied that they are actually encrypted, and not just signed). I’m pretty sure that there is some meaning behind those blocks but I can’t be bothered searching. There are also a bunch of places where words are underlined as if they were hyperlinks — if they were, they were lost in translation on the Kindle Paperwhite (which I bought last week after breaking my Keyboard), as they are not clickable.

Stylistically, the book stinks. I’m sorry, I know it’s not very polite to criticize something this harshly, but it really does. It reads like something I was trying to write in middle school: infodumps a-plenty – not only in computer stuff but even on motorbike details – and not in a long-winded, descriptive, “look how cool” kind of way, just in a paragraph of dumping info on the reader, most of which is really not important to the story – action driven, and repeating the subject, the protagonist’s name, every line – Mick did this. Mick did that. Mick went somewhere – and in general very few descriptions of environments, people, or anything at all.

But, style is an acquired skill. I didn’t like the first Harry Potter book, and I enjoyed the later ones. In Russinovich’s case, the style issues on the first book were solved on the second (even though the story went from so-so to bad). So let’s look into the story instead. It’s something already seen: unknowns find zero-days, you got the self-employed wizkid who gets to find a fix, and save the world. With nothing new to add there, two things remain to save a book: characters and, since this is a cyberthriller, a realistic approach to computers.

These should actually be the strong points of the book, going by the Praise between ToC and Prologue — Vint Cerf describes it as “credible and believable”, while Phil Zimmerman calls it a “believable cast of characters”. It sets the expectation high.

The main protagonist is your stereotypical nerd’s wet dream: young self-employed professional, full of money, with a crew of friends, flying around the world. This might actually be something Johnson feels he is himself, given that his biography on both the book and Amazon points out that he’s a “Million Miler” with American Airlines. Honestly, I don’t dream of travelling that much — but you all know how I hate flying. Not only is he a perfect security expert and bike rider, he’s also a terrific mechanic, a sailor, and so many more things. His only defect in the whole book? He only speaks English. I’m not kidding you, he doesn’t go as far as shouting at a woman in the whole book! Have you ever met a guy like that in a security or FLOSS conference? I certainly haven’t, including myself. Seriously, no defects… sigh… I like characters when they have defects because they need to compensate to become lovable.

Scratch the protagonist then. Given the continuous turmoil in the IT scene about sexism and the limited showcase of women in a positive light, you’d expect that somebody writing about IT might want to tip the scale a little bit in their favor — or at least that’s what I would do, and what I’d like to see. How many female characters are there in the book? The protagonist’s sister, and his niece, her daughter; the protagonist’s “on-again, off-again”, a new woman joining the crew at the beginning of the book, and … spoiler … a one-off, one-chapter hacker that falls for one of the oldest tricks in the book (after being said to be brilliant — even though her solutions are said not to be elegant).

The on-and-off, who’s supposed to be one of the crew of security experts, is neither seen, nor said, doing anything useful at all in the story, besides helping out in the second chapter crisis where the protagonist and his friends save a conference by super-humanly cloning a whole battery of servers and routers in a few hours from scratch, dissect a zero-day vulnerability on a web server, fix it, and do an “anonymous commit” (whatever the heck that should be!). Did you say “stereotype!”, expecting the protagonist to be madly in love with his long-time friend? No, worse, she’s the one who wants him, but he’s just not there.

The newly-joining gal? Works for a company that would have otherwise been badmouthed at the conference, and has a completely platonic relationship with the protagonist all over the book. Her only task is to “push papers” from the protagonist to her company’s techs — Daryl from Russinovich’s books is more proactive, and if you read them, you know that’s a hard record to beat.

Family-wise … parents are dead, sister is married with child. Said child, even if coming up many times during the book, is almost always called “Sam” — a play with a tomboyish girl? I’d say more like an interchangeable character, as it could easily have been a boy instead of a girl, for what the book’s concerned. The sister is, by the way, a librarian — this is only noted once, and the reason is to do yet another infodump on RFID.

If you want to know the kind of dump of infodumps this book is, the author goes out on a limb to comment about “obsolete” units of measure, including an explanation of what the nautical knots are modeled after, explains the origins of “reboot”, the meaning of “order of magnitude”, rants about credit card companies “collecting databases of purchasing habits and data”, the fact that you use dig to run a “DNS trace”, the fact that Tube is the “unofficial name for London’s underground railway” (unofficial? TFL calls it Tube!), the fact that there is a congestion charge in London, the fact that Škoda is a Czech brand, and what the acronym RAM stands for!

If anything, the rest of the “crew” does even less than all these people, all the work is done by the protagonist… even though all the important pieces are given to him by others! Sigh.

Before closing the review (that you can guess is not positive at this point), let’s look at the tech side. Given the author is a colleague, and given the kind of praises coming from other people “in the scene”, you’d expect a very realistic approach, wouldn’t you? Well, the kind of paranoia that the protagonist is subject to (not accepting un-encrypted email, phone calls or video) is known to be rampant, although I found that this is often more common among wannabes than actual professionals.

But (and I did take notes, thanks to the Kindle), even accepting that in the fury of disconnecting a possibly infected or to-be-infected network from the Internet you can identify in a nanosecond which are the (multiple) cables to the Internet and at the same time damage them (without even damaging the connectors)… since when do you need a “makeshift soldering iron to repair the broken Ethernet connector”? If it was equipment-side, a soldering iron is not going to be enough; if it was the cable… WTF are you using a soldering iron for?!

Ah! At some point the protagonist is given by “an uncle in Australia” some “magnetic GPS trackers” to use against the bad guys. How the uncle could have guessed that he needed them is already a good question. The fact that the ones used toward the end are of no use at all is something I don’t want to spend time on. My question is going to be: do you call realistic a throwable magnetic bug that receives GPS signal on the underside of a car *and can be traced by a cellphone in real-time*?

Oh and of course, this is the world-famous, filthy-rich security expert who only has one password for every service and changes it every week. If somebody thinks this is a good idea, let me remind you that this extends the surface on which you’re vulnerable to MITM or sniffing attacks in an incredible way! And they even steal his private key, not once, but twice! It seems like he knows everything about PGP and encryption but not about the existence of SmartCards.

Even though the guy has an impressive collection of SIM cards and mobile phones that work all over the world, including in the middle of the Atlantic ocean. And when he buys a new phone, he can just download and compile the operating system. And we have to fight to get Android sources for our phones…

Okay the review is getting longer than I expected, so I’ll just note down that the guy “performed a disk wipe on the solid state storage” — and yes he’s referring to the 37-or-however-much-that-was wiping that was debunked by the paper’s author, as most people misinterpreted it altogether. And that is completely irrelevant to solid state storage (and most modern non-solid state storage as well!). Oh and he doesn’t buy off-the-shelf systems because they could have keyloggers or malware in them, but trusts computer parts bought at the first store he finds on his phone.

Of course he can find components for a laptop in a store, and just fit it in his custom CNC case without an issue. He can also fit a state-of-the-art days-long battery that he was given earlier, without a charger design! Brilliant, just brilliant. Nothing for a guy who “did a mental calculation of how much lighter it would be in a titanium case… and how much more expensive”. I don’t even know the current price of dollars, he can calculate the weight difference and price of a titanium case in his mind.

Last pieces before the bombshell: the guy ends up in the TSA’s No-fly List; they actually spell the full TSA name. Then he’s worried he can’t take a plane from London to Kiev. Message for somebody who spent too much time in the USA even though he’s Australian (the author): TSA’s competence stops at the US border! And, even in the situation where somebody left their passport in the side pocket of somebody else’s carry on bag (so fortunate, deus ex machina knows no borders!), you don’t have to find the same glasses he had on the photo… they let you change glasses from time to time. And if you do have to find them you don’t need to find real glasses, if they give you headaches.

Sorry, I know, these are nitpicks — there is much more in the book though. These are just the ones that had me wondering out loud why I was still reading the book. But the bombshell I referred above is the following dialogue line:

“Sir, he uses ZRTP encryption for all his calls, and strong encryption on all his messaging. We know who he communicates with but we haven’t been able to break any yet…”

Thanks, Randall! XKCD #538

I know the guy is a co-author of ZRTP. But…

Book Review: Trojan Horse

Last month I reviewed Zero Day; this month I’m reviewing the sequel, still from Mark Russinovich … and you’ll soon notice I’m quite disappointed. The first book had a number of negative sides, but it was acceptable if you think of it as “the first book of an author” — this book, I find it worse than the first one, which makes it even worse considering it’s not the first one! Once again spoilers might follow, especially for the book before this! Actually, there aren’t many spoilers, especially if you read the first one and you’re expecting nothing exceedingly new from this.

So first the good news: no textspeak this time! Yay! Too bad it wasn’t written this way from the start, but okay. Also this time the author admits that there are other platforms besides Windows, repeatedly name-checking (a vulnerability in) Android. That’s about it for good news. The bad characterization of characters and stereotypes is more or less the same, although he seems to have added the straw dissident to please the critics. That’s not how it works. Especially because said dissident and his brother (again) meet in a tent (again) in the desert. Are you kidding me?

It goes especially into head-scratch territory when he repeats again that Muslims have to be terrorists, and that it’s unlikely for an Iranian to be one if he’s not practising, or when he notes that “Armenians were Christians, hardly likely to be terrorists”. Somebody has got to make Russinovich read about the IRAs just so he stops giving this kind of stereotype continuity. At least this time the damsel in distress is a bit less useless, but still she is in distress (more so than Rapunzel in Tangled, to give you an idea).

But that’s not the worst problem this time; now the problem is that for somebody that is in our line of business, or who has at least half a clue about technology, the WTF count is quite high. I have for the first time used Kindle’s note-taking options thoroughly through the book to be able to point out some of these because they are extremely bothersome even for a not-so-picky reader like me.

First problem: repetitions. In TV-series and made-for-TV movies, it’s extremely common for plot points to be repeated over and over ad nauseam; this is by design: before Netflix, Hulu, Amazon Prime and so on, most people tuned in in the middle of an episode and they might not have had any clue about what was going on before. In a book, this doesn’t make the same amount of sense — it makes sense if backstories and backgrounds are repeated from previous books, but once per book is enough. Going on for the first quarter of the book about how the protagonist foiled a terrorist plot in the book before doesn’t help, nor does repeating the fact that the “air gap” has been breached thanks to “an Android vulnerability”.

On a smaller scale, the first 50 pages of the book repeat “Al Qaeda” at least a dozen times. And on a stylistic note instead, he keeps using “all but *something*” forms in the book, even in words of people who shouldn’t be speaking English to begin with — you can accept the “autotranslation”, but that kind of form is hard to use for a non-native speaker to begin with, and at least for Latin-based languages it’s extremely hard to translate.

Speaking about foreign languages, I guess Italian is not high in Russinovich’s knowledge; he puts one of the characters within a (as far as I can tell) fictional organization which would be the “Iranian Democratic Front” based in Italy, but he gives it a Spanish name (“Frente Democrático Iraniano”). Interestingly enough it was almost correct, as the Italian name in that case should have been “Fronte Democratico Iraniano”. Oh well, I guess geography or foreign languages are his best subjects.

Then there are some cringeworthy but still possible references all over the place, like a couple of places where auto-capitalisation probably burnt the author and nobody caught it before, such as “the Intel sat” (as in satellite). That’s okay, it can happen. There’s also a note about being able to “search the Internet” on board an intercontinental flight (I know some airlines have that in business class, but is that an “in your face, I’m actually flying business class”, or simply a missed point?), or the fact that the Swiss-Italian border control scans all incoming passports for images, “making a copy of the page” (it’s possible but I find that extremely unlikely…).

But the big WTFs come up in many places as well:

  • in Russinovich’s fantasy land, mIRC is “an encrypted chatting program” (verbatim, I swear, I’m not making this shit up!), used by the DOD, although “modified [the code] to require both public and private key codes between parties” — now if you’ve not spent time on Windows in the past … 20 years or so, mIRC is an IRC client that was very common at one time… the author of which, while British, happens to be of Palestinian and Syrian origins; while I’m not putting all people of middle-eastern origin in the same category as the book’s author, I find it extremely difficult for the US DoD to get the sources of, modify and use a client written by a non-American author, especially for secure communication!
  • oh, by the way, nice way to feel secure: “Digital signatures could not be altered. Period.” (verbatim quote); yes, because attacks on digital signatures are unheard of, right? I can understand that you can strongly trust a strong digital signature, but a stupid blanket statement like that is more trouble than it’s worth!
  • somehow, while Windows and Android are named clearly and accurately, in the parallel universe of the book, Microsoft merged Office and Works in “Microsoft OfficeWorks”; you could have called this a “bland name”, if it wasn’t insisting on the name OfficeWorks so many frigging times over the first half of the book. Was it a problem with actually giving in at the chance that the vulnerability might have been in Microsoft Office itself? If yes, why does he still say it out loud for Android, instead of having the vulnerability in the Robotic cellphone OS?
  • also for whatever reason instead of “software”, “malware”, “source code” … his (expert) characters are expecting “cyber code” to appear. What?
  • two cellphone models are called by name in the book, both of them from HTC: the Hero and the Galaxy — you probably never heard of the latter because it’s a very old (2005ish) Windows Mobile 5.0-based phone; for whatever reason this not really noteworthy device (it doesn’t even have a page on Wikipedia!) is the preferred one of the (again, expert!) protagonist. The other one, which tended to be fairly unlocked, in their European GSM format, when not tied to a specific operator, in this universe needs to be “jail-broken” to be able to “acquire any apps [..] from anywhere”… what? On Android it’s just a matter of changing one parameter, you know…
  • at least it seems like, in that world, libav’s TDD (Troll-Driven Development) has taken hold, as (once again the protagonist) “trolls the websites” when looking for a new car to buy…

There are a few more minor WTFs in my list but now that I listed the major ones, the others seem like chump change, so I won’t bother.

So at the end of the review, I’d say that this second book is less interesting, more boring, and way less suitable for a technical audience. The ongoing “fight” is a very insipid spy-vs-spy idea, there are “cuts” to CIA offices where nothing happens of substance, and all in all it’s not that thrilling. Save your money, it’s way not worth it.

Edit: but if it wasn’t clear, I am going to buy an eventual third book, hopeful that third time’s a charm. Russinovich knows how to write, he just needs to find a better balance between technicalities and technofantasy.

Book Review: Zero Day

Zero Day has been an interesting read. First of all, this is by yet another computer guy turned author (Patricia Cornwell and Jim Butcher being two more) — the guy works for Microsoft, of all companies! And honestly, it shows. While the book is not written badly at all, it paints an even worse world than reality is, by having everything based off Windows, including very critical systems…

So how do you categorize this book? I guess you have to call it cyberthriller, although it has very little cyber in it; it takes place in present time, in a not-so-improbable situation if, as I said above, Windows is the only possible operating system out there. You can easily guess from the title and blurb that this relates to a computer virus infection that goes on to do damage, which is something that other books try to warn us about. As you’re reading my blog, I expect you to know better than to think that Windows is the only operating system out there and that it’s suitable, for example, for avionics.

So while the story is interesting, it has quite a few pitfalls. The first thing I’d complain about is that the author abuses textspeak! I can sort-of understand (but not really accept happily) the stereotypical textspeak among “crackers” and wannabes, but even among high-level IT professionals? Really?! And the same professional who has to be told what l33t5p34k is?!? Honestly it’s painful to have to read through a page filled with textspeak, and it’s almost as painful to find that the author still thinks that people speak over ICQ … that’s so ‘98 (and for those who think 1998 isn’t far away enough, it’s 14 years ago… where were you at the time?).

But, spoiler alert!

Spoiler follows.

Okay you’ve been warned.

The worst problem with the book, though, is the bad stereotypes embedded into its story. The girls in the IT world who’re not up to the job and need to call the main hero for help … one of which is actually said to sleep with her boss to move up with her career (while I can think of a few people who have been doing that, which makes it realistic enough, do you really want to spend half a book with such a character, especially given the kind of social turmoil the IT world is in, in the past few years?)… The Russians who can’t stay on the right side of the law for more than a couple of pages… The evil Muslim extremists who seek nothing but the destruction of the West, …

Before somebody takes offense about my words, I’ll be quick to point out that I’m an atheist and I don’t really care whether you believe in something or not, and even less I care about what you believe. So please.

Will I read the next book – Trojan Horse? Almost certainly yes. I’ve learnt never to judge a whole series from the first book, especially for new authors. But honestly the book I’ll wait for will come out in November, not September, and it’s the new Dresden Files book, Cold Days… which happens to be out the day before my birthday — I’ll go the extra step and pay the full price for the Kindle edition, I don’t want to wait!