funsec mailing list archives

REVIEW: "Zero Day", Mark Russinovich


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Wed, 4 Jan 2012 20:47:45 -0800

BKZERDAY.RVW   20111109

"Zero Day", Mark Russinovich, 2011, 978-0-312-61246-7, U$24.99/C$28.99
%A Mark Russinovich www.zerodaythebook.com markrussinovich () hotmail com
%C   175 Fifth Ave., New York, NY   10010
%D   2011
%G   978-0-312-61246-7 0-312-61246-X
%I   St. Martin's Press/Thomas Dunne Books
%O   U$24.99/C$28.99 212-674-5151 fax 800-288-2131
%O   josephrinaldi () stmartins com christopherahearn () stmartins com
%O   http://www.amazon.com/exec/obidos/ASIN/031261246X/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/031261246X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/031261246X/robsladesin03-20
%O   http://www.amazon.com/gp/mpd/permalink/m3CQBX46DOK0AK/ref=ent_fb_link
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   328 p.
%T   "Zero Day"

Mark Russinovich has definitely made his name, in technical terms,
with Winternals and Sysinternals.  There is no question that he knows
the insides of computers.

What is less certain is whether he knows how to write about it within
the strictures of a work of fiction.  The descriptions of digital
forensics and computer operation in this work are just as confusing,
to the technically knowledgeable, as those we regularly deride from
technopeasant authors.  "[T]he first thing Jeff noted was that he
couldn't detect *any* data on the hard disk."  (Emphasis in the book.) 
Jeff then goes on to find some, and notes that there are "bits and
pieces of the original operating system."  Now there is a considerable
difference between not finding *any* data, and having a damaged
filesystem, and Russinovich knows this perfectly well.  Our man Jeff
is a digital forensics hacker of the first water, and wouldn't give a
fig if he couldn't see "the standard C: drive icon."

Generally, you would think that the reason a technically competent
person would write a novel about cyberwar would be in order to inject
a little reality into things.  Well, reality seems to be in short
supply in this book.

First of all, this is the classic geek daydream of being the ultimate
'leet hacker in the world.  The Lone Hacker.  Hiyo SysInfo, away!  He
has all the tools, and all the smarts, about all aspects of
technology.  Sorry, just not possible any more.  This lone hacker
image is unrealistic, and the more so because it is not necessary. 
There are established groups in the malware community (among others),
and these would be working together on a problem of this magnitude. 
(Interestingly, these are generally informal groups, not the
government/industry structures which the book both derides and relies
upon.)

Next, all the female geeks (and there are a lot) are "hot."  'Nuff
said.

The "big, bad, new" virus is another staple of the fictional realms
which does not exist in reality.  Viruses can be built to reproduce
rapidly.  In that case, they get noticed quickly.  Or, they may be
created to spread slowly and carefully, in which case they can take a
while to be detected, but they also take a long time to get into
place.

Anti-malware companies don't necessarily rely on honeypots (which are
usually there to collect information on actual intruders), but they do
have bait machines that sit and wait to be infected (by worms) or
emulate the activity of users who are willing to click on any link or
open any file (for viruses).  Malware can be designed to fail to
operate (or even delete itself) under certain conditions, and those
conditions could include certain indications of a test environment. 
However, the ability to actively avoid machines that might be
collecting malware samples would be akin to a form of digital mental
telepathy.

Rootkits, as described in the novel, are no different than the stealth
technology that viruses have been using for decades.  There are always
ways of detecting stealth, and rootkits, and, generally speaking, as
soon as you suspect that one might be in operation you start to have
ideas about how to find it.

A backup is a copy of data.  When it is restored, it is copied back
onto the computer, but there is no need for the backup copy to be
destroyed by that process.  Therefore, if a system-restored-from-
backup crashes, nothing is lost but time.  You still have the backup,
and can try again (this time with more care).  In fact, the first time
you have any indication that the system might be corrupted enough to
crash, you would probably try to recover the files with an alternate
operating system.  (But, yes, I can see how that might not occur to
someone who works for Microsoft.)  After all, the most important thing
you've got on your system is the data, and the data can usually be
read on any system, and with a wide variety of programs.  (Data files
from a SQL Server database could be retrieved not only with other SQL
programs, but with pretty much any relational database.)

Some aspects are realistic.  The precautions taken in communications,
with throwaway email addresses and out-of-band messaging, are the type
that would be used in those situations.  There is a lot of real
technology described in the book.  (Although I was slightly bemused by
the preference for CDs for data and file storage: that seems a bit
quaint now that everyone is using USB drives.)  The need, in this type
of work, for a level of focus that precludes all other distractions,
and the boredom of trying step after step and possibility after
possibility are real.  The neglect of security and the attendant false
confidence that one is immune to attack are all too real.  But in a
number of the technical areas the descriptions are careless enough to
be completely misleading to those not intimately familiar with the
technology and the information security field.  Which is just as bad
as not knowing what you are talking about in the first place.

Other forms of technology should have had a little research.  Yes,
flying an airliner across an ocean is boring.  That's why the software
designers behind the interface on said airliners have the computer
keep asking the pilots to check things: keeps the pilots from zoning
out.  I don't know how quickly you can "reboot" the full control
system in an airplane, but the last one I was on that did it took
about fifteen minutes to even get the lights back on.  I doubt that
would be fast enough to do (twice) in order to pull a plane out of a
dive.  And if you are in a high-G curve to try and keep the plane out
of the water, a sudden cessation of G-forces would mean that a) the
plane had stalled (again) (very unlikely), or b) the wings had come
off.  Neither of which would be a good thing.  (And, yes, the Spanair
computer that was tracking technical problems at the time was infected
with a virus, but, no, that had nothing to do with the crash.)

Russinovich's writing is much the same as that of many mid-level
thriller writers.  His plotting is OK, although the attempt to
heighten tension, towards the end, by having "one darn thing after
another" happen is a style that is overused, and isn't very compelling
in this instance.  On the down side, his characters are all pretty
much the same, and through much of the book the narrative flow is
extremely disjointed.

Overall, this is a reasonable, though unexceptional, thriller.  He was
fortunate in being able to get Bill Gates and Howard Schmidt to write
blurbs for it, but that still doesn't make it any more realistic than
the mass of cyberthrillers now coming on the market.

copyright, Robert M. Slade   2011     BKZERDAY.RVW   20111109


======================
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
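Editor's note appended to the archived review, not part of the book or of Rob Slade's text. The review's point about malware that "fails to operate (or even delete itself)" when it sees signs of a test environment is easier to reason about with the checks written out. The script below is an added example of that kind of passive environment fingerprinting, with the host facts constructed as dicts so it runs offline; the thresholds, the suspect-name list and the two sample profiles are assumptions chosen for illustration, not values from any real sandbox product. The vendor OUI prefixes are public IEEE registrations.

```python
"""Passive analysis-box fingerprinting: a sample decides whether the host
looks like a bait machine and, if so, stays dormant.

Added example (not from the book or the review).  Host facts are
constructed in-line so the script runs offline; on a live host they would
come from the OS (uuid.getnode(), os.cpu_count(), psutil, and so on)."""
from dataclasses import dataclass
from typing import List

# IEEE OUI prefixes registered to VMware, VirtualBox, Xen and Hyper-V NICs.
VM_MAC_OUIS = {"00:0c:29", "00:50:56", "00:05:69", "08:00:27", "00:16:3e", "00:15:5d"}
# Account and host names often left at defaults on analysis boxes (assumption).
SUSPECT_NAMES = {"sandbox", "malware", "virus", "analysis", "cuckoo", "sample"}


@dataclass(frozen=True)
class HostFacts:
    mac: str
    cpu_count: int
    ram_mib: int
    disk_gib: int
    uptime_s: int
    username: str
    hostname: str
    process_count: int
    recent_docs: int        # entries in the user's recent-documents list


def analysis_indicators(h: HostFacts) -> List[str]:
    """Return the tells that fired.  Each one alone is weak (plenty of real
    desktops are 2 GiB VMs), so the decision below needs several at once."""
    hits = []
    if h.mac.lower()[:8] in VM_MAC_OUIS:
        hits.append("nic-oui-virtual")
    if h.cpu_count < 2:
        hits.append("single-cpu")
    if h.ram_mib < 2048:
        hits.append("low-ram")
    if h.disk_gib < 60:
        hits.append("small-disk")
    if h.uptime_s < 600:
        hits.append("fresh-boot")        # a snapshot restored seconds ago
    if h.username.lower() in SUSPECT_NAMES or h.hostname.lower() in SUSPECT_NAMES:
        hits.append("suspect-name")
    if h.process_count < 40:
        hits.append("few-processes")
    if h.recent_docs == 0:
        hits.append("no-user-history")  # nobody has ever worked on this desktop
    return hits


def looks_like_analysis_box(h: HostFacts, threshold: int = 3) -> bool:
    """Threshold of three coinciding tells is an assumption for the example."""
    return len(analysis_indicators(h)) >= threshold


def decide(h: HostFacts) -> str:
    """What the sample does: stay quiet on a suspected bait machine,
    otherwise run its payload."""
    return "dormant" if looks_like_analysis_box(h) else "run-payload"


# Constructed profiles.  The first is a sandbox VM left at its defaults; the
# second is the same VM after the analyst dressed it up as a used workstation
# (spoofed MAC, more resources, a real-looking user with document history).
DEFAULT_SANDBOX = HostFacts("08:00:27:3a:1f:9c", 1, 1024, 40, 45,
                            "sandbox", "WIN7-ANALYSIS", 28, 0)
DRESSED_SANDBOX = HostFacts("3c:52:82:11:22:33", 4, 8192, 256, 86400 * 9,
                            "jmorris", "LAPTOP-JM", 95, 37)

if __name__ == "__main__":
    for label, host in (("default", DEFAULT_SANDBOX), ("dressed", DRESSED_SANDBOX)):
        print(label, decide(host), analysis_indicators(host))
```

Every check here is passive: the sample only reads local facts, which is exactly why it can be fooled. The analyst-side counter-measure is the "dressed" profile, and none of the tells is expensive to remove from a bait machine.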
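A second editor's note, again added here and not part of the book or the review. The review says that once you suspect a rootkit "you start to have ideas about how to find it"; the usual first idea is a cross-view diff, taking the same object list once through the interface a rootkit filters and once from a lower source, plus a look at the API entry point for the hook itself. The script is an added example of both checks; the process lists, the entry-point bytes and the addresses are constructed in-line so it runs offline, and the function name used in the usage call is only a placeholder.

```python
"""Cross-view rootkit detection plus an inline-hook check.

Added example (not from the book or the review).  The two enumerations and
the entry-point bytes are constructed; on a real host the low view would come
from below the suspected hook (brute-forcing PIDs, walking the raw volume, or
an offline image) and the bytes from the loaded DLL image in memory."""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def cross_view_diff(low_view: Iterable[int], api_view: Iterable[int]) -> Tuple[Set[int], Set[int]]:
    """Return (hidden, phantom).  hidden = present in the low view but
    filtered out of the API view; phantom = present in the API view only
    (a process that exited between the two snapshots, or a decoy)."""
    low, api = set(low_view), set(api_view)
    return low - api, api - low


# x86 Windows API functions historically begin with a hot-patchable prologue:
#   mov edi, edi ; push ebp ; mov ebp, esp   ->   8B FF 55 8B EC
STANDARD_PROLOGUE = bytes.fromhex("8bff558bec")


def inline_hook_target(entry_bytes: bytes, entry_address: int) -> Optional[int]:
    """If the entry point has been overwritten with a near jmp (E9 rel32),
    return the absolute address it diverts to; otherwise None."""
    if len(entry_bytes) >= 5 and entry_bytes[0] == 0xE9:
        rel = int.from_bytes(entry_bytes[1:5], "little", signed=True)
        return (entry_address + 5 + rel) & 0xFFFFFFFF
    return None


def audit(low_view: Iterable[int], api_view: Iterable[int],
          entry_points: Dict[str, Tuple[int, bytes]]) -> List[str]:
    """Combine both checks into a list of findings."""
    findings = []
    hidden, phantom = cross_view_diff(low_view, api_view)
    for pid in sorted(hidden):
        findings.append(f"hidden process pid={pid}")
    for pid in sorted(phantom):
        findings.append(f"phantom process pid={pid}")
    for name, (addr, code) in entry_points.items():
        target = inline_hook_target(code, addr)
        if target is not None:
            findings.append(f"inline hook on {name} -> {target:#010x}")
        elif not code.startswith(STANDARD_PROLOGUE):
            findings.append(f"unexpected prologue on {name}: {code[:5].hex()}")
    return findings


# Constructed views.  PID 1337 is the rootkit's helper process: the filtered
# (API) enumeration omits it, the raw enumeration does not.
API_PROCESS_LIST = [4, 372, 560, 624, 1204, 2048]
RAW_PROCESS_LIST = [4, 372, 560, 624, 1204, 1337, 2048]

# Constructed entry-point bytes for a function mapped at 0x77E41000.
ENTRY_ADDR = 0x77E41000
CLEAN_ENTRY = bytes.fromhex("8bff558bec83ec10")
# Same bytes after the rootkit patched a jmp to its filter at 0x10001230
# over the first five bytes; the tail of the original code survives.
HOOK_TARGET = 0x10001230
_rel = (HOOK_TARGET - (ENTRY_ADDR + 5)) & 0xFFFFFFFF
HOOKED_ENTRY = b"\xe9" + _rel.to_bytes(4, "little") + bytes.fromhex("83ec10")

if __name__ == "__main__":
    # "EnumProcessesPlaceholder" is a placeholder name, not a real export.
    for line in audit(RAW_PROCESS_LIST, API_PROCESS_LIST,
                      {"EnumProcessesPlaceholder": (ENTRY_ADDR, HOOKED_ENTRY)}):
        print(line)
```

The diff only proves something if the low view really is taken from below the hook; a kernel-resident rootkit that filters the lowest enumeration path defeats it, which is why the next idea is to take the low view from an offline disk image or from another machine entirely.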