BKCBRTER.RVW   20050929

"CyberTerror", R. J. Pineiro, 2003, 0-765-34304-5
%A   R. J. Pineiro author@rjpineiro.com
%C   175 Fifth Avenue, New York, NY 10010
%D   2003
%G   0-765-34304-5
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O   http://www.amazon.com/exec/obidos/ASIN/0765343045/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0765343045/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765343045/robsladesin03-20
%O   Audience n- Tech 0 Writing 1 (see revfaq.htm for explanation)
%P   493 p.
%T   "CyberTerror"

Now, those who follow this series will know that, in my opinion, most of the hype over cyberterrorism is a) overblown, and b) looking at the wrong things anyway. However, this book goes beyond the norm. It reminds me of that old joke about the difference between a used car salesman and a computer salesman being that the used car salesman knows when he is lying to you.

All right, let's look at what he got right. Yes, computers do control a lot of "infrastructure." Yes, the worst disasters are when there are multiple (and usually cascading) failures in both control and safety systems. Yes, developers, maintainers, and even service people do leave trapdoors in systems. And, yes again, if you were going to perform terrorist acts, it would be best to target a number of interrelated systems.

Now, before we look at the technical problems, a few practical ones. The advantage of cyberterrorism is said to be that you can, from the comfort of your own (remote and safe) hacienda, blow up your enemy's city with a few keystrokes. The terrorists in this book must be pretty unskilled, because they seem to need money, traitors, advance information, bomb materials--in short, everything that any other terrorists need when they are doing noncyberterrorism. (The characters aren't terribly consistent: for example, we have one Middle Eastern terrorist who reverts to Hispanic at moments of stress.)

As for the technology, it isn't good. We have the usual movie-script-oriented virtual reality interface, completely ignoring the realities of internal computer operations, and the fact that providing complicated forensic information via a simple graphical interface would be a very difficult task indeed. (Oh, and we also have the famous, mythical "digital-pulse-bomb-that-gets-from-the-computer-into-your-head-and-gives-you-a-stroke" program.) Pineiro contradicts himself, telling us that there is a virus, then that there is no evidence of a virus (the mythical "undetectable" virus: a virus *always* changes *something*), and then that there is a virus. (The author never defines what a virus is, which, given how much else he gets wrong, is probably a good thing. Supposedly a virus can be used as traceroute, a RAT, a trojan, or anything you want.) While it was a big deal fifteen years ago, a T1 carrier is hardly high-speed anymore, particularly between related companies. As a devotee of software forensics, I approve of the fact that characteristics of a computer system can be used to gain information about the user, but I hardly think it boils down to a choice of pink defensive software for girls and blue for boys.

Pineiro does not seem to know the difference between computer hardware and computer software. (We have, of course, already seen that computer software can generate sufficient power to fry circuitry, and even people.) Programs (some of which can be as small as two bytes long) communicate via certain frequencies, like radio signals. When you stop the system clock, somehow memory locations begin to lose charge. (No, I don't think he is referring to the fact that DRAM needs to refresh every millisecond or so.) The author also doesn't seem to realize that, regardless of what language was used to write the original program, most software in production systems tends to be object code. (He also seems to think that you can stop the system clock and thus halt programs originally written in Ada, but leave programs originally written in C still running.)

With their magical virtual reality interface, the blackhats never seem to need to know what system they are attacking. It's got some UNIX-like characteristics, but that blue screen just has to be Windows. Which is too bad, given that most embedded systems tend to be specialized hardware, and not subject to any off-the-shelf malware. (As of the mid-90s, most nuclear power plants still used PDPs, keeping at least one plant running turning out replacement parts for them.)

Pineiro also displays his ignorance of artificial intelligence. Despite his "neural-like" type of expert system program that amalgamates all known AI techniques, a neural net is one approach to AI, while an expert system is quite a different one. Not all AI systems are capable of learning: in fact, it's quite a feat to put learning capability into a package. (And I love the "Turing Society": I'm sure that those in Turing's home country of Britain would be thrilled to have the US defence department deciding who can, and can't, mess around with their AI programs. The implication of the Society is rather Frankensteinish, although Hans Moravec, in "Robot: Mere Machine to Transcendent Mind" [cf. BKRBTMMT.RVW], would probably agree with the possibility of AI taking over, if not the necessity of inhibiting it.)

Cyberterrorism is certainly possible, and a lot of systems should be protected more rigorously than they are at present. However, this book provides no feeling for the realities of cyberterrorism--or anything else, for that matter.

copyright Robert M. Slade, 2005   BKCBRTER.RVW   20050929