Perlroth, Terminology, and Hyperbole

I finished reading “This Is How They Tell Me The World Ends” by Nicole Perlroth a few weeks ago but haven’t had time to write this blog, and likely another, based on specific aspects of the book. I have written two blogs on topics covered in the book after reading it already, but both were written before completing the book.

Overall the book was an enjoyable read. It is clear that Perlroth covers the topic of zero-day exploits and the exploit market very well, based on a lot of research and interviews with key players. The book exposed some things that were new to me so I enjoyed some chapters very much. The book also gave me a sizable list of items to do further research on including several ideas for FOIA requests. Finally, I think the epilogue was especially well done and would serve as a great ~ 20 page primer on the topic and where the world is going in the realm of exploits and hacking campaigns. If you are interested in the topic I do recommend this book.

That said, this blog is about one issue I have with the content. Starting in the prologue and continuing throughout several chapters of the book, Perlroth uses language that is arguably one step past hyperbole, seemingly crossing the definition of “intensifier” and falling squarely into “extreme exaggeration”. This has been a problem for over twenty-five years in Information Security with one of our worst being “Cyber Pearl Harbor”, which is also used in this book. While such terms are dramatic and hook a reader they are counter-productive as they unfairly explain or refer to concepts that are not as serious or damaging as the terms used.

Equating two unrelated terms to explain one concept to an audience not familiar with it is common enough, and we all do it. But consider the definition of an analogy which is “a comparison of two otherwise unlike things based on resemblance of a particular aspect”. The key, I believe, is “resemblance of a particular aspect” which can really be interpreted differently. If I compare a rocket to an automobile to make a comparison about travel because they both can move and transport people, does that count? Sure, but it sucks as an analogy and doesn’t make the point very well. When that gets taken to an extreme, you have a logical fallacy known as a false analogy.

To me, that is where analogies or descriptions like “a Cyber Pearl Harbor” fall. Until a computer intrusion can routinely sink ships, destroy aircraft, kill over 2,300, and wound over 1,100 people in just over an hour, I don’t think that is an appropriate term to use. If such an event happens once, perhaps calling it “the Cyber Pearl Harbor” would be acceptable. Further, what part of the attack on Pearl Harbor resembles a computer attack? Until that can be answered, journalists and security professionals should endeavor to use more grounded analogies that can explain a concept without embellishing or incorrectly comparing something in the virtual computer domain to a kinetic real-world item or event. While Perlroth’s first use of this term was quoting “security experts”, she had the opportunity to temper that with a caveat or explanation, but did not.

Even calling exploits a “weapon” begins to push that boundary as most people think of a kinetic weapon like a knife or gun that has wounded or killed millions in the last 100 years. With that, here is a sampling of some of the analogies and terminology Perlroth used throughout her book to illustrate the problem. What is perhaps most unfortunate about this is that the book is well-written and did not need to do this to make it interesting. To me, it was actually a detraction and did not add to the topic.

  • xvi: Russian hackers made a blood sport of hacking anyone…
  • xvi: For five long years, they shelled Ukrainians with thousands of cyberattacks a day…
  • xviii: The very same Russian hackers that had been laying trapdoors and virtual explosives
  • xxi: .. is what happened when the NSA’s most powerful cyberweapons got into our adversary’s hands. So in March 2019 I went to Ukraine to survey the ruins for myself.
  • xxvi: If Snowden leaked the PowerPoint bullet points, the Shadow Brokers handed our enemies the actual bullets: the code
  • p8: In the process, “zero-day exploits” became the blood diamonds of the security trade.
  • p257: They were here to recruit, perhaps, or broker the latest and greatest in Argentine spy code.
  • p294: Russian hackers had been shelling Ukraine’s computer networks with cyberattacks, and the timing was ominous.
  • p295: And like those attacks, the KillDisk had a ticking time bomb.
  • p324: But nation-states could just as easily bolt digital bombs and data wipers onto the tools, detonate data, and take America’s government agencies, corporations, and critical infrastructure offline.
  • p334: Across the world, people started ripping their computers out of the wall.
  • p348: Nobody had even bothered to tell the mayor that the virus hitting his city had been traveling on a digital missile built by the nation’s premier intelligence agency.
  • p349: One assailant locked up its systems with ransomware; another detonated EternalBlue to steal data.
  • p381: It was Nakasone who played a critical role in leading Nitro Zeus, the U.S. operation to plant land mines in Iran’s grid.
  • p383: They – the hackers, the officials, the Ukrainians, the voices in the wilderness – had always warned me that a cyber-enabled cataclysmic boom would take us down.

One thing to note is that on rare occasion, Perlroth did temper such wording. One example can be found on page 49 where she says “Again, these weren’t weapons. They were gaping security holes that could be exploited to break into hardware and software, and the American taxpayer was being asked to bankroll the entire supply chain.” Unfortunately, this comes after several lines in the bullet points above and many more like it.

Similarly to using exaggerated terms for exploits and digital attacks, Perlroth does the same when describing hackers. While describing a complex world of zero-day exploits, brokering them, and the impact they can cause, she falls back on tired clichés to describe the people using these exploits. Here are a few examples:

  • xix: .. simply beyond that of any four-hundred-pound hacker working from his bed.
  • p22: .. he did not resemble the emaciated hackers and former intelligence types glued to their computer screens
  • p23: .. a little colorful for men who wore black T-shirts and preferred to work in windowless dungeons.
  • p23: .. their diet subsisted of sandwiches and Red Bull.
  • p28: Vendors didn’t want to deal with basement dwellers
  • p28: … pimply thirteen-year-olds in their parents’ basements
  • p28: … ponytailed coders from the web’s underbelly
  • p30: Hackers who barely made it out of their basements would get hammered…

If I used hyperbolic clichés to describe Nicole Perlroth, a New York Times reporter, I wonder how many journalists I would offend?

May 2021 Reviews

[A summary of my movie and TV reviews from last month, posted to, mixed in with other reviews.]

Without Remorse (2021)
Medium: Movie (Amazon)
Rating: 1/5 .. and without value
Reference(s): IMDB Listing || Trailer
After two months of teasing and waiting, this film was a huge letdown. It seems like it was more of a collection of what Clancy thought were cool scenes strung together, with this boring plot that is based on insipid unrealistic assumptions. This movie also had no actual military consultants on it, or their input was ignored, as various aspects of this SEAL team were absurd and made no sense. I sat through a long overly drawn out scene waiting for it to finish so we could get to the finale, only to realize that was the finale. Round it out with plot holes, serious continuity problems, flat acting, and just an underwhelming everything. This movie is without remorse, without value, and full of regret.

Voyagers (2021)
Medium: Movie (Multiple)
Rating: 1/5 boldly going where everyone has been
Reference(s): IMDB Listing || Trailer
Lord of the Flies. That’s really all you need for this one. If you want a spoiler of sorts; there’s no surprise ending either, the movie really is that simple.

Kodachrome (2017)
Medium: Movie (Netflix)
Rating: 4.5 / 5 the film developed nicely
Reference(s): IMDB Listing || Trailer
I went into this movie thinking “a different take on As Good As It Gets”, with three people in a car and one of them is a jaded asshole. I left the movie really appreciating how different it was, despite sharing that premise. The great cast certainly helps with that, but the pace, music, and scenery bring it all together. Based on a true story, and knowing exactly how this movie will progress and end even without reading it, the time is worth it to experience the tension between Ed Woods and Jason Sudeikis and see the resolution, no matter how predictable. In short, it’s worth the drive.

Vanquish (2021)
Medium: Movie (Multiple)
Rating: 2.5/5 Languish is more appropriate
Reference(s): IMDB Listing || Trailer
Halfway through the movie I had a revelation, that this was a John Woo flick, but it had been upgraded from the usual doves to sea gulls. A movie promising action that basically had a couple pedestrian chases, some gunplay, and attempts to cut serenity with the drama… but directed by George Gallo. With Ruby Rose and Morgan Freeman, you would expect this movie to bring some excitement. Unfortunately, both actors just fell short of the depth and range we’ve seen before. Rose as a badass forced back into her previous life, Freeman as a retired cop living in a 10 million dollar home but not arousing any suspicion, a series of tasks that offered little variety and an ending that was predictable. Potential was squandered, but at least we had a scene with birds.

The Marksman (2021)
Medium: Movie (Multiple)
Rating: 1/5 … it missed the mark, obviously
Reference(s): IMDB Listing || Trailer
Entirely predictable from the first five minutes, down to specific scenes an hour later. Bad writing means they have to spell out every bit of foreshadowing to the point of being insulting. The few places it isn’t obvious you are just left with a simple guess if it is Cliche1 or Cliche2. All of the acting is flat and pedestrian, including Neeson. I’d write more but really, you’ve probably seen the film in different iterations over Neeson’s career so I bet you can imagine what this one was like. Oh the plot? Who cares.

Mortal Kombat (2021)
Medium: Movie (HBO Max)
Rating: 1/5 get away from me
Reference(s): IMDB Listing || Trailer
On the off chance you didn’t realize, this movie is a remake of the 1995 movie which is an adaptation of a video game, made in 1992. The movie is a shallow absurd plot, because it is based on a video game without a plot, just updated with 2021 CGI. Even then the fight scenes are largely boring, the acting pedestrian, and no part of this movie is really compelling. I’ll take the rest of this review to point out how pathetic the movie studios are in that they pass over thousands of scripts from talented writers and instead, shove a remake of a remake down our throats and over-hype it. These same studios are wondering why movies are struggling in general, losing out to other forms of online content. Gee, that’s a head-scratcher.

The Yin Yang Master (2021)
Medium: Movie (Netflix)
Rating: 4.5 / 5 It’s pretty and fun
Reference(s): IMDB Listing || Trailer
First, this review is for The Yin Yang Master not The Yin-Yang Master: Dream of Eternity, both of which are on Netflix (more info on the difference), which gets more confusing as Netflix calls it The Yin Yang Master while Wikipedia calls it The Yinyang Master. This is the story of three realms; that of humans, spirits, and demons. The scenery and artistic visions of each realm are beautiful making it a visually stunning movie. While there are spells and swordplay, the movie isn’t dominated by that which lends itself to character development and storytelling. The familiars in the spirit world are a tad on the cheesy side as far as graphics, but they are a lot of fun. Except that they keep calling them “the ferrets” when they look more like raccoons. Otherwise, the movie keeps at a good pace and is great to unwind to if you want to enjoy a simple story that looks great on screen.

April 2021 Reviews

[A summary of my movie and TV reviews from last month, posted to, mixed in with other reviews.]

Bad Trip (2021)
Medium: Movie (Netflix)
Rating: 4.5/5 fingercuffs what?!
Reviewer: jericho
Reference(s): IMDB Listing || Netflix
If pranks aren’t your thing, move on now. If pranks are your thing, then this is your new jam. Eric André brings his physical humor to bear in a series of pranks that are hilarious and sometimes disgusting. The premise is a simple road trip for two friends from FL to NY to pursue a “love interest”, with Tiffany Haddish playing the escaped felon protagonist chasing the guys for “stealing” her car. Several of the pranks are not only Rated R, but certainly not for young ones or those easily disgusted. If dark, sick humor born out of pranking people is appealing, this movie should keep you laughing.

Barbaren / Barbarians (2020)
Medium: TV (Netflix)
Rating: 4/5 nothing like potato cakes, jalapeno poppers, and a beefy sandwich for breakfast
Reviewer: jericho
Reference(s): IMDB Listing || Netflix || Trailer
This six episode series plays out the battle of the Teutoburg Forest between Germanic tribes and a Roman Empire legion occupying their territory. The big point of intrigue is that an officer in the legion was German-born and taken by the Romans as a child. His allegiance is in question fairly early, setting us to wonder which side he will help. The show starts out a bit slow to introduce the players, establish each side, and eventually build up to the historic battle. The Germanic tribes end up led by Thusnelda, wonderfully played by Jeanne Goursaud, under a tenuous supposition but proves her loyalty and dedication to the tribes shortly before battle. The story is simple, acting good, and the story climax is worth the wait.

A Knight’s Tale (2001)
Medium: Movie (Netflix)
Rating: 5/5 the tale gets better every time you watch it
Reviewer: jericho
Reference(s): IMDB Listing || Trailer
I started re-watching this movie again recently, and I was reminded how it is such a fun movie. I love how they ‘modernized’ it a bit with clever music integration. Queen’s “We Will Rock You” at one point in the lists while waiting for a knight and then again for David Bowie’s “Golden Years” during the banquet and dance scene. Since jousting might be a bit boring watching it over and over, the cinematography was well-done with lead-ins to the jousts and well-executed slow motion pauses. Overall this movie brings the laughs and definitely the feels, so make sure you have onions nearby to cast blame elsewhere.