As I’ve been preparing to teach Network Security at Johns Hopkins this semester, I made the decision to change my assigned reading from The Cuckoo’s Egg to Countdown to Zero Day by Kim Zetter. I think that, in many ways, this is symbolic of the changes in the computer security world itself. Security is growing up. Cuckoo’s Egg represents childhood, while Zero Day represents the teenager.
Young, impetuous, but also becoming very deadly. The adult form emerges but with so little wisdom and judgement that nobody knows quite how it will turn out.
In the true story retold by Cuckoo’s Egg, Cliff Stoll traces a foreign spy through the computer systems at Berkeley and even some government networks. Although the technology is out-of-date, the approaches used by this intruder can still be re-applied in today’s systems. I’ve had students that modeled their simulated attacks directly from what they learned in their reading. But most of the damage was stolen secrets and stolen CPU time. The intruder was a lurker. A shadow watching from the dark corners of the Internet’s precursor.
Countdown to Zero Day is many levels of danger beyond that. In this modern world, governments buy zero-day vulnerabilities and turn them into weapons. These weapons don’t just steal information, they damage systems. Nuclear systems. These are live weapons that can, and will eventually, start wars.
It’s with a certain sense of sadness that I’m preparing the class to focus so much on zero-day exploits. For our classroom simulations, we’re going to have a marketplace for buying and selling (fake, simulated) zero-day exploits. The students are going to level their (fake, simulated) cyber weapons at one another and pull the triggers. We’re still just simulating lost money and stolen secrets, but everyone knows what lies just beyond the doors of the classroom. But they have to know it. They can’t bury their heads in the sand.
Computer security specialists have to know that this is the new world. The zero-day world. There’s no going back.