Rejection Letter

Rejection Letter
By Charlie Stross

Dear Mr Stross

I’d like to apologize in advance, but after consulting with my colleagues in other departments at Reality Publishing Corporation, I’m afraid we can’t publish your book, “Zero Day: The story of MS17-010”, as things stand. However, I’d like to add that it was a gripping read, very well written, and we hope to see more from you in future!

Because the plot of your yarn is highly technical, we engaged a specialist external reader to evaluate it. And they had some unfortunate words to say on the subject of plausibility. I attach the reader’s report, in the hope that you might consider amending your manuscript accordingly.


E. S. Blofeld, Editorial Director


Short version: while Stross can clearly write workmanlike, commercial prose, the plot of “Zero Day” does not hold up to scrutiny. In fact, it reads like a mash-up of popular conspiracy theories, alarmism, and bad Hollywood thriller cliches. Also, the characterisation is spotty: the shadowy villain remains off-screen for the entire novel (and apparently gets away with their crime), the hero who saves the day only appears in the last chapter, and the overall lack of thematic resolution at the end of the novel is painful. We suppose this is a side-effect of telling a story as a collage of blog entries and web news reports, in an update of the style pioneered by John Dos Passos: it’s innovative but ultimately unsatisfying. Also, the C++ code listings are a major obstacle for the non-technical reader.

Now, to the problems with the plot:

We start with a shadowy US government agency, the NSA, systematically analyzing the software of the biggest American computer companies in search of vulnerabilities. So far, so plausible: this is one of the jobs of an intelligence and counter-espionage agency focussed on information technology. However, instead of helping Microsoft fix them, we are supposed to believe that the NSA hoard their knowledge of weaknesses in Microsoft Windows, a vitally important piece of their own nation’s infrastructure, in case they’ll come in handy againt some hypothetical future enemy. (I’m sorry, but this just won’t wash; surely the good guys would prioritize protecting their own corporate infrastructure? But this is just the first of the many logical inconsistencies which riddle the back story and plot of “Zero Day”.)

Next, the plot takes a turn towards faceless anonymous parties (lacks drama!) as someone calling themselves “the Shadow Brokers” leaks a huge trove of classified NSA documents to WikiLeaks, who in turn dump it on the internet. These documents are the crown jewels of cyberwarfare, but they’re apparently just lying around on the NSA’s internal network for anyone to grab. WikiLeaks, we are led to believe, may be a front for the Kremlin (twirls evil moustachio villainously) but if this is the case and they’re acting for the KGB why would they disclose such vital American secrets? Spies just don’t do that sort of thing. Also, who is supposed to have smuggled these secrets out of the NSA headquarters, and how? Did they use a thumb drive? Email it to themselves? This is a huge missed opportunity for tension and plot development and it’s completely absent from the manuscript as reviewed.

Anyway, this preposterous intelligence leak shows up on the internet and includes details of a vulnerability in Microsoft’s file sharing system, codenamed ETERNALBLUE. This only really affects older Windows systems and can be blocked by simply switching off legacy file sharing support, so it’s no big deal, but Microsoft dilligently release security updates through March, including a fix for vulnerability MS17-010, as the NSA black ice is renamed by people who don’t get their ideas for codenames out of bad technothrillers. (ETERNALBLUE was part of a release of code that also gave us such interesting names as EDUCATEDSCHOLAR, ETERNALROMANCE, and ERRATICGOPHER. Oh to be a fly on the wall at the classified NSA committee meetings discussing the deployment of their weaponized ERRATIC GOPHER …)

Then, one day in May, all hell breaks loose.

Someone unknown—as noted, this novel is very short on identifiable people the reader can relate to—takes the code for a piece of ransomware usually distributed as an email attachment, and turns it into a payload for ETERNALBLUE, which is a worm—capable of directly infecting other machines on the same network without human intervention. And in a matter of hours, the new malware, known as Wanna Decryptor, infects the entire British National Health Service, a Spanish cellphone company, FedEx, and over a third of a million computers whose owners had lazily failed to enable automatic security updates from Microsoft.

When a piece of “ransomware” infects a computer, it starts by stealthily encrypting all the personal documents, pictures, and spreadsheets on the PC. Only when it has finished does it pop up a window to warn the PC’s owner, and issues a ransom demand. The bewildered human is instructed to go to a website and buy $300 worth of BitCoin, an electronic token called a “cryptocurrency” by some, and to pay the ransom in order to unlock all their files—if they don’t do so within three days, the ransomware will permanently delete them.

Normal ransomware spreads by attaching copies of itself to email messages and sending them to everyone in the victim’s address book. This means it won’t propagate unless someone is so foolish as to ignore their antivirus messages and click on the attachment. But Wanna Decryptor doesn’t need to do this—it uses the magic NSA code in ETERNALBLUE to scan the internet for targets. It’s a worm—a boringly old-hat idea first introduced into fiction by SF author John Brunner in his 1977 novel “The Shockwave Rider”. (To this extent, the plot of “Zero Day” isn’t even original.)

One is supposed to believe that evil genius hackers (unidentified) using code stolen from the most secretive of espionage organizations by some third party (also unidentified) and released for free on the internet, took someone else’s poor quality malware (author unidentified) and turned it into a cyber first-strike weapon that causes carnage worldwide because millions of responsible computer operators fail to apply vital software security patches for months after they’re released? This beggars plausibility.

But then it gets worse.

In the foreground, ambulance despatch systems are going down: clinical information systems are offline: hospitals are declaring major incidents and trying to revert to paper and pen: operations are cancelled except in case of life-threatening emergencies because doctors can’t review X-rays and medical records: the entire Telefonica cellphone network stops being able to handle billing and orders in Spain: FedEx’s parcel network is inaccessible: Deutsche Bahn train signaling is disrupted across half of Europe …

And a mild-mannered British computer security expert who is on his week off gets home from lunch with a friend, checks a work website (implausible! He’s on holiday!), sees something odd, and kills the world-threatening zero day exploit dead by registering a domain? And then takes a couple of hours to realize that the evil genius responsible for a global terror attack helpfully left an “off” switch that anyone could flip?

I’m sorry, this is just silly.

In fiction, we rely on the reader’s willingness to suspend their disbelief in the lies we are telling them. Willing suspension of disbelief can be abused if the story lacks plausibility, and this part is totally implausible! The WCry worm (as it is thankfully abbreviated) switches itself off if a random-seeming domain name has been registered and a web server exists to serve it. Why? The mastermind who wrote this weapon obviously knows about bitcoin, and by extension, how blockchain works; surely they could have contrived some sort of cryptographically secure way to protect their kill switch?

This is the digital equivalent of the James Bond movie where the evil mastermind’s lair from which the nuclear missiles are to be launched features a prominent red button labelled SELF-DESTRUCT, which, when pressed, does in fact cause the missile base to self-destruct. And which is not guarded, booby-trapped, or in any way concealed, so that when a Mr Bean figure walks in, slips on a banana skin, and happens to catch his fall on the wall switch, the evil plan for world domination is stopped dead in its tracks.

Come on, Mr Stross, you can’t expect us to believe that!

Summary: well-written, but short on characterization and the plot, while dense, makes essentially no sense and relies on a Deus Ex Machina ending to allow the hero (who only shows up at the eleventh hour) to triumph bloodlessly.

May 13, 2017 at 02:05PM
via Charlie’s Diary

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s