The Software Security Iceberg

Over on Reddit, there’s a pretty fun sub called explainlikeIAmA (Reddit-speak for “Explain Like I am a …”). The premise is simple: people post a request in the form “Explain [topic] like you are [person]”, and other people reply accordingly. It’s basically a game of make-believe, and it’s a fun exercise for fiction writers.

Today, I replied to one such post titled “Explain the Sony hack like you, and not North Korea, were the one responsible, and you are trying to not-so-subtly hint at what you did.” Clever premise, and highly topical. Here’s my response:

Hypothetically, if a hacker wanted to avoid detection, he’d use an opportunity to deflect the blame to a plausible scapegoat. Perhaps this hacker, whoever he is, saw a golden opportunity in the impending release of The Interview.

North Korea is already known for its cyber-warfare program, and it’s no surprise they objected to The Interview. If someone wanted to hack Sony — perhaps for personal reasons that we may never learn — it wouldn’t be too difficult for said hacker to leave clues that point back to the DPRK: clues that are obvious enough for the FBI to pick up on, but not so obvious that they look suspiciously fake. Someone familiar with Sony’s network security should be able to accomplish this quite easily.

When the news came out that North Korea’s government was the prime suspect in the hack, Pyongyang’s response was predictable. Obviously they know they weren’t the hackers, but why would they deny such a perfect opportunity to claim credit for a massively successful cyber-attack? What better way to show the world they’re not a joke, and that they must be taken seriously as a threat to global security?

The media jumps on the story. North Korea is a known belligerent on the world stage, and the explanation that they’re behind the hack is not only plausible, it’s ideal. Meanwhile, the real hacker can relax, knowing he will never be caught.

OBVIOUS DISCLAIMER FOR MORONS: the above is a work of fiction/speculation. I am not the Sony hacker, nor do I claim to know anything about the identity, strategy, or methods of said hacker(s).

That said, nothing I wrote in that Reddit reply is implausible. If I had sysadmin-level access to Sony, I could have probably pulled off everything I said up there. A person with more expertise in computer networks than me, or someone with inside knowledge of Sony’s systems, would definitely be able to pull it off. Computer software is full of horrible flaws because it’s made by humans — and humans are jam-packed with horrible flaws.

A computer can only do what it’s told. That’s what software is: instructions that tell the computer exactly what to do (or not do). If it’s told to keep your data safe, it will. If it’s told to give your data to someone else, even someone who’s never supposed to have it, it will. The good intentions of whoever made your software are irrelevant. Computers don’t try to guess what the programmer intended: they can only do exactly what’s in the instructions. Even software that has some appearance of intelligence, such as Siri or Cortana, is really just moving data around based on a firm set of rules — rules that were written by a flawed human being.

Back when computers could only do a limited number of things, such as arithmetic and code-cracking, the concept of hacking was impossible to comprehend, let alone accomplish. Usually the technician knew every instruction the computer had been given, along with exactly what the gigantic, vacuum-tube-filled beast was supposed to do with these instructions. The comparative simplicity of the whole process left zero room for risk, like pushing a Hot Wheels around the kitchen table versus directing traffic for an entire national road network. The guy who maintained the computer understood every piece of it from top to bottom. There was no point of intrusion, certainly not one the computer experts wouldn’t have immediately spotted and corrected.

Today, no such know-it-all person exists. Computer hardware and software is so incredibly complex, understanding it all from top to bottom literally exceeds the capacity of the human brain. Today’s computers are the result of decades of engineering and specialization. Forget phones and tablets: the computer in your goddamn microwave is orders of magnitude more powerful than the one that sent the Apollo astronauts to the moon. And trust me: if you could somehow connect your microwave to the Internet, there’ll be someone out there who already knows how to hack it. Enjoy your frozen Hot Pockets, chump!

An engineer at Intel might know the nitty-gritty of how an instruction set on the Core i7 works, but nobody knows that level of detail about the entire line of Intel chips that are still in use today. That’s to say nothing of all the assorted hardware components, firmware, operating systems, drivers, shared libraries, communication protocols, services, and end-user apps that fill every computer in the world. At best, an engineer knows how her specific piece talks to other pieces.

Not surprisingly, the interaction between components is where security vulnerabilities appear. Remember back in the pre-Google-Maps era, when people used to give each other directions over the phone? Remember how annoying and error-prone that was? Congratulations, you now know how every piece of computer hardware and software in the world works: one person (or component) clumsily giving directions to another person (or component) who went out there and muddled through it.

I’m not kidding. I wish I were. The infamous Heartbleed virus is a perfect example of this. Because a popular computer program’s communication protocol was too vague, a massive vulnerability was exposed on countless websites. (Those who want a simple, yet accurate explanation of Heartbleed should check out this XKCD comic).
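An added example, not code from the affected program or from the original post: a simplified C model of the "giving directions" failure in Heartbleed, where a responder echoes back as many bytes as the peer claims to have sent instead of as many as it actually received. The memory layout, function names and sample secret are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 32

/* Constructed stand-in for server memory: the peer's 4-byte payload
   ("ping"), followed directly by unrelated data the peer must never see. */
static const unsigned char MEM[MEM_SIZE] = "ping" "SESSION-KEY=hunter2";

/* Flawed: trusts the length the peer claims and echoes that many bytes. */
size_t echo_naive(size_t claimed_len, unsigned char *out)
{
    if (claimed_len > MEM_SIZE)
        claimed_len = MEM_SIZE;          /* keeps this demo inside MEM */
    memcpy(out, MEM, claimed_len);
    return claimed_len;
}

/* Hardened: compares the claim with the bytes actually received and
   drops the message when the claim is larger. */
size_t echo_checked(size_t claimed_len, size_t received_len,
                    unsigned char *out)
{
    if (claimed_len > received_len)
        return 0;                        /* nothing is echoed */
    memcpy(out, MEM, claimed_len);
    return claimed_len;
}

int main(void)
{
    unsigned char out[MEM_SIZE + 1] = {0};

    /* Peer sent 4 bytes but claims 23. */
    size_t n = echo_naive(23, out);
    printf("naive   (%zu bytes): %s\n", n, out);

    memset(out, 0, sizeof out);
    n = echo_checked(23, 4, out);
    printf("checked (%zu bytes): %s\n", n, out);

    n = echo_checked(4, 4, out);         /* honest request still works */
    printf("honest  (%zu bytes): %s\n", n, out);
    return 0;
}
```

The only difference between the two handlers is one comparison between what the sender said and what the receiver actually holds.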

The risk isn’t that our computers are too complicated to understand, it’s that they’re too complicated and we do everything with them. The Sony hack was trivial compared to what could have happened. Imagine if North Korea (or whoever it was — I remain skeptical at this point) had targeted a bank, or a branch of the military.

Let me stop you before you say “but those are much more secure than a movie studio, Matt!” No. They’re not. Not in the slightest. The reason why is simple: your system is only as secure as the weakest person who builds or maintains it.

Read that point, and read it again. Take a second to think about it in the context of your software. Humans are flawed. They’re motivated by fear, greed, laziness, selfishness, hate, love, addiction, compulsion, and ideology, among many other things. It’s far, far easier to corrupt a human than a computer. It’s much simpler to give the sysadmin a briefcase full of cash or put a gun to his head than it is to brute-force hack the system he maintains. And no, the people who make financial and defense software aren’t somehow less corruptible or more altruistic. To quote Depeche Mode, people are people. Besides, more often than not, the people who made the bank’s software are the same ones who made the donkey porn site’s software (again, Heartbleed).

Most likely, a “hacker” is either someone inside the organization, or someone who corrupted/robbed a person inside the organization. That’s how the Sony hack was carried out. It’s also how my benevolent hacker protagonist in Winterwakers operates. There are no firewalls or system logs that can defend against someone with legitimate access to the guts of the software.

There’s no easy fix for all this. There probably isn’t even an insanely complicated fix for it. Computer security is one of those iceberg problems: the ten percent above the surface is scary, but the ninety percent we can’t see is way worse.

I want to end this bleak post on a bit of good news, so here it is: just because computers are insecure doesn’t mean you’ll be a victim of computer crime, especially if you take a few simple precautions. My basic security tips that everyone can follow:

BASIC TIP 1: Make A Really Strong Password. Come up with a password that’s long (i.e. 30+ characters), unique, and easy for you to remember. Don’t worry about numbers or special characters unless you really want to. Focus on these three things: long, unique, memorable. A phrase that’s special to you is a good choice, but try to pick something that’s not from a popular book (yes, that includes the Bible) or movie.

BASIC TIP 2: Use a Password Manager. Now that you have your long, unique, memorable password, get yourself a password management app and learn how to use it. Use your shiny new password for the master login. Think of it as a fire-proof safe that stores all your keys. And don’t worry about all your passwords being in one place; it’s far, far safer to do this than to use the same password for everything, or have a ton of passwords you’ll never remember on your own. A forgotten password is a vulnerability. A password that’s the same for all your sites is a vulnerability. Password managers help with both those things and more. I use and recommend LastPass, but there are other good ones out there as well.

BASIC TIP 3: Be Vigilant. A lot of websites nowadays let you see a log of when and where your account was used. Example: in GMail, you can go to the bottom right corner of the page and get a list of all places and times someone logged in to your email. Get into the habit of checking this regularly. If you see a login from a different country, or at a time that doesn’t make sense (don’t forget to take your phone into account here, though), report it to the site.

BASIC TIP 4: Install Those Software Updates ASAP. When a software developer pushes out an update for something you own, here’s what they wish they could say:

“Hey user, I need you to install this update RIGHT NOW, because I just fixed a HUGE SECURITY FLAW! You need to plug that leak before the hackers find it! I’M SERIOUS MAN, SHE’S GONNA BLOW! DO IT NOW NOW NOW!!!!”

The above is a mild exaggeration at best. The longer you put off installing those updates, the more vulnerable you are. Quit being lazy and do it.

Fair warning: at best, these are preventative measures that will only protect you from the most simplistic attacks. That said, if you follow these four tips, you’ll be way less vulnerable than the average computer user. When it comes to being a target for hackers, you don’t have to be the fastest gazelle, just faster than the slowest gazelle.

Further reading (especially if you’re a developer, sysadmin, or other IT person): “A story about Jessica and her computer.”
