Would you like to play a nice game of chess?

Twenty Megaton Giraffe

“Colonel Giraffy’s Weapons of Mass Distraction” – guest art by Max, who drew this from a briefing of “giraffe nuclear missile” in a matter of seconds. Jealous, I am!

If you’re my age then as well as lurking in your secret lair plotting your takeover of the universe, you’ll almost certainly remember War Games. War Games is an utterly fantastic movie of its time and it is still, all these years later, a wonderful demonstration of how time changes technology but neither the mistakes we make nor the risks we take. The plot is blissfully simple: during a military drill, it turns out that human beings, when it really comes down to it, find it really, really hard to press a button that kills tens of millions of men, women, children and kittens. This is a good thing. However, when it comes to launching a retaliatory nuclear strike, it’s a bad thing – if you’re into that whole “destroy the human race” thing. It is, after all, meant to be mutually assured destruction. Thus, the whole lot was replaced with computers. Wham, bang, job’s a good ‘un: should the soviets do something foolish, the president can press a button (or indeed, not) and a whole stack of machines will launch the missiles without any of those pesky meat bags thinking twice about whether they wish to be directly responsible for mass destruction beyond anyone’s imagination… and some of us grew up with films like Threads to aid our nuclear nightmares.

This reliance on machines turns out, of course, to be a mistake: a hacker kid with a computer and a modem sneaks into a back-door of the AI-stuffed war simulation computer and ends up nearly starting World War 3. He thought that he was just playing games. Brushing aside some minor details, the premise was alarmingly plausible: the equipment was bang on the money and the process is correct. I know this because I’ve done it. I copied War Games, but without the global thermonuclear war bit. In the mid 80s, before tone-dialing modems and digital exchanges, I had a computer and modem dial free 0800 numbers overnight from 100000 upwards looking for computers. Each time it found one, it made a note, disconnected and proceeded. “Security by obscurity” was alive and well: companies figured that if nobody knew the number, they needed no security. Well, they were wrong. As a naive teenager who was lucky that there was no practical way of tracing calls back then, I poked around in a great number of open-door policy network services booking this, that and whatever. You’d be shocked at how easy it was. You’d be even more shocked if you realised that nearly three decades later security (and by extension you, your privacy and your data) is still treated with very little care and attention by people who should know better.

It’s worse now: your life is digital

Generally, security on the Internet is shite. It’s this way for so many reasons and it’s simply not fair to blame just the companies operating their services with such an amazing lack of care. Let’s blame them, the web developers and the users themselves – the “trio of extraordinary incompetence and ignorance”, we shall call them. The latter have crap password policies that allow the errors the former two make to be magnified 1,000 fold. Users also click on links that they shouldn’t and have a habit of believing that if it’s too good to be true, then it’s probably true! The developers and companies, though, over-engineer everything across the board making such an incredible range of poorly configured interlinked computing devices that it’s possible for a single student to build an entire map of the IP4 internet space simply by uploading a custom piece of software that he wrote to a broad range of internet connected devices. We’re all lucky that this software wasn’t malicious. Next time, it might be. One of the many devices that contributed to this incredible paper may have been in your house. Hell, it could have been your ‘fridge, your thermostat, your lights or your television.

Wait, did I say, ‘fridge? Why yes, yes I did.

Let’s think for a while about the devices that you have that contain complete, functioning computers in them along with standard off-the-shelf operating systems (probably Linux) that may be a) poorly configured and b) connected to the internet and are thus c) massive time-bombs of security catastrophes waiting to happen.

Your television. It’s probably a smart-TV these days. The “Smart”, as we all know is the exact opposite, but perhaps you connect it to the Internet for BBC iPlayer or Netflix or whatever grows your beans. If it has a camera, like the Skype supporting Samsungs, then remote attackers could possibly switch the camera on without you knowing and film you. Nice, eh? I hope you don’t do anything naughty in front of your TV as you could find yourself a revenue generator for unscrupulous porn producers in no time.

But your TV is the tip of the iceberg. Lights, fridges, central heating, alarms, cameras, ovens that can be pre-warmed remotely, garage doors opened — if it’s electrical, some asshat is trying to figure out how to make it “smart” and connect it to the Internet. It’s the “in thing” in our modern connected world. It has the right marketing buzzwords, because, well, if it can’t tweet then it’s just not cool, right? Your refrigerator could very well soon be ordering food for you when you run low and if that doesn’t fill you with terror then read on, I’ve got more.

But what’s the worst that can happen?

So let’s play a brief game of “imagine the worst that could happen”. How often do you have to update your computer and its software to deal with security issues? Weekly? Every bloody day for Adobe’s “software”?1 Now think about all of these Internet connected appliances. Are they updated regularly? Are they updated at all? Are their passwords secure? Were they even changed from the defaults? Well, the IP4 map paper answers this question remarkably clearly: no, most are not. Most routers and “Internet appliances” are a fucking outrageous swiss cheese of security holes. And this means that in the future, a hacker would be able to secure control of your house. Did you miss that? Let me say it again, it’s important: in the future a hacker might be able to gain control of your house. Where you and your loved ones live. They could let themselves in. At night. Or disconnect your electricity, steal your car, take your stuff or simply gather the data that they need to electronically empty your bank accounts. And this is all the effects on the one. What if it was a co-ordinated attack on thousands? Or millions of people? What about the power substations? Distribution plants? What if all those was attacked at once? Screw bombs and guns: digital warfare and terrorism is the way forwards and has the added advantage of leaving infrastructure in one piece but simply disabled.

You could easily sleep-walk into letting each one of these badly configured appliances become an accidental repository of your passwords and personal data if you allow them to access Twitter, Facebook, Paypal, Amazon, etc. instead of using a (relatively) secure computer. Furthermore, by doing so, you are relying on them to incorporate, maintain and employ first-rate encryption and security practices to protect that data, much of which can be used to spend your money. Frankly, having seen what’s under the hood of some of these devices software-wise I wouldn’t trust them with my dirty underpants, let alone any passwords, username information, browsing history or payment capability.

Moral of the story so far: We do not take security seriously and we should.

Am I scaring you sufficiently yet? I hope so, because this is unbelievably important stuff and as a population we do not take it seriously enough. We need to hold everyone involved to a higher standard and stop tolerating piss-poor security. You read about passwords being stolen daily. This won’t stop until we make it stop.

You should neither tolerate lax computer security nor be part of the problem. Your passwords should be carefully chosen. They should be different. Don’t be lazy and re-use the same password for multiple services. You should never use insecure or untrusted WiFi. Never. And if you have any of your services from a company that stores your password in unencrypted form (companies saving money by adopting a “sort-of-fix-a-half-arsed-job-it-if-anyone-notices” policy is costing us, the customers, dearly) then you should vote with your feet before someone takes your stuff. Oh, and report them to the plain text offenders people. And tweet at them. Big companies still don’t understand the unparalleled power that an individual consumer now has thanks to social media, so use it. The rules of thumb are quite simple. For any company that has personally identifiable information about you:

  • If they can tell you your password or email you your password then they operate unacceptably crap security practices and should absolutely not be trusted for anything
  • If they provide a customer login on their web sites that is not fully encrypted using HTTPS and an appropriately up-to-date, verifiable certificate then they should not be trusted either

If they make excuses for either of the above then they are within a hair width of being criminally negligent with your data because it indicates they have no comprehension about why these practices indicate a fundamental thinking fault that will lead to problems.

And finally, a cautionary tale

And as for you, the reader, a cautionary tale. Whilst on the misery inducing train to London a few weeks ago I overheard some bloke talking about how his Yahoo mail account was hacked2. He was having the conversation sufficiently loud to ensure that everyone on the entire carriage heard, so I’m sure he won’t mind if I explain how him, his wife and his two teenage kids all had their accounts hacked too. They all used the same computer, of course, which was probably riddled with malware and other such things but their solution to their email accounts being hacked? To simply email their friends and say “ignore the spam you’re receiving from us, we’ve been hacked”. Did he do anything about it? No, of course not. It’s like saying “ignore the punches in the face I’m giving you, I love you really”. He’s exposing his friends and family to risk because he’s ignorant of the issue and he’s applying foundation to cover up his case of airborne Ebola. Selfish. And that’s being generous.

However, I mentioned that this was a cautionary tale. Well, that’s because I know his full name, his email address and password. He mentioned the latter to the bloke he was talking to on the blower and it would have taken the most determined “la-la-la, I can’t hear you” deployment to miss the rest. I’d bet a grand, right now, in cash, that he uses that password for everything. Everything. But it doesn’t matter anyway, because that’s his one and only email address so lost password recovery to find the rest is a trivial exercise.

I have the keys to his digital life.

And he’s lucky I choose not to use them.

Tomorrow, it could be his physical life too.

Please be careful when attaching devices to the Internet. Think twice. Be careful. Be smarter than your appliances.

It’s your stuff. Your life. Your loved ones. And they’re precious.


1 … but you’ve got to admire their latest automated remote wallet emptying scheme that manages the involve the world “cloud” as a method of charging you more for less. Honestly, it’s genius. Now, those irritating users who don’t/can’t afford to upgrade each and every time a new version is released are captured forever. Now, instead of paying a metric fortune to use Photoshop, you’ll pay an imperial fortune, in monthly instalments… forever! Muuuhahahahahaha, etc.

2 It wasn’t “hacked”, it was hijacked. There’s a subtle but important difference. He made (at least) two mistakes: 1) he logged into Yahoo mail, which does not have two-factor authentication and then *didn’t log out* and 2) continued to browse whilst still logged in. Eventually, some unscrupulous advert loaded with dodgy Javascript did the magic, harvested the cookie and that was that. Take home lesson here: do not stay logged into Facebook, Twitter, LinkedIn, Yahoo Mail or anything else whilst idly browsing the web. Either that or have a separate, different browser for general web surfing. A little care goes a long way to securing your life.

Edit 6th June 2013: Well, there you go. “Smart” Televisions: the security swiss cheese that keeps on giving!

This entry was posted in Rants, Security and tagged , , , , , , , , , . Bookmark the permalink.

Feel free to say hello