On Monday, thousands of people were outed as members of a
dating site catering to unfaithful spouses after the theft of a database
containing personal details of millions of user accounts. Other panicked users
of Ashley Madison have already started to pre-emptively admit to loved-ones
that they were members in an effort to stave off relationship destruction if
the full database is ever released.
On Tuesday, hundreds of thousands of people were told to
update the software on their cars after two security researchers wirelessly
took control of a Jeep, cutting the brakes or turning off the engine all with
the click of a button. Fortunately, so far the damage has been limited to one
terrified Wired reporter mashing an unresponsive brake pedal in an unsuccessful
attempt to stop his car rolling slowly into a ditch. The researchers are yet to
reveal the technical details of the hack, but plan to in three weeks.
On Wednesday, a German coder discovered a bug in the latest
version of Mac OS X that can let anyone run software on one of Apple’s
computers as though they are the administrator. The company apparently knew
about the bug in June, when it issued a fix for the beta versions of its next
operating system, El Capitan, but in doing so it revealed the existence of the
gaping flaw to the world. At the same time, it said it wouldn't be fixing
consumers' computers until September, leaving the hole open to attack for four
months.
What is going to happen on Thursday? And what can you do to
stop it? The answer is: practically nothing.
Welcome to 2015, where everything is
terrifying.
We’re used to hearing all kinds of advice intended to help
us battle against the tide of technological mishaps (or at least, lessen the
damage when they occur). We’re told we should have complex passwords which we
don’t re-use or write down; we should always install security updates as soon
as they’re available; we should keep backups of our data in case our laptop is
stolen or our hard drive corrupts; and we should be careful about what we click
on, download, or view online.
This advice made us safer a decade ago, but the nature of
the world we’re having to deal with has changed.
“Always use long, unique passwords”, for example, was
plausible in an age when we had one internet-connected device and accounts on
a small number of websites. But today it is impossible. So we are advised to
store passwords in password managers, or to enable two-factor authentication,
or even to use weak passwords on sites that don’t matter, to make it easier to
remember long passwords on sites that do.
Installing security updates on your computer, meanwhile, has
got easier as Apple and Microsoft have updated their operating systems to
prioritise them. But at the same time, the number of devices in a typical house
that can be hacked has risen enormously. You might be confident your computer
is up to date – but do you know about your router, your set-top box, or your
smart thermostat? Do you even know whether the model of car you drive is
capable of installing security updates?
And the conflicting, impossible advice continues. When you
diligently make backups of your photographs, or let Apple or Google do so for
you as it’s easier that way, you’ve protected yourself from losing those to a
hard drive crash or a broken PC, but you’ve opened up new vulnerabilities. If
you’re storing them on a cloud-based service which later gets hacked, you could
find your cheeky nudes spread across the internet. As one problem is solved, a
new one occurs just as quickly.
In 2015 much advice is moot, a hangover from an age when
every technology report carried advice at the bottom of the story telling the
reader what they should do with the news. Increasingly, the truth is that there
is nothing you can do.
Vulnerabilities now occur less because of what an individual
does, like giving away bank details to a phishing email, and more because of a
failure in the services we rely on. Spotting where the weaknesses will occur is
impossible.
No amount of judicious investigation could have revealed to
a would-be adulterer that Ashley Madison was the dating site that would lose
their details, and not OKCupid, Match.com or Tinder. No financial trader could
have known that the New York Stock Exchange was going to suffer its crippling
outage in early July, and no holidaymaker is able to pick which airline is
liable to ground its entire fleet due to a software error, which happened to
United Airlines earlier this month.
Of course, this unpredictability is a fact of life in the
offline world.
The human body has a long-running unpatched vulnerability
which means that being hit by two tonnes of metal traveling at 35 miles per
hour can cause a permanent loss of data.
Until now it has been very difficult for a criminal,
terrorist, or even just bad luck to exploit that vulnerability on hundreds or
thousands of people at once. But as soon as you can remotely hack the brakes on
all Jeeps, the scale of that vulnerability, and the ability to exploit it
changes dramatically.
University of North Carolina professor Zeynep Tufekci argues
that the reason these kind of vulnerabilities seem to be becoming increasingly
common is the scrappiness of software development. “Software engineers do what
they can, as fast as they can. Essentially, there is a lot of equivalent of
‘duct-tape’ in the code, holding things together,” she wrote after the NYSE
outage.
But that’s worse, not better. “From our infrastructure to
our privacy, our software suffers from ‘software sucks’ syndrome which doesn’t
sound as important as a Big Mean Attack of Cyber-terrorists. But it is probably
worse in the danger it poses.”
Not that simply increasing the amount of money we spend developing
software would help. Any programmer will tell you about the “mythical
man-month”: the idea that if one coder can develop a program in 10 months, then
10 coders can do the same work in one month. Of course, the idea is bunk – but
that has never stopped managers from thinking that the bigger and more complex
the development team, the better the result.
Perhaps the answer is to cut as much software out as
possible – or at least, not connect it to the wider internet. Marta Janus, a
security researcher at Kaspersky Lab, says that the news of the Jeep’s weakness
means just that. “We should definitely reconsider the concept of the internet
of things, and think carefully about which devices should be connected to one
another. Obviously, computers, smartphones and tablets would be next to useless
without an internet connection, with their main purpose being to keep us
connected in this digital world.
“But,” she asks, “what is the real advantage of having a car
with access to the internet?
“In my opinion, transportation, together with industrial
systems and other critical infrastructure, shouldn’t make use of public
internet at all.”
Face it: software sucks and so there will always be
vulnerabilities for hackers, and we have to live with that. As a result, maybe
it’s worth dialling back our reliance on it just a little bit, so the next time
you’re complaining about something crashing for some unfathomable reason, you
can console yourself that it’s your computer – and not your car.