Right now, you're sitting in front of our pact with the Devil. When you finish reading this, you will do nothing about it.
The Devil is the Internet, if you were wondering. As the proprietor of this site recently wrote, the Internet opens up a world of wonderful possibilities -- possibilities we're just beginning to understand.
But since it takes us everywhere, everywhere can reach us. That includes bad guys, some of whom work for major criminal gangs or governments. That possibility's the price we pay for watching riots in Kyrgyzstan in real time if we want to.
But that price is peanuts compared with what the world's major institutions pay. Their world, kept from view, is cyberwar, 24/7.
If that sounds like science fiction, welcome to the future. Things have gotten so wild out there that just this Saturday, the Lulz Security hacker group -- which last week took credit for stealing the personal data of about 200,000 players of Brink, an on-line game -- Tweeted Sega Corp., the Japanese game manufacturer, and offered to go after hackers that had broken into its system.
"Sega - contact us," Lulz said in its Tweet. "We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down."
Offers like that probably didn't stream into the offices of Sony Inc., CitiGroup, the CIA, the US Senate, or the International Monetary Fund after they'd been attacked in early June's wild outbreak of high-profile attacks. Those boys were probably attacked by some of those major criminal gangs or, in the case of the IMF and CIA, a government. They're on their own.
When guys like that are attacked, though, it's not just about them; it's about all of us -- the entire world, now bound together by the Internet, because when they're attacked, it means we -- or at least our accounts and personal data -- can be attacked.
And there's the rub; since the Internet's everywhere, the bad guys can go everywhere. Admiral Mike McConnell, a Booz Allen Hamilton executive vice president, is an old source of mine who's run the National Security Agency and was the second Director of National Intelligence.
"In the old days, if the Pentagon wanted to send a message to a ship at sea, it would be coded, and sent to the ship in an encrypted radio burst," he once told me. "It would be decoded and put into the Captain's safe. The chances of capturing that message or decoding it were small. If somebody wanted to get that message, they'd have to get on the ship, open the safe, get the message, and get off the ship. But now, all they have to do is break into the computer network."
Which is easy.
"Nothing is 100 percent guaranteed impenetrable," he said. "In my experience, when you are testing something to see if there is a vulnerability, you most always find a vulnerability."
"Today, with all our networking, the vulnerability does not end with the transmission [of data]," he added. "It's gone from worrying about data in motion to also worrying about data at rest," because much information is stored on hard drives. "That's where the vulnerability is."
And when Adm. McConnell was talking to me, a Silicon Graphics workstation was a powerful platform. Today there are "zombie bots", virtual supercomputers made of networks of thousands of hijacked computers that, working unknown to their owners, are rented to criminals. Given time, they can overpower any system.
Like I said: Welcome to the future. Underneath our world of everyday email with friends and associates, or reading this article, there's a shadowy world at war.
Another old source of mine once laid out just how warlike that can be. This guy, then in charge of computer security for a very large global bank, told me that every once in a while he'd get on a plane, disembark in some obscure city, strap on a bulletproof vest, and break down a door in armed company to get at a particularly noxious hacker.
To survive in this world, in other words, big institutions are their own police in a world in which the notion of sovereign nations just doesn't apply.
When I was covering this ten years ago, you could break into any computer perfectly legally; all you had to do was operate from a country that had no laws against what you were doing -- Monaco, in those days, or Ukraine.
Nothing's changed since. Certainly, anybody with a good satellite uplink and their own electrical generators could operate today out of Waziristan, say, or a ship anchored outside the international 12-mile limit, and be almost immune from ordinary law enforcement -- since you weren't breaking any laws where you were.
Not that the people we're talking about are worried about breaking laws. This past week, somebody stole $500,000 from someone's BitCoin account. Bitcoin is a virtual payments system that allows you to make completely anonymous payments to anyone, anywhere.
When you're talking about stealing that much or more -- consider that the recent CitiGroup hack stole data about 360,000-plus credit cards -- a lot of qualms go by the board.
This is crime, folks: Would somebody stop at kidnapping the wife of some computer worker if it meant being able to steal, say, $400 million? That's how much was reportedly extorted from the City of London in the Dark Ages of computer crime -- 1996.
In that caper, a Russian gang managed to slip what's called a "data bomb" into the system of an international bank. Data bombs force computers to make mistakes in computation.
How it was done isn't known. Temp workers were suspected at the time, but it could just as easily have been an employee with a kidnapped wife. Anyway, once it was done, the gang sent a "Pay or die" email to the head of security.
"Come and get me," he said. Then the gang set off the data bomb and fried a corner of the bank's overseas futures operation. Millions were lost in a flash.
Then the head of security got an email on his private laptop: "Now do you believe we can destroy your computers?" Millions were wired to the designated account in short order. After that, the gang only had to threaten and the money was sent.
Does this mean we should unplug the Internet now and go back to licking stamps? No -- just that the world we see isn't the world that is. If a kid a few years ago could hack so deep into T-Mobile's cellphone network that he could steal Demi Moore's cell phone pictures, nothing should surprise us.
What to do? I'm not unplugging my laptop. I publish on the Huffington Post, for God's sake. I have a website. I do Facebook. I get all my news from the Internet, and email constantly.
On the other hand, I'm cautious. I have a router on my connection, which blocks most attacks. I have good security software. I don't click on mail or links from strangers. I have a dedicated bank account for doing anything financial online, keep it empty, fund it per transaction -- in person -- and never touch it with my computer. If I was smart, I'd switch to a Linux operating system -- but that's way beyond my feeble computer skills. It all lengthens the odds.
Even so, the real reason I'm relatively safe -- and so are most of you -- is because I'm nobody. Bank robbers go where the money is, so a major criminal enterprise can't be bothered with our personal computers when they can hack into a bank. Of course, if it's your account they steal; well, in most cases -- not all -- banks, stores and the rest will make you whole and write it off as the cost of doing business.
For a good look at what we're facing here, and what we can do about it, you can do a lot worse than read The New War, published by Sen. John Kerry in 1997. Kerry lays out the problems clearly and makes sensible suggestions about how to deal with a world with only nominal borders.
Anything he says, of course, is subject to attack by his enemies on the Right; but for some, that's more of a ringing endorsement than anything else.
Visit me at my website, Reinbachs Observer.
Oh, we can send email secured within our own networks, AND we can, on our own, encrypt our messages, share the basic encryption data with our recipients, and thereby have secure email within certain boundaries. However, this is not good enough, and a practical solution isn't very hard.
One key aspect of this is to separate identity from the security of the system. UNFORTUNATELY, as we have it today, many people want to combine identity and security, but I reject this; anonymity is a valuable part of internet culture and to extricate it is a mistake. AND I believe this is a key reason why we don't see a big push for encrypted email from the technologists - they don't want encrypted email if it means giving up anonymity.
The solution is to use the same encryption model as with https web servers - let the server-to-server connection encrypt exactly the same way, and _trust_the_servers, senders and/or receivers. That's ALL that is needed to have point-to-point encrypted email, but the encryption scheme must be available on the recipient's email server, and that requires cooperation. Email senders can then choose or not to accept self-signed certificates. The technology has long been in hand and I truly don't understand why it hasn't been implemented.
Ballots should be counted with mechanical money counters or by hand as is done quickly and accurately by advanced nations around the world.
And beware of some of the default network settings. If you go to a coffee shop you can often see a lot of Macs on their network. These may automatically show up in the sidebar of your Finder window showing the actual name of the owner of the computer. Anybody could just drop files into their Public Folder without the owner of the computer ever finding out.
As for Linux, because of Ubuntu, it has become much more friendly and easy to use. You can get it for free at: http://ubuntu.com and it will run on Macs or Windows based machines.
It was updated to plug all of the methods used to remove the product.
Luckily, I had a backup ID installed on the machine which is now allowing me the ability to install Malwarebytes and execute it, but the process has just begun.
Hundreds of millions are wasted each year by these rogue programs. It causes hours of disruption, a high cost for many who cannot figure out the resolution by themselves, or the software has to be reinstalled causing loss of data.
This new build locks down the Internet, DVD drives, all security products, all browsers, including Firefox (which two weeks ago wasn't apparently affected).
Why doesn't the government take this matter more seriously, as I'm sure there are built in keyloggers or something which could obtain passwords.
because they won’t utilise existing techniques that could address such subterfuge. It’s like the Germans still believing in Enigma, when there were clues everywhere that it had been compromised.
"Welcome to the future."
This, isn’t the future Andrew. This is an intermediate stage. Where the old guard are having rings run around them, by those they sought to sideline. They’re merely discovering that you can’t keep the cream of the species down in perpetuity.
"This past week, somebody stole $500,000 from someone's BitCoin account."
Who carries all their money around in their back pocket? Why not load the BitCoins into a device that can only download metered amounts? Then use that intermediary to convey the exact amount to its destination. Protected by a lock, whose key is sent via an alternative route.
"This is crime, folks"
Ultimately banks make good those missing funds from their customers. If they became liable for those losses things would change, rapido.
"How it was done isn't known."
Similar to the way dealers use computers to conduct surreptitious overnight deals, to cream a few cents off thousands and thousands of accounts?
The easiest way to secure the Internet is to support IPsec, which extends IP with a public key cryptosystem for authentication and confidentiality without requiring any further support at the transport level (e.g. SSL) or application level (e.g. HTTPS). I connect all of my computers to an IPsec VPN, which is especially handy for using public open wifi hotspots.
But few public services on the Internet support IPsec, so when my traffic leaves the VPN, it has to be downgraded to unsecured IP. Otherwise the large majority of Web servers and other Internet applications will refuse my secure connection requests over IPsec.
The technology exists, but the adoption rate is too low to be practical beyond LANs.
However, the larger security issue is not the Internet protocols but rather the applications themselves and the underlying software platforms. Internet-facing applications are commonly built in low-level languages which allow arbitrary memory references, out-of-bounds array indexes, and naked function pointers, or in high-level languages which allow embedding one language inside another.
These languages make it easy to inadvertently develop software which allows malicious users to hijack the process by supplying cleverly crafted inputs to the application. The user can trick the application into loading and executing malicious code which then runs with privileges and resources of the authorized process.
If the service requires IPsec connections, it may be possible for the system administrator to positively identify the malicious user after the fact, but by then the damage may already be done. The application dropped the ball, not the Internet.
Security vulnerabilities can be difficult to reason about while developing software, and there's a tendency for developers to reinvent the wheel (usually not so robustly). The wise approach is for a small number of developers to very carefully reason about the security implications of a set of common programming idioms and design patterns and for everybody else to color within those lines.
Certain chores like handling user input and interacting with data stores are fraught with easy mistakes, and the details should be hidden away from application developers in most cases.
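The comment above, on embedding one language inside another and hiding data-store details behind a small, carefully reviewed layer, can be shown with an added example that is not part of the original comment. It assumes Python's built-in sqlite3 module; the table, the `AccountStore` wrapper and the sample input are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db

def lookup_unsafe(db, owner):
    # SQL embedded in a Python string: the input becomes part of the query
    # language itself, so quote characters in it change the query's meaning.
    query = "SELECT owner, balance FROM accounts WHERE owner = '%s'" % owner
    return db.execute(query).fetchall()

class AccountStore:
    """Hypothetical vetted wrapper: the only place SQL text is written."""
    _SORTABLE = {"owner", "balance"}  # identifiers cannot be bound: allow-list

    def __init__(self, db):
        self._db = db

    def lookup(self, owner):
        # Placeholder binding keeps the value as data, never as SQL syntax.
        return self._db.execute(
            "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
        ).fetchall()

    def list_sorted(self, column):
        if column not in self._SORTABLE:
            raise ValueError("unsupported sort column: %r" % column)
        return self._db.execute(
            "SELECT owner, balance FROM accounts ORDER BY " + column
        ).fetchall()

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing quotes
    return {
        "unsafe_rows": len(lookup_unsafe(db, crafted)),        # every row
        "safe_rows": len(AccountStore(db).lookup(crafted)),    # no match
        "normal": AccountStore(db).lookup("bob"),
    }

if __name__ == "__main__":
    print(demo())
```

Application code that only ever calls `AccountStore` never writes query text, which is the "color within those lines" arrangement the comment describes.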
Sorry, I was there; I know this is false.
"One good thing about the dominance of the Windows operating system is that it naturally performs the function of an anti-virus software, protecting the less prevalent systems such as Linux."
Thanks for that line - I needed a hearty snort this morning! It's another howler.
As apparently you haven't been aware, I'll help: Windows has throughout its entire history, from even the earliest days of DOS, been _notorious_ as the hands-down leader in securityless computing. And yeah, I've had (way too much) hands on experience with exactly this and know what I'm talking about.
You should realize that out here in the wilds of the internet there yet remain some who are fully informed (on any given topic) and your ludicrous assertions are sure to be found out - though whether anyone posts a rebuttal is another matter.
That is precisely the sense of what I wrote. You should learn to pay more attention to what you read. By the way, if you claim that you have been there and know more, you have to be able to provide credentials.
It ensures my messages are stored and transmitted securely, and that only I and my recipients have the capability to decrypt your message data.
Nice *hit piece.
Called out by the Internets.
http://dontevergethacked.blogspot.com/