So we can't solve the problem that way because if human beings are in the loop they will fail.
But anything that's done entirely by software can be spoofed by malicious software.
So barring some solution I haven't heard of, we can limp along, getting increasingly dependent on an unreliable system until it suffers catastrophic failure.
Catastrophic failure.
So far, no one has done anything important to our computer network because nobody who has that ability wants to. But it's inevitable that at some point somebody will cause irreversible damage to hundreds of millions of computers in North America and Europe.

The connectivity has given us new problems that were not so important in the past. We aren't just repeating the old mistakes, we're making brand new ones.
So -- your computer is somebody else's slave, it works full-time for them when you aren't using it, and part-time for them when you are. That isn't so bad for you when it still does what you want it to.
Your computer tells them everything you do. But mostly they aren't interested and you don't care. That isn't so bad.
There has never yet been a significant exploit of the computer system. But there will be.
What we are doing now is not viable. We need an alternative. My suggestion to put humans in the loop I now see would not work. But without that, even if you are quite knowledgeable about how things work, you still have no chance to avoid being part of the problem. Without that there is absolutely nothing you can do to protect your own personal systems.
I think there's nothing. Maybe I'm wrong. I have a couple of friends who refuse to run JavaScript, or Flash, or PDF. One of them uses a slow connection which makes him an unattractive target. He uses Linux on ancient hardware that nobody would particularly want to own. They both use Lynx. They both say that websites which have actual data show up that way, because the stuff that the marketing guys have pawed over won't work. Neither of them is confident that their systems belong to them.
They're both in Europe and they're both named Anton. That's probably a coincidence.

Sounds like they've got the key :)

Yup. They went for a Harvard architecture -- physically separate memory for data and code -- and a capabilities-based OS for controlling what processes are allowed to write to the code segments. That's on their time-sharing systems, early instances of which resemble a MULTICS service as originally envisaged (with 8-bit remote terminals with floppy disk drives and a single-tasking CP/M like OS to kickstart their personal computing revolution) ...

If your smartphone/PC etc. or even someone's at the NSA gets horribly corrupted, then it's not actually a catastrophe. It may be a nightmare for you, it might be a national security headache, but it's not a catastrophe from an IT POV.
Most of the computers that are very networked and might cause a catastrophic failure aren't staffed by people who don't know what they're doing and will "push the button" without knowing what's going on. Because the internet is widely networked, if one or two, or one or two hundred nodes go down it's not a catastrophe. (There may be places isolated behind a failed node that disagree with that but it's not a global meltdown.) Most of these places also have redundancy locally (like a backup server/router etc.) and a (group of) sysadmin(s) or similar who sit there 24/7 and baby it along and make sure it keeps on working.
There are places like nuclear power stations etc. where it would be a nightmare, but again you hope they employ someone with a clue and don't just randomly update, install patches etc. With or without such a hard-wired switch.

So you figure if their stuff required a manual override then we could weather it?
If in some hour 300 million computers in Europe and North America turned into hunks of metal that no data could ever be recovered from, it wouldn't be so bad because they would be the least important 300 million computers?
So we could sell good hardware to the pros, and today's junk to the plebes, and it would work out?

The US was handily winning in the first few days, and Iraqi generals started getting messages printed out by their computer printers. Of course the printers were on their Microsoft local networks, so they were easy to get to.
The CIA told each of them that the war was going well and they were going to lose. If he kept his men in barracks the barracks would not be bombed and his men would survive, and after the war he would get a pension. The printer gave him a contract to sign.
That must have been pretty convincing. When the enemy breaks into your own network to offer you your own generous personal surrender terms, probably they're going to win. (I don't know of any examples where the barracks were bombed anyway and I wouldn't know how to find out.)
Somebody dropped the ball somewhere along the line, and a year later the US-run administration, staffed largely by political appointees and their relatives, was still getting annoyed by Iraqi generals demanding their pensions. "No. You don't get a pension. You fought for Saddam. You lost. We don't give pensions to the enemy."
That was a simple trick. Now it turns out your hard drive and your backup and all your thumb drives are infected too, and there's nothing you can do about it.
People are talking like somehow this is acceptable. Any alternative would be too inconvenient.
Is that because they think the US government is ahead, and they trust the US government? If it was the Chinese or the Russians who were ahead, would it be acceptable then?

I think you're assuming everyone installs everything that comes by. I'm not quite sure what the most successful malware we've seen was, but ILOVEYOU has to be way up there. But like biological viruses part of its success was it actually didn't do much - it crapped on your image files and sent itself to your email lists. Today that would be nastier because we've got more of our images on our computers but still not catastrophic for most of us - our computers would still work for example. Ebola has been all over the news for months. While I have every sympathy for the people it killed, infected and those around it, and those scared they're going to catch it, more people have caught the common cold in most months for the last 2 or three months in just Britain than have been infected with Ebola worldwide in the last 2 years. In terms of severity there is no comparison of course, but in terms of numbers there's no comparison the other way.
If a virus spreads that bricks your tablet - let's say it bricks all iOS devices - then if Apple issued it, they're going to spend their warchest in a hurry. It should be harder for anyone except Apple to do because of their walled garden approach. On Android devices, fragmentation may or may not protect you.
On a desktop or laptop, there's still different chip sets, different OSes etc. So killing them all... tricky. And like a lot of biological viruses there are issues about kill viruses. If I get a virus that gets in and blows up my computer, it has to spread to everyone first because once my computer is bricked, I'm unplugging it and getting a new one that is, hopefully, uninfected.
The chances of someone bricking all the computers in the world overnight... maybe I'm just being unduly complacent. It's not my area of expertise. But I think it's much more the area of paranoid nightmares.

If either of us had that expertise we could not legally discuss it. So it is not possible for us to know what's possible.
What we have seen from NSA has been very polite. They have made viruses that erase themselves after a while if they find they have not reached the specific targets they are aimed at. Etc. They have been designed to do a particular task and then eliminate themselves. It's taken a long time for some of them to be discovered at all, and surely some that they have been using have not yet been discovered.
Most of what NSA does, somebody else could do given the knowledge and a moderately large budget. They have copies of everything that goes through a US hub, which others can't duplicate easily. They can tamper with the US mail. They can sabotage hardware built in the USA and maybe some other hardware. But stuff that gets done with viruses, anybody can do if they learn how.
Anybody who knows how can reprogram your hard drive to hold their code and not tell you or anybody that it's there. They can run their code when your computer starts, as soon as the booting computer asks for some code from the hard disk. The code they run can send anything from your disk over the internet to them, if there's anything on it they want. They can encrypt your disk so nobody but them can get anything from it, or they can erase everything that isn't theirs -- if they want to. When they want to.
There has never been a significant sabotage event. Never. Not yet. I think it's primarily because nobody who knows how to do it, wants to do it. Maybe I'm wrong. Maybe there's no way it could happen. If I knew what I was talking about I would not be allowed to talk about it.
How much should North Americans be ready to bet that I'm wrong?

Trivial, compared to a big attack.