In an interview with Ex-Interpol agent Marc Goodman, NewScientist‘s Douglas Heaven discovers that the upcoming ‘Internet of Everything’ means everything can be hacked (paywall):
You’re implying that every connected device is a target. Why do you think that?
No one has ever built a computer system that could not be hacked. We are rushing full speed ahead to put every possible device online and they’re all insecure. We should pause for a moment. If somebody hacks my television, do I care? But all of the world’s critical services are run by computers and we’re seeing these computers increasingly come under attack. People have always struggled for power. Now, if you control the code, you control the world.Does that include connected technology like CCTV security cameras?
The tools we have to protect us can be subverted and that security used against us. It’s what I call the judo model of cyber security – using your opponent’s weight against them. You really can’t have any faith that when you set up 300 cameras on a street in London, or wherever, that the government is the only one watching.Nor can anyone trust what they see on screens. We’ve all received phishing emails that appear to be from our bank. That was taken to the next level with the Stuxnet malware attack in Iran in 2010. Nuclear engineers in a control room were staring at screens that showed the status of uranium-enrichment centrifuges. The screens said everything was fine but the centrifuges were actually spinning out of control. Somebody had inserted a hack in between what was really going on and what was being presented on the screens. We are becoming increasingly disconnected from physical reality in this way.
I’ve often felt that computers are best considered to be multipliers. Someone who holds up a bank only gets what is – at best – in the bank’s branch at that time. If they’re real thrill seekers, they take hostages and make a bit more – or get shot in the process.
Computer hackers can do much, much better, and generally from the safety of their office.
For the professional software engineer, the future may hold some interesting questions:
- Does your favorite programming language make it easy or hard to write code vulnerable to hacking? (Hint: If it’s C, it’s probably really, really easy.)
- Does your favorite language easy to evaluate for correctness? Most are not; the languages in the functional paradigm are reputedly a little more easily evaluated, but I haven’t seen it done on – yet – on production level code. If you know of examples, let me know.
- Does your language let you program computers – or express solutions?
- Have you ever taken a class specifically oriented towards writing secure code?
This is not to imply that all – or even most – vulnerabilities are the fault of programmers; some are hardware, some are social. But a significant fraction of them are a result of using insecure programming languages, and future languages should be designed with that in mind. I am not an expert in security (I’m more a jack of a few trades – don’t ask me about numerical analysis, either), but I used to read comp.risks, and I hear things.
FOR EVERYONE – I can’t help but pose the obvious question: if the Internet went away, how would it affect YOU?
