
Will the West Survive Computer Technology?



http://www.theglobeandmail.com/news/world/chinese-hackers-compromise-us-missile-systems-jets-ships-report/article12185265/

Also, this old document: http://www.internetsociety.org/articles/security-protocol-failures

Hostile regimes gain access to defense plans.

In our rush to make life "easier" through computerization, we have created a society where theft has become exponentially easier. Scammers collect millions of dollars in a few hours. Private information is routinely stolen and misused. And on and on...

The bank and the credit card companies keep assuring me that they have the utmost security. Yet it has become easier than ever to steal chip information off my card. Not to mention that they lose billions, themselves.

Even your car's electronic key can be read and duplicated easier and quicker than a real key....

Now we are moving to mandatory paperless reporting. Unsecure email is being used for purposes for which it was never intended. Especially since I cannot take my email address with me, when I change providers...

And millions of "accounts" out there which go dormant when people die... (What DOES happen to them?) ..

Can we survive this death by a thousand cuts??? Will there be the one big failure which will make the 2008 financial meltdown seem like a mere hiccup?

..

Edited by Icebound
Link to comment

There just has to be a lot of security measures put in place, and more professional hackers hired to find weaknesses in important computer systems so that they can stay up to speed with hackers who want to do illegal things. I don't think security is at an adequate level and cyber attacks or even cyber terrorism is a major concern, but at least governments are well aware of it.

Link to comment

There just has to be a lot of security measures put in place, and more professional hackers hired to find weaknesses in important computer systems so that they can stay up to speed with hackers who want to do illegal things. I don't think security is at an adequate level and cyber attacks or even cyber terrorism is a major concern, but at least governments are well aware of it.

They have been aware of it for over a decade, I'd say close to two decades. The US Military views the Internet as simply another weapons system. Other countries are using it and viewing it the same way. China, Russia, etc. etc. ... there is a cyber war going on at the same time as real conventional wars in the real world.

Link to comment

They have been aware of it for over a decade, I'd say close to two decades. The US Military views the Internet as simply another weapons system. Other countries are using it and viewing it the same way. China, Russia, etc. etc. ... there is a cyber war going on at the same time as real conventional wars in the real world.

We need a Tom Clancy movie about this. lol

Link to comment

No need for a movie, it's being played out for you in front of you.

http://www.amazon.ca/Cyber-War-Threat-National-Security/dp/0061962244

I suggest this book, not very long but shows how the USA is viewing the Internet as a weapons system.

.... except that in this particular war, Mutually Assured Destruction is not a deterrent, the way it was in the Cold War.

And so I expect that MAD will actually occur. Or at least: mutually severe damage.

Link to comment

  • 10 months later...

A year ago, this question was posed tongue-in-cheek because we already suspected the answer.... and now we KNOW...

What do we know?

This bug needs to be fixed because some hacker could accidentally stumble onto vital information; however, the chances of anyone actively seeking and finding useful information with this exploit are near zero. Your chances of winning the lottery are many times higher than having a password leaked to an individual willing to do something nefarious with it.

Link to comment

This thread is being resurrected in honour of the Heartbleed bug...

http://www.reuters.com/article/2014/04/09/us-cybersecurity-internet-bug-idUSBREA3804U20140409

A year ago, this question was posed tongue-in-cheek because we already suspected the answer.... and now we KNOW...

The more things get connected the more problems you are going to see. You have a hacked home smart fridge sending out spam emails. You have a smart smoke alarm that gets disabled by waving your arms, the same way you turn off the alarm when it goes off, real smart there. Large scale server hacks on all sorts of private and public institutions on a daily basis. Theft of millions of customer information. Downtime and revenue reduction due to trying to fix the issue.

Now how the hell did someone manage to make a virus that will throw down what is supposed to be an international standard for web security? And how did they manage to infect an estimated 2/3rds of the global server infrastructure? That is no small task. I would be interested to know what is the ratio of types of servers. Unix? Windows? Other?

It's been proven that if you can hack into a device that is somehow connected to the net, or get the virus uploaded to the device even if it is on an isolated network (Stuxnet - Iranian nuclear facility) you can damage hardware and possibly make them break themselves through operating out of spec.

This is not a surprise to me.

So who has the resources to accomplish this task? What was this cyberterror attack supposed to accomplish?

Link to comment

The more things get connected the more problems you are going to see.

Yes, and things get quietly solved as time goes on. It gets better.

Do you remember installing drivers before plug & play ?

Do you remember the days when airlines regularly lost luggage ?

It's better now.

As somebody who tries to make things better, I can tell you that a tiny thing going wrong gets noticed a lot more easily than a pervasive fundamental problem that is solved behind the scenes.

There are lessons in there for all aspects of human activity, especially the political economy. I just don't know how they can be applied for good rather than evil.

Link to comment

What do we know?

This bug needs to be fixed because some hacker could accidentally stumble onto vital information; however, the chances of anyone actively seeking and finding useful information with this exploit are near zero. Your chances of winning the lottery are many times higher than having a password leaked to an individual willing to do something nefarious with it.

Yes, the head-in-the-sand approach is good.

So 900 SIN numbers were compromised. They will never be used to open a bank account, right? Maybe only one of them will. It won't disrupt the guy's life ...much.... Collateral damage in the grand scheme of things.

Do you remember installing drivers before plug & play ?

Do you remember the days when airlines regularly lost luggage ?

It's better now.

There is a big difference between plug and play.... (which is more convenience) .... and lost luggage (which is worse security)

More convenience has ROUTINELY resulted in poorer security. When I had to walk down to the bank to cash a cheque, my face and my signature proved conclusively who I was.

It is certainly NOT better now.

Here is your lost luggage...26 million pieces of it : http://www.cntraveler.com/travel-tips/flying/2012/07/airlines-baggage-luggage-checked-fees-missing-bags

And here is your missing money: 7.6 Billion of it. http://www.huffingtonpost.com/2011/10/04/credit-debit-card-fraud-more-common-banks-lose-ground-hackers_n_994690.html

Link to comment

Yes, and things get quietly solved as time goes on. It gets better.

Do you remember installing drivers before plug & play ?

I know you are not very knowledgeable when it comes to technology. Your two points are proof of that. Drivers are not the same as a virus that can cascade a whole bunch of problems through a nation's infrastructure that relies heavily on Internet communications to operate. This is the point I make about being more connected means more potential issues. Web/network admins and security specialists deal with this every single day.

Viruses, malware, spyware, the NSA etc. etc. ...

Do you remember the days when airlines regularly lost luggage ?

This is even worse than your other point.

As somebody who tries to make things better, I can tell you that a tiny thing going wrong gets noticed a lot more easily than a pervasive fundamental problem that is solved behind the scenes.

Then why do things like this Heartbleed virus manage to cause so much damage if these things are noticed? Not even the NSA and other security agencies were aware of this virus.

Link to comment

So 900 SIN numbers were compromised. They will never be used to open a bank account, right? Maybe only one of them will. It won't disrupt the guy's life ...much.... Collateral damage in the grand scheme of things.

I am extremely skeptical. Given the nature of the bug there is no way they could know that 900 SIN numbers were compromised. Most likely they figured out that 900 SINs were in the computer memory and a very lucky hacker *might* have picked up a few of them. But even if he did there would be no context like the name or date of birth, which would make them useless.
Edited by TimG
Link to comment

Then why do things like this Heartbleed virus manage to cause so much damage if these things are noticed? Not even the NSA and other security agencies were aware of this virus.

First - it is NOT a virus. Calling it a virus makes you sound like you don't have a clue what you are talking about.

This XKCD cartoon is the best explanation of what it is:

http://xkcd.com/1354/

Second, the damage has been caused by the reaction to the news (i.e. CRA down for a week). Not by the exploit itself.

Link to comment

I know you are not very knowledgeable when it comes to technology.

That's your opinion. We went head-to-head on this with the question of whether the government needed to have data in order to find out metadata, which I eventually explained to you.

Your two points are proof of that.

The subject matter I'm addressing is how technology works over long periods of time. It's clear that you have your own issues, calling Heartbleed a virus for example, as TimG pointed out.

In any case, the discussion of how technology and history are related has nothing to do with how to execute a SQL query. I also feel you have a lack of understanding on this topic, so I guess we agree to disagree.

This is the point I make about being more connected means more potential issues. Web/network admins and security specialists deal with this every single day.

Viruses, malware, spyware, the NSA etc. etc. ...

What's your point ? Technology solves problems, and as a consultant once taught me - when you solve problem #1, then problem #2 gets a promotion.

I will maintain that things generally 'get better' with regards to technology as time goes on. Problems get solved, and new ones arise.

This is even worse than your other point.

No. Problems get solved, that's my point. Even social problems. We have gone around on this many times, and when I post trends, progress and improvements your response is to reply with point-in-time statistics.

Your understanding of these things is much better at the micro- level than macro- I find.

Then why do things like this Heartbleed virus manage to cause so much damage if these things are noticed? Not even the NSA and other security agencies were aware of this virus.

Case in point.

But, I note that you think the NSA wasn't aware. I'll use that to mitigate any future points about the NSA being behind it, as I'm starting to see now.

Heartbleed is a new problem, for sure.

Link to comment

Second, the damage has been caused by the reaction to the news (i.e. CRA down for a week). Not by the exploit itself.

Indeed, the organizations affected seemed to have networked so as to mitigate impacts this time around.

I point GH to Toynbee's "challenge and response" model of history for reference.

Link to comment

Indeed, the organizations affected seemed to have networked so as to mitigate impacts this time around.

It is very easy to fix for most websites (I don't know why CRA is having so many problems - perhaps it is because they need 20 meetings to get key stakeholders to sign off before they can authorize the fix...). There are many devices with embedded web servers (e.g. your wireless router) which will be harder to fix but they may be using an older version of OpenSSL which is not affected.
Edited by TimG
Link to comment

First - it is NOT a virus. Calling it a virus makes you sound like you don't have a clue what you are talking about.

This XKCD cartoon is the best explanation of what it is:

http://xkcd.com/1354/

No matter if you call it a virus, we still have a huge problem. And you are correct, virus is not the correct term. This is an exploit. And, as a geek/nerd, I loathe XKCD. That panel cartoon is even more ambiguous than what has been explained to me and what I already know of SSL. I actually feel dumber for reading it.

Here is a better clip to understand. If you got 12 minutes to spare.

Second, the damage has been caused by the reaction to the news (i.e. CRA down for a week). Not by the exploit itself.

And with the CRA they admitted today that close to 1000 SIN numbers were stolen. The exploit allowed that to happen. The damage done is by the virus, not the reporting on it. You take the servers down in order to patch them properly. You cannot have them operating while you have this severe security issue.

I recall an email virus that ran rampant through the company network I was working for. It was a zero day virus and caused massive disruptions. All email servers were taken offline for close to a day while the servers were worked on and cleaned and while they verified the integrity of the data. That is the proper way to do it when you have a major virus or exploit.

http://www.cbc.ca/news/business/heartbleed-bug-900-sins-stolen-from-revenue-canada-1.2609192

The Canada Revenue Agency says 900 Canadians have had their social insurance numbers stolen from its website because of the Heartbleed security bug.

The agency said early Monday it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period — although the agency didn't specify what six-hour period is in question, and isn't offering further explanation beyond a statement posted on its website.


"Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

Link to comment

That panel cartoon is even more ambiguous than what has been explained to me and what I already know of SSL. I actually feel dumber for reading it.

It is not wrong. It explains what the exploit is in terms a non-technical person can understand. It also illustrates how this "exploit" depends on dumb luck, i.e. the chance of a hacker finding anything useful is pretty small.

And with the CRA they admitted today that close to 1000 SIN numbers were stolen. The exploit allowed that to happen.

They are covering up something else and blaming heartbleed because they would have to be extremely unlucky to get hacked with information acquired with heartbleed. Just like with climate change - every hiccup in the weather is blamed on CO2 even if there is no credible connection.
Edited by TimG
Link to comment

That's your opinion. We went head-to-head on this with the question of whether the government needed to have data in order to find out metadata, which I eventually explained to you.

It's not an opinion, it seems to be more of a truth. The metadata has enough data about the 'data' it might as well be the data. You've displayed your ignorance on technology several times already.

The subject matter I'm addressing is how technology works over long periods of time. It's clear that you have your own issues, calling Heartbleed a virus for example, as TimG pointed out.

The matter I am addressing is the more things get connected the more problems like this you are going to see. And server hacks and this exploit prove my point without a doubt. We have been running with this tech for about two decades. This is now a global infrastructure.

In any case, the discussion of how technology and history are related has nothing to do with how to execute a SQL query. I also feel you have a lack of understanding on this topic, so I guess we agree to disagree.

Stop jumping all over the place. This is not SQL, this is a security exploit in the SSL (secure socket layer) for encrypting important data between your PC and the host server. The issue is with the communications protocol, not the query function. This is why I hold the opinion that I do of you and tech.

What's your point ? Technology solves problems, and as a consultant once taught me - when you solve problem #1, then problem #2 gets a promotion.

In many cases, one problem is fixed, two more arise. That might be due to incompetence of the programmers or technicians. Both I have experienced. I've worked on large scale network infrastructures.

But, I note that you think the NSA wasn't aware. I'll use that to mitigate any future points about the NSA being behind it, as I'm starting to see now.

I doubt the NSA is behind it, but I will call bull on them saying they did not know about it before the exploit hit. It's not a zero day type exploit or virus. The exploit is in the SSL itself.

Heartbleed is a new problem, for sure.

Won't be the last, or the biggest.

Link to comment

It's not an opinion, it seems to be more of a truth. The metadata has enough data about the 'data' it might as well be the data. You've displayed your ignorance on technology several times already.

How so ? I have PM'd you to compare technical qualifications. I'm sure you'll find that mine stack up well with yours.

The matter I am addressing is the more things get connected the more problems like this you are going to see.

Well, yes. See my point about problem #2 getting a promotion. The success of technology itself is proof that problems get solved.

This is not SQL, this is a security exploit in the SSL (secure socket layer) for encrypting important data between your PC and the host server. The issue is with the communications protocol, not the query function. This is why I hold the opinion that I do of you and tech.

Yes, but my statement wasn't about that. You've misunderstood again. I'm saying that if you know SQL better than me (which I actually doubt) then it doesn't mean you are more qualified to talk about technology in general. You are unable to fathom analogies, and tend to be an alarmist in your postings IMO.

Link to comment

How so ? I have PM'd you to compare technical qualifications. I'm sure you'll find that mine stack up well with yours.

Irrelevant, that will turn into a pissing match. Not down with it. And our technical fields in technology might be drastically different and not comparable anyways.

Well, yes. See my point about problem #2 getting a promotion. The success of technology itself is proof that problems get solved.

Actually it is the technology failures that are proof that problems will get solved. It is the success of resolving those issues that is the success of technology.

Yes, but my statement wasn't about that. You've misunderstood again. I'm saying that if you know SQL better than me (which I actually doubt) then it doesn't mean you are more qualified to talk about technology in general. You are unable to fathom analogies, and tend to be an alarmist in your postings IMO.

My analogies are quite good. The two you provide are terrible analogies.

This heartbleed exploit proves I am not an alarmist.

Link to comment

Irrelevant, that will turn into a pissing match. Not down with it. And our technical fields in technology might be drastically different and not comparable anyways.

Ok - well, given your reluctance to not see my qualifications, I trust that we can put this presumption of yours to rest.

Actually it is the technology failures that are proof that problems will get solved. It is the success of resolving those issues that is the success of technology.

This is called progress.
