Like you I don’t know a lot about brain surgery, flying a jet, or hacking a cell-phone. Off-hand I often think of all of those somewhere on a spectrum from taking years to learn, to almost impossible, fictional or magical. Yet the evidence is different. People learn brain surgery, perform it regularly and well. Just this week we saw a mechanic take-off and fly a jumbo jet, apparently with only some video game experience. Which brings me to my newest proverb:
What we don’t understand seems all but impossible and fictional.
But that is not true. Perhaps I know that because I was once an expert in one software product. In the 1970’s I was an expert in a product by IBM called IMS. It was relatively new and it had occasional problem. IBM gave customers access to its source code. I could occasionally diagnose and cure problems by studying the symptoms and speculating on the possible errors in the code that would cause them, suggesting fixes to IBM often fixing them myself when IBM refused to address them. Few, if any, know how I did it. I knew, it was years of education, interest, access to that code, combined with a job that offered me an opportunity to do good things for my employer. Others, not everyone, could have done the same thing with enough motivation and interest. Even when I don’t know how to do something, I can understand how others could. How many of you know how to build apps for an iPhone? Well thousands have learned how to do that. And those apps often steal our data and can do many things with our iPhone. Do you trust those apps? Do you trust your iPhone? I rely on mine, yet I know danger always lurks.
A could of weeks ago I spent some time with an election official. He was obviously smart and accomplished, with a wide-ranging prospective. Yet, near the end of our time together, another computer scientist and I were unable to convince him that voting scanners were in any danger because his elections office did pre-election testing, had election definition files encrypted from a vendor, had no scanner internet connectivity, and kept the devices secured. Those all are good practices, yet even altogether they are insufficient with proven vulnerabilities. When we ended that discussion, I could tell he thought I must be crazy as we agreed to disagree.
Anyone who knows computers and software understands the risks. Any who has read in detail about STUXNET understands such threats are real. Few really understand how much more real and easy are threats from insiders. Every one of those security measures can by broken by outsiders, yet are much more easily broken by a myriad of insiders.
Case in point DEFCON, last week where some threats from outsiders are close to “Child’s Play”, many take just a bit more maturity, experience, and knowledge: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old <read>
The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups.
All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites…
On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.
Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver’s license numbers.
Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.
..
