In 1983 the movie "War Games" detailed how a high school student with an IMSAI computer nearly causes atomic war between the Soviet Union and the United States. The IMSAI computer, one of the first home computers ever sold, was used to dial into a what turned out to be NORAD. Once connected the young protagonist finds games which turn out to be realist NORAD war simulations.
Books like "Ender's Game" (written by Orson Scott Card) follow similar concepts where children use games to develop strategies to defend the planet for hostile aliens and computer games to run the actual attacks.
But all this was nearly thirty years ago.
What's interesting is how wrong it all was.
True cyber war like the kind practiced by the authors of STUXNET against the Iranians are much different than the Hollywood reality. The roll of computers and technology in world-changing and war-like events comes down much more on the side of unlikely things like sloppy coding at Microsoft, cellphone networking, and Facebook.
The ousting of middle eastern despots has been enabled as much by cellphones and Facebook as any sort of computerized plan of attack. These tools, instead of directly attacking the regime instead provide a means for the humans involved to organize their own plan. The act as a "social lubricant" that allows the underlying feelings in society to be more easily and freely communicated, and with much less risk, than in the pre-computer days.
Posting anonymously on Facebook is much safer than "nailing 95 theses" (an idea for which there is not historical evidence) to the local church door. No one can see you, no one knows who you are, no one can prove you did it.
Similarly with cellphones - text your friends to meet in Tahrir Square. Who started the texting? Who's idea was it? How would anyone find out?
No, Facebook and cellphones are simply tools for literally "crowd sourcing" and "trash mobbing" attacks on repressive regimes. While I might personally be afraid to go down to the local square and throw bricks at the authorities if I text twelve buddies about how I feel I won't have to show up alone and there's a good chance of finding at least one person with a worse attitude than me.
Hardly the "War Games" scenario...
And then there is Microsoft.
Windows 2003 - the technology of choice for the Iranian centrifuge control - is so full of security holes its nearly impossible to fix.
Why is this?
Mostly because nearly 100% of all Windows programmers and software did little or no "bounds checking".
"Bounds checking" is a very simple concept. Let's say that I have a field to type your name into on my web page. Say I am generous and I leave you 100 characters for a name and I leave a corresponding 100 characters in my program and database for said name. As long as no one types in more than 100 characters everything works. If I type in 101 characters the extra character has no room and goes "off the end" of one field and steps into another - wreaking havoc along the way.
Since Windows was designed at the bleeding edge of technology in it 1980's hey days there was no reason in much of the code (much of which survives to this day) to check for these boundary conditions - the cost in terms of processor performance, program size, and programmer time was simply too great.
Which leaves us the STUXNET.
I would say the first real cyber weapon.
Which brings us to Red Bull and flip flops...
Deputy Defense Secretary William Lynn recently commented at a San Francisco security gathering: “...it is possible for a terrorist group to develop cyberattack tools on their own or to buy them on the black market...” he said, “As you know better than I, a couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.”
Personally I prefer boxers, sandals and coffee...
But Lynn rightly wonders what al-Qaeda might accomplish with weapons like STUXNET.
The problem is that when companies like Microsoft develop software they cannot do it from the perspective of what nefarious purposes others might use it for. It simply cannot be done. At the time Windows was developed there was no issue like "bounds checking" to contend with - it was hackers dialing in from IMSAI home computers.
No comments:
Post a Comment