On the heels of the third Presidential “debate”, there was
much hand-wringing and finger-wagging against Trump, for refusing to commit
himself in advance to not contesting the election, no matter how it turns
out. Actually no rational
candidate should do that -- there is always the possibility of a squeaker, in
which the seemingly-losing candidate may demand a recount (most recently and
notably in Bush v. Gore). But additionally, there exists a
scenario, unfortunately not science-fictional, in which Hillary not only
would, but should, contest the results, and indeed demand something more
thorough-going than a mere recount.
Namely, as the candidate herself maintains (very plausibly):
(1) Russian state actors hacked the DNC data as well as that of
the chairman of her Presidential campaign.
(2) Putin is said to have it in for Mrs Clinton.
So -- what if a state actor were to hack the vote-count, and
throw it to Trump?
When I mentioned this scenario to people at work, they
mostly preferred to shrug it off and keep their fingers crossed. And indeed, (1) + (2) do not entail that Putin either would, or could,
pull off a vote-fraud on that scale.
But the very next morning, two news items caught the world’s attention.
(3) Russia sent its fleet through
the English Channel. As they
passed Dover, they trained their guns on England.
(4) A wide variety of very
prominent (and, one would imagine, relatively well-defended) Web sites were -- a thing unprecedented --
simultaneously unreachable.
(3): Would (Putin
is not reticent about flourishing power).
(4): Could (rather than attacking such sophisticated well-fortified sites as Amazon and the New York Times, he need only get past the defenses of the clueless retired librarians and what have you who run the elections in Mississippi et cetera).
As it turns out, the attacks were not quite as concerning as
one could have been led to believe by vague early media accounts. The attackers didn’t manage to
hack their way into the sites in
question, where they would be in a position to make mischief (say, to order one
billion copies of The Art of the Deal with next-day shipping to the
Clinton campaign).
Rather, they merely flooded the servers of a somewhat obscure DNS
company (one which originated, in Wikipedia’s phrase, as “a community-led
student project” at Worcester Polytech), which performs the humble domain-name
service for various sites.
By way of comparison:
Anyone can temporarily block access to Fort Knox by burning a
semitrailer on the entrance road;
that is quite different from actually breaking in and making away with the
gold. Specifically as
applied to electronic vote-counting,
all that a DDOS attack could do would be to disenfranchise that fraction
of Alaskan voters (they won’t be missed) and overseas servicemen who are allowed to vote via the
internet; it wouldn’t change their votes to a different
candidate, nor those of non-Internet voters.
Nevertheless, the attack was significant for the novelty of
its Denial-of-Service robot army,
relying in large measure on the “Internet of Things” -- “smart” (read:
idiot-savant) devices like late-model thermostats and baby-monitors.
[Image: "Smart" refrigerator, plotting evil]
Now, I have long been annoyed, in a grumpy curmudgeonly way,
with contra-Ockhamian appliances and interfaces, that try to do so many things
that they perform their core function less well, and have multiple points of
failure. But I had not
realized their potential for active lethality, in concert, a sort of
globe-girdling zombie army. So I
contacted my old friend Песец из Канады, surveying the bedraggled
march of history from his perch in
the frozen north:
> As a guy who used to program for limited-memory ROMs serving closed,
> pre-circumscribed-purpose platforms, perhaps you can answer this: How
> can a single-purpose device like a thermostat have the capacity to
> store, and then launch upon instruction, malware used for DDOS ??
He replied:
Nowadays, "limited memory" means gigabytes. It actually costs *more* to make a product that is only capable of doing what it needs to do and is not also a mass-produced general-purpose computer.
For the moment, people still tend to buy products that "connect to the Internet!!!" As more of these IoT disasters unfold, I expect that eventually people will learn that they must never allow Internet access from any computer whose program they are prohibited from replacing. First off, "connects to the Internet!" is just a bullet-point on the packaging; manufacturers don't really want to pay what it would actually cost to develop a *secure* product that connects to the Internet. Second, there are considerable social forces acting on manufacturers to engage in frankly-evil acts -- and one evil act can build upon another, leading to a DDOS attack.
Example: Samsung used to sell a television set that recorded all your voice conversations (for no reason) and sent them to a central server (for no reason) over an Internet connection (that a TV doesn't really need). It offered a menu item for turning off this behaviour, but the Samsung TV was programmed to lie to its "owner" and claim that it had stopped spying, while actually continuing to do so under orders from its manufacturer. In a perfect world, Samsung's corporate charter should have been revoked for this. Instead, TV's are joining thermostats as IoT objects that can be co-opted by terrorists. Isn't it nice of us to provide them with this free ammunition?
Microsoft's Windows 10 has the same problem -- it spies on you, offers an option to turn off the spying, then continues to do it anyway. Windows 10 should not be used on any computer connected to the Internet, especially by a person who holds a security clearance from any country. A computer that has been programmed to accept orders from "our spies" over the Internet is a computer that can be co-opted by "their spies" over the Internet.
GM's "OnStar" vehicles have the same problem: a car that can be remotely shut down by police is a car that can be remotely shut down by an assassin or a terrorist. Wouldn't it be interesting to find out if it's technically possible to convince all the GM-branded cars on the Beltway to simultaneously shut off their brakes and steering while travelling at highway speeds?
Speaking of computers inexplicably connected to the Internet, *why* do American e-voting machines have Internet connections? The only obvious reason to do that would be to allow the government to disclaim the result of an election that doesn't go their way: the American people didn't *really* vote for Donald Trump, that was just the Russians hacking our voting machines because they're evil demons who do evil things for no reason -- after we give them the necessary tools for no reason. How dare the Russians "interfere" with our election by publishing the emails that Hillary insisted on letting them have! And why is it that we are preparing for cyberwar against Russia, when it always seems to be China conducting cyberwar against the USA? That's like invading Iraq because some Saudi dissidents based in Afghanistan attacked New York City.
I'm voting for Stein. Thankfully, I will not have to move to Canada after the election.
That assertion about Windows 10 was startling. I did not wish to post anything so
denigrating about the LOVELY, PEACEABLE, TOTALLY NON-LITIGIOUS ALL-POWERFUL
MEGA-ENTITY MICROSOFT (who can crush poor bloggers like a bug) without some
supporting footnotes, which my correspondent kindly supplied:
http://www.howtogeek.com/273513/why-you-shouldnt-use-anti-spying-tools-for-windows-10/
"You can’t fully disable telemetry on Home or Professional editions of Windows 10... If you have a major philosophical problem with the fact that Windows 10 doesn’t let you avoid non-security updates or disable telemetry, don’t try to fix it. Instead, just switch to another operating system, like Linux..."
http://www.disclose.tv/news/the_extent_of_windows_10_spying_software_is_revealed/127799
A more alarmist article, claiming that even buying the Enterprise edition of Windows 10 still won't stop all the spying.
https://discussions.agilebits.com/discussion/70037/windows-10-keylogger
Windows 10 keeps copies of everything you type and sends them to Microsoft's servers. There is a button to turn this off, but Microsoft keeps sending out updates that turn it back on -- and you are not permitted to turn off those updates.
Those assertions are disputed elsewhere, e.g
The dispute is way above the pay-grade of this peaceful,
penguin-loving site, and we take no stand on the matter.
[Image: Wholesome penguins, lacking Internet access, don’t worry about any of this]
~
Miscellaneous musings:
(1) In the case
of weaponizable appliances, we are faced with a double-bladed Tragedy of the
Commons. It is simply not in
the interests of the various cost-cutting Asian-tiger gadget manufacturers to
add in security (which in any event would be swiftly obsoleted; and nobody’s going to pay for ongoing anti-zombie
tech-support for Net-connected blenders and toasters). Nor does the individual consumer
particularly care (save in so far as heroically public-minded) whether his
electr(on)ic toothbrush or Web-connected hamburgerbun sesameseed-applicator was
out on the town last night, ravaging Reddit (though they do seem a bit
hung-over this morning).
(2) When the
DNC hack was pinned on Putin, pundits wondered aloud (or rather, aprint)
whether we should retaliate by deploying our own cyberattack tools. That was ill-considered.
(a) First, sanctions, to have any
point, must be publicly announced -- a tariff, an embargo, a finger-wagging
on the New York Times editorial page, or what not. The virtue of cyber tools is that they can be used
stealthily and (with luck) deniably -- exactly the wrong scenario here.
(b) Cyberwar is serious business,
and its means stand on the forefront of (secret) research. You want to minimize exposure of your
tools until they are needed to be deployed for
real, and not just as a petulant gesture.
To retaliate against Putin (or anyone else), you select that
arrow from your quiver that best meets the case; you don’t limit yourself to mimicking
his moves, doing exactly what he did
(as the lex talionis enjoined).
Which raises the question: In Friday’s attack, cui
prodest? On the face of
it, nothing positive was accomplished, just a few hours of snail-slow
connection times. And the
attackers lost the element of surprise as regards a next such attack: defenders now know that, in estimating
the power of the next DDOS attack, they must reckon-in the gadget-bot
army. But it might
have been worth it to the attacker, to see how vulnerable a crucial node like a
DNS would be. The sally
would thus be the cybernetic equivalent of a ferret flight.
(3) From a
conspiratorial standpoint, the beauty part is: it is not even necessary actually to manage to hack the vote
-- merely providing plausible reasons for people to imagine you might have,
poisons national confidence.
Cf. the ridiculous episode of the Nigerian Underwear Bomber, who failed
to bring down the plane he was riding on, managing only to boil his balls: still, AQAP rejoiced, since it was
enough to get TSA’s knickers in a twist. Already burdensome security became more burdensome
still -- though unlike the case of the Shoe Bomber, the incident did not lead
to the targeting of a specific garment -- no Skivvies Inspections at the
airports as yet.
[Update 28 October 2016] And now, sailing in from left field, the bizarre carom-shot
off Anthony Weiner’s computer,
announced today out of
nowhere by a po-faced FBI
director, somehow supposed to link up with the in principle unrelated Hillary-computer-emails brouhaha. Nothing substantive yet, nor will there
be (he conceded) until after the election; as Trump said recently in another connection, “I’ll keep you
in suspense.” (As a mysterywriter, I would hesitate to concoct so far-fetched a plot; but reality recks not verisimilitude.)
Thus, it is not only Trump voters who have reason to
question the legitimacy of this electoral season.
Note, though, that anyone maintaining that the timing of the
announcement was calculated to maximize the damage to Mrs Clinton, should
consider the fact that it was made at the least
sensitive time in the news-cycle, Friday afternoon, the hours at which any
business or administration prefers to release embarrassing news.