Hacker wars
Future government intervention is scarier than future exploits.
Coding history should have taught us one valuable lesson: Programmers will make mistakes (actually other humans do this too). String, buffer and heap overflows have all been around a long time and as long as humans are involved it’s hard to see things changing. Sure, we can all start using new-fandangled, type-safe, memory-safe and thread-safe languages like Go, Rust and Swift, but we’ll just introduce new classes of bugs. And the bad guys will find new and inventive ways of exploiting these. Even as we are putting the finishing touches to this article, a new bug (actually two: CVE-2016-0777 and -8) has been discovered in OpenSSH.
Writing at the beginning of the 20th century, Nikola Tesla said that in future war would be fought by machines and robots. If we grant him some degree of prophetic licence here, then he’s quite right – think drones and bomb-disposal robots. Assuming current trends continue, though, the future battleground is online. Nations have developed ‘cyber armies’ and huge sums of money are devoted to offensive ‘cyberstrategies’. We’ve seen that critical infrastructure can be crippled: in December 2015 it emerged that a power outage in western Ukraine was the result of a politically motivated hacking attack. Why bother with bombing a city to bits when you can just switch the electricity and water off?
Hackers wearing black or white hats are discovering new and incredibly advanced exploits on a daily basis. These might involve a BIOS/UEFI-attacking rootkit, or even manipulating your laptop’s memory using electromagnetic effects between adjacent cells (as in the Rowhammer attack). If a sufficiently motivated and capable attacker (eg a nation state) is particularly interested in disrupting an individual’s online activities, then it may use a zero-day exploit against them. The zero refers to how many days the exploit has been public for, so if you’re vulnerable then there’s nothing you can do about it. However, for all the technical capability, attacks of this kind are comparatively rare, as we’ve said previously. Even though the Ukraine power attack involved advanced malware known as BlackEnergy, the root cause appears to have been a spear-phishing attack featuring a poisoned Microsoft Word document.
Encryption concerns
Nonetheless, governments have become increasingly interested in the activities of security researchers, and proposed updates to the Wassenaar Agreement (a set of guidelines that signatories agree to implement) would make it difficult for researchers to share their findings across borders. Hampering this research or, worse, forcing vulnerabilities to be disclosed to governments rather than the relevant software’s authors, would set a dangerous precedent.
Last year, David Cameron made comments that suggested he wanted to ban encryption. His office has since said this was not his position; however, the proposed Investigatory Powers Bill (the draft of which runs to 300 pages, should you require some light reading) contains provisions which would compel ISPs to provide customer data under a court order. The wording is fuzzy, but the draft makes reference to the Home Secretary being able to request ‘the removal of electronic protection’ from communications providers. When citizens indulge in end-to-end encryption (eg GPG emails, WhatsApp) only they can decrypt their conversation, so no third party can do anything about any ‘electronic protection’. [you legally have to disclose any known keys to the UK authorities already – Ed]
So-called strong encryption (a branch of mathematics called public key cryptography) has ruffled feathers on both sides of the Atlantic. Many politicians favour a key escrow system, where citizens are free to communicate in private, but the government holds a ‘master key’ (or some other backdoor) which can undermine all of that privacy. Tech firms have been united in their stance against this idea, not because they are sympathetic to the four horsemen of the cyber-apocalypse (terrorists, pirates, drug dealers and paedophiles) but because they know that any kind of backdoor may be exploited by the bad guys.
Imagine what would happen if a rogue state got hold of the key to everyone’s private communications. Recent history has shown that secrets, including ones kept by the government, have a nasty habit of becoming public. It’s true, criminals do use and will expand their use of strong encryption, but they also make mistakes that make them susceptible to capture by traditional law enforcement methods. They also make extensive use of trains [and guns – Ed], but no one’s said anything about outlawing those yet.