June Lab Notes
Steven Turvey
I was not very happy about being woken at 1am in the morning by my bank. They were calling to confirm if I really did want to place a $13842 order in India. Don’t get me wrong, I am very pleased they rang me. But what is annoying is that someone got hold of my credit card details and was trying to rip me off!
I’m very cautious with my credit cards. I have two: one has a $1000 limit and the other considerably more. I use the lower limit card for day to day transactions, although when it tops out I use my larger credit card. I absolutely do not use the larger card for Internet transactions. I’ll also typically use PayPal, which is linked to my smaller card, in the hope that this adds an additional layer of security to the transaction.
Me being me, I always try to watch my card when I hand it over to a retailer for swiping, but like anyone, I can be distracted. Me being me, I’m a tad paranoid about ATMs, so I catch myself checking them out for false panels and cameras.
Even so, somehow, somewhere my details were stolen!
I suppose it could have been skimmed at a convenience store or hacked from a website that has my details; I will never know. The problem is that if someone sets out to rip you off, it can be shockingly easy for them to do so.
The internet was an experiment that grew out of all proportion. Sadly, it’s still rather like the Wild West – its original inventors never envisaged the depth and breadth of its current form.
The original brief, if there ever was one, was to simply develop a net to be as fault tolerant as possible. If part of it broke, the remaining net would, in effect, transparently reroute all traffic via the unbroken portion.
This was fantastically efficient, but it also left the new creation wide open to tampering. In the beginning, security was not considered an issue. Today we have security sort of tacked on to what is, effectively, an open system. If you were to ask the inventors of the Internet what should be done to fix the lack of inherent security, their most likely answer would be “start all over again with security an integral part of the design”.
Quite obviously this is not going to happen, so where can we minimise our risk?
To answer this question we need to look at the major vulnerabilities. Two items really stand out:
First and foremost, the software we use is, pardon my directness, rubbish. Our most popular operating systems and business software solutions are ponderous and complex, with so many security holes it’s laughable. The security patch updates and notifications for our operating systems and business software are almost constant.
Consider also that we operate using ridiculous legal contracts with software providers. Unlike a car, which you buy and own, your software is only licensed, which is legal speak for you don’t really own it. The vendor therefore takes no responsibility for what it might do, or not do. If your car’s brakes fail due to a design fault, you can sue the vendor. If your poorly written software allows hackers to access your banking details, bad luck.
The second problem is that many countries are safe havens for hackers and their servers. At times they also have high levels of political protection and can be brazen and untouchable.
In this day and age a pimply group of unidentifiable hackers can wreak as much havoc as an armed invasion. It is easy to appreciate why dodgy regimes would protect such an asset. Consider the potential damage that could result from hacking a national utility or an air traffic control system.
I don’t believe this is science fiction. Sony and the FBI have both been hacked recently, so nothing would seem impossible.
Our current systems and software really are quite inadequate. At the end of the day we need to make software vendors more accountable, and consumers and businesses need to be more patient. If vendors can dedicate time to properly coding and securing their products, the problem starts to disappear.