Sometimes during the summer I like to go swimming. Oh who am I fooling? I always want to be immersed in some new body of water; it’s like braving a dangerous element in exchange for a feeling I cannot quite express. I cannot breathe underwater, but I can hear something down there that gives me a kind of strange comfort in a world that I cannot fully see but feel and understand with different senses. I will lay belly up with my ears underwater for hours just to look up and wonder at the sky.
Walden pond in Concord, MA, is a bell-shaped freshwater pond, and I’ll head there early in the mornings on some Sundays in August. Around the perimeter, there are these little private beaches, rock steps leading into the water. The place is welcoming and is a bit of a mirage, but it is very much there. I go there so seldom now it often slips from my memory, but it is not my imagination. The water has a magical feeling to it, and gets so warm in summer that it sustains life in different ways. A few summers ago, news outlets reported a strain of jellyfish was living in the water. What did people make of it, a typically salt-water organism living in fresh water?
“Gwen Acton thought the dime-sized translucent pods she saw … were strange, beautiful seeds that had drifted down to the water surface from some flowering plant” (Daley, 2010).
Melissa Webster said, “We saw them on most of our swims during September, and on our last swim Oct. 1. Definitely cool” (Associated Press, 2010)!
Gsinger said, “I have been swimming in Walden for 30 years and had never previously seen them. Has something changed” (Associated Press, 2010)?
Chris said, “This is a very scary event. They are a great danger to the native animals in the lakes and to the water. [T]his is a event that should be looked into with great con[c]ern is a sign of the danger nature is in” (Associated Press, 2010)
Although they pose no threat to humans, there was a variety of perceptions. Some were in awe, some were happy to see them, some were frightened, and others feared the apocalypse. The extent to which anything can tell us about being human is our perceptions. Anything we encounter can yield a feeling or impulse which people attach meaning to. It could be a jellyfish or something else.
Years before today our ancestors looked up at the sky and saw the sun and moon and told each other stories about what each one did. There were gods possessing great virtue that ruled the stars. There were heroes and villains entangled in legends of a shared narrative that people thought up which crafted some understanding as to what was going on in the world.
Today we know the sun and moon are planets that orbit our solar system. We have the answers to what we think are the big questions. We think we have it all figured out, and to a large extent, we do. A lot of what we place meaning on will propel us into the next age. Sometimes a jellyfish is bad, other times he is a fascination. What we do with these meanings will be reflected in our behavior.
This week I have been reflecting on how people think about things, namely bad things. Oops, there I’ve gone and placed meaning to something without thinking. This week I have been thinking a bit about computer security vulnerabilities and how they are perceived. What I found reminds me of the problems I have faced in my own life, and how those problems were thought of in that time. In retrospect, with what I know now about it, I consider these initial impressions to have fallen away or changed somewhat in my thinking.
The research I have done has changed my view of computer vulnerabilities as not something to fear for loss of one’s data, but rather an industry unto itself in a larger narrative that does not involve me directly, but rather my data and personal information. I am part of the bigger war, but I feel less a participant in it, less in control of my own personal information, and oddly more at peace with computer vulnerabilities than I thought I would.
I have often thought about it for a moment and forgotten it, a shell picked up on the shore and thrown back into the sea. I have stored up moments that I would like to feel have given me a sense of something, but then I remember how things in the past exist only in your mind. How you cannot take it out and measure it, but you can place a meaning onto something and that can be everything that it is now, so that all that is left is your impression of what used to be.
Sometimes your own conscious thought dissolves into the layers of waves how an ocean does, in the sense that your cognitive awareness doesn’t even have surface tension, so the points of arrival and departure are always changing, always different and new, reflective. This is how one person can have a thought about a thought. This sense, this wondering is an unfolding of constantly redeemed perks or chits that have no expiration date and whose value is changing in relation to meaning. These things may be only in the mind, but they are without a doubt changing and evolving as a direct function of one’s thinking and reflexive mind.
Are there known vulnerabilities in software that are rolled out without adequate testing? To answer this question, one need only think of one’s own individual computer experiences. Have you ever had a hard time using a computer? Yes. I have an impression of Microsoft that runs from a history of their long and confusing installation process, which makes it more challenging to add software to your computer. “On the Windows desktop, users have to open their browsers, search the web, download an application from a website, and install it manually” (“HTG Explains, 2015).
As a result, there are a number of things that can happen, including security breaches.
Many less-savvy users may end up downloading dangerous software or clicking a fake “Download” button that leads to disguised malware. Users may download and run potentially dangerous types of files, such as screensavers, without knowing that they contain executable code and can infect their system. People downloading pirated software from questionable websites may end up infected. (“HTG Explains,” 2015)
In comparison, Apple, whose built-in features make it simple to add programs, one can simply press a button and voila! The program is added without so much as pointing a finger and clicking. Apple users install applications and software “that come from a trusted, centralized repository. Users open their app store or package manager, search for the program, and install it” (“HTG Explains,” 2015). I have reflected on these two experiences, the Microsoft design and the Apple design, and balked.
Who would ever pay money on the experience of Microsoft? It creates a product in which outside services and repair are almost a requirement. There is a much higher risk of viruses as PC has been the target of the majority of worms.
Windows XP shipped without a firewall enabled and network services were exposed directly to the Internet, which made it an easy target for worms. At one point, the SANS Internet Storm Center estimated an unpatched Windows XP system would be infected within four minutes of connecting it directly to the Internet, due to worms like Blaster. (“HTG Explains,” 2015)
In addition, Windows XP’s autorun feature automatically ran applications on media devices connected to the computer. This allowed Sony to install a rootkit on Windows systems by adding it to their audio CDs, and savvy criminals began leaving infected USB drives lying around near companies they wanted to compromise. If an employee picked up the USB drive and plugged it into a company computer, it would infect the computer. And, because most users logged in as Administrator users, the malware would run with administrative privileges and have complete access to the computer. (“HTG Explains,” 2015)
Part of the problem is the intention of Windows’ original design. “Historically, Windows was not engineered for security. While Linux and Apple’s Mac OS X (based on Unix) were built from the ground-up to be multi-user operating systems that allowed users to log in with limited user accounts, the original versions of Windows never were” (“HTG Explains,” 2015).
DOS was a single-user operating system, and the initial versions of Windows were built on top of DOS. Windows 3.1, 95, 98, and Me may have looked like advanced operating systems at the time, but they were actually running on top of the single-user DOS. DOS didn’t have proper user accounts, file permissions, or other security restrictions. (“HTG Explains,” 2015)
Despite, or perhaps due largely in part to the existing vulnerabilities, there is an opportunity to profit on it. When one is looking at the framework of insecure computer systems as an object not of dread and avoidance, but rather a part of a larger economic system, things start to look different. The research I came across includes an article published in Time magazine from July 2014 titled “The Code War”.
The idea that a software bug can be worth actual dollars and cents is an odd one. Bugs are mistakes; people generally pay money to fix them. The fact that there’s a market for them is a consequence of the larger oddness of our present technological era, in which our entire world — our businesses, medical records, social lives, governments — is emigrating bit by bit out of physical reality and into the software-lined innards of computers in the form of data. A lot of people are interested in that data, for reasons both good and bad. Some of those people are spies. Some of them are criminals. Bugs are what they use to get at it. (Calabresi, Frizzel, & Grossman, 2014)
The Time article interviews Aaron Portnoy, co-founder of Austin-based Exodus (Calabresi et al., 2014). Portnoy’s career began as a high school student where he hacked into computer system at the Massachusetts Academy of Math & Science in Worcester (Calabresi et al., 2014). Where Aaron’s initial hacking career dovetails in with his current project is his love of hacking.
Portnoy, now 28, is the co-founder of a two-year-old company in Austin called Exodus Intelligence. Its mission statement reads, “Our goal is to provide clients with actionable information, capabilities, and context for our exclusive zero-day vulnerabilities.” Which means — translated from the quasi-paramilitary parlance that’s endemic to the software-security industry — that Exodus Intelligence finds and sells bugs, specifically the kind of bugs that could potentially give a third party access to a computer, the same way Portnoy got access to his high school’s network. They’re worth a lot of money. Vulnerabilities in popular applications and operating systems have been known to change hands for hundreds of thousands of dollars each. (Calabresi et al., 2014)
The industry of computer vulnerabilities is an enormous and international one. For example:
in May [2014] when the U.S. indicted five members of the Chinese army for stealing data from American companies, including Westinghouse and Alcoa. That wasn’t an anomaly; it’s the norm, and it’s getting more normal all the time. Retired Army general Keith Alexander, who formerly headed both the NSA and U.S. Cyber Command, has called China’s ongoing electronic theft of American intellectual property “the greatest transfer of wealth in history.” Two weeks ago several security firms confirmed that a group believed to be backed by the Russian government has been systematically hacking the U.S.’s energy infrastructure since at least 2012. According to IBM’s security division, the average American company fielded a total of 16,856 attacks in 2013. (Calabresi et al., 2014)
The history of computer vulnerabilities goes back twenty years.
In 1995 Netscape announced a “Bugs Bounty” program that paid cash to anybody who could find flaws in its browser. The company … just wanted to fix holes in its software. In 2002 a security firm called iDefense started buying up vulnerabilities of all kinds; another company, TippingPoint, launched a similar program in 2005. Both programs were created as alternatives to the increasingly active and chaotic exchange of zero-days on the open market — essentially they acted as safe zero-day disposal facilities, a bit like radioactive-waste repositories. If you found a bug, instead of selling it to the highest bidder, who would do God knows what with it, you could sell it to iDefense or TippingPoint for a reliable price, and they would alert their clients to the problem and work with the software vendor to get the bug patched. iDefense and TippingPoint had something else in common too: they both, in successive years, 2005 and 2006, hired an intern named Aaron Portnoy. (Calabresi et al., 2014)
What Portnoy does now is not so different from his internship at TippingPoint. At Exodus, nine engineers sit at computers all day:
banging on software looking for ways in: browsers, email clients, instant-messaging clients, Flash, Java, industrial control systems, anything an attacker could use as an entry point. “One thing we try to maintain is a capability in every major backup software out there, because that’s one of the juiciest targets,” Portnoy says. “If you get on an enterprise network, what is an administrator going to want to protect? Their important information. What do they use to protect that? Backup software.” (Calabresi et al., 2014)
When a researcher at Exodus finds a vulnerability, he or she types it up in a professional-looking report along with technical documentation that explains what it does, where it lives, what it gets you, how to spot it, what versions of the software it works on, how one could mitigate it and so on. Most important, Exodus provides you with an exploit, which is the procedure you’d have to follow to actually trigger the bug and take advantage of it. “Every single vulnerability that we give our customers comes with a working exploit,” Portnoy says. “If we can’t exploit it, we don’t even bother telling anyone. It’s not worth it.” Voilà, one freshly minted zero-day vulnerability. (Calabresi et al., 2014)
Portnoy takes pride in the superior quality and effectiveness of Exodus’ exploits. “We try to make them as nasty and invasive as possible,” he explains. “We tout what we deliver as indicative of or surpassing the current technical capabilities of people who are actually actively attacking others.” When a company hires Exodus, it does so on a subscription basis: you get a certain number of bugs a year for such-and-such amount of money. Subscriptions start at around $200,000. (Calabresi et al., 2014)
The vulnerabilities business has a mixed reputation, based on the presumption that the bugs it provides are being used for criminal or unethical purposes. A Washington, D.C., company called Endgame that sold vulnerabilities to the government for years was dubbed “the Blackwater of hacking” by Forbes magazine. Last year, when Endgame announced that it was getting out of the game, it did so triumphantly, as if it were kicking a heroin habit: “The exploit business is a crummy business to be in,” its CEO said. (Calabresi et al., 2014)
The reality is more complex. Exodus’ clients come in two basic types, offensive and defensive. Playing for the defense are security firms and antivirus vendors who are looking for information they can integrate into their products, or who want to keep their clients up to speed on what threats are out there. On offense are penetration testers, consultants who use Exodus’ zero-days to play the “red team” in simulated attacks on their own or other people’s networks. “If they want to show what a real attack would look like from a determined adversary,” Portnoy says, “we give them the tools to do that.” (Calabresi et al., 2014)
As far as one confirmed fear will take you, there is comfort in the fact that many computer vulnerabilities, malicious bugs, and computer worms exist, as part of the general landscape always will, for a hefty profit. As the author Chuck Palahniuk writes, men will be “slaves to the IKEA nesting instinct” (Kopal, 2009). Women will believe they are less than gorgeous beasts until they consume millions of dollars in beauty products to make them whole again. Kids will buy all the music they want knowing that they are what they like, not who they are based on personality, values, or behavior, found and maintained through authentic human interaction or genuine relationships with other people.
One can sleep soundly by taking a sedative of life, by truly not worrying over the thought that your online life is being exploited by some personal vendetta or a deeper need to defame your character. Those fears are for the people who buy and sell the glitches that get our data. It puts to bed all the paranoid claims that lie awake with you at night, toiling, wondering as you look up at the ceiling. To get out of this half make believe world made mostly of wires, one must find a green place, free from the dry desert you once thought was the barren lands. You must stop searching out there in the mirage and come home. Know you are part of the wasteland, and be thankful it’s not just all about you.
Related articles:
https://ourtrickstime.wordpress.com/2015/09/16/the-top-five-hacking-tool-of-2015/
https://dguiney.wordpress.com/2015/09/15/hacking-team-computer-vulnerabilities-and-the-nsa/
References
Associated Press. 2010, Sep. 10. Mysterious Jellyfish Invade Walden Pond. Retrieved from
http://www.wbur.org/2010/09/10/mysterious-jellyfish
Calabresi, M., Frizzel, S., & Grossman, L. Jul. 21, 2014. The Code War. Time. 184(3), 18-25.
http://search.ebscohost.com/login.aspx?direct=true&db=f5h&AN=96981364&site=eds-
live
Daley, Beth. 2010, Sep. 10. Mystery Blooms on Walden Pond. Retrieved from
http://www.boston.com/news/science/articles/2010/09/10/mystery_blooms_on_walden_pond/
Kopal, Indira. 2009, Oct. 19. Tyler Durden’s anti-consumerism quotes. Retrieved from
http://indranikopal.blogspot.com/2009/10/tyler-durdens-anti-consumerism-quotes.html
HTG Explains: Why Windows has the Most Viruses. 2015. Retrieved from
http://www.howtogeek.com/141944/htg-explains-why-windows-has-the-most-viruses/
blorgons 