Contributing Your Grain Of Sand
To The Computer Security Mandala

[warning: rant]

6 February 2004

We’ve all heard, “one man’s trash is another’s treasure.” That rings true from the context of your home computer to the fender of your next new automobile.

Seemingly innocent bits of information, casually abandoned by you are very much of value to those with something to sell as well as those interested with something to buy, particularly using your identity rather than their own.

There are plenty of articles on identity-theft, missives and memos on vigilance against e-mail viruses, books on securing computer operating systems and advice from your young cousin on how to do it “right”.

*   *   *

From one company for which I worked, we built a security system for a major US bank and their merchants. The holes in their previous system were gaping, to say the least. As much as I’m philosophically opposed to the idea, we filed three or four software patents based upon the design we made. Apparently, this was new territory… way back in 2001.

I was in Detroit at the end of 2003 to encrypt networks for Volkswagen of America which includes Audi. All the auto companies are starting to do the same thing: your car gets plugged into the internet and speaks to some computer (in VW/Audi’s case, connecting through to Germany) to make sure it wasn’t stolen. Newer cars require this even to verify a fender replacement, to make sure the new part wasn’t from a stolen car. (Each component has its own microchip: 85+ chips on new cars! My late-model Volvo has just one, for engine timing.) Currently, it’s the high-end cars, but next year, the VW Golf will have this requirement too. It’s supposed to be for keeping insurance rates down. In a few years, all cars– US and European– will have this.

The unfortunate thing about all this is the big brother angle.

It all starts innocently and honestly enough: controlling a car’s components thwarts theft; this reduces insurance costs, thereby lowering the total cost of ownership, which in turn sells more cars…

However:

Many companies are gathering much information about each of us, and it’s difficult to escape.

Why is this bad?

While each company’s cache of information per individual isn’t that bad, with mergers and acquisitions crossing industry boundaries, the cross-referencing of all this information can have far reaching consequences. For example, it’s only a matter of time before Beatrice (the parent to some of the most well known food products) and, say, Ford merge. Then, they merge again with, say, Amazon or eBay. (But fortunately, the precedent of AOL-Time-Warner is considered a failure, and they want to spin-off AOL to save the larger company; that, and the fact that most large companies are slow to act, the reality of this cross-referenced information is more a matter for our children’s future.)

It all comes down to this:

While there is no grand conspiracy (people just can’t keep secrets for that long), it’s the human in the loop. People make mistakes. When technology is difficult to use– as is the case with most security products– the intended user will find ingenious ways around the “obstacle” thereby making things even less secure than before it was “secured.” People write passwords on post-it notes, use the same password everywhere, leave their office security card-key on the desk while going to pick up a print-out (then getting pulled into an impromptu conversation and returning hours later). I’ve seen this many times.

Where the conspiracy, such as it is, comes into play: people are taking “social engineering” one step further these days. Since the 1980s, kids would take internship positions just for access into companies. Back then, however, it was usually for the “tourist” hacker: just looking, usually to quench a thirst for knowledge.

Today, it’s a little more… organized.

An office intern will have sufficient access to the company’s computer network to grab unencrypted information from the inside.

(Far fetched? Well, I’ve been here too: I worked for a company in 1995 that was compromised by the cleaning staff and an executive v.p. working to manoeuvre a merger into an all-out take-over. They won, and that “nice place to work” went down the toilet.)

But how does this relate back to an article on security and your home computer?

Your home computer– with your selection of MP3s for your iPod, electronic receipts from eBay and Amazon, and web browser history– is becoming the holy grail of commerce: accurate customer profiles and targeted sales.

How long before the major conglomerates realize that it would be in their best interests to “partner” with certain disenfranchised unethical parties? If the “script kiddies” can explore your files, this sub-population can glean information too.

Take it up a notch.

Your average home computer these days is quite powerful, fast enough to run serious expert systems and recognition software (commonly known as artificial intelligence or A.I.) to glean a profile on you or your family. Without even a window appearing on your screen, the virus can open Internet Explorer and plant a Cookie, thereby marking you and your computer as unique. Since most people only clear Cookies when purchasing a new computer, you might as well have a bar-code on your forehead when going out the door.

With the merging of mobile phones with desktop computers with TV with global positioning… the scenario from the movie, “Minority Report,” is coming true: you walk into a shop, and you are recognized by their computer, and it suggests something to buy that complements what you previously bought… there or perhaps, elsewhere! How? That’s where the conglomerate-inspired computer virus comes in…

(What’s that?–Don’t want global positioning on your cell phone? Yes, you do… When you call 911 from your mobile after some moron in his SUV backs over you on the sidewalk because he can’t see over his super-sized mocha-latte, you won’t be able to talk, yet the medics need to find you. …or so goes the theory behind technology already in place with newer phones. Next is 911 service for wireless laptops and Voice Over IP telephone calls– I’m currently interviewing for that job.)

Beyond that, these features are for your convenience! When something is adequately positioned in the marketplace for “convenience”, it virtually sells itself. It’s one of the classic memes of manipulation, along with, “It’s for the children…”

Metaphorical Conclusion:

If everyone places just a single grain of sand on the table in a particular place, you’ll have a sand painting not unlike a mandala crafted by Buddhist monks. But unlike what the monks do next, these creations are never wiped away. Instead, this sand forms concrete.

It’s the persistence and accumulation of information that is problematic.

That’s the heart of the issue. (A computer virus that says “i love you,” while annoying, is mostly harmless in the larger scheme of things.)

Solution:

And if you run Windows, reload it every few months. Your computer will perform better!

Further reading:

Copyright © 2004 Daniel Joseph Pezely
May be licensed via Creative Commons Attribution.