Benevolent Malware.

I suffer from impostor syndrome.

You see, I am learning to code. I have to, because my business really needs me to learn it. And since I don’t have the time to go to school for it, I am self-taught. Self-taught people often suffer from a condition known as impostor syndrome, wherein they are not confident in themselves because they were never certified by an expert in what they know. One perpetually feels like there is some large piece of knowledge you’re missing. Something everyone else knows but you just flat missed.

Okay, I already know some stuff. Your basic HTML and CSS. I built our own website. It’s static and boring. But our scheduling and applicant-tracking apps just don’t fit our unique business model very well. So now I am learning JavaScript, PHP, and MySQL. The goal is to put together our own web app, so we can get the little things right.

The project doesn’t need to scale. Our business employs fewer than 200 people, mostly part-timers, and really won’t ever get larger than 10x that size. But security is still important, and this is where my impostor paranoia kicks in hard. As I learn and build, I am constantly afraid that I have left a door wide open. That a gentle breeze will carry our data away, or allow us to get ransomwared into non-existence.

So let’s talk about security. I am not an expert. (Impostor, remember?) But I know enough to know that it is hard and getting harder. The world is more connected. We do more online, which means the attack surface is larger. For the non-geeks, that’s a fancy way of saying there are more ways of trying to get into a system these days, because every action a user can make on a website (every form, every login, every upload) is another window that can be broken.

The connectedness makes things worse too. A couple of years ago, Wired magazine showed how attackers duped an Apple support tech into changing the recovery email for one account, and thereby got access to, well, everything that chained off it.

A more recent Wired article (they really have been killing it) detailed the criminal masterminds behind the so-called Zeus malware. Long story short, it took a decade to stop, and they didn’t even catch the main developer behind it. He is still out there, and probably around $100 million richer for his efforts.

Then I read this article on Medium. The problem was the ballooning Internet of Things: all those simple devices that now have a cellular or Wi-Fi connection. Of course it is great that your dryer can now text you when your clothes are done. But often these devices ship with, and keep, default passwords, meaning they can be easily infected with malware. Say what?

Alright, these devices don’t usually have much power. They can’t and don’t do much more than very simple if-this-then-that sort of stuff. And of course they are not going to keylog and steal your passwords, because no one is checking their bank statement via their toaster (yet). But they can send packets to any IP address, and that is important.

A ping, strictly speaking, is the smallest possible hello from one device to another: a tiny packet that asks “are you there?” and expects a tiny packet back. Any small request works the same way. Every time you access a website, your browser starts with a few small packets to open a connection (a handshake), and only then is the real data exchanged back and forth. Big-time servers like Google and Facebook and Amazon get millions of these requests every second and handle them just fine. One more from your toaster will not make a dent.

The power, and threat, of the Internet of Things is that there are a lot of them. A lot. Billions, in fact. And more are coming online every day. And most of them are not secured; they still have those default passwords, which means they are easily, easily infected with malware.

The makers of this malware are smart. They know that disrupting your toaster has no value to them. So the malware they use lets your toaster keep on functioning as if nothing is wrong. You don’t even notice. But, behind the scenes, they can command that toaster to send a simple ping (hello), or any other request, to any server they want. Now spread this malware to millions of machines (for the Zeus family, estimates of infected machines ran into the millions), and you have an army: a botnet. Any one toaster saying hello makes zero difference to, say, a bank’s servers. But millions all at once, and repeatedly, will overwhelm the server. That is a distributed denial-of-service (DDoS) attack, and that’s the problem.

So Medium writer Leigh has a great idea: pre-empt the bad guys. Make some malware that serves only to brick any machine that is insecure, rendering it useless to both would-be black hats (swanky term for bad-guy hackers) and the end user. The result would be manufacturers being incentivized to produce only secure products from the get-go, because customers either demand refunds or avoid buying from manufacturers that produce vulnerable gear.

It’s a brilliant solution. But why not go one step further? Imagine a class of ‘benevolent malware’ that zips around the internet seeking vulnerabilities, but instead of capitalizing on them for criminal conduct, it bricks devices or otherwise forces them to be made more secure. It exposes security openings and creates a call to action before the black hats utilize them for nefarious purposes.

How would this work? I mean, every system is different, which means you might expect every piece of malware to be custom built, and the benevolent malware wouldn’t scale. But it can scale, because it’s all about low-hanging fruit: the same handful of default passwords and unpatched flaws are shared by millions of devices, which is exactly why the criminals’ botnets scale too. (One caveat a practitioner would raise: whatever the motive, logging into and bricking someone else’s device is unauthorized access and destruction of property, and a bricked device is not always just a toaster.)

There is no such thing as a perfectly secure system. The goal in security is not to be breach-proof, but to be so difficult to breach that it just isn’t worth the black hat’s time. You can get quite carried away with this, naturally, but you don’t have to. There are actually a few simple things that security gurus believe would have a huge impact, such as two-factor authentication and using a password manager so your passwords can all be insanely long, random, and unique.

There will still be some successful attacks. A good example is the banking industry. Back in the day, banks got robbed frequently. The success rate and take made it a worthy gamble for enough people to try. Banks have not eliminated bank robberies, but they put in place safeguards that made them far more difficult to execute without being caught, and dramatically reduced the take that an average robber might score. This changed the incentives. We can do the same for digital crime.

Our benevolent malware does not need to adapt to each server environment; it merely needs to sweep along and enforce a minimum baseline: no factory-default or blank passwords, plus the other basic recommendations above. Doing just that makes the world a lot tougher for digital criminals.
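As an added example (my code, not from this post or from Leigh’s article), here is the check such a sweep would run, in its legitimate form: an audit that tries a short list of factory-default credentials against a device’s Telnet-style login and reports whether one works, instead of bricking anything. This is the same low-hanging fruit the botnets go after first. The device is a constructed mock running on loopback; the credential list and the login prompts are assumptions for illustration, not taken from any real product.

```python
import socket
import threading

# Constructed list of factory-default username/password pairs of the kind
# that IoT botnets try first. Illustrative only, not an exhaustive wordlist.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("root", ""),
    ("admin", "1234"),
    ("user", "user"),
]


def _recv_until(sock, marker, limit=4096):
    """Read from sock until marker appears, the peer closes, or limit is hit."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=2.0):
    """Attempt one Telnet-style login; True if a shell prompt ('# ') comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login: ")
        s.sendall(user.encode() + b"\n")
        _recv_until(s, b"Password: ")
        s.sendall(password.encode() + b"\n")
        reply = _recv_until(s, b"# ")
    return reply.endswith(b"# ")


def audit_device(host, port, credentials=DEFAULT_CREDENTIALS):
    """Return the first default pair the device accepts, or None if it rejects all."""
    for user, password in credentials:
        if try_login(host, port, user, password):
            return (user, password)
    return None


def _serve_mock_device(srv, real_user, real_pass, stop):
    """Constructed stand-in for an IoT device's Telnet login (assumed prompts)."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except (socket.timeout, OSError):
            continue
        with conn:
            conn.sendall(b"login: ")
            user = _recv_until(conn, b"\n").strip().decode(errors="replace")
            conn.sendall(b"Password: ")
            password = _recv_until(conn, b"\n").strip().decode(errors="replace")
            if (user, password) == (real_user, real_pass):
                conn.sendall(b"\r\nBusyBox built-in shell\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")


def demo(device_credentials):
    """Start a mock device on loopback with the given credentials and audit it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(8)
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(
        target=_serve_mock_device, args=(srv, *device_credentials, stop), daemon=True
    )
    t.start()
    try:
        return audit_device("127.0.0.1", port)
    finally:
        stop.set()
        t.join()
        srv.close()


if __name__ == "__main__":
    print("factory default:", demo(("admin", "1234")))
    print("changed password:", demo(("admin", "correct horse battery staple")))
```

On a real network you would point audit_device at each device in your own inventory (Telnet is port 23); anything it returns is a device that should be re-provisioned before a botnet finds it. The point of the list being short is the point of the article: the sweep does not need to understand each device, only to check the same few mistakes everywhere.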

Written by Page Russell.

Follow me while I complain about stuff on Twitter: @pagerussell
