Conversations with creators and thinkers who are charting the way forward in a tech-saturated society. Tech, community, video games, and whatever else is next.

Also available as an MP3 podcast. More info at our Podcast Central page.

May 22, 2023: Cybersecurity and "how the world ends"

Listen to this show: MP3 - 128K |  Pop-up player!

Today: Cybersecurity and "how the world ends" – drawing on Nicole Perlroth’s book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (in paperback as of Feb 2023).

Context:

• Where cybersecurity is important: banks, hospitals, government, schools, energy (nuclear power plants, oil and gas pipelines, electric utilities), telecom, food, big stores and other companies, smartphones and other devices (see Pegasus show from March 27 with Sandrine Rigaud), transportation (aviation, trains, shipping), and connected cars and other "smart" (i.e., surveillance) things.

• Types of cybersecurity vulnerabilities (malicious hackers taking advantage of zero-days, or "rudimentary" attacks like "phishing scams, stolen passwords, lazy configuration mistakes, [or] a lack of multifactor authentication"). Perlroth’s book mostly covers hackers using zero-day exploits.

• Risks of security breaches: leaks, theft, damage, and loss

• Zero-day exploits: zero referring to the number of days a company has had to patch this vulnerability

• For example: Apple fixes three new zero-days exploited to hack iPhones, Macs (Bleeping Computer, May 18, 2023) – one of which was reported by Donncha Ó Cearbhaill of Amnesty International’s Security Lab, featured in the Pegasus book

• Ransomware: Malware that locks up systems, threatening to delete or disclose data unless a ransom payment is made to the hackers, typically by a deadline

From Nicole Perlroth’s This Is How They Tell Me the World Ends

• In recent years, hackers from China, Russia, North Korea, and Iran have infiltrated the digital systems of hospitals, schools, nuclear power plants, and government offices. We now live in danger of a "Cyber Pearl Harbor," Perlroth writes.

• Or this: "The most likely way for the world to be destroyed, most experts agree, is by accident." (p. 52, quoting a cybersecurity expert)

• From the prologue, talking about an early Russian hack of Ukraine’s systems: "The public’s understanding of what was transpiring was - to put it mildly - a mismatch to the gravity of the situation . . ." A theme of the book.

• "In the United States, convenience was everything; it still is. . . . We had bought into Silicon Valley’s promise of a frictionless society. . . . we had never paused to think that, along the way, we were creating the world’s largest attack surface. . . . We failed to see that the world of potential war has moved from land to sea to air to the digital realm."

• The book covers the history of the "cyberweapons arms race" and the various actors: capitalists, spies, mercenaries, and "the resistance."

• Back in the 1990s, "boutique government contractors . . . started buying zero-day bugs on behalf of U.S. intelligence agencies. . . . Amassing those stockpiles became a competitive enterprise. . . . It wasn’t abnormal to find multiple nation-states listening in on the same machine." (pp. 43, 46, 47)

• "Today, the Pentagon’s Joint Strike Fighter aircraft contains more than 8 million lines of onboard software code, while Microsoft’s Vista operating system [which was updated through 2016] contains an estimated 50 million lines." (p. 86)

• On Stuxnet: "By the start of 2010, the worm had destroyed 2,000 of Natanz’s 8,700 centrifuges." Then the worm got out (to Chevron, though didn’t do a lot of damage) – foreshadowing later events.

• On the Pentagon (p. 221): "The Pentagon had paid Computer Sciences Corporation $613 million to secure its systems. CSC, in turn, subcontractedthe actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that U.S. programmers had quoted. As a result, the Pentagon’s security software was basically a Russian Trojan horse, inviting in the very adversary the Pentagon had paid hundreds of millions of dollars to keep out."

• (p. 261) "Hackers weren’t hobbyists anymore. . . . they had become the world’s new nuclear scientists. . . . What Iran, North Korea, and others could not develop on their own, they could now just buy off the market." [similar to what we learned in the Pegasus interview]

• On China’s commercial espionage (p. 281): By 2015, "China had already collected enough U.S. intellectual property to last it well into the next decade. Chinese hackers had taken everything from the designs for the next F-35 fighter jet to the Google code, the U.S. smart grid, and the formulas for Coca-Cola and Benjamin Moore paint."

• (p. 285): "The consequences of a large scale attack on the U.S. grid would be catastrophic." From a national-security letter to Congress: "widespread outages for at least months to two years or more, depending on the nature of the attack."

• (p. 305) "Governments are starting to say, ’In order to best protect my country, I need to find vulnerabilities in other countries. . . . The problem is that we all fundamentally become less secure.’"

• (p. 307, quoting a security expert) "We’ve all migrated to the same technology. You can no longer cut a hole in something without poking a hole in security for everyone."

• (p. 323) "Few, if anyone, had ever paused to consider what might happen if the [U.S.] government’s stockpile was stolen." Yet that’s what happened in the Shadow Brokers hack in 2016-2017, North Korea launching WannaCry ransomware from the NSA’s Eternal Blue exploit. but then, (p. 343) "the United States had set the rules itself [with Stuxnet], making it permissible to attack a country’s critical infrastructure in peacetime."

• (p. 391) "The world is on the precipice of a cyber catastrophe." . . . "We must stop introducing glaring bugs into our code. Part of the problem is the economy still rewards the first to market. . . . the ’move fast and break things’ mantra Mark Zuckerberg pushed in Facebook’s earliest days has failed us time and time again."

• from an afterword written in 2022: "Most of the country’s 50,000 water plants are run by small nonprofits and staffed by only a handful of employees, few of whom are fluent in code or even cognizant of the threat. . . . all you need to remotely poison America’s drinking water is a stolen passwerd."

In the news since the book’s release

• GoDaddy: Hackers stole source code, installed malware in multi-year breach (Bleeping Computer, Feb 17, 2023): a new breach of cPanel, following the 2021 breach that saw 1.2 million WordPress customers get hacked

• Cyberattack on food giant Dole temporarily shuts down North America production, company memo says (CNN, Feb 22, 2023): "A cyberattack earlier this month forced produce giant Dole to temporarily shut down production plants in North America and halt food shipments to grocery stores"

• Gary Marcus in Persuasion (May 20, 2023), on ChatGPT systems writing code:

[P]eople in the last month have been playing around with something called Auto-GPT, where an unreliable AI system calls another unreliable system, and they’ve set it up so that these systems have direct internet access, direct memory access, and source code access. Just from a cybersecurity perspective alone, that’s a complete disaster waiting to happen, if you have bots that aren’t necessarily going to do what you want on any given trial, writing code that isn’t necessarily going to be reliable. I talked to someone very high up at Microsoft recently who had worked in cybersecurity for a long time, and they’ve spent years trying to teach programmers how to follow certain conventions so the code will be safe and won’t be hacked. These systems don’t have the conceptual wherewithal to do that. These systems are not smart enough to say, “Well, I’m being used now in a phishing thing, where people are trying to steal credentials.” They’ll happily comply.

. . . You trust humans to make the decisions. But some fool hooks up a large language model that hallucinates things to the train network and 500 trains go off of bridges. There are some scenarios where humans get fooled by new kinds of things that machines suddenly can do. There are many such possible scenarios, and I think each of them, individually, is pretty unlikely. But you sum all of those risks up—it’s enough to make me nervous.

What you can do

• Learn more about cybersecurity (read the articles or books mentioned here, listen to the shows, etc.)

• For anything you definitely want to keep, make a local backup, on a backup drive not connected to anything

• For anything really important, print it out

• Don’t use QR codes

• Don’t click on links unless you’re totally sure you can trust them

• Set up 2FA (two-factor or multifactor authentication, requiring you to verify login via text)

• Don’t reuse passwords at different services

• Use the minimum of apps on your phone (or don’t use a smartphone at all) and minimize luxury surveillance devices: Apple Watch, Google Fitbit, etc.

• Minimize or eliminate all IoT (Internet of Things) surveillance devices at home – Google Nest, Amazon Ring, Amazon Alexa, Google Home, etc.

• Keep your computer and smartphone fully updated, though beware that updates can break or degrade software that you’re accustomed to using. Decide between stability and security.

• Be careful with payment apps on the phone, especially: from A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life (WSJ, Feb 24, 2023):

On the evening of Jan. 22, 2022, Reece Thompson, an art director at a creative agency in Hiawatha, Iowa, was having a drink with his girlfriend while visiting downtown Minneapolis when his iPhone 12 Pro went missing from the bar. The next morning, when he tried to log into his Apple account from a different device, the account password had been changed. Thousands of dollars had been charged to his credit cards via Apple Pay and $1,500 was stolen from his Venmo account, he said.

Sign up to get Mark’s weekly email newsletter.

PAST EPISODES: techtonic.fm lists recent Techtonic shows.

PODCAST: Subscribe to the Techtonic podcast