Using the power of the Internet, specifically the Something Awful forum, YouTube, and Facebook, Aube managed to push his entry into first place. The CBC faced angry protests when they took it down.258
Another malicious activity happening online with alarming frequency is the hacking of email accounts. According to a report in The Economist, “One day in early 2010, an American working for an environmental NGO in China noticed something odd happening to his BlackBerry; it was sending an email from his account without his doing.”259
He watched, dumbfounded, as the email went out to a long list of U.S. government recipients, none of which was in his address book. Seconds later he saw the email disappear from his sent folder. Eventually he heard from the FBI that his email account and those of several colleagues had been compromised by hackers from China. All the victims had attended a climate-change conference in Copenhagen in December 2009, where America and China had clashed.
David Barboza, a journalist at the New York Times, reported in October 2012 that relatives of Wen Jiabao, China’s prime minister at the time, had huge fortunes. After his story was published, Chinese hackers compromised the publication’s networks to get at Mr. Barboza’s work email account. “Other news organizations, including the Wall Street Journal and Reuters, noticed similar Chinese intrusions.”260
Even hardware is no longer safe.
At the 2012 Black Hat conference in Las Vegas, Jonathan Brossard gave the world a peek into the secret world of hardware back doors, which are a lot harder to detect than software ones, and virtually impossible to fix once they are installed.261
Brossard fired up a normal-looking computer with a diddled BIOS chip, the software that controls how a computer starts up. This was enough to disable security features of Microsoft’s latest Windows 7 operating system. In fact, it could have disabled any operating system, because it bypassed low-level security instructions in the computer’s CPU. He made the additional point that much of this nasty exploit is “built on top of free software, including the Coreboot project, meaning that most of its source code is already public.” So, unlike hacks that require microscopes and cutting chips apart, this one is done with easy-to-obtain tools and some brainpower. It is also safely beyond the reach of antivirus software: even erasing the hard disk and reloading the operating system won’t do a thing to it.262
The clear implication is that if someone can obtain physical access to a computer, especially at the manufacturer or distributor level, they can “own” it forever, making it take instructions from them over the Internet at will.
While an Intel spokesperson shot back that this was largely a theoretical vulnerability, there is certainly evidence of hardware back doors such as the Stuxnet worm that have been much more than theoretical.
From the earliest days of computers, people tried to make them do unlikely and sometimes humorous things. In the days when computers were the size of rooms, we would sometimes prank the operators by making their huge clunky line printers play musical sounds. Another favorite was EDITH, which displayed an image of a naked woman, made entirely of ASCII characters like Xs and *s on the printer.
Often programmers built in secret instructions to display their names as the authors, or for their own convenience while testing or using the program in the future. We called them features, but our bosses viewed them as unacceptable holes in the system. So we made sure they never found out. Nobody was ever going to read our code line by line anyway, except perhaps another programmer, who would then be in on the little secret.
In the 1970s I worked on the MULTICS operating system, which was explicitly and carefully designed for security. An ancient (1974) report on this system contains these prophetic words: “the penetrator can install ‘trap doors’ in the system which permit him access, but are virtually undetectable.”263
By the time the 1983 film WarGames was made, the term “backdoor” was en vogue. In that movie, the secret access code was the name of a character’s dead son, Joshua.
In four decades of watching hackers, I’ve come to admire both their ingenuity and their persistence. The best way to summarize the goal of the hacker mind, at least for the “White Hat ones,” is “not to do what you’re not supposed to do—to do what you’re not supposed to be able to do.”
System designers often fail to “expect the unexpected.” One of my favorite examples is a German author who embedded SQL commands into a book he published. Exploiting a flaw in the Amazon web store, he arranged it so people who tried to “Look Inside” his book had their browser redirected to the page for purchasing it. Amazon quickly fixed the problem but it was one of the more clever attacks of this nature.264
Unintentional “magic strings” can also happen. In September 2013, word started to spread about a “magic sequence” of Arabic letters that would crash iPhones and other devices that used Apple’s CoreText text rendering system. According to Business Insider, “just to read these letters in your timeline was enough to crash your Twitter app.”265
Are those who exploit such weaknesses good or evil? Ultimately that depends on their motivation and how they use the knowledge that is hidden from the masses. One thing is for certain: technology tricks can be used to harm us, often in the pocketbook.
Most people know that there’s no terminally ill rich widow in Nigeria waiting to share her fortune with a lovely person like you, and that Bill Gates doesn’t randomly select email addresses to send out million dollar checks. “Get your free credit report” often means “give us enough information to steal your identity.” Even “I want to buy that guitar you listed for sale on Kijiji” could actually translate into “I’m harvesting and selling confirmed email addresses and want to add yours to the list.”
Scam artists are using some downright insidious tricks to tug at our heartstrings. According to a report in The Guardian, “Peter Saunders from Edinburgh received a heart-wrenching letter from Namukula Viola of Uganda. She is just 16, with two younger sisters, orphaned when her mother was raped and killed by rebels in fighting in the north of the country.”266
He was horrified by her detailed tale of woe, and sent money as requested. Then a news report alerted Saunders to the fact that a lot of people were getting identical sob story letters. It was in fact a wicked hoax aimed at extracting money from nice but gullible people. An interesting twist is that many of the victims were artists, probably because their names and addresses were listed in a certain directory.
Even the savviest users can get fooled by a type of online trickery called Dark Patterns. As explained on darkpatterns.org, this is “a type of user interface that appears to have been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.”
A wonderful example appeared on the website of Ryanair, which offers inexpensive air tickets but charges for just about everything else like checked baggage and boarding pass printing. One of the things they sell is travel insurance. At one point their site was pushing it so hard that you had to dig for the “opt out” option hidden between Latvia and Lithuania. It’s not even in alphabetical order! If you didn’t spot the “No Travel Insurance Required” choice and specifically select it you were continuously taken back to “Please select country of residence.” Writing on DarkPatterns.org, Harry Brignull observed that “What’s interesting about this pattern is that it gives the site owner plausible deniability: they can claim that when you read the words on the page, it’s entirely clear what’s being said, so what’s the problem?”267 You can judge this one for yourself at http://darkpatterns.org/library/trick_questions/.
Even more people have been struck by the Conduit search bar, a piece of software that frequently shows up after someone has downloaded “free software from a reputable site.” These free software download sites need to make money, so their “automatic” installation often brings programs like Conduit along for the ride.
The website malwaretips.com says this about Conduit: “it’s technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a ‘PUP,’ or potentially unwanted program.”268 To make matters worse, some of the “free Conduit removal tools” offered online to desperate victims are themselves vicious pieces of malware.
Even if you aren’t infected with malware, you automatically give out information every time you use the Internet. Ever notice how the people who “lost 40 pounds using this one weird trick” or “are waiting to meet you” magically seem to live in your hometown? That’s because the ads are being customized to your physical location.
But how do they know where you live? The simple answer is that your Internet Protocol (IP) address is generally tied to the geographical location of your Internet Service Provider (ISP). For the Internet to work properly, your return address has to be sent out with each packet transmitted. IP localization services like http://www.geobytes.com/iplocator.htm not only give the country code for pretty much any IP address, they even return a latitude and longitude. If you work for a large enough company, it may be serving as your ISP, so your IP address might effectively reveal your employer.
I gained an appreciation for just how far off from reality an IP address can be when the Canadian Forces invited me to visit their operations in Afghanistan. We stopped en route at Camp Mirage, a now-closed military airfield that we were told to describe as “somewhere in Southwest Asia.”
We had a pretty good idea what country we were in, but to check, I logged on from one of the courtesy Internet terminals and asked a tech savvy friend in Canada to attempt to geo-locate me. He came back with an address in Ottawa. This made sense since that’s probably where our military Internet traffic was actually entering the public Internet. But in terms of actually locating me, the IP address location was off by over 10,000 km.
I’ve had similar experiences working on forensic investigations where the location of the address we’re trying to trace often comes up as a facility of the Internet Service Provider.
Many Canadians complain that they have a more restrictive version of Netflix and no access to a lot of things that tech savvy Americans take for granted like Hulu Plus, Pandora, and Oyster. These services provide access to on-demand media (videos, music, and books respectively) but are geo-fenced to U.S. users only because of licensing restrictions.
Creative Canadians have devised and published methods for faking a physical presence in the U.S. Often they involve using a Virtual Private Network (VPN) service to make your traffic appear to originate from the country of your choice. You can find out about all this and more at sites like www.howtogetitincanada.com.
Tweaking your position in cyberspace is an interesting and popular hack. But being deceived about your real-world location can have serious consequences. At a technical security seminar in 2007, researchers from an Italian information technology company gave a truly creepy demonstration called “How to freak out your Satellite Navigation.” Starting with a stock vehicle, they showed how to hack RDS-TMC (Radio Data System – Traffic Message Channel), the FM Radio system that provides traffic data to car navigation systems.269
Using “a PC and some cheap home made electronics,” they were able to inject messages into the Honda’s navigation system ranging from “Traffic Queueing” to “Bomb Alert” to the ever-popular “Bull Fight.” More menacingly, if they marked a road, bridge, or tunnel as “Code 401–Road Closed,” the system would silently plan and suggest another route. Being able to control, or at least seriously influence, somebody’s driving behavior at a distance could be a terrorist’s dream scenario.
Even if you’re not a slave to online driving directions, you probably rely on other digital guides for directions. Even Siri, the trusted voice of Apple’s personality assistant, can lead you astray, and she is certainly keeping track of you. According to Nicole Ozer of the American Civil Liberties Union of Northern California, Siri stores a trove of personal information including the people in your contact list, your music preferences, and even how you label your email.270 Ozer notes that “This data can be really personal, like if you ask Siri, ‘where is the nearest abortion clinic?’.” She adds that Apple reserves the right to share your data with “Apple’s partners who are providing related services to Apple.”
Not only can Siri spy on you, she might even misdirect you or hold back information. As the ACLU noted in 2011, Siri came up blank on “birth control information” and was instead directing people seeking abortions to pregnancy crisis centers that discourage abortions.271
There may be a pretty straightforward, non-malicious explanation for this: abortion clinics rarely use the word “abortion” in their name or listings. And to be fair, artificial intelligence is definitely improving how personal digital assistants function. However, people should still be concerned about secrets being exchanged behind their backs by systems to which they do not have direct access.
Humans, of course, have their own secret signals. For years, New York City “meter maids,” now called “parking agents,” would put a bag of M&M’s candy on their own dashboards, thereby fending off tickets from their fellow agents. It turns out that “secret handshakes” like this are all over the place, especially in electronic technology where they often rest undiscovered until somebody stumbles upon them. Their functionality is always there, but hidden in plain sight, available only to the initiated.
If you ever see somebody in a BMW doing this ritual:
1. Get in and close all doors.
2. Turn on the ignition and turn off quickly. (No more than 5 seconds) to start the process. Next action must take place within 30 seconds.
3. Remove the 1st key.
4. Hold the key up near your left shoulder (this is so it is closer to the remote receiver antenna).
5. Hold down the unlock button and press the lock button three times. Release the unlock button and the doors lock which confirms the operation.272
They’re probably not trying to steal the car. Instead, they are following a semi-secret procedure designed by the car’s manufacturer to program an ignition “chip key.”
There are all sorts of codes lurking inside cars, especially luxury models. Some can even unlock a vehicle and start its engine. If you have a microscope, a supply of valid keys to cut apart, and a lot of patience, you can discover how this works through a technique called “chip slicing.”
However, revealing those secrets can get you into trouble. Flavio Garcia, a lecturer in computer science at the University of Birmingham, planned to present a paper called “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser” at an academic conference. He promised to divulge the secret codes of luxury automobiles “including Porsches, Audis, Bentleys and Lamborghinis.”
Instead, he discovered that the U.K. High Court doesn’t take kindly to hacking the types of cars driven by the wealthy, such as judges and lawyers. Garcia was slapped with an injunction and prohibited from publishing his findings. However, the odds are very good that those very codes are out there on the Internet, if you know where to look.
Hoaxes and deception are everywhere on the Internet, along with the tools to perpetrate them. Even Google is not immune. Although the company has started taking itself much more seriously, Google still stages an annual April Fool’s Day hoax and allows its staff to plant hidden features called “Easter Eggs” in some of its software.
As explained on the mental_floss blogsite, there are various hidden Easter Eggs, jokes, and timewasters in almost every Google service, product, or new device.”273
Here is one you can try:
1. Go to YouTube
2. Start watching a video
3. Click outside the search bar
4. Type “1980”
“This will launch a playable game of Missile Command above the video. Beware! The aliens are trying to destroy the video you’re watching.”
Hoaxes are fun, but deception can be both effective and lucrative.
The news site reddit has acknowledged that, in that site’s early days, they spawned a fleet of fake accounts, often creating a new user every time they made an entry.
As Derek Mead wrote on Motherboard.com, “by populating the site with accounts whose strings they pulled, the reddit crew could shape the discourse and sharing of the site in the direction they wanted, and as the real user base grew, those standards held, allowing the fake accounts to fade away.”274
Online scammers have impersonated charities, victims of diseases, and even the FBI. Many of the scammers are in African countries, and the phenomenon is collectively referred to as a “419 fraud” in honor of a section of the Nigerian Criminal Code which seems to be rather laxly enforced.
While not a recommended hobby, some people do engage in conversations with the scammers, telling them wild stories, leading them on, and even asking for photographs of their passports.275
Still, it’s best to simply delete those “too good to be true” emails, not open attachments, and spurn unsolicited online proposals no matter how attractive. Just walk away, so to speak.
Of course, that’s difficult if someone is pointing a gun at you.
Physible Creep
Handguns have been around since the 16th century, and their core technology hasn’t really changed much. There has been some recent progress in building “smart guns” which use biometrics to respond only to the registered owner’s voice or body. Perhaps the day is coming when guns can be fired by mere mental commands. All this enhanced security may be moot if an eight-year-old with a 3D printer and some plastic can run off a working handgun and take it to school.
Texas law student Cody Wilson and his non-profit corporation Defense Distributed caused a furor in 2013 when they “released the files for the Liberator pistol—the culmination of the Wiki Weapon Project.”276 Lawmakers at all levels launched into action trying to ban them. In November 2013, Philadelphia had the distinction of becoming the first city to outlaw the manufacturing of guns by 3D printers.277 Critics quickly pointed out loopholes in that legislation. For example, it only bans the manufacture of 3D firearms in that city. Nothing in it makes it illegal to possess, say, a 3D printed gun created in neighboring Trenton, New Jersey. Further laws will close this loophole; then others will surely appear.