Since now the Sony Reader became much more useful I decided to make good use of it already. It wasn’t enough to finally have finished the Time Management book from O’Reilly, I was also finally able to read The God Delusion (shame on me not to have read it before! — Not that I needed it to “convert” as I’ve been sure about my atheism for over half my life). Reading on the device, even non-technical books, looks most definitely nice, so for the future I’ll try to get an electronic edition of any kind of book, before asking for a copy on dead trees.
Little note here, since I read some nasty comments about my atheism from the usual creek of “Free Software Advocates”. Not only you’re lame for attacking a developer who actually works on free software for almost all of his free time, but if you decide to attack on this ground, you’re beneath me. On that note, I’m very tempted to just add tracking for visitors coming from these creeks, and refuse their comments on my blog altogether.
But back to the topic; eBooks have this interesting propriety of fomenting my impulse shopping: you want to read something in particular? Look it up, and in less than half an hour you can start reading; and this timing includes registration on the site if it’s the first time you drop by there. So when last Saturday I was watching the latest episode of Real Time with Bill Maher (which I’ll keep admitting I’m downloading illegally, as HBO won’t even let me pay for it here!), and the special guest actually surprised me.
Richard A. Clarke sounded to me, at the announcement, another of the usual government pinheads who complain about the way the world of Internet is (in Italy, it’s basically the entire political class, but I also remind clearly an Obama comment about Internet when asked about Marijuana — again from Bill Maher some time ago). But the book he presented, Cyber War definitely struck a nerve in me.
I found the book, at Kobo even though it’s still (obviously) unavailable on Amazon UK. Nine euros later, I was reading, and it was three in the morning! I finished the book today, reading on and off every time I was too “cooked” to work. It gave me creeps and hopes at the same time.
Despite the evocative “cyber” name to everything, which reminds me more of Neuromancer than a non-fiction state-of-affairs book, Clarke seems to know what he’s talking about. Most of his points are, realistically, more tied to the United States of America than the rest of the world, and he admits that more than a couple of times, but it got me thinking.
I’m relatively disinterested in the military, warfare and conflict aspects that he obviously talks about extensively — it’s what the book is about to begin with. But reflecting upon the simple amount of interconnections between the “wild Internet” and critical systems is something that scares the crap out of me. You would expect important systems like power grids and railway systems to not be interfacing with Internet, and most likely they are not, directly, but there certainly is a “hop connection” – like the six degrees of Kevin Bacon – which even for me, more or less working in the field, doesn’t appear natural at first.
What woke me up reading that book was the consideration about rail services; in USA I guess most of the rail services are freight transit, not public transportation, nowadays. In Italy, trains are mostly people-oriented as far as I can tell, so it gets less logistical, but more civil, as a target. The most obvious Internet-connected systems for a transportation system is obviously the reservation system, since you order tickets online, usually. But there are more, and more down-to-earth control. Last time I was in Milan, I was able to check through my cellphone how much delay there was for my train… what scares me to think about, now, is that the moment the train passed through a station, even without stopping, the website would have told me.
Similarly, the Italian power company have converted most houses to an electronic measure device — this way they don’t have to send personnel once an year to read the data. This works for the convenience of us users most of the time (before, you paid based on what they expected you to consume until they checked the real usage… you either paid extra the whole year, or you’d have to pay a huge amount to cover what you consumed unexpectedly), but on the other hand, you now get a connection between your house and the power company’s system… I just hope they don’t have enough bandwidth for that to be really problematic.
The book does not try to sell us the kind of “hacking” that goes on TV with shows like CSI, that still seem to think that an electric outlet can get you to access the FBI databases, but, with due handwaving for a non-technical book, explain what the main problem is: you only need to trigger a pre-defined event. In the case of the device I named above, it would “just” take a malicious piece of software (that the book consistently called “logic bomb”) that expects a precise sequence of inputs to trigger a cascade failure… you could give those inputs through those devices and be near to unidentifiable (this reminds me of the slot-machines code in Ocean 13, but I digress once again).
Clarke’s repeats over and over that one of the main problems to solve is to make sure that you can trust the code that runs on your systems, and on that note, while he doesn’t make it too explicit, I think he would welcome that all critical systems were to run on open source software (he does mention open source as a tool in passing a couple of times — and goes on ranting about Microsoft for over an entire page!). While obviously open source does not guarantee you that there is no malicious code – it would be very very difficult to audit all of it and be sure that there are no intentional trigger sequence in it – certainly it makes it easier to spot those problems than closed-source software. He definitely seem to understand that security-by-obscurity is of no use, especially as he admits that both the US government and others (he refers mostly of China) have been scouring over the private “intellectual property” of manufacturers – it might be obscure to me and you, but sure as hell it is not obscure to a military force wanting to exploit it!
Put in the light of this book, efforts such as SELinux and the Coverity founding for auditing Linux and other components of Free operating systems make total sense. We can make use of those, but primarily, they want to be able to trust the code. Some of the ideas Clarke gives in the book seem a bit too much for me, though.
While the “back to mainframes” idea that he suggests, specifically noting that Vint Cerf wouldn’t agree with that, might sound the most strange option, I actually think he has a point there. Total division might be impossible for some tasks, are we’re definitely too used to be able to do everything and the kitchen sink with the same software, but it might be worth considering, in some domains at least.
The one that I find far fetched is the idea of having Artificial Intelligence write the software from scratch, to avoid the “human factor” introducing bugs by mistake, and backdoors by design. It’s not pure fear that makes me cringe there, but it’s rather the problem of chicken and egg: who writes the AI in the first place? We already have had examples of software being programmed to hide malicious code within other software (cfr. Reflection on Trusting Trust by Ken Thompson).
At any rate, this is one of those books that I will suggest you all to read. And at the end, it really gives you so many interesting points of view, that you’d really resent the way “cyber crime” is portrayed by CSI or – to a lesser extent, even! – Dan Brown.