Problem: “Click Here to Kill Everybody”

Cybersecurity failure is becoming a civilization-ending threat.

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History[:] NotPetya cost Maersk between $250 million and $300 million.”

https://www.youtube.com/watch?v=soV7-gwxarE Vint Cerf (one of “the fathers of the Internet”): ‘The headline I worry about is the one that says “A Hundred Thousand Refrigerators Attack Bank of America.”’

http://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/ “The Justice Department says that the scale of China’s corporate espionage is so vast it constitutes a national security emergency….”

http://foreignpolicy.com/2015/11/20/u-s-fears-hackers-will-manipulate-data-not-just-steal-it/ Adm. Michael Rogers, director of the National Security Agency: “What happens if the digital underpinning that we’ve all come to rely on is no longer believable?”

https://www.schneier.com/books/click_here/ Last year Bruce Schneier, one of the world’s experts on “security, computer and otherwise”, wrote a book called “Click Here to Kill Everybody.”

Tesco Bank: “…thousands of customers have seen hundreds of pounds wiped from their savings accounts”

It was the realization in 2005-2006 that this could happen at any time that led us to work on this problem: http://www.independent.co.uk/news/business/news/tesco-bank-accounts-suspended-transactions-access-frozen-hack-money-la-a7402006.html

Tesco Bank has taken the drastic measure of temporarily halting all online transactions after thousands of customers have seen hundreds of pounds wiped from their savings accounts over the weekend due to an online hacking attack.

“End-to-End Encryption Isn’t as Safe as You Think”

End-to-End Encryption Isn’t as Safe as You Think: The WhatsApp hack shows how supposedly secure messaging apps have a basic vulnerability. The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: “End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.

This quote is a special case of a point we make elsewhere: software is built in layers. When the abstractions at one layer fail, all the abstraction layers above it also fail. Therefore, the most important layers to secure are the ones at the bottom. Our goal is not just to make things better; it is to raise the abstraction floor below which the program cannot fall.

GAO: “Nearly all major… programs… had mission-critical cyber vulnerabilities that adversaries could compromise.”

Why send machines across an ocean to attack us when the Chinese can just tell our machines to do the same? Or maybe just turn them off. https://www.gao.gov/assets/700/694913.pdf

United States Government Accountability Office, Report to the Committee on Armed Services, U.S. Senate, GAO-19-128, October 2018

WEAPON SYSTEMS CYBERSECURITY[:] DOD weapon systems are more software dependent and more networked than ever before…. Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

“Neurosurgeons: … neural implants are vulnerable to networked attacks”

What comes after computers that fit in your pocket?: http://boingboing.net/2016/05/14/brainjacking-the-future-of-so.html

In a new scientific review paper published in World Neurosurgery, a group of Oxford neurosurgeons and scientists round up a set of dire, terrifying warnings about the way that neural implants are vulnerable to networked attacks.

Most of the article turns on deep brain stimulation devices, which can be used to stimulate or suppress activity in different parts of the brain, already used to treat some forms of mental illness, chronic pain and other disorders. The researchers round up a whole dystopia’s worth of potential attacks on these implants, including tampering with the victim’s reward system “to exert substantial control over a patient’s behaviour”; pain attacks that induce “severe pain in these patients”; and attacks on impulse control that could induce “Mania, hypersexuality, and pathological gambling.”…

The paper has a delightful bibliography, which cites books like Neuromancer, anime like Ghost in the Shell, as well as papers in Nature, Brain, The Journal of Neurosurgery, and Brain Stimulation.

Schneier: “Everything is becoming a computer”

Bruce Schneier, one of the world’s experts on “security, computer and otherwise”: https://www.schneier.com/crypto-gram/archives/2017/0615.html

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.…

Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.

But it is a system that’s going to fail in the “Internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.

“The Case for Memory Safe Roadmaps”

https://media.defense.gov/2023/Dec/06/2003352724/-1/-1/0/THE-CASE-FOR-MEMORY-SAFE-ROADMAPS-TLP-CLEAR.PDF “The Case for Memory Safe Roadmaps[:] Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously (December 2023)”

United States Cybersecurity and Infrastructure Security Agency, United States National Security Agency, United States Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, United Kingdom National Cyber Security Centre, New Zealand National Cyber Security Centre, Computer Emergency Response Team New Zealand

Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability. They are a class of well-known and common coding errors that malicious actors routinely exploit. These vulnerabilities represent a major problem for the software industry…. These vulnerabilities persist despite software manufacturers historically expending significant resources attempting to reduce their prevalence and impact through various methods, including analyzing, patching, publishing new code and investing in training programs for developers. …