Living unsecured

An article published in the Proceedings of the Sixteenth Conference on Financial Cryptography and Data Security details how University of Michigan professor Alexander Halderman, two grad students, and the university’s “ethical hacker” broke into Washington, DC, voting machines and caused Futurama character Bender Bending Rodriguez to be elected to the DC school board. This happened in 2010, when the DC school board ran a mock election and invited hackers to try to bypass the security of their online voting system.

If you’ve never tried to write a secure computer program, this might be shocking or even frightening news. If you have, you probably shrugged it off. What else could you expect?

If you read programming websites like The Daily WTF, you get horror stories of sites and software built for governments and large corporations that are vulnerable to simple attacks like SQL injection. This technique cancels an innocuous command partway through and replaces it with a malicious one that deletes or releases secured data. It’s easy to exploit and trivial to protect against.

A similar technique was used by Halderman and his students to break the DC voting system and take over the school board’s network. Once they were in, they had access to sensitive information including confidential voter data and live feeds of the building’s security cameras.

The takeaway message from the article is that electronic voting is not viable and won’t be until there are major advances in computer security. But there’s more to learn here: this wasn’t an isolated incident: this sort of thing happens all the time. We live in an unsecured world.

In high school, a friend and I broke into the wireless router in our computer science class and set it up to block all Internet access between the hours of 9 and 10 a.m. and ban a certain classmate from visiting any sites containing the letter M in their name. We did this despite having no skills and no knowledge of cryptography — we used a freely available piece of software to intercept the password when a trusted user logged in. It was literally as simple as opening a program and clicking the “break in” button.

Like many exploits, this is not difficult to protect against. But in order to do so, you need to know a vulnerability exists in the first place. Beyond the most basic level of choosing secure passwords and not downloading any files named “naked_ladies_I_swear.exe”, this can require serious technical knowledge that most people can’t afford to cultivate.

This was an ordinary router of the kind you might find in your own home, using WPA encryption—the most common type, though a shocking number of wireless routers are still unsecured. If two high school kids screwing around can cause this much mischief, imagine what a bona fide black hat (the bad kind) hacker could do. It suddenly becomes clear that the only reason no one’s ever bypassed the security on your computer or mine is that it’s never occurred to them.

How can we get by in the world with such a bleak outlook?

Well, you probably can’t afford to pay a security company to patrol your house 24 hours a day. Instead we use a lock and key. We don’t fool ourselves that this will keep out a determined criminal, but nothing a normal person can afford will, and at least a lock deters casual burglary. The best security measures will only inconvenience a skilled attacker, but this was the case before computers even existed. For most people, security has always been an illusion.

Large institutions with the money to pay for proper security will create new and exciting ways of inconveniencing attackers to be developed. There will always be holes, but then again every so often somebody slips past the U.S.’s secret service.