On days when I’m in a somber mood, I think about the enormous amount of malware and spoofs and phishing schemes, and wonder how long it will be until computers can no longer be trusted to be secure.
Will we go back to paper records, and personally knowing your banker?
Or will we simply assume that nothing is secret anymore, and do business that way?
About three years ago.
Let me tell you about TiVo’s OS. It’s sort of Linux but with weirdness. (E.g., it uses an Apple partitioning system and its own special file system to hold the programs and guide data.)
There’s a “chain of trust” built into it. The bootcode in the ROM checks that the signature is right on the kernel. The first thing the kernel does is check that all key files are signed right and there are no extraneous files anywhere. Then it finishes booting.
For early Series 1 TiVos, this was sort of easy to defeat. For Series 2 and 3 (the last analog and first digital ones), you could get around it by replacing the ROM chip with one your write yourself. Got to be a really great solderer. No one has ever figured out a general way to get into Series 4 (Premieres) or 5 (Bolts). The ROMs are well protected and cannot be read with chip readers.
The Bolts, in fact, keep certain key boot programs in ROM rather than on the HD. This adds a whole 'nother layer of trouble to try and get in.
All this to keep people from buying a TiVo, its retail price is less than manuf. cost, and using it without paying for TiVo’s guide service. (As well as turning off copy protection which is most regular folks’ goal.)
So pretty rock solid. But …
They did have the Shellshock bug. But they came out with a update very quick. You can still downgrade some models to an older OS, etc. But it is such a pain that no one ever implemented and posted a how-to specific to TiVos on the board devoted to such things. (Which is now practically a ghost site.)
There are “apps” of sorts that can be installed via an Opera Web Store to add functionality. But that never really took off and may in fact be dying or dead.
(It also helps a bit that TiVo didn’t leave any idiotic ports open so that outsiders have little hope of gaining access from across the Internet.)
This is sort of what has to be done.
The entire chain from boot to OS up and running has to be incredibly secure. And you have to “sandbox” all user installed apps.
But, a TiVo is a fairly limited OS designed to just run one task on one type of hardware. Once you get into doing different things on a variety of hardware, all this gets so much harder it’s incredible.
And there’s still going to be bugs. Google tries to make Android as secure as possible but bugs that allow rooting keep getting found. If you have a popular device, you can probably root it. (Which means that a malware containing app can do whatever it likes.)
I have a relative who works in “the business” and his attitude for companies is to give up on regular virus scanners and such. You have to software that monitors everything for any odd behavior/change and deal with it then. And lots and lots of backups.
No, it is simply not possible to go back to paper records due to the volume of data companies need to conduct business.
Security will continue to be a constant arms race between people trying to secure information and people trying to steal it.
For me, the issue is not so much security, but how software and operating systems keeping getting “improved” to the point where they’re no longer functional. Windows 10 has bricked some computers, for example. A while back I got so fed up with updates rendering my software unusable that I now run Windows 7 and don’t allow any automatic updates.
Fortunately, I’m computer savvy enough that I have never run into security problems (that I know of). But if anything, this problem seems to be getting worse and worse.
There is already a huge amount of computer-stored data that cannot be retrieved:
I for one still have my slide rule, triangles and engineering paper. I will still be able to do analysis no matter what happens.
While this is an issue, it probably pales beside the amount of data that is lost in fires, floods, warfare, etc. It also probably pales beside the amount of digital data that is lost to media degradation.
The sovereign remedies are standardization, with backwards compatibility – MS Word will open old WordPerfect files – and offsite backup storage. If people are wise enough to make use of these simple strategies, very little data needs to be lost.
(Only the universe and stupidity are infinite…and we’re not sure about the universe.)
But, this isn’t the issue I’m concerned with.
Right now, people assume that information they enter using their computer is private. At some point, I fear that that assumption will need to be flipped on it’s head, and people will need to assume that all data is visible to anyone who wants to see it.
How will that affect what we do with our computers?
People that gladly hang their dirty laundry out on their front yard with twitter/facebook etal will learn or get what they actually want. Notoriety.
I know that’s not what the OP is talking about. As much as I despise ‘hackers’ that steal info, they are actually doing an odd service. Encryption becomes stronger with each attack. Banks get robbed, but it’s still a better place to put your ‘money’ than under a mattress.
The worst kind of attack would be insidious. And not necessarily robbery. Screw up data a tiny, tiny bit at a time. To the point that it would be hard to find a point to restore it.
I’m not worried. And as has been said, we can’t go back.
The same was true of all communications and memory systems that preceded computers. All, where secrecy was necessary, could be reasonably well secured, and where secrecy was not required, what is the downside of computers?
Thou shalt not make a machine in the likeness of a human mind!
As I mentioned in the OP, I think we are approaching a time where malware will become ubiquitous. There has recently been discussion of a new Intel initiative to put a supervisor chip on the motherboard, which would enable undetectable rootkits. It this comes to pass, and the keys are ever compromised (which, they will be), then there would be no way for the average consumer to verify that his machine was clean.
One thing is that it could lead to more “sneaker net” data transfer: I put my secure stuff on a disk, and deliver it to you personally, without making use of an outside network. People might end up with two systems: the one in the basement (Hi, Hillary!) and the one they communicate to the outside world with.
But I agree with enipla: security will continue to get stronger, and we’ll maintain a rough balance. Yeah, there’s a background level of credit card fraud, but no one has transferred a cool trillion from the Federal Reserve to their offshore bank.
The golden age of malware finished with Windows XP. I’m pretty sure the prevalence of malware has been on the wane for well over a decade. What makes you think it will go up?
If Intel tries to do that, no company will buy a computer with that motherboard. Consumers will find out and shun them as well.
The increasing cleverness of Social Engineering schemes.
isn’t that something that is fixable through a PSA or something?
If only…
I have a LOT of clients who have no concept of computer security. Most of them are older, but I don’t hold out much hope for younger users, who grew up when computers wee common, and treat them as magic boxes.
Depends what you mean by malware. Worms and viruses that just exist to fuck things up are on the decline, but things like ransomware and trojans aren’t going away, because they are profit centres for criminals.