Apollo, Elections, and 007

First, by the end of this article, that title will make some sense. Second, if you want more information on what I discuss, there will be links to more information in the text.

With the midterm elections becoming closer and closer, we are hearing repeated pleas to our generation to get to the polls and vote. Regardless of party or ideals, just vote. Increasingly this is being done through electronic voting machines. Tamper resistant, easier to count, more convenient, and hopefully with better user interfaces than the machines used in Florida during the 2000 election. It may then come to your surprise that there is a group of people rather concerned about the use of these machines, software engineers. Randall Munroe, the mind behind xkcd comics put it this way.

xkcd Comics, original can be found at https://xkcd.com/2030

This sentiment was echoed by Tom Scott, a web developer and software engineer who now runs a youtube channel devoted to finding fascinating historical and scientific places scattered around the world. His assessment boiled down to that either you have an easily hackable machine or a very expensive pencil. This however just raises another question, why are software engineers so concerned about these machines being vulnerable? The reasoning is fairly simple, as demonstrated in the M.R-1 launch, computers can have all kinds of problems and bugs which cause unfortunate things to happen. This, however, is not the only concern.

First, the oops. These are the accidents, an errant bit of code is published that was never supposed to see the light of day, or a software engineer making a mistake. These are your Steam Store Christmas bugs, where the website has incorrect code for handling new user logins and instead displays the page of whoever logged in at the start of that five minute period to anyone who logs in. Then the webpage stored on the server refreshes, and another unfortunate person gets their logged in user page shared with the world. In the case of Steam, this was mostly harmless, as other security protocols prevented persons directed to the wrong page from making purchases or viewing payment information. The same could not be said for the Norwegian government when they accidentally shared the personal information of one of their citizens with anyone who logged in to check their tax return.

Very similar to the oops is the odd interaction. This is when the way a computer processes a bit of code or as is often the case, several thousand lines of code results in something rather unexpected. This would be where the M.R-1 launch fits in. It is in good company, everything from the aptly named shellshock bug to the link that crashes chrome fits in here. The instance of this which you are probably most familiar with would be the text that went around a few years ago which crashed any i-phone which received it. This was due to the way in which the i-phone determines how much of a text to display in a notification. The phone first takes into account the size of the screen, along with what type of notification it is displaying. If the amount of text it determines it can display is less than the amount in the message, then it will cut the message to make it shorter. This particular text lined up where the phone would cut off the text with a particular Arabic character. Many characters in Arabic change length based on whether they are at the end of a word or not. The consequence of this was that when the phone cut the message, the message immediately grew in length, and was beyond what it had spaced out to display. At the time, IOS was unable to handle this, determined that something had gone horribly wrong, and shut down.

Next up are the lazy or convenience vulnerabilities. These normally occur because someone decided to take a short cut and leave something disabled. These range from the unfortunate situation with the security cameras in Wake County’s public school system. (You are going to have to ask me about that personally for more information). This is also what happened in the case of the Equifax breach (two links there) where they were informed about a vulnerability and just refused to fix it for several months. <i> One instance of this occurred a few years ago, and was noticed when the BBC’s official twitter page spread a self retweeting tweet. </i> If that last sentence was italicized, then this platform is also vulnerable. Essentially, there are tags which can be placed in the html code of websites which do various things, make text bold, make it italicized, add headings and all kinds of other useful things. The user of a website should never ever be allowed to put these things into the website, and most websites have ways of making user inputs “safe” or instructing the browser to just ignore any of these special tags which the user enters. TweetDeck had never enabled this for the part of their website which handled posting tweets. This resulted in a tweet which someone made that included the “script” tag being allowed to run if anyone using TweetDeck viewed a tweet containing it. The result of the script imbedded in this tweet was that it auto retweeted itself, and left the user with a lovely popup explaining what had just happened.

The final, and most concerning is the intentional vulnerability. In the event that a company or group want to make their product vulnerable they can certainly do so. Sometimes this comes in the form of a backdoor, a secret way around all of the security in a device or system which can be exploited by not only its creator, but also anyone who finds it. More often than not, however it is just a company trying to make a few more bucks. In 2015 Lenovo admitted to preinstalling a piece of software called Superfish onto many of their pcs. The software was there to serve extra advertisements to their users whenever they visited search sites such as google. In order to do this the software had to redirect the browser to its own webpage and serve advertisements there along with loading the google page, essentially performing a man in the middle attack. Simply forcing the browser to do this would have set off all manner of security red flags for the browser and any security software on the device because the computer was expecting to be connected with google.com and got something masquerading as google. The security certificate that the browser was expecting for google would have been missing and it would have terminated the connection. In order to get around this, Lenovo set up a trusted certificate authority in Superfish on their laptops that was signing these certificates on the fly. When the browser went to check for the google certificate, Superfish would be there to provide a faux one. This story gets even worse. Creating a security certificate requires a private key, which is then put through some one way operations to produce the certificate. This key was stored on the Lenovo devices, and was they same for every single instillation. Once someone got the private key out of the Superfish software on a device, they could cause any Lenovo product with Superfish on it to connect to any faux website they wanted it to without setting off any security warnings.

So there you have it, software is horrible, all is doom and gloom and it should never be trusted with anything as important as voting let alone driving or protecting humanity. The vulnerabilities I discussed here are not even some of the most terrifying such as Specter and Meltdown. This may be the initial reaction, but at the same time there is hope. Software engineers are working to ensure that things like this never happen. Along with them, white hat hackers such as these fine people are working every day to ensure the safety and security of our devices and services. Corporations such as Google even have whole departments devoted to not just finding vulnerabilities in their own systems, but also in other systems. In the meantime however, you can go crash your browser here, if that sounds like fun.

 

More Specter and Meltdown Links:

NY Times Article

Vulnerability Researcher’s Site