Monday, September 29, 2014

Shellshock, herd immunity, and the implications for the "Internet of Things"

Sometimes the analogies used for computer stuff can be a bit off-the-mark.  For instance, cordless computer "mice" aren't called "hamsters."  Computer "viruses," on the other hand, are a spot-on description.  Some are transmitted through a physical vector (historically, through a storage device such as a floppy drive or USB stick).  In other cases, transmission is seemingly airborne (such as via unencrypted wifi).

Continuing the analogy, UNIX-based systems such as Linux and Mac OSX have enjoyed the luxury of a certain "herd immunity."  That's partly because UNIX-based (a.k.a. "*nix") operating systems were designed to be networked, which meant that defences were baked in from the get-go.  Also, in the past, most everyone was running Windows.  And Windows users--typically but certainly not always--tend not to be the most tech-savvy.  Which, for anyone in the market for notoriety, put the virus-writing bull's-eye on Windows.

Which gave rise to a certain smugness among *nix users that ranged from a sigh-and-eye-roll ("When will you people learn?") to outright pointing-and-laughing whenever the latest Windows virus was making the rounds.

Last week's "Shellshock" vulnerability may well have brought that smugness to an end...at least blunted it for the foreseeable future.   Mainly because the free ride of (perceived) "herd immunity" has come to an end.  Apple's OSX has definitely spread from the Graphics Department to other areas of business.  Also, the overwhelming majority of web servers are based on some flavour of Linux.  Additionally, embedded devices are increasingly based on Linux.

For programmers like myself who do the bulk of their work on Linux laptops or desktops, most of the distributions (e.g. Ubuntu, Red Hat) make it stupid-easy to install security updates.  Ubuntu, for one, definitely gets up in your grill about them.  (Plus, we generally know better than to ignore them for any longer than absolutely necessary.)  By contrast, an Android tablet (which is Linux-based) like my Nexus 7 can be more obsequious, like the velvet-footed, quasi-invisible Victorian butler.  (That tiny notification icon in the northwest corner of the screen murmurs, "Would Milady graciously condescend to update her tablet now, or after tea?  Very good, marm."  But no more than that.)  Which is dangerous from the standpoint that updates are easy to ignore, yet it's the tablet that's more likely to connect to that coffee-shop wi-fi.

And the proverbial web-enabled toaster?  Fugeddabouddit.   Its manufacturer was too busy trying to squeeze half a cent off the unit cost (to appease Walmart's accounting goons) to worry about releasing software patches.  And that's precisely the problem with the Internet of Things.

And while I don't necessarily like to call for yet more regulation, I think any government that waits until after a catastrophic network attack to require patching is a reckless government.  The two major barriers to such a catastrophe are well on their way to becoming null and void.  Clearly, the industry cannot be trusted to police itself.

Cost was the first barrier.   Unlike Windows or OSX, Linux is free to use.  It is--just as importantly--also free to hack up and modify to suit your particular hardware.  Either factor is enough to make Linux a no-brainer for electronics manufacturers.  Which is fine for standalone gadgets.  But when they're exposed to a network (and by extension other devices), an evolving immune system is a non-negotiable.

There's another dimension to the cost factor, and that's in hardware.  Previously, only full-size PCs or laptops had the processing power and memory to support a full-blown operating system.  Not anymore, when the $40 Raspberry Pi runs off an SD card like the one you probably already have in your camera.  Eventually, the only limits on size will be imposed by the need to connect it to monitors and standard ports or peripherals (these days that means USB devices; who knows what hotness tomorrow will bring?).

All that, for a manufacturer, means that they don't have to spend the money and time to develop a custom operating system; they can go with a no-cost off-the-shelf platform.

The second roadblock, scarcity of always-on connectivity, is now disappearing, as public libraries and city buses and in some cases entire cities offer free wi-fi. 

The upshot is that we'll have a ubiquitous operating system that is less than likely to be immunised against the latest viruses.  And it will be living in the (metaphorical) Grand Central Station of the internet, exposed to any and all comers.  Pandemic is not a risk; it's a certainty.

I know that most people couldn't care less if their cyber-toaster tells a black-hat hacker or the NSA or the CSEC that this morning's raisin bagel was (gasp!) not gluten-free.  But that's soooo emphatically not the point here.  Why?  Because hackers do not always want your data.  In many cases, they want to siphon your processing power and your bandwidth so they can use it to attack those who do have juicy credit card numbers or email addresses or passwords or naked celebrity selfies or whatever.  Which ultimately means that when anyone's too lazy to keep up with patches, they're aiding and abetting the enemy.  And complacence, as we know from politics, is complicity.

Naturally, my Gentle Reader is too savvy and hip to be slovenly about such things.  They fully appreciate that even their Fitbit has orders of magnitude more computing and communications power than what put people on the moon.  And they, beyond question, have the instinctive class and sense of noblesse oblige to know that with great power comes great responsibility.

Of course they do.