The MacGyver complex
"Do you want to be MacGyvers?" In a fascinating lecture this week, given as part of Royal Holloway's annual Smart Card Centre open day, University of Tulsa professor Sujeet Shenoi demonstrated the work he and his Cyber Corps team do to extract information from the weird and wacky devices used by criminals. No photographs were allowed: real devices, used in real crimes! And here we find out that just as there's an arms race in software (you make stealthier malware, I come up with cleverer ways to block it, so you make even smarter stuff, and...) there's one going on in hardware obfuscation. Not just, as security writer Brian Krebs keeps documenting, that people keep inventing ever-cleverer and harder-to-detect devices, One of Shenoi's gadgets began as a set of headphones with an embedded MP3 player purchased from Skymall; the MP3 player was then attached to an ATM to record the data on cards' magnetic stripe as audio files; Krebs describes a similar device.
But the people who make the gadgets that land in Shenoi's lab are aware that at some point they may be investigated in detail using techniques like forensic desoldering and they have access to manufacturers' assistance to reverse-engineer pinouts. So part numbers are burned off with acid or covered with paint, and the boards are covered and underfilled with epoxy so investigators will struggle to take them apart to access the innards. No wonder Shenoi needs his degrees in chemical engineering as well as computer science: they use lasers and chemicals such as DMSO and MEK to attack such gambits. They have recovered information from buried and burned phones and broken SIM cards, and 3D-printed tiny JTAG connectors to plug into the broken-off ports on boards to get at the 0s and 1s encoded in the chip. A 2010 case in which an ATM skimmer swallowed a USB drive raised the question of the effect of stomach acids on electronic circuitry, a study that sounds like an Ig Nobel award waiting to happen. My guess is that criminals know their inventions won't permanently defeat investigators, and that their goal is to extend as long as possible the window of time during which they can go on profiting from these devices to the tune of $1 to $5 million a week.
"It's old-time science," Shenoi said.
In various discussions of the HIV clinic that emailed 780 of its patients with all their email addresses exposed, several points have emerged. The first is that medically - the reason for its existence - the clinic has an extraordinary record of excellence. The second is that the instinctive reaction to blame the person whose finger was on the Send button may be unfair: quite often "modern" email software doesn't make it easy or obvious how to send individual group emails. This is one of many cases where it's worth remembering that people *can*, when software-deprived and in a hurry, make mistakes. The better option is generally to improve the software so that doing it right is the easiest possible option, but also to see such mistakes as part of a complex system that has typically accreted rather than being designed. Fixing the human or designing them out entirely is rarely a complete solution.
I have been sporadically and incompletely following the strange story of what can only be described as a Distributed Denial of Service attack on the Hugo awards that involved slates of candidates and block voting. For 60-plus years, the Hugo awards have been amiably voted on by fans who have paid the fee to join the year's World Science Fiction Convention. They are everything you'd want fans' choice awards to be: voted on by knowledgeable, passionate readers spending their own money. This year, as millions of words in blogs and articles - such as The Daily Beast's summary, and Wired's wrap-up, and discussions hosted by Theresa and Patrick Nielsen-Hayden and Charlie Stross. Some solutions have been suggested. One, E Pluribus Hugo, has been adopted with the intention of closing off this year's particular exploit for future years. The cost for this year, however, is that when fans rebelled against the slates many categories were voted "no award", and the likelihood is that by being crowded out of the nominations some deserving authors lost out on the recognition they might otherwise have received.
Not technology-related: I commend to you Show Me a Hero, the new HBO miniseries by David Simon (best known for The Wire and Treme), based on the eponymous 1999 book by New York Times journalist Lisa Belkin. The series expertly chronicles the ugly, angry late-1980s dispute over desegregating housing in Yonkers, New York, which saw the city was by US federal judge Leonard B. Sand (Bob Balaban) to pioneer scattered-site public housing. The series makes explicit a theme that is visible in today's "neutral" big data systems: years of exclusion, deprivation, and prejudice embedded in the infrastructure (or the data) indicate patterns that become the coded basis for resisting change. Big data is a result; it's bad hoo-doo to turn it around and make it a cause.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.