Dyn’s Fire

In case you didn't get the title.

Already, the Dyn attack has fallen from the memory of most Americans–a phenomenon for which they can’t really be blamed. Realistically, we’re simply bombarded with too many things happening of too much significance at too high a frequency to possibly keep track of all of it. Just a few weeks ago, I read about China’s expansion into the South China Sea and how it made the American Government butthurt, and that’s a pretty major issue, since we’re sending more of our Navy to the region to “make sure China doesn’t expand too far” (let’s forget that we’re talking about the South China Sea), and I’ll be honest with you: I’ve given that issue almost no thought. In fact, through the last week I’ve not really given any thought to the harsh reality that Hillary and the Democrats seem to want war with Russia, or that the Russians are preparing for nuclear war, or that we’ve got more troops on Russia’s borders now than we ever did during the Cold War…

So on the surface, even if we did have memories synthetic enough to perfectly recall every bit of important news, something like Netflix and Reddit being knocked off the Internet for a while is of no consequence to most people. “Oh, no, you couldn’t watch The Walking Dead or whatever for a few hours? Excuse me while I try to avert World War 3.”

There has been a lot of speculation about who was responsible for the Dyn attack. John McAfee–who has my deepest support–spent some time on the Tor network and heard that actors in North Korea were responsible. I attempted to do this myself, a few days before the attack (there were whispers here and there before the attack took place, but details were sparse), but found that everything of any interest to anyone had been moved behind a BTC paywall, and I didn’t care enough to pay to enter a forum that might be full of people blustering and not really knowing what they’re talking about, so I’m glad he was able to succeed where I failed.

However, the fact that we don’t know who is responsible points to a bigger problem.

For example, have you heard of the Equation Group? “Equation Group” is the name that Kaspersky Labs has for a hacker/malware group whose sophistication is so advanced that they are wholly unlike any other threat generator in the world. Most people agree that the Equation Group is, in fact, the NSA. It is either the NSA or an equivalent Israeli agency, but given that their actions largely take place within the United States, it is most likely that it is the NSA, and their level of sophistication is terrifying. For example, they have intercepted hardware shipments in the United States and rewritten firmware that contains malware that is both invisible and practically impossible to remove.

This was actually a matter of some curiosity, as a colleague orders from Newegg constantly. Via email, we agreed that he would order some components that I needed for my personal PC: a new motherboard, new CPU, and more, better memory. Having used Newegg for years, the colleague was certain the shipment would arrive expediently. In fact, the shipment disappeared for ten days–the first and only time this has ever happened to the colleague. Now that we know the reach of the NSA and how they absolutely can identify someone in my position–especially since I had just been learning Arabic, though I dropped that quickly when I realized the implications–it remains entirely possible that my hardware was intercepted. There was, after all, a trail via email that made it clear the hardware was for me, and we know the NSA snoops email. Disregarding the fact that I was certainly visited by goons of some agency several years ago who wanted me to help them hack a mayor’s email address and break into a government PC.

Large cloud vendors, social networking sites, and other media platforms are being hacked with an almost weekly regularity now, and it doesn’t seem that Americans are really taking note of the world we live in. This is one of the reasons I’m working on a series of short stories involving a sort of modern Sherlock Holmes who does I.T. work in a world some 10-15 years in the future. The first such story deals with a woman who is driving down the Interstate when a hacker infects her vehicle with ransomware.

“Your vehicle has been protected with AGI Encrypt 3.0. This has been done for your protection. We cannot guarantee the service works for you unless you pay 2 BTC to Bitcoin Address… In the event that you do not, then your vehicle will be susceptible to hackers, who would hijack your system and pilot your vehicle into a tree at high speeds.”

Sound bad?

That’s the world we’re heading toward. Blithely.

No one takes security seriously. I own an I.T. firm, and this firm does 99% of its work through contracting for another firm, and I can tell you from experience that most I.T. people don’t take security seriously. What’s wrong with leaving RDP enabled on its default port? lol. What’s wrong with turning off the firewall on the server? No, we’re not talking “Oh my god, you’re not running an anti-virus?!” kind of crap. Anti-viruses are useless, and I haven’t used one in nearly a decade. Anti-viruses are pacifiers for the gullible, and nothing more. Back in the day–in the mid- and late-90s–they were more important. In modern times, though, they’re useless–the only anti-virus you need is a reasonably knowledgeable user. Don’t click to install that fucking plugin from ultraporn.xxx. Don’t download Ultra Pro Super Registry Fixer and Driver Updater Plus.

One of the key features of my stories is that the I.T. world has become increasingly analogous to a free-market police solution. This shouldn’t be a surprise–I’m an anarchist, after all. So if I’m envisioning the future, I’m going to come up with solutions that don’t rely on the state. In actuality, though, I.T. firms are already very similar to police departments–instead of arresting people, we sinkhole servers.

For some background, I was interviewed as an expert by Fox News to discuss ransomware:

That… was obviously a few years ago.

I was berated heavily for that video, wherein I said that it’s pointless to contact the FBI. So the next time a client was hit with ransomware, I contacted the FBI. It went down like this:

  • Client contacted me with problems using PeachTree Accounting Software.
  • Connected remotely to the server–the server is in South Carolina, and I’m in Mississippi.
  • Found immediate signs of ransomware.
  • Removed malware and restored backed-up documents to undo the damage.
  • Discovered it was the result of a targeted attack. It was an intense experience, as I was literally working on the server at the exact moment someone else was. It wasn’t as intense as Hollywood would make it out to be, but it was fun.
  • Contacted the FBI.
  • All of the above happened over the course of 2 days.
  • Six months later, the FBI replied to my report.

As far as comparisons between the free market and the state go, they don’t get more obvious than that. Within minutes of learning of the problem, I was on the server, running it down and handling it. It took the state six months to respond. So let’s be clear about this. We’re heading toward a future where private I.T. firms will cease to exist–much as private police forces have ceased to exist–with the role being turned over to the state, where it becomes inefficient, wasteful, and ineffective; or where…

American Tech Suppliers–or something like that, because I don’t remember what I called them–instituted a national database of I.T. firms. If you owned an I.T. firm, you could apply to be Listed for your city. Only one firm per 30-mile radius could be listed, though, which encouraged competition, efficiency, and excellence. If BITS and MNS both in Memphis wanted to be listed, then whichever one of them was better would get that coveted spot. Why was it coveted? Because, no matter where you were in the country, you could call 510, and it would automatically direct your call to the nearest Listed tech firm.

This became necessary because malware infections started becoming matters of emergencies, though, at the time the story takes place, vehicles are only just now beginning to be infected with ransomware. And it’s going to happen. Have no illusions or delusions about it. We’re heading toward the Internet of Things in a society where technological security is an afterthought at best. Despite reports abounding about ransomware, how many Americans are regularly backing up their data? I’d bet less than 3%. So when they get hit with ransomware, they’ll be caught with their pants down, faced with paying $500 or losing 12 years of pictures and videos.

Now look forward, to the days of self-driving cars with always-on Internet connections. There’s a quandary there, isn’t there? Should the human driver’s input always override the computer navigation? “Yes!” laypeople would say without giving it any thought, but already this isn’t the case. If you’re attempting to back up, and your van detects that there is a little kid on a bicycle behind you, it will not let you back up. While people would say this is a good thing, the implications are obvious: human input does not automatically trump the computer. We want the computer there to keep us from making mistakes and having accidents, after all, so we’re okay with our vehicle automatically stopping even if we’re telling it to go.

But how difficult would it be for someone to plant a virus that spoofs the sensors and tells your computer that there is a child behind your vehicle? You’ll get in your car, crank it to leave, and find you can’t reverse out of your driveway because it thinks there is a child behind you. No matter how hard you floor it, your vehicle isn’t going anywhere. Then the message plays over your radio, “Your vehicle’s system has been upgraded with Cyber Protect for your protection. To unlock your vehicle for use with its upgraded system, you must pay $500 in BTC to this address…”

That’s the best that we could face–and we will face it, because it will happen, and auto manufacturers are treating security like it’s not very important. But even if they did consider it as important as Microsoft considers Windows security to be [let’s not get into that], they can’t be very effective. Decades of dealing with malware have taught us that no amount of top-down security can protect you from malware. There are always people looking for code to exploit. When they find it, it is patched, and then they go on to find new exploits. It’s a constant battle, and even staying updated will not protect you from zero-day exploits. So if a hacking group finds a zero-day exploit that will allow them to take control over every Chevrolet on the road, then you’re simply fucked if you drive a Chevy.

Far more alarming will be the people who put your life at ransom. Why shouldn’t they? Can you imagine driving the road, only to have your vehicle tell you that it’s going to continue driving around for the next hour, you have that time to pay a certain amount of BTC to a specific address, and, if you don’t, you will be driven into a wall at high speed? Oh, of course your doors would lock and not let you out. You could try breaking a window and jumping out of the window while cruising down the Interstate at 70 miles per hour, but your odds there aren’t much better than they are with the wall. In short, you’ll pay.

It only took 6,000 cell phones that were infected to bring down an entire state’s 911 service. It’s hard to even imagine how vulnerable our technological systems really are, but just process that. 6,000 infected cell phones brought down an entire state’s emergency services. Imagine what state-sponsored hackers in another country could do with 300,000 infected devices.

Meanwhile, someone is probing and testing the waters for taking down major websites by crippling DNS providers. How many devices would it take to tear down Facebook, Twitter, Gmail, Ymail, etc.? How difficult would it be to time that so that it coincides with a major military assault? Suddenly the Internet would just… go down… for everyone… and when it came back up we’d learn Washington, D.C. has been nuked by the Chinese and Russians, and that a coalition of these forces has already landed in California. Now, I don’t think either of these countries has any interest in attacking us. My point is how vulnerable we are, not how threatened we are.
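The reason crippling one DNS provider takes so many sites offline at once is that a great many zones delegate every one of their nameservers to that single operator. A defender's first check is therefore whether a zone's NS set spans more than one operator. The following is an added example, not code from the original post: it parses dig-style NS answer lines for a hypothetical zone (`shop.example`, constructed here; in practice you would feed it the output of `dig NS <zone> +noall +answer`) and reports whether the delegation has a single-operator point of failure. Grouping nameservers by their last two labels is a simplification that stands in for a real public-suffix lookup.

```python
"""
Check whether a zone's delegation depends on a single DNS operator.

Added example (not from the original post). Input is a constructed,
dig-style NS answer section for the hypothetical zone "shop.example".
"""
from collections import defaultdict

# Constructed sample: what `dig NS shop.example +noall +answer` might print
# for a zone hosted at one managed-DNS operator only.
SINGLE_PROVIDER_ANSWER = """\
shop.example.   172800  IN  NS  ns1.dns-operator-a.example.
shop.example.   172800  IN  NS  ns2.dns-operator-a.example.
shop.example.   172800  IN  NS  ns3.dns-operator-a.example.
"""

# Constructed sample: the same zone after adding a second, independent operator.
DUAL_PROVIDER_ANSWER = """\
shop.example.   172800  IN  NS  ns1.dns-operator-a.example.
shop.example.   172800  IN  NS  ns2.dns-operator-a.example.
shop.example.   172800  IN  NS  ns1.dns-operator-b.example.
shop.example.   172800  IN  NS  ns2.dns-operator-b.example.
"""


def parse_ns_hosts(answer_text):
    """Return the NS target hostnames from dig-style answer lines."""
    hosts = []
    for line in answer_text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type target
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "NS":
            hosts.append(fields[4].rstrip(".").lower())
    return hosts


def operator_of(ns_host):
    """Approximate the operator by the registrable domain of the NS host.
    Simplification (assumption): take the last two labels, no public-suffix list."""
    labels = ns_host.split(".")
    return ".".join(labels[-2:])


def operators(answer_text):
    """Map operator -> list of nameservers that operator hosts."""
    grouped = defaultdict(list)
    for host in parse_ns_hosts(answer_text):
        grouped[operator_of(host)].append(host)
    return dict(grouped)


def single_point_of_failure(answer_text):
    """True when every nameserver belongs to one operator, so an outage at
    that operator (the Dyn scenario) leaves the whole zone unresolvable."""
    return len(operators(answer_text)) <= 1


if __name__ == "__main__":
    for label, text in (("single", SINGLE_PROVIDER_ANSWER),
                        ("dual", DUAL_PROVIDER_ANSWER)):
        verdict = "single point of failure" if single_point_of_failure(text) else "ok"
        print(f"{label}: {operators(text)} -> {verdict}")
```

Adding a second operator only helps if the second operator actually serves the zone's current data; the check above says nothing about whether both sets of servers are kept in sync, which is the other half of the work.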

I’ve been unable to find the actual news item–Google makes it impossible to find older news items, which is scary in its own right–but we’ve long been aware that the Chinese are actually capable of crippling 17 key defense systems. How technological are our military systems? Could NORAD even be effective without the Internet? Who knows? And though I don’t think there is any reason to believe that someone wants to be aggressive toward us–except North Korea, who is incapable of doing much harm anyway–the unfortunate truth remains that we are exceedingly vulnerable, and we have no idea how vulnerable we really are.

Some years ago while I was at work, suddenly everything in the city was down. No one had Internet, and no one’s phones worked. For about 45 minutes, the entire city was completely disconnected from the rest of the world. The problem was never identified, but it was terrifying. Suddenly, there was absolutely no contact with the outside world. For all I knew, I could get on the Interstate and would find myself blocked by military vehicles telling us that the entire area was under quarantine and no one was allowed to leave–I had just watched The Andromeda Strain, it’s worth mentioning.

Imagine the effect that a few hours of zero Internet access would have on the United States, and imagine what could happen in those hours.

This is why I sneer at people who insist that, even if Hillary does want war with Russia, it doesn’t matter because Russia can’t possibly do us any harm. It’s like someone sneering that it doesn’t matter if they lick a petri dish that allegedly contains salmonella, because they can look and see the dish is clear and empty. “I can’t see it, so there must be nothing there! It’s totally safe!”

No… Take the biochemist’s word for it–there’s salmonella on that dish.

And take my word for it: our technological infrastructure is far more vulnerable than you think.

That a group of people was able to take down tremendously popular sites like Netflix and Reddit should make that obvious. That there are multiple groups who could be the ones responsible for it should make it abundantly clear. Was the Dyn attack a very big deal? Not really. But it should have been a warning of what’s to come. If they can take down Netflix, then they can take down Facebook and Twitter. I don’t know how the American people would react if they had to go without social media for more than a few minutes–the insane reactions of people when Facebook goes down for a few minutes of maintenance should be an indicator–but it wouldn’t be good.

Worse yet, the Dyn attack was carried out by devices in the United States, by unwilling and unknowing ordinary people whose phones were weaponized. Maybe your phone. You know? There is every possibility that your phone–the one you’re probably using to read this–was part of the DDoS. How would you know? You wouldn’t. And you probably didn’t even think to look into it.
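From the device itself you usually wouldn't know, but from the network side a conscripted device stands out: a phone or gadget that normally sends a handful of lookups to the home router suddenly pushes thousands of DNS packets a minute straight at outside servers. The following is an added example, not code from the original post, of that detection logic run over constructed flow records (the kind a router or firewall exports as NetFlow/IPFIX or conntrack data). The resolver address and both thresholds are assumptions chosen for the sample; a real deployment would derive them from the network's own baseline.

```python
"""
Spot a LAN device generating the outbound DNS traffic pattern of a device
conscripted into a DNS flood.

Added example (not from the original post). Flow records are constructed;
the resolver address and thresholds are assumptions.
"""
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.1"   # assumed: the only host clients should query
MAX_DNS_PKTS_PER_MIN = 120       # assumed baseline for a phone or IoT device
MAX_EXTERNAL_DESTS = 3           # assumed: more external DNS targets is unusual

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, packets)
FLOWS = [
    # ordinary phone: a few lookups to the local resolver, then HTTPS traffic
    (1477000000, "192.168.1.20", "192.168.1.1", 53, 4),
    (1477000020, "192.168.1.20", "192.168.1.1", 53, 6),
    (1477000050, "192.168.1.20", "203.0.113.10", 443, 40),
    # suspect device: heavy DNS traffic sent directly to many external servers
    (1477000001, "192.168.1.37", "198.51.100.5", 53, 900),
    (1477000010, "192.168.1.37", "198.51.100.6", 53, 850),
    (1477000030, "192.168.1.37", "198.51.100.7", 53, 870),
    (1477000045, "192.168.1.37", "198.51.100.8", 53, 910),
    (1477000061, "192.168.1.37", "198.51.100.9", 53, 880),
]


def dns_profile(flows):
    """src_ip -> {"per_minute": {minute: packets}, "external_dests": set}.
    Only port-53 flows count; per-minute buckets give the burst rate and the
    destination set shows whether the device bypasses the local resolver."""
    profile = defaultdict(lambda: {"per_minute": defaultdict(int),
                                   "external_dests": set()})
    for ts, src, dst, dport, pkts in flows:
        if dport != 53:
            continue
        profile[src]["per_minute"][ts // 60] += pkts
        if dst != LOCAL_RESOLVER:
            profile[src]["external_dests"].add(dst)
    return profile


def peak_dns_rate(flows, src):
    """Highest number of DNS packets the device sent in any one minute."""
    per_minute = dns_profile(flows)[src]["per_minute"]
    return max(per_minute.values(), default=0)


def flag_dns_flooders(flows):
    """Return {src_ip: sorted reasons} for devices with anomalous DNS behaviour."""
    findings = {}
    for src, p in dns_profile(flows).items():
        reasons = []
        if max(p["per_minute"].values(), default=0) > MAX_DNS_PKTS_PER_MIN:
            reasons.append("dns-rate")
        if len(p["external_dests"]) > MAX_EXTERNAL_DESTS:
            reasons.append("bypasses-resolver")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in flag_dns_flooders(FLOWS).items():
        print(f"{src}: {', '.join(reasons)} (peak {peak_dns_rate(FLOWS, src)} pkts/min)")
```

The two signals are deliberately independent: a device can trip the rate check while dutifully using the local resolver (a flood aimed at the resolver itself), or talk to many outside DNS servers at a low rate (a reconnaissance-like pattern), and either alone is worth a look.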

“The Internet of Things!” people proclaim, excited and eager.

But I can only shake my head. No people have ever been less ready to take on such an enormous vulnerability.
