Wednesday, May 09, 2012
Don't let them scare you
Back in 2005 I briefed some high-level military people about the danger of flash memory: how a worm that infects computers can easily trash the boot flash, turning them into bricks. Such a threat isn't targeted at desktops, but at servers, routers, and SCADA control systems. In most of these systems, flash memory is soldered onto the motherboard, and even in those where it's not, replacing the flash isn't an easy process.

The consequence is this: a mass attack against Cisco routers would take down large parts of the Internet for days, if not weeks. Such an attack against SCADA control systems in the power grid would cause a blackout that couldn't be fixed for weeks.

On the other hand, the solution is straightforward: make the boot flash for these systems user-replaceable, and supply an extra two boot flashes with any system where failure of the flash is catastrophic. (You need two, because after the first attack, you are going to replace it and get pwned again, requiring a third for replacement after you've fixed what's going on.)

Also, change systems so that they require manual intervention before they can be updated. Unfortunately, most people will set the jumper once to "enable flash update" and never change it, so you need to make it a button that, after you press it, will allow flash update only on the next reboot, but not after that until you press the button again.

Apparently, the military is now using this scenario as a scare tactic as part of their power grab for more control of the Internet, as reported by NPR. Seriously, where did these people go to journalism school? Gen. Alexander and Mike McConnell have been exaggerating cybersecurity risks for several years now, and the press is eating it up without questioning their facts or their motivations, or talking to experts (I'm only one of many, judging from Twitter reactions) who believe otherwise.

The NPR story totally distorts the risk.
This isn't an "incident": hackers haven't done this yet; it's just something they could do in theory.

This isn't a "vulnerability" that lets hackers break into computers; it's a risk of what might happen after hackers get through numerous defenses in order to reach those systems.

There is no imminent threat here. Rather, it's an issue of long-term planning: when designing critical systems, assume that hackers can make computers not boot.

This does not "underscore the need for public/private partnerships" or "information sharing" as NPR implies. Quite the opposite: the lies and distortions by Gen. Alexander indicate that the government cannot be trusted, and is probably a greater threat than hackers. No server farm has been lost to hackers destroying the boot flash; several have been lost from the FBI confiscating the haystack in search of a needle.

Why oh why doesn't the media have a left-wing bias? I'd've thought after the threat inflation that led to the Iraq War they would be more sensitive to such things.
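
The difference between the set-and-forget jumper and the one-shot button proposed above, as a small C model added here (not code from the original post). The type and function names are hypothetical, and a real design would enforce the latch in hardware where software cannot set it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Two ways to gate boot-flash writes (model only; all names are hypothetical). */
typedef enum { GATE_JUMPER, GATE_ONE_SHOT_BUTTON } gate_kind;

typedef struct {
    gate_kind kind;
    bool jumper_set;    /* persistent: stays until someone physically moves it */
    bool armed;         /* set by a physical button press, consumed at reboot */
    bool write_enabled; /* what the flash controller enforces during this boot */
    int image_version;
} board;

/* Physical action only: nothing running on the board can call this. */
void press_button(board *b) { b->armed = true; }

void reboot(board *b) {
    if (b->kind == GATE_JUMPER) {
        b->write_enabled = b->jumper_set;
    } else {
        b->write_enabled = b->armed; /* enabled only if armed since last boot */
        b->armed = false;            /* one-shot: the press is used up */
    }
}

bool flash_write(board *b, int version) {
    if (!b->write_enabled) return false; /* controller refuses the write */
    b->image_version = version;
    return true;
}

/* An admin authorises one update; an unauthorised write is then attempted
 * `boots_later` reboots afterwards. Returns true if that write lands. */
bool late_write_succeeds(gate_kind kind, int boots_later) {
    board b = { .kind = kind, .jumper_set = true, .image_version = 1 };
    press_button(&b);
    reboot(&b);
    flash_write(&b, 2); /* the legitimate update */
    for (int i = 0; i < boots_later; i++) reboot(&b);
    return flash_write(&b, -1); /* -1 marks a trashed image */
}

int main(void) {
    printf("jumper, 3 boots later:   %d\n", late_write_succeeds(GATE_JUMPER, 3));
    printf("button, 1 boot later:    %d\n", late_write_succeeds(GATE_ONE_SHOT_BUTTON, 1));
    printf("button, same boot:       %d\n", late_write_succeeds(GATE_ONE_SHOT_BUTTON, 0));
    return 0;
}
```

The same-boot case shows the remaining exposure: during the one boot the button authorises, any code on the system can still write the flash, so the update should be applied and the machine rebooted promptly.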