Open Sesame

 

The latest crisis in computer security comes from news of the Meltdown and Spectre Central Processing Unit (CPU) exploits. Nearly all desktop and laptop computers are affected, and most tablets, smartphones, and other small devices are also affected.* The difference is on account of the types of CPUs used for the various computers and devices. Since home users usually access password protected accounts like email and online banking from smaller devices as well as larger computers, they could see their privacy and online security compromised across platforms. In other words, hackers can exploit a hardware flaw in the CPUs of home computers, and then hackers could use that vulnerability to access private email and banking passwords in software that crosses platforms.

 

ืขืœื™ ื‘ืื‘ื ืžืชื—ื‘ื ืขืœ ื”ืขืฅ
In the story “Ali Baba and the Forty Thieves”, Ali Baba overhears one of the thieves say “Open Sesame” to open the entrance of the cave where they store their loot. Illustration by Rena Xiaxiu.

CPU makers like Intelโ€  are racing to fix the problem, which was first discovered by Google security researchers last June, and internet browser makers, where many users store passwords, are hurrying to tighten security on their end. In the meantime, people need to be vigilant about email and banking security themselves, starting with changing their passwords if they suspect unusual activity in their accounts and running a full suite of anti-virus, anti-spyware, and anti-malware programs on their computers. Those are routine security measures that people ought to be taking already, but unfortunately some folks don’t even do that much. When their computers are compromised by hackers, those home users are often as not completely unaware they are being used as part of a rogue network, called a botnet, to spread spam and other nasties throughout the internet. When everything is linked as with the internet, the weakest links are the easiest targets of hackers.

Even after tightening up individual computer security by using strong passwords and storing them securely, by not clicking on links in untrusted emails, by surfing the web safely using the anti-phishing feature built into most browsers, by regularly updating a security suite and running scans with it, even after all that a careful home user can still have difficulties, whether it’s because of something completely out of their control in the so-called cloud, such as when credit reporting agencies got hacked, or simply because their Internet Service Provider (ISP) momentarily gives them the Internet Protocol (IP) address of a blacklisted spammer, causing their email provider to block their account.

Since the majority of IP addresses are dynamic rather than static, meaning that each time a computer user connects to the internet the device that user is on, or possibly a larger network it is part of, is assigned a different IP address rather than keeping the same IP address from session to session. Because dynamic IP addresses are recycled, it’s a wonder that the unfortunate coincidence of being assigned a blacklisted address does not happen more often than it does. It’s impractical to remove a bad address from the rotation entirely because spammers can jump from address to address so quickly that soon all of them would be blacklisted, or the addresses would have to be prohibitively long.

Alfred Hitchcock’s 1956 film The Wrong Man explores the nightmare of mistaken identity.

The other way to get blacklisted as a spammer is to get hacked as described earlier, either through negligence or bad luck, and end up an unknowing part of a botnet distributing spam to friends and strangers alike. The use of biometrics like fingerprint and iris scans are no better a solution to account security than passwords since hackers have been at work on spoofing mechanisms for biometrics. Police can also compel people to grant access to their computers and other devices when they are locked by biometric measures, whereas they cannot compel people to divulge their passwords. There is no single, simple solution to keeping private data entirely secure on any computer or device as long as it is connected to the internet. It’s like the locks on doors and windows, which ultimately will keep out only honest people. Dishonest people will find a way in if they are determined enough, but it’s better for everyone else if it’s not too easy for them, and if they get caught sooner rather than later.
โ€• Techly

*Post updated to enlarge number of devices affected.

โ€ In November, long after he had learned of the vulnerability in his company’s products, but of course before the flaw had become general knowledge last week, Intel CEO Brian Krzanich sold almost all of his stock in the company for $39 million.

 

The Fickle Fingerprint of Fate

In May of 2016, Department of Justice officials wrote a memorandum seeking a warrant to search a Lancaster, California, premises and to force the occupants to unlock any phones or electronic devices with their fingerprints if the devices were equipped with that technology. This amounted to a fishing expedition to circumvent previous court rulings which held that law enforcement could not compel a criminal suspect to unlock an electronic device with their pass code because that would be a violation of the Fifth Amendment protection against self incrimination. It is unclear whether the DoJ ultimately received the warrant they sought because not all documents related to the case are publicly available.

Creation of Adam (Michelangelo) Detail
“Creation of Adam,” by Michelangelo

Why is compelling a suspect to unlock a device with their fingerprint also not a violation of the Fifth Amendment? Because of a 2014 ruling in a Virginia Circuit Court which stated that fingerprints and other bodily attributes are not protected, while handing over a pass code to law enforcement is divulging of information, which is protected. Law enforcement has long been able to use a suspect’s physical characteristics to incriminate him or her, but has not been allowed to compel a suspect to give up information. The problem now is that technology has leaped ahead of current law, and judges and prosecutors are falling back on anachronistic case law to cope with the use of biometrics like fingerprints and iris scans to lock personal electronic devices. Case law going back one hundred years and more treats fingerprints as a way of determining a suspect’s culpability at a crime scene, not as a key to a suspect’s possessions which may or may not contain evidence. It is obtuse to claim that a fingerprint or any other biometric is not the same as a pass code when it is being used for the same purpose.

All seeing eye
“All seeing eye,” from U.S. currency

The use of biometrics is springing up not only in consumer devices, but in technology used by the military and law enforcement. The 2002 film, Minority Report, depicts a dystopian future when law enforcement and advertisers make great use of biometrics, and those predictions are proving more accurate with each passing year. The Department of Justice already uses facial recognition technology for surveillance of people in public spaces, and as we have seen with the National Security Agency, the ability of modern digital storage to accumulate massive amounts of data encourages the practice of scooping up everything indiscriminately. Like a fishing trawler using a drift net, law enforcement intends to collect everything now, store it, and sort it all out later. They think they are being efficient and better safe than sorry. But people are not fish subject to by-catch, which ought to be obvious enough, and to be sure the Fourth and Fifth Amendments to the Constitution make the distinction clear.
– Techly

Randolph County Veterans Memorial Park Bill of Rights marker
Randolph County, Georgia, Veterans Memorial Park Bill of Rights marker;
photo by Michael Rivera