It’s nigh on impossible to make a system completely secure from outside threats, especially if it’s going to be available to the general public. Still, there are certain measures you can take that will make it a lot harder for a would-be attacker to get at your users’ private data, which is usually enough for them to give up and move on to another, more vulnerable target. However, as my previous posts on matters of security have shown, many companies (especially startups) eschew security in favor of working on new features or improving user experience. This might help in the short term to get users in the door, but you run the very real risk of being compromised by a malicious attacker.
The attacker might not even be entirely malicious, as appears to be the case with one of the newest hacker groups, who are calling themselves LulzSec. There’s a lot of speculation as to who they actually are, but their Twitter alludes to the fact that they were originally part of Anonymous and decided to leave since they disagreed with the targets it was going after and were more in it for lulz than anything else. Their targets range drastically from banks to game companies and even the US Senate, with the causes changing just as wildly, ranging from simply for the fun of it to retaliation for wrongdoing by corporations and politicians. It would be easy to brand them as anarchists just out to cause trouble for the reaction, but some of their handiwork has exposed some serious vulnerabilities in what should have been very secure web services.
One of their recent attacks compromised more than 200,000 Citibank accounts using the online banking system. The attack was nothing sophisticated (although authorities seem to be spinning it as such), with the attackers gaining access by simply changing the identifying URL and then automating the process of downloading all the information they could. In essence, Citibank’s system wasn’t verifying that the user accessing a particular URL was authorized to do so. It would be like logging onto Twitter, typing say Ashton Kutcher’s account name into the URL bar and then being able to send tweets on his behalf. It’s authorization at its most fundamental level, and LulzSec shouldn’t have been able to exploit such a rudimentary security hole.
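The missing check described above, shown beside the corrected handler, as an added example that is not code from this post or from Citibank's system. All account IDs, session tokens, function names and the audit-log format are constructed for illustration; the last function flags a session that is being denied on many different account IDs, which is what automated identifier swapping looks like in the logs.

```python
# Constructed sample data: account id -> record. Not real accounts.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 90},
    "1003": {"owner": "carol", "balance": 14000},
}
# Constructed session table: session token -> authenticated user.
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or targets someone else's object."""


def get_account_unchecked(session_token, account_id):
    """The flawed pattern: check that a login exists, then trust the URL identifier."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]  # any logged-in user can read any account


def get_account_checked(session_token, account_id, audit_log):
    """Same lookup, but ownership is verified against the session on every request."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so valid IDs cannot be told apart.
    if account is None or account["owner"] != user:
        audit_log.append((session_token, account_id, "denied"))
        raise Forbidden("no such account")
    audit_log.append((session_token, account_id, "ok"))
    return account


def sessions_probing_ids(audit_log, threshold=2):
    """Return sessions that were denied on at least `threshold` distinct account IDs."""
    denied = {}
    for token, account_id, outcome in audit_log:
        if outcome == "denied":
            denied.setdefault(token, set()).add(account_id)
    return sorted(t for t, ids in denied.items() if len(ids) >= threshold)
```
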
There are many other examples of LulzSec hacking various other organisations, with the latest round of them all being games development companies. This has drawn the ire of many gamers, which just spurred them on to attack even more game and related media outlets just so they could watch the reaction. Whilst it’s kind of hard to take the line of “if you ignore them they’ll go away” when they’re unleashing a DDoS or downloading your users’ data, the attention that’s been lavished on them by the press and butthurt gamers alike is exactly what they’re after, and yes I do get the irony of mentioning that :P. Still, had they not been catapulted to Internet stardom so quickly I can’t imagine that they would continue being as brash as they are now, although there is the possibility they might have started out doing even more malicious attacks in order to get attention.
Realistically though, the companies that are getting compromised by rudimentary URL and SQL injection attacks only have themselves to blame, since these are the most basic security issues, have well-known solutions and shouldn’t pose a risk to them. Nintendo showed that they could withstand an attack without any disruptions or loss of sensitive data, and LulzSec was quick to post the security hole and then move on to more lulzy pastures. The DDoSing of others is a bit more troublesome to deal with, however there are many services (some of them even free) that are designed to mitigate the impact of such an incident. So whilst LulzSec might be a right pain in the backside for many companies and consumers alike, their impact would be greatly softened by a strengthening of security at the most rudimentary level and perhaps giving them just a little less attention when they do manage to break through.
I readily admit that I’m a bit of a tinkerer. There’s something really enjoyable about taking something you bought and squeezing extra functionality out of it, especially if it unlocks something that no product currently fits. I remember after having my PlayStation Portable for a while that I heard of the many great things that could be done with it, so I set out to mod it. A couple days later I had it streaming live video from my PC over our wireless network which was quite an impressive feat back in those days. Today the device hacker scene is alive and well on almost any platform that can be exploited leading to a game of cat and mouse between the creators of said devices and those who would seek to exploit them.
Now I’m not going to be naive and pretend like there aren’t nefarious motives behind parts of the hacking scene. Indeed, the main motivator for quite a lot of hacks that enable people to unlock certain bits of functionality is pirating legitimate software. In fact, for the Xbox 360 the only hack available is arguably only for pirating software, as Microsoft’s hard line on banning users who do it shows. Still, the never-ending game of cat and mouse that companies play with the recreational hacking crowd doesn’t appear to make much fiscal sense on the surface, as the man hours spent trying to protect such systems always appear to be undone by little more than a couple of weeks’ work from a few skilled individuals.
Probably one of the platforms where this kind of behaviour is almost encouraged would be Android. For starters the entire system is open source so if you were so inclined you could write custom packages for it to unlock almost any functionality you wanted. It also seems that the vast majority of Android handset manufacturers only put mild roadblocks in the way of those seeking to gain root level privileges on the devices, akin to the CD in the drive checks of games of yesteryear. Still it seems that the trend may be shifting somewhat with the recent Droid X, touted as the best Android phone to date, employing some rather drastic moves to prevent end users from tampering with it:
Motorola has apparently locked down the phone to the point where any modification attempts — including “rooting” the phone to install unauthorized apps, or changing its firmware — could render it completely inoperable (or “bricked”). The only way to fix it is to return the phone to Motorola, reports the Android fansite MyDroidWorld.
The company is using a technology called eFuse to secure the device. It runs when the phone boots up, and it checks to make sure that the phone’s firmware, kernel information, and bootloader are legit before it actually lets you use the device. Here’s MyDroidWorld’s explanation:
If the eFuse fails to verify this information then the eFuse receives a command to “blow the fuse” or “trip the fuse”. This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with.
Us device hackers know the risks when we go into them, it’s part of the fun! I remember when I was hacking my PSP for the first time I had to find files from a not-so-trustworthy source, a random I met on an IRC channel. Knowing fully well I could end up with a $400 paperweight I went ahead anyway and, luckily enough for me, it worked. However the trend towards vendors actively seeking to brick the phones should the user try to tamper with them feels like a kick in the teeth to me. Realistically it’s my hardware and what I do with it is my business and putting barriers in place just seems like a waste of both our time.
The argument can be made that they don’t want the average user attempting to do these kinds of things with their devices. There’s some logic to that, as stopping the casual hacking crowd means that a good majority of the other nefarious activities will be thwarted as well. Additionally, in this day and age the originators of the hack usually make it exceptionally easy to use, like the Twilight Hack for the Nintendo Wii which merely requires loading a save game, something everyone is capable of. Still, most users are bright enough to know that what they’re doing is akin to taking a chainsaw to their device, something which the manufacturer will likely not appreciate nor cover under warranty.
Coming back to the piracy issue I still feel that this comes down to the perceived¹ value that customers are placing in the products being offered. The customers who are pirating your product aren’t the kind who are just going to up and pay for it if they can’t get it for free. Really you should be looking back on yourself to see why they’re pirating it as if it’s wildly successful with the pirates but not with legit customers it’s quite possible your product is priced too high or the channels you’re offering it through are too restrictive. I’ve been researching these markets for months now and it seems no matter how hard you try to ensure no one pirates your product you only end up hurting your paying customers, driving even more of them to those dastardly corners of the Internet where they pilfer your product for free.
In my mind there’s no question that the steps taken to thwart these would-be hackers are not worth the time that’s put into them. For a platform like Android I believe these kinds of people actually help a great deal with the whole ecosystem of the platform, ensuring that power users get what they want whilst everyday users get dedicated experts to call upon at no cost to the original company. Who knows, maybe I’ll change my tune when I start trying to extract money from the markets based on these platforms, but if I do feel free to point at this post and lambast me for being an idiot, as I’ll be far too detached from reality at that point 😉
¹I have a habit of re-reading my old posts when I link to them and just noticed that I praised Ubisoft for taking the right direction when trying to combat pirates. After their last DRM farce I can’t really support them anymore, but the ideas in that post remain solid (I.E. increasing value with things that can’t be pirated).