Weathering the Monsoons
The Darker Side of Technology
In 1993 in Connecticut, some wonderful specimens of the human race carried an ATM (automatic teller machine) into a large shopping center. They wore the uniform of a major bank, talked to the shopping center security and told them they had permission to set up the machine. They connected the machine to power, phone and whatever else is necessary and walked off. A perfectly normal installation, of an article of ubiquitous convenience, for the benefit of the shopping public. But the new ATM had a glitch. When a bankcard was put into it, it asked for a PIN (Personal Identification Number) and then the amount to be withdrawn, and then flashed a message saying “Temporarily Out of Service”. A few weeks later the bank got complaints from people who noticed money missing from their accounts.
The ATM scam has become a well-known but downplayed sinister event that severely undermined the security of bankcards. You see, the ATM was not a real ATM, but a fake one. It recorded the account numbers on the cards inserted into it, along with the PIN that the person typed. Later, the low-lifers who installed the ATM retrieved this information from the machine, made up fake bankcards (quite easy to do) and used them at real ATMs to make cash withdrawals (they now knew the PINs for the accounts). The banks have no good way of stopping such theft, and the chances of getting caught are minuscule.
Technology has promised to change our lives, and it has. Technology has promised to make the human experience more rewarding, less taxing, more pleasant and less harrowing. We can debate that outcome, but in many instances, it has. Communications, mass media, entertainment, transportation, computers, information dissemination, web access, email, household appliances, and a plethora of gadgets have marched on to provide us with capabilities and choices inconceivable in the last century. However, many of us have simply not been exposed to the darker, riskier, and sinister side of technology. The very technology that makes life more gratifying can be used to commit criminal acts of huge proportions.
In the latter half of the 1980s, cellular phone systems in the US sprang up. When a cell phone makes a call (using the older US system) it tells the base station its identity, that is, its phone number and a serial number. Phone criminals built radio receivers capable of intercepting these signals, and then made cell phones out of pieces and parts that used the stolen numbers and placed calls. Then they sold the “free” calls they were making to other people to make international calls for a fraction of what it would cost. Victims of the stolen phone numbers often got phone bills for over $10,000 a month. When they screamed, the cell-phone companies ate the losses. (Digital systems fix this problem.)
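The replay weakness described above, next to one common remedy, as an added example that is not part of the original column: the older scheme accepts whatever identity pair is presented, while a challenge-response scheme rejects a recorded answer. The column does not say how digital systems fix the problem; the HMAC-based challenge, the class names and the subscriber values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample subscriber record; all values are made up.
SUBSCRIBER = {"number": "555-0100", "serial": "ESN-12345678", "key": os.urandom(16)}


def phone_response(key, nonce):
    """Keyed MAC over the challenge; the key itself is never transmitted."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class StaticIdBaseStation:
    """Older scheme from the column: the phone announces number + serial."""
    def __init__(self, sub):
        self.known = {(sub["number"], sub["serial"])}

    def accept_call(self, number, serial):
        # Whoever presents a known pair is billed as that subscriber.
        return (number, serial) in self.known


class ChallengeBaseStation:
    """Assumed fix: a fresh random challenge answered with a keyed MAC."""
    def __init__(self, sub):
        self.keys, self.pending = {sub["number"]: sub["key"]}, {}

    def challenge(self, number):
        self.pending[number] = os.urandom(16)
        return self.pending[number]

    def accept_call(self, number, response):
        nonce = self.pending.pop(number, None)  # each challenge is single-use
        if nonce is None or number not in self.keys:
            return False
        return hmac.compare_digest(phone_response(self.keys[number], nonce), response)


def replay_outcomes():
    """Replay one recorded call setup against each scheme."""
    old, new = StaticIdBaseStation(SUBSCRIBER), ChallengeBaseStation(SUBSCRIBER)
    number, serial, key = SUBSCRIBER["number"], SUBSCRIBER["serial"], SUBSCRIBER["key"]
    recorded = phone_response(key, new.challenge(number))  # seen on the air
    legit = new.accept_call(number, recorded)   # original call succeeds
    new.challenge(number)                       # next call: different nonce
    replayed = new.accept_call(number, recorded)
    return old.accept_call(number, serial), legit, replayed
```

`replay_outcomes()` returns three booleans: the static scheme accepts the recorded identity, the challenge scheme accepts the original call, and the challenge scheme rejects the same response when it is replayed against a new challenge.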
The cell phone (and the ATM) insecurity happened because of a fallible assumption, that common criminals are technology dolts. They can break into houses or use a gun to commit a crime, but would never learn how to make and use radios and computers and subvert communication and financial systems. We now know how stupid that assumption was. Just as technology has marched on, the criminal community has taken a turn and has enrolled highly sophisticated minds who can subvert the systems for personal fun and profit.
The ATM scam mentioned above has, in recent times, taken an even more sinister turn. In the last two years, in the US, the banks have sold “point of sale” machines to shopkeepers, to make purchases “more convenient”. Instead of paying cash, a customer can swipe his or her bankcard and then punch in the PIN, and the gizmo directly takes the money out of the customer’s account. The point of sale equipment is easy to rig to record the card number and the PIN, and then that information can be misused as in the first story. Of course, that fraud has started to happen.
Sloppy and inadvertent mistakes and shortsighted designs are also responsible for all kinds of embarrassments. A cascade of privacy breaches is happening. A typical incident is as follows. A database of credit-card information maintained by a web-based retailer (Egghead Software) got exposed to the Internet. How can that be? Well, the customers who purchased from this vendor entered their credit card numbers and mail addresses into the web site. This information was transmitted securely over the Internet (using a well known, well trusted, secure method called SSL). After the company received this information, they stored it on a different computer. The second computer was also running a web site, and the file where the credit card information was stored was accessible from the web server at the second site. This is a textbook case of locking the front door with heavy bolts and leaving the backdoor wide open. Hackers did get hold of a ton of personal information that could be used to purchase services on the web, charged to some victim’s account.
People who design and innovate technological solutions are also responsible for many horrific inventions. In September 2000, a researcher called Pitikhate Sooraksa working for King Mongkut's Institute of Technology in Bangkok announced the invention and deployment of a “Roboguard”. It is one of five Thai-made hi-tech robots funded by the Thailand Research Fund. Roboguard is the world’s first armed robot security guard that can automatically open fire on suspected intruders (how nice). In automatic mode, Roboguard detects humans entering its range using infrared sensors and then can aim its gun and shoot. It can also be controlled over the Internet. If this is indeed true, misguided individuals such as Professor Sooraksa deserve medals for stupidity and the good folks at the Thai Research Fund need to be evaluated for a lobotomy.
A very disturbing invention coming down the technological avenue is electronic voting. From cities and towns to states and countries, governments are in a frenzy to install electronic voting machines to cut down on fraud, speed up tabulation, eliminate errors and make the expression of democracy smoother and fairer. The truth about electronic voting is frightening. Fraud in electronic voting can be perpetrated more easily than in paper balloting. In fact, once the scammers get to work, the fraud in older forms of voting will look like child’s play.
In electronic voting, the tabulations are done by computers. They count the votes and, at the end of the elections, print the results. It is trivial for a programmer to program the voting computer to add votes to the person (or party) of his or her choice. Even a close examination of the code in the voting machine will not reveal this flaw, as the programmer can use well known “code obfuscation” techniques that have been perfected by the hacker community. With no untamperable way of recording the votes on paper, there can be no possibility of “recounting” in cases of suspicion. The results of electronic voting are always less believable than paper ballots in a banana republic.
Will a programmer rig the system? Of course, we know the answer is a resounding “no”. If you believe that, I have a bridge in New York for sale, real cheap. Want to buy it?
What is even scarier is that elaborate voting record keeping is possible. It is immensely possible to ensure a particular person’s vote is matched to this person’s identity. Suppose it is a hotly contested election between the parties called SewerRats and PondScum. Alice, an honest, regular citizen, goes up to the voting machine to cast her ballot. She prefers the PondScum party and casts her vote for them. However, in the end the SewerRats win. Later, Alice needs a job and applies for a position in an office. The boss of the office has strong allegiance to SewerRats, and gets someone to look up the voting records. Oh, a little social engineering works wonders, and some programmer accesses the database and finds Alice has voted for the PondScums. Of course, Alice does not get the job; even worse, something sinister may mysteriously happen to her. Would you like to be in Alice’s position?
Can electronic voting be made accurate, recountable, authentic, anonymous and perfectly reliable? The answer is yes, but with a “but”. The only way, known to mankind, to make electronic voting safe, is via some horrendously complex cryptographic algorithms. These algorithms make it mandatory for every voter to possess his or her own computer. In addition, the voter must know how to operate and administer the computer, install the software, check the security of the system and debug any problems—in other words he or she cannot trust any person to ever touch this computer.
Since such computer savvy voters are around every corner, in every corner of the world, we can go ahead and embrace electronic voting, now. Scary.
Partha Dasgupta is on the faculty of the Computer Science and Engineering Department at Arizona State University in Tempe. His specializations are in the areas of Operating Systems, Cryptography and Networking. His homepage is at http://cactus.eas.asu.edu/partha.