Warning: Invalid argument supplied for foreach() in /www/wwwroot/www.killerrobots.org/wp-content/plugins/unyson/framework/includes/option-types/typography-v2/class-fw-option-type-typography-v2.php on line 148
Computer Security Is a Political Struggle | AI and International Law Blog

Computer Security Is a Political Struggle

Figure 1: “One day, in retrospect, the years of struggle will strike you as the most beautiful.” – Sigmund Freud

Cold cyberwar

We are in a new cold war. That sounds like it’s not news. However, it
is not the bordered cyber-war between nation states involving armies
of hackers, but more akin to a quiet civil conflict between ordinary
people – who use and depend on technology – and the… well to quote
Bill Hicks “demons that run amok amongst us”.

It’s a political and psychological battle for culture and is the old
battle for the dividends of technology. Who gets to use the fruits of
science and to what end? As technologists it behoves us to take stock
of this landscape, if not to pick a side then to plan our own way
between the falling shells.

Recent events demonstrate clearly that our technology is unsafe.
We’re in an accelerating situation of acute failures that shut down
businesses, sometimes for days or weeks. Large one-off losses from
fraud, such as ransomware or AI assisted social engineering, keep
growing. At a deeper level there are systemic failures because the
goods and services we rely on are not fit for purpose, and those
responsible for supplying and maintaining services are unable to
discharge their duty. And at the highest level there is a political
failure to confront the real causes. The UK Horizon Post-Office
scandal laid bare the complicity of authority in burying inconvenient
truths, making scape-goats and disseminating official lies to cover up
problems with civic technology.

We find that our major concerns in cybersecurity are not really
technical at all. They are political. But they are largely beyond tha
capacity of our current political thinkers to solve. Instead,
politicians bat the problem back into the technical court. We add or
remove a layer of encryption, change a key protocol, deploy “intrusion
detection” or “malware filtering”… and within a week the same
problem is back, metamorphosed into something new. This will continue
ad nauseum until there is political change.

The digital version is more subtle and damaging than kinetic wars in a
civil space. We can’t look to history for guidance. Conjure up mental
images of ruined cities, food shortages, civil unrest, exploding power
plants, disabled hospitals and broken transport systems. Worst case
cyber-war is what Hollywood disaster movies have equipped us to
anticipate. In the drama of a post-apocalyptic Mad Max fantasy world
we can see ourselves playing unlikely solar-punk survivors living
off-grid.

But that’s just a story, at least so far. How do we recognise the
effects of the different kind of war? What does a “worst case” look
like if limited to infowars in cyberspace?

In Hollywood movies, the {terrorists, evil maniacs, rogue states} take
over cyberspace and then use it to {hijack planes, melt down reactors,
assassinate presidents}, or whatever. They are doing one thing,
which is taking power.

Power, or “control” is one of the primary functions of digital
systems – the others are computation, storage and
communication. Control systems, which permit action at a distance,
almost always involve communication along with telemetry as
feedback. They close a loop. If you can mess with that loop you can
exercise control.

That’s why the integrity of communications systems is important. If
the bad guys get control of the communications they win, and Hollywood
events ensue. In reality, power seekers can act to manipulate events.
That’s the hard way. In cyberspace, you don’t have to leave your seat
to just manipulate the capture, transformation and transmission of
signals that represent events. The media have done this for decades.
Going further, if you can manipulate the perception and discussion of
ideas that’s even more powerful, especially if you already more or
less own the means of communication.

That’s why the Great Maker created the Internet first, as a little
patch of level playing-field (or garden if you like) to see what we’d
make of it. Not much, it turned out. We preferred to let developers
pave it over and build us a residential amusement park. And of course,
amusement parks always turn spooky and fill up with murderous robots
and killer clowns.

An Internet is a jolly useful and powerful thing, if you can keep it,
and the trick is to ensure that power remains spread out and not let one group
of people suddenly have it all, like terrorists in the films.

But as Bruce Schniere puts it best, Terrorists Don’t Do Movie Plots.
In number theory there’s an idea for that, it’s called Cantor’s
Diagonal
or otherwise Russell’s paradox if you prefer to think of
sets, but either way the insight is that “there’s always one more…”,
one more bug, one more escape sequence, and so on, which entreats us
to abandon the folly of totalitarianism and chasing “perfect
systems”. Concern with risk then is really about emerging threats
rather than known ones against which we can pit our security.

For any system there are a couple of places from which threats can
come. From the outside or from the inside. Inside threats may come
from defective people, but more likely from failures of the system
itself. Poor maintenance is a rather mundane and preventable
cause. Through the distracted happy apathy of our amusement park days
we forgot to oil the works and kick the tyres.

Our Internet has slowly rusted. The repair bill is high and the
effects already showing are not good. We’ve undergone a slow descent
into digital serfdom, meaningless pseudo-employment, apathy, anomie, a
permanent state of endemic economic, spiritual depression and
frustration. Like all realities it emerges day by day without
fanfare.

We don’t feel it creeping up on us. We don’t notice the walls of
social media echo-chambers closing in on us… our horizons narrowing,
hope evaporating. We don’t feel the steady increase of pressure and
anxiety from constant hostile surveillance, being tricked, gaslighted,
lied to and manipulated. Yet the present, evident cultural effects are
on everybody’s lips. Every day we read and talk about the negative
effects of news and communication technology.

The technology itself seems so “successful”. Is it? We’ve always
celebrated technology that’s good for us, whether it’s steam engines
or rockets, and even the stuff that we didn’t know was so bad for us,
like our cars.

But the idea of tech which is just bad for everyone and we all know
it
is something new. It hadn’t taken hold until this century. At
least here in the West beyond a context of warfare far away, our
weapons were always aimed “at them”. But remember that the Internet
started in an “Advanced Research Projects” defence laboratory. It’s a
weapon. We were so excited to unbox it nobody read the manual and the
warning about the “sharp end” and which way to point it.

Like bad food or environmental pollutants, the effects of bad
technologies take time to come on, and then get us talking about “what
to do?” Surely we are prepared, because there are so many amazing
books and films about dystopias and failed social experiments, served
as cautionary signposts for what not to do (again, elsewhere or
just…ever!). Orwell, Solzhenitsyn, Kafka Huxley and Gibson all
described states we do not want to build.

But for some people these warnings became blueprints. They set us off
on a slow death-march; a slow maddening of humanity. These are our
times. Soviet style conditions of hostile, intrusive and abusive
corporate plutocracy… the various ideologies of consumer communism,
surveillance capitalism, advertising madmen, blood-thirsty tech
visionaries with shark-lasers… meanwhile most of our stuff, like the
trains and planes and banks just don’t work the way we want.

It is this sad carnival of clowns that we are at war against. It is a
war on cheap, greedy incompetence, on reckless engineering, on sleazy
opportunists, on crony contractors and corrupt IT back-room deals. It
is a war against those who have their hands on the levers of
technology, but are a dangerous lot who do not deserve to. It is a war
for functional civic technology that the people own and control.

As defenders we are called to arms because real cybersecurity has to
consider not just where technology fails, but where it succeeds
for some strange paperclip-maximised value of “success”.

Technology is not neutral. It carries values. Often, bad technology is
just ordinary, but designed and deployed by those with wicked agendas.
Where technology grows too thickly or in the wrong place it is a weed
and a poison. Like any garden or ecosystem the Internet can decline,
as it has, into a form of wholly inadequate but irreversible social
control. For example, “social media” is the obliteration of the
social.

But what do you call a struggle like this? Fifty years ago radical
Marxists might have called it a “class war”, if you substitute
ownership of means of production for control of the means to social
life. Yet it seems an entirely different sort of conflict that
transcends class, wealth, pedigree and political belief.

In all conflicts people use mental defences to say “it can’t happen
here”, until it does. Digital war is a great leveller. Whatever walk
of life you come from it affects you. You are no less at risk from an
enemy of sorts that does not recognise power or privilege, laws,
station or legitimacy.

If we split the world of digital threats up into a few broad kinds we
might call them advanced persistent threats (APT), which are
specific and even localised, transient situational threats like Y2K or
solar storms which came and went, and ambient or nebulous effects,
which are already inside our system or all around us. Here let’s
consider the last of these. What are we to do about ambient threats
that are within the very systems we use to naviagate life?

Self devouring

Most of Western society now depends on digital technology. Yet we have
a technology industry that is at war with its own customers. Much of
our technology is broken, and it is broken by design. because this is
profitable and brings power to its creators. Technologically, our
civilisation is suffering from a lack of self-care. We are struggling
with a broken model of “security” and the emergence of a global
insecurity industry. This self-devouring and abandonment of our own
values is what Solzhenitsyn warned us against in his Warning to the
West
.

We are now taking an unprecedented direction in political history
having slept-walked into a territory where the monopoly companies we
allowed quasi-governmental status through delegation (dereliction) of
power in the late 20th century cannot be coerced, regulated, fined or
even taken over and “nationalised” as a remedy. So far politicians
have underestimated and misunderstood the power struggle with
technology that is afoot.

Money, money, money

Let’s take a simple, modest example from your everyday life; If you
have an Android type phone spend a moment researching how to stop
Google from spying on your location. Simple enough, no?

Google are a ‘legitimate company’, are they not? But despite all the
protections your laws afford you, despite still more tough-talk from
Europe about our privacy rights, the realpolitik is quite
different. In fact it’s more or less impossible to get Google to stop
spying on you.

First let’s acknowledge the motives: US American BigTech companies
primarily make money by selling your private data to co-parasitical
advertising and security industries. Commercially they discriminate to
distribute digital goods preferentially by location, social strata or
even as personally targeted campaigns.

Increasingly for political reasons, service access is only available
in certain countries or by certain groups. The Internet has become the
The Splinternet, a tool for division. Conflict makes clicks.

Of course this disadvantages anyone who moves between spheres, is
travelling or relocated for work, or has family in other countries.
It “locks things down”, and simply goes against the basic principles
of “The Internet” as a global, universal system (which it hasn’t been
for almost 10 years now). But, “so what?” you may say. These are
“first world problems”, surely? Minor inconvenience at most?

Look again. Tech corporations have insinuated themselves into almost
all aspects of life. For too many people companies like Microsoft act
as their identity. Companies like Amazon control everything they buy,
sell, read, own or even think about. Google know every thought they’ve
had since 1998.

Governments and bodies for trade, development and intellectual
property (WIPO, WEF, WTO), have been derelict and allowed BigTech to
carve up the global economy into new digital fiefdoms. Through
negligence, through weakness, through our own deliberate fault, we’ve
enabled the rise of digital colonialism, new forms of slavery and
neo-feudalism. We’ve failed “consumers” as people, and all of us as
citizens.

Of course it is still possible to live, and live well, without
invasive low-life-quality technology. Millions of us do. Smart kids
don’t have smart phones. For the adults, Microsoft’s operating system
is now an advert-infested disaster-area teetering on unusable, with
droves abandoning it. As is Google’s derelict search engine. Social
media is a misery pit of teen anxiety, disinformation and
hate-spreading.

But the aim was never to live without technology, just to have good,
simple, humane, flexible, durable tools that make life a little easier
and bring some fun. We long ago surpassed that need. People are
turning away from tech, or at least pinning their anger and fear upon
it, because of the effects of how it’s used now, not what it
essentially is.

With pomp, bluster and glory the big technology companies bask in the
glow of “freedom”. They supply us all with the mind-numbing cargo-cult
of games, media and applications we can give our attention to.

They present themselves as “progressive” and there is always the
breathless cry… “Follow us follow us! Don’t be left behind” But
surely we must start to see them for what they really are. The Pied
Piper is fundamentally anti-progressive because he leads in a
circle. Other writers have described it as the problem of the modern
East India Tea Company, as throwbacks to the unfettered
laissez-faire capitalism of the era before the Great War, and
consequent global crash of the 30s and World War 2. We’ve already
learned these lessons from history, so why are we going for a replay?

As a British person I can really relate to companies like Google,
Microsoft and Meta… dinosaurs, still trading on the myths of their
once glorious past empires, standing uncomfortably too long on the
stage, missing all the cues for a graceful exit and having to be
hauled off with a shepherds crook. They have been holding back
technology for decades.

They are first and foremost companies who cannot allow actual
progress to come before profit. Sure they came out of the garages of
suburbia, as the cool new rockers. But if Bigtech were bands they’d be
the kind on 12 inch vinyl in your mum’s record box, who now wear gold
watches, own organic fish-farms and were at least accused of touching
their groupies inappropriately in the 1970s.

Dig into the reality behind Google and you’ll discover a company that,
apart from having a defunct “search engine” on which it built its
initial reputation, also abandoned almost every other product it ever
touched. It adds up to a gargantuan bonfire of wealth and lost
opportunity imposed on the rest of Western society. Likewise,
Microsoft’s death-grip of insecurity on computing by acquisitions,
smothering or outspending competition, has done for the progress of
computer security what Julius Caesar did at Library of Alexandria in
48 BC.

Is anyone still fooled?

Apparently, at long last, the U.S. government is losing trust in
Microsoft
. In recent years it has stood up against powerful foreign
technology actors like Huawei and TikTok. Even in Britain we had to
acknowledge the security catastophe of Hikvision cameras and our
government finally banned them. But these are the tip of the iceberg
of toxic tech. It is easy to pick on Chinese or Russian companies
precisely because we don’t trust their regimes. But most dangerous of
all are the companies we suppose we can trust, like Meta, Google,
Amazon, and Apple.

Trust is the ability to do harm.

The political fault-lines lie in this misplaced trust, “special
relations” and trade agreements that place U.S. technology suppliers
beyond question.

Yet we continue to lionise these lumbering monsters. Their bright
coloured logos, sit behind the strutting stars of TED talks in their
brown leather brogues, turtle-necks and jeans. Their hipster language
still dazzles us. In our minds they are youthful, vibrant and privy to
secrets about the future.

Reality check; They are already the next iteration of tired old
power
, replete with red mid-life-crisis-mobiles on the drive. Our
“tech leaders” are now the generation of fossilised cranky and
emotionally challenged old men. Same as the ones that ran Exxon Mobil
while the planet was heating up in the 1950s.

The limits of industry

In academic writing and political talk we often see “Industry” used as
a notional symbol, It stands, not in a harmony but alongside
“Government” and “Academia”, as a timeless imaginary power
grouping. It requests a deflationary logic that “industry” is
synonymous with “the economy” which is in turn synonymous with
“happiness and quality of life”.

It is a peculiarly post-Thatcher/Reagan take, a neo-liberalist ideal
of “private industry” taking the place of government. But if Thatcher
was ever to be taken seriously on a single word she said, what we have
today is an abomination of her values. “Private enterprise” was
another way of talking about the ordinary people, but through an
economic lens. If you cut someones hair or carried your own groceries
to the car today you’re involved in “industry”. We have a music
industry a culture industry, an education industry… what has not
been industrialised? So what does that leave that isn’t an
“industry”? Of course what politicians really mean by “industry” today
is the one percent of rich and powerful owners.

Perhaps we misunderstand industry as “engines of progress” because of
the persistent mythology of our own bygone industrial revolution;
greats like Brunel, Stephenson and Telford. We still see ourselves on
the frontier, paving roads to infinity. But industry has other forms,
especially in mature civilisations. It is sustaining, home-building,
frugal, refining.

The old mythology is still recycled in the stories and
pseudo-philosophies of Ayn Rand, and now Elon Musk, Peter Thiel and
company. Modern heroes? Noble strugglers against “Old power”? Or
perhaps, misogynistic, grandiose, psychopathic Silicon Valley “bros”
who are not ashamed to hide their naked contempt for the poor, for
education, mobility, for women, blacks or anyone else who refuses to
“get with their programme” of social immobility. Silicon Valley
increasingly has the stench of some alt-right faction, throwbacks to
violence – so long as it is cowardly, technologically mediated
violence.

In it’s disdain for women it’s starting to look more like a backward
religious sect. The irony is that tech is an industry that doesn’t
really produce anything. Software is mostly like music, in that you
sell the same thing again and again.

It recycles old ideas and repackages software sponged from a global
network of volunteer “free software” writers, sticks that on some
chips imported from China, and uses that as bait to attract victims
for data harvesting. It’s a tasty racket if ever there was.

Of course real industry is very important, and it is part of human
progress. Steel and concrete must come from somewhere. But we’ve long
passed time to put the tech industry alongside the old oil and
pharmaceuticals. It is no “disruptive” challenger to the status quo.
What it perpetuates is more of itself, more control. It might not be a
paperclip-maximiser yet, for now it’s just a tech-industry maximiser.

It is the status-quo.

So it needs disrupting. Real progress is complex. It’s not just this
or that breakthrough… Penicillin. Electric lights. Steam
engines. It isn’t just spotting opportunities to monetise this or that
idea. It’s a balance of the intellectual, social, political, artistic,
as well as industrial faculties. Yet we have bowed down before just a
few industrial totems. This one-sided cult-like obsession with
technology must be overcome and balance restored to the political and
humanistic classes if we are to survive.

The Cost

AI is consuming electricity equal to the supply for Netherlands. Crypto
block-chains twice as much again. Every new phone manufactured uses the
daily water supply of 10,000 people. Survival of the planet was simply
not on the profit road-map for the oil companies, and likewise neither
will human survival be a priority for tech. Stubborn refusal to pause
AI despite low value-yields and skyrocketing risk is the giveaway.

Your security and privacy means nothing for the technology companies.
Until we internalise a new reality; that our quest for technology run
by people, that our quest for a sustainable, reliable, private, and
secure world is not a technical problem but a political struggle, we
will make no progress toward it.

Look out of your window at the floods, wildfires, hurricanes, and
streets lined with stationary automobiles, then do some research on
the systematic suppression of electric vehicle technology. We could
have begun a serious counter to climate change over 60 years ago when
it would have made a difference. The computer security problem today
is eerily similar. It is stuck in political stasis, but presented as a
technical problem.

Taking back tech

Technology has one purpose; to serve humanity.

Here, today… on every smartphone there should be a single, reliable
button to switch off spying once and for all. But there isn’t. Why
not? Because it’s not profitable for you to have privacy. That’s all
there is to it. There’s no technical challenge.

But, you say, those with political power can simply order these
mischievous tech companies to behave. Sadly, no. Foremost our
politicians lack the courage, knowledge and fluency. But behind that
is a Faustian bargain by which they hope to benefit from a
surveillance pact. They imagine themselves “sharing” power with the
tech oligarchs. They will not. Like Yeltsin, post-1991 Minsk
Agreement
they will become puppets and vassals to those who control
their means of communication. There will be nothing left but for a
“strong man” to come to the rescue of the people. And nothing good
will come of that.

Who dares?

It seems that, to get the things we want and need from technology
today we must all become active. We must become hackers and
combatants in a theatre of digital political warfare – fighting
for security. For civic cybersecurity.

Security, privacy and self-determination in tech is what you take,
not what is given to you out of kind-heartedness. What we need will
not be obtained because corporations adhere to the rule of law. Nor by
market forces. There is certainly nothing you can buy from people
who want to rob you of it.

Big tech companies scoff at the law. They think it old-fashioned.
Enormous fines are simply factored into their budgets. They have more
money and influence than the political blocs that hope to regulate
them. Neither can we rely on our political representatives to put up
resistance, because they are poorly educated in technical matters and
easily bought or misinformed.

No escape?

Now, suppose you are active and skilled enough to do things like root
a phone, disable, spoof or jam GPS, remove the SIM, connect by wifi
via a VPN endpoint hosted in another country, and use a payment
service located in that country… then you may briefly be able to
trick companies like Google or Meta to give you what you need. But no
matter what apps you install on an Android smartphone, the operating
system itself is written by Google, and is therefore untrustworthy.

In all such software, privacy settings default to unsafe or revert to
unsafe settings following a forced update. Some location-tracking even
works when your phone is supposedly “switched off”. Although their
Play Store contains hundreds of apps for masking or spoofing location,
few of these really work because the company is locked in an endless
cat and mouse game to defeat suppliers of those products. They kill
products that meet a manifestly enormous market-demand. They pretend
this is motivated by “business”, not ideology.

Like the British Tory party who sabotaged hospitals so that they could
deem them “failing” and ripe for privatisation, BigTech firms
vandalise the privacy landscape in order to declare that “there is no
demand for privacy”. This disinformation trick can be seen on social
media forums and Internet discussion boards everywhere tech industry
shills operate.

The big players dislike any independent suppliers of security
products, because they conflict with their thirst for profit and
power. By empowering users, small companies become the enemies of
BigTech, tolerated briefly in their “App Stores” before being
arbitrarily ejected. Hacker forums are filled with stories of upstart
developers trying to build a company, but being turfed off BigTech
land by capricious diktats. Github, a common developer platform run by
Microsoft is notorious for political beheadings of dissident projects.

False security

Maybe more damaging is that BigTech misuses people’s desire for
security, and misuses the language of security, to misdirect users
into less beneficial or safe situations. For example, printer
companies sabotage third party ink refils with malicious updates
pitched as “necessary for security”. This undermines any real project
of cybersecurity. Users begin to mistrust updates of any kind when
companies use them as vehicles for malware and undocumented suprises.

Companies muddy the waters around “security” by conflating “your
security” with “our security”. They then use the word “securty” as an
abstract noun to imply users are getting something that benefits
them but in reality benefits the vendor. They get security from the
user. Even the word itself has become a kind of token, a false “moral
high ground” from which wannabe tyrants can denounce their
enemies. This is a sort of cyber-washing, to use fake cybersecurity
for virtue signalling and concern trolling.

Once we see that this sort of security is a fixed-sum game then it’s
clear that anything that improves the end-user’s security actually
subtracts from that of the platform suppliers who benefit from a
user’s vulnerability. So the main vendors smear the sellers of things
that compete with their “insecurity model”. They attack Libre Open
Source software written by regular citizens as “insecure” and
“risky” – while secretly it’s the same software they take for their
own products, without paying for it.

Rebuilding public trust

Thankfully the political systems of Europe have started to wise-up and
stand-up to US BigTech hostility and have mandated that all software
used for public services, government and state apparatus must be Libre
open source code that is auditable, verifiable and under control of
the people. We want to see the same for schools, hospitals, railways
and every other facet of public life and governance in the UK. Digital
sovereignty is a big issue today.

Meanwhile practically, all of the “official” methods given by BigTech
for obtaining privacy are no good. Play with your “preferences or
choices” but regardless the platforms are still quite able to extract
personal information from wifi networks and Bluetooth points in range
of your devices, metadata in photos you share online, financial
transactions, IP addresses of anything that touches a computer run by
AWS, Meta, Azure or Google Cloud (even just to download a font or
style-sheet). Any information passing through Gmail, Hotmail or Google
Drive is subject to their prying if you are still unaware not to use
such things.

Remarkably, some government offices still use these systems, and
everything from doctors to parts of the British defence industry are
entangled with Gmail, Amazon cloud, and even Whatsapp, despite
warnings from the intelligence services that this isn’t a good
idea. Hypocritically, even GCHQ buy-in services from Amazon. If
organisations that absolutely should avoid these security risks
cannot resist the economic lure, who can?

There is a clear conflict of interests that companies that supply the
systems for private and secure communication also profit from
violating privacy and security. Surveillance is Google and Facebook’s
core business model. The only reliable way to defeat them and their
type is not to use their products, or at least to fully root an
“Android” smartphone and replace the operating system with something
safer like F-Droid and with alternative social media platforms.

A boot stamping…

But ubiquitous location spying is just one random example of the
spectacular mess of consumer computing. Let’s now talk about “Secure
Boot”, which is in the news this week as the latest massive tech
SNAFU.

“Secure boot” is a ploy by (mainly) Microsoft to ensure that every
computer on Earth must run exploitable software. You’ll hear other
explanations for “secure boot” – such as the ability to stop malware
writing to the BIOS. That’s handy, In reality though, that problem is
solved by a “jumper”, a small wire or component costing fractions of a
penny. Instead the “industry” invested billions of dollars in an
arcane, elaborate scheme of “trusted computing” based on suspect
cryptography, to replace a wire that costs a penny. Why would they do
that?

Well, it’s also a way for “anti-cheat” and digital restrictions code
to run on your computer, whether you want it to or not. And to stop
you copying what you see on your computer screen. These don’t sound
like features you requested, am I right? That’s because they’re
feature requests from tech’s neighboring trillion dollar industry –
arts and entertainments.

Anyone in physical possession of computer hardware can subvert it. End
of. Secure boot is a fine idea in some very limited use cases, but as
a general principle to replicate into all consumer technologies it’s
an industry con, what we call a “Fritz Chip” that cedes power to the
commercial OS vendors and software-as-service industry.

It puts your computer completely under the control of a remote and
hostile company. It provides “trusted computing” for them and does
not, unless you have a side business deploying remote servers in
hostile locations, serve you (as a regular dude/dudette), and
importantly the ostensible owner of the computer.

Last week Bruce Schneier reported on research from a group called
Binerly that “secure boot” is completely compromised on almost all
systems. In response, the comments were mostly “Good! We own our own
computers!”. Go away secure boot!

Secure-boot is a solutionist reaction to fixing a security problem
that should never be there in the first place. It caters to conditions
of extreme mistrust and therefore cultivates mistrust where deployed.
This is a perfect example of the “insecurity industry”. It is an
undesirable computing concept because it brings more security to the
powerful while removing security for the less powerful.

Besides, another problem is that computer main-boards even still have
BIOS/EFI, now a silly and unnecessary mistake prolonged by industry
inertia. People who’ve built and maintained computers for decades know
that the more minimal the loader and the less the BIOS needs to do the
better.

Computer scientists and electronics engineers get to build some quite
challenging things as rites of passage. In my youth I wired together
my own microprocessor (4 bit ALU with three registers and 12 bit
address using TTL logic) and a full microprocessor system or
“computer” (68000 based board roughly equal to an Apple Lisa – along
with a simple operating system and loader for it). Having built, and
in the process properly understood such technology, it’s my humble
opinion that since it worked in the past without any opaque magic, it
can work in the future without opaque magic. The inconvenient theory
that, anything that has happened can happen, leaves little space
for a logical comeback.

Board-level OS is one of those ritual grooves that we are stuck doing
because we always have. The root of it is disorder in the hardware
industry and betrayal of standards. Egged on by the likes of Microsoft
to add “trusted computing” hardware, the PC “mainboard” industry lacks
a creative escape plan. In practice many simpler but very powerful
“single board computers” (SBCs) completely do without this nonsense
and there are hundreds of brands of main-boards that don’t have
encumbering and trecherous technologies embedded. Nonetheless we are
attempting to normalise dangerous ideas, wandering into territory
that’s hostile to user security in the name of making big business
more secure against them.

Perhaps the spectacular failure of Microsoft as a company is the best
thing that has happened to cyberscurity for years.

Why are we stuck?

So why do we accept this dynamic? As regular citizens, mostly because
we don’t know much about it. As engineers, because we get confused
about whose control we are supposed to be protecting. As
governments, probably because the power seems seductive but there’s a
lack of education in the political science of why that would be a bad
thing
.

In part it’s also down to a dearth of technical education and the
power of dishonest marketing. Technnology is always a market where
people will buy things they have no need or use for, no understanding
of, but hope might bring empowering magic. That is the push-power of
an industry that does not answer to demand. It is also a failure of
our legal and political systems to challenge predatory business,
dishonest advertising and monopoly.

However, in the name of innovation, we have always taken a hands-off
approach to tech, with minimal regulation. That’s led to a slowly
growing abusive culture. There’s a toxic relationship that’s grown
through habit of non-challenging and taking-for-granted. We now have
an industry that feels itself above and beyond the law. We have
“consumers” who dwell in learned-helplessness without the courage,
knowledge or political voice to fight back.

But the horror show is getting a lot more light shone on it and cracks
are now visible due to a slew, indeed an inexorable tide, of
spectacular technology failures that now threaten individual lives,
small and medium sized businesses and government too.

Digital lemons

It’s also because the quality and provenance of software is hard to
evaluate. Experts are as pressed as an average person to tell whether
software is genius or junk. We don’t know what value it will really
bring. We don’t know where the bugs are. Software quality metrics are
as much a black-art as 40 years ago. We are kept on the path of
cavalier engineering, to “move fast and break stuff” by the
ever-present promise of medical and other scientific breakthroughs
that can help humanity.

But have we factored political turmoil and social disintegration into
our risk equations as a likely price to pay? Technology is risky
ground and you need to look whare you are going. I think we are rather
lost in fact. We seem at the mercy of tech hype cycles – blockchains,
AI, virtual reality, consuming trillions of dollars and thousands of
terawatt hours of energy. Where is the practical upshot? We get
unemployment, pornography, and scorching the planet, so that going
outside is unbearable; which may all at least cancel each other out if
we can build enough homes for people to hide in and masturbate.

In truth, nobody is really sure what they are doing, and so we avoid
long term discussion and decisions by deferring everything and moving
agency to a future “long-tail” or maintenance phase of hardware and
software. The core idea at the heart of so much bad cybersecurity is:

"Someone else will sort that out later"

The trick is to push the security onus and cost onto the end consumer
in the form of so-called “updates”. Like with climate, it pushes the
risks and costs on to future generations… those that will have to
clear up the mess caused by short-term profit. Unfortunately there’s
no “update” for a ruined planet in civil turmoil.

Digital technology is an industry that gets away with a fundamental
violation of basic expectations of quality and fitness for purpose
more than any other. We call this “software exceptionalism”. The
technology industry is run by people who think what they do is
special – in an almost religiously sincere way. But most are not
special. They are ordinary irresponsible people/ hoping to make a
buck quick and get out before the fall.

With so many con-artists around, this means tech is a market for
lemons in which the base price of all products is basically
zero. Because that’s the real level of confidence people have in
gratuitous tech, despite all they might say. Therefore all profit made
is by grift, encumbrances, rents, liens and deceptions laid on top of
ostensibly “free” software services. It is not even really a “market”
at all.

For about 30 years that didn’t matter. People and businesses did not
rely on computer software as we do today. In the 70s, 80′ and 90s
consumer tech products were seen as toys, fads, passing fun and
frivolity. Now we put the same quality of software into Boeing
airliners that fall out of the sky when it fails.

The tragedy is that we’ve plenty of smart people around who’ve devoted
their lives to software engineering, quality, formal methods, and
digital security. But their professionalism is made a mockery of by
greedy corporations, our lack of investment in smaller, local tech,
and missing political will to redistribute power on the Internet.

Anyone who looks at the emerging failures in digital tech is
bewildered. Not just journalists and politicians, but the experts and
programmers as well. The failures behind events like “Solar Winds”,
“Crowdstrike” and the latest “Secure Boot” issues are beyond belief –
in their fundamental stupidity. They prove that we can assemble
thousands of the worlds smartest people, but if we give them perverse
motives – like putting money ahead of human life – they will fare
worse than as many halfwits.

This avoidance of real thinking and engagement can be seen in events
like the sham Bletchley Declaration, signed by 28 nations to agree
to… “think carefully and have more talks”… about a threat
considered by many leading scientists to be more serious than nuclear
war.

I am in agreement with Carissa Véliz of Oxford who thinks the summit
was an ethical dodge. It sullied the name of Bletchley Park (now
within the grubby paws of Facebook after a £1 million “donation”) by
assembling political opportunists alongside carefully selected experts
to give an appearance that governments are in control of the tech
industry and not the other way around.

What we saw with Crowdstrike was a fundamental misunderstanding of the
concept of ownership. The US National Security Agency have described
anti-virus software as indistinguishable from a “rootkit” (the very
worst kind of malware). Indeed that’s what it is. It’s just very
dangerous software you allow someone else – who you believe you
trust – to install on your computer. Anti-virus and “managed endpoint
security” are medicines far worse than the diseases they claim to
cure. Sadly we have silently slipped into an age where nobody
questions this any longer, but we must challenge and remedy this
dangerous mindset.

Solutionism is where we start with a small mistake and build bigger
ones in response to it. In drama, that’s called farce. The cascade
effects in commercial tech have become a kind of farcical “Where’s my
trousers?” British sitcom. With secure boot what we see is mistakes
bolted on top of mistakes in an orgy of solutionism. Layer upon layer
of cryptographic staging and signing, and every new link in the chain
is a weakness. Most of the motives are unclear. Whose computer is it?
Whose property is being “protected”?

It has every hallmark of how security goes bad – because it is unclear – and
I believe deliberately so – who the security is for, what it is
security from, and what end it serves! A general consensus in the
technology world is that it primarily serves the interests of
publishers – the movie and recording industry, Sony, Disney, the RIAA
and MPAA in the US who represent these powers and dictate to other
tech companies.

Calling it out

As I’ve witnessed it unfold over 50 years this whole sorry saga
reminds me of some cautionary tale about a tangled web woven by the
boy who first told a little white lie, but then had to tell another to
support it, and a bigger lie, and then a bigger one still, until he
and everyone else had forgotten what was true and what was false.

That’s computing today. Our industry is dominated by greedy and
dishonest motives, so;

  • we’re not getting the technology we really need to face the
    existential and economic challenges of our age
  • we are facing a catastrophic complexity collapse
  • we endure nebulous societal harms like damaged mental health,
    ruined education, widespread depression and disaffection with
    politics
  • we risk a major takeover/power-shift away from democacy

If human political pride is stopping us from preventing a much worse
outcome that’s no failure of science, technology and engineering, but
a long overdue moral reckoning. The answers here are not technical but
moral, and therefore political.

Whatever names we know each weekly tech disaster by… Crowdstrike,
Meltdown, Solarwinds, Horizon… as we name hurricanes… they’ll
still keep coming and keep getting worse.

As with climate, to fix things we must look for the root causes. The
sooner we stop pretending these are technical problems and start
speaking the truth about the fundamental political problems in
cybersecurity, and the issues we have with our consumer computing
industry in general, the sooner we can have security for all computer
users again, not just the already rich and powerful ones.

Read More

Dr. Andy Farnell Edward Nevard Helen Plews Andy Farnell