Issue #03: Security

The Weakest Link

At the end of 2000 I was studying IT management at the Universidad de Buenos Aires, and the teacher in front of my class was trying to instill some basic notions of computer security in the heads of a rather skeptical (albeit ignorant) crowd.

Out of a certain exasperation, said professor stopped the class. He asked one of the few lucky owners of a cellphone in the classroom for his phone number. After entering the number into a device that looked like a handheld calculator, he asked this unsuspecting student to go outside the classroom and call a friend or a relative.

The student complied. After a few seconds, to our astonishment, the machine picked up the call. We could all clearly hear our friend talking to his mum about dinner plans for that evening.

I was shocked. I had no idea how cellphone networks worked. But I was under the absolute assumption that privacy and security were given attributes of such networks. That whoever designed and built that infrastructure had them as major goals. Was private correspondence not protected by the constitutions of most countries in the Hemisphere, after all? Why would cellphone communications be any different? Was this assumption foolish?

Rude Awakening

A few months later, I bought a copy of “Hacking Exposed 2” by Scambray, McClure and Kurtz; it was the only book about computer and Internet security I could find on the shelves of the stunning and recently opened “Ateneo Grand Splendid” bookstore in Buenos Aires.

(It must also be said that this is one of the books that changed the meaning of the word “Hacking” forever in the minds of millions, a confusion that Richard Stallman himself has tried to debunk, but to no avail.)

In that book I learnt that most of the traffic in our networks back then was completely unencrypted. Which meant that, with the proper setup, it was easily “sniffable.”

First Steps

Out of curiosity, I used this brand new search engine you might have heard about, “Google,” to learn more about the subject. I found a copy of CaptureNet, a freeware packet sniffer that was part of the SpyNet/PeepNet suite by Laurentiu Nicula; then I looked up the port number used by MSN Messenger (it was 1863, in case you were wondering). Finally I found out how to enable “promiscuous mode” on the network card in my laptop.

I plugged all of these pieces together in silence, my coworkers fully unaware of my proceedings. In the small LAN of the office my company had north of Buenos Aires, we were all using Windows 2000 Professional. And, as it turns out, we were using a good old router, not a switch, which undoubtedly helped me fulfill this task.

I finally turned the sniffer on.

Instantaneously, my screen started to show me the conversations my peers were having on MSN Messenger. And I mean all of it. Every detail of their private lives, the current business deals, the comments of the latest news. Every “smiley” they were sharing. Everything in their private lives, every single word they said. All on my screen, ready to read, without any encryption.

After changing the sniffing port to 80, I used CaptureNet’s uncanny feature of reconstructing web pages. Everything my colleagues were browsing at that very moment, including images and scripts, appeared on my laptop.
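The passive sniffer described in the paragraphs above reduces to three parts: a medium on which every station's frames reach the sniffing card (with the card in promiscuous mode so it does not discard frames addressed to others), code that parses the Ethernet/IP/TCP headers, and code that groups the payloads per conversation so that a chat or a web page can be read back. The block below is an added example, not code from the original post and not CaptureNet: a stdlib-only Python sketch of the parsing and grouping step, run over frames constructed in memory to stand in for what the card would deliver (the IP addresses, the MSNP message and the HTTP exchange are made up for illustration). It also shows what the same tool gets from a TLS flow on port 443: nothing readable.

```python
"""Minimal passive sniffer: parse Ethernet/IPv4/TCP frames and group payloads per flow.

The frames in FRAMES are CONSTRUCTED in memory to stand in for what a NIC in
promiscuous mode hands to a sniffer when every station's traffic is visible.
No network access is needed; socket is imported only for address conversion.
"""
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet + IPv4 + TCP frame. Checksums are left at zero; the
    parser below never validates them, as a sniffer has no need to."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for a TCP/IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None                       # ARP, IPv6, ...: ignored here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]


def sniff(frames, ports):
    """Concatenate TCP payloads per flow for flows touching one of `ports`.
    The key sorts the two endpoints so both directions share one bucket."""
    streams = defaultdict(bytes)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if sport not in ports and dport not in ports:
            continue
        a, b = sorted([(src, sport), (dst, dport)])
        streams[(a, b)] += payload
    return dict(streams)


def looks_plaintext(data):
    """Crude readability check: share of printable ASCII. TLS records fail it."""
    if not data:
        return False
    printable = sum(32 <= c < 127 or c in b"\r\n\t" for c in data)
    return printable / len(data) > 0.9


# Constructed sample traffic (not a real capture).
FRAMES = [
    # MSN Messenger (MSNP) message from a colleague's PC to the chat server.
    build_frame("192.168.0.12", "207.46.0.1", 1048, 1863,
                b"MSG 7 N 61\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nsee you at 9pm"),
    # Plain HTTP request and the start of the reply, on port 80.
    build_frame("192.168.0.15", "203.0.113.7", 1052, 80,
                b"GET /intranet/deal.html HTTP/1.0\r\nHost: intranet\r\n\r\n"),
    build_frame("203.0.113.7", "192.168.0.15", 80, 1052,
                b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Q3 numbers</html>"),
    # An HTTPS flow: TLS record header followed by opaque bytes.
    build_frame("192.168.0.15", "203.0.113.9", 1053, 443,
                b"\x17\x03\x01\x00\x10" + bytes(range(0xA0, 0xB0))),
    # An ARP frame, which the parser skips.
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for (a, b), data in sniff(FRAMES, {1863, 80, 443}).items():
        tag = "PLAINTEXT" if looks_plaintext(data) else "opaque"
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} [{tag}]")
        print(data[:80])
```

On a switched LAN the first part fails by itself: the switch only forwards a frame to the port where its destination MAC lives, so the sniffer sees only broadcast traffic and its own, unless the switch is tricked (ARP spoofing, MAC flooding) or a mirror port is configured. The parsing and grouping step is unchanged; what protects the chat and the web page today is that the payload arrives looking like the port 443 flow above.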

Those sessions shall remain anonymous and forgotten. I got so scared that I basically hit the stop button on the sniffer and deleted the logs. For the first time in my career (I had been working as a software developer for three years by then) I had the sensation that everything we did in our industry was extremely fragile and insecure. It seemed to me that we were all blissfully unaware of how naked we were.

It was even worse than watching our teacher listening to private phone conversations. This was even simpler and cheaper – no need for custom hardware.

Wannabe Cracker

This new knowledge took me to a rather somber hobby, one of which I am not really proud nowadays. Around 2002 I got into the habit of scanning random IP ranges on the Internet, finding computers running Windows 95 or 98 with port 139 (NetBIOS) wide open, and then connecting to them using Back Orifice.

Connected to those machines on the other side of the planet, I watched live as those users typed documents, filled spreadsheets, or browsed the web. I would then take over their mouse, open a Notepad file, and paste a pre-written text explaining to them that I meant no harm, that their system was open to intrusion, and how they should protect themselves.

I would then leave without further action, a small and shocking Notepad window left behind me: a mirror of their own nakedness, and most probably a gaze of terror in their eyes. In my defense I will say that I never, ever made any change or stole any information from those machines; my intent was to raise awareness, although I reckon my methodology was probably not the most adequate or tasteful.

Security breaches like these were by then already the stuff of urban legend. Or worse, the subject of heated discussion about what seemed an almost expected feature of every new version of Windows. Microsoft’s situation regarding security was so serious that Bill Gates himself wrote the now legendary “Trustworthy Computing” memo to his employees, making the book “Writing Secure Code” by Howard and LeBlanc mandatory reading inside the company.

Microsoft’s motto was “a computer on every desk.” Unfortunately, said motto made no mention of how secure that computer had to be. This is to me another proof that “moving fast and breaking things” is one of the most harmful policies a company can follow.

The Dawn Of A New Era

There was a bigger question that popped into my mind back then.

I was just a software developer without any kind of formal training, with just a basic amount of curiosity and a little experience. Yet I could put together all of those pieces on an admittedly standard computer. What could then be happening in governments or companies? What would be the level of intrusion of these companies into our lives? How much did our governments and corporations know about us?

Well, in the case of the Argentinian government, not a lot. Its level of competence in IT was still a long way off (one could argue that ignorance was bliss for the Argentinian people back then), and there were other problems to worry about.

But of course I figured that great powers like the USA, Russia or Europe were easily reading (or at least storing) everything we said and did online, because doing so was not only cheap for them (I had not spent a single dime on my setup, using a company laptop and some freely available software) but also extremely convenient and strategically important.

Actually, it made more sense for governments to record everything that went online and store it in a database than not to do it at all. All things considered, having all of that information in a database for later evaluation was better than not having it.

Turns out I was right, and yet still very naive. I had not realized that nuclear plants, hospitals, pacemakers, finance and nearly everything that uses electricity were already being managed with computers connected to the Internet.

“Geekonomics” by David Rice would not be published until 2008. Bruce Schneier’s blog was still just a newsletter. And IoT was… well.

The World We Built

We, designers and users of the technology of the future, eager to use the latest gizmos and the newest approaches, were feeding a silent surveillance machine, the product of which, 18 years later, is the slow establishment of the largest coalition of fascist leaders in modern history.

As citizens, as technology designers and users, we all have contributed to the growth of this machine and the birth of this new world order, through none other than Facebook, MSN Messenger, Skype, Twitter, Tumblr, iOS, Android, Google, and so many other companies and systems.

But we can change this, the same way we unconsciously decided to make this happen.

And of all citizens, software engineers and IT experts have an ethical duty to make computers secure, acting on two fronts at once:

  • First, by designing, implementing and deploying systems in a secure and privacy-conscious fashion.
  • Second, by teaching and raising awareness of the various issues around security and privacy in our modern infrastructure.

Humans, and particularly those working with computers, are the weakest link in the chain of security.

The World We Could Have Built

We are the ones giving out our (weak) passwords when receiving a phone call from the “support” team of a company whose products we use, or when a stranger asks us for it on the street.

Clicking “I Agree” on most privacy agreements without even skimming the text.

Not (fully) understanding how encryption works, and why some algorithms are of no use today, or, even better, rolling our own without first reading Schneier’s “Memo to the Amateur Cipher Designer,” written in… 1998.

Not even trying to configure PGP in our mail clients.

Designing purposely complicated systems that others cannot properly configure, leaving security holes open.

Forgetting to add SSL certificates to that new website we built for a relative.

Misconfiguring routers and firewalls for convenience… or plain ignorance.

Storing passwords as plain text in databases and then, God forbid, sending them to users via e-mail. Not even trying to explain to our pointy-haired bosses that this should not happen.

Ignoring two-factor authentication in our accounts.

Letting ourselves be easily fooled by politicians as they try to convince us that weakening encryption is important for our “security.”
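The plaintext-storage item in the list above, and the “we’ll e-mail you your password” habit that follows from it, come down to one design decision: whether the server keeps anything from which the password can be recovered. The block below is an added example, not code from the original post: a stdlib-only Python sketch that puts the anti-pattern beside a hardened form (per-user random salt, PBKDF2-HMAC-SHA256, constant-time comparison, and a self-describing record so the work factor can be raised later). The user names, passwords and the in-memory dict standing in for a database are constructed for illustration; the iteration count is an assumption to be tuned on your own hardware.

```python
"""Password storage: the plaintext anti-pattern beside a hardened form.

Stdlib only. `db` is an in-memory dict standing in for a users table
(constructed for illustration).
"""
import hashlib
import hmac
import os
import secrets

# ---- Anti-pattern: the password itself is the stored credential. ----------

def store_plaintext(db, user, password):
    db[user] = password            # anyone who reads the table owns every account


def login_plaintext(db, user, password):
    return db.get(user) == password


def forgot_password_plaintext(db, user):
    # A site can only "send you your password" because it kept it. This is
    # the e-mail the paragraph above objects to.
    return f"Your password is: {db[user]}"


# ---- Hardened: salted, iterated hash; nothing recoverable is stored. -------

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt      # fresh salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute with the record's own salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                                       # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def store_hashed(db, user, password):
    db[user] = hash_password(password)


def login_hashed(db, user, password):
    record = db.get(user)
    return record is not None and verify_password(record, password)


def forgot_password_hashed(db, user):
    # There is nothing to send back. Issue a short-lived, single-use token
    # that lets the user set a new password instead.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse battery staple")
    store_hashed(good, "alice", "correct horse battery staple")
    print("plaintext table :", bad["alice"])
    print("hardened table  :", good["alice"])
    print("reset e-mail (bad):", forgot_password_plaintext(bad, "alice"))
    print("reset token (good):", forgot_password_hashed(good, "alice"))
    print("login ok:", login_hashed(good, "alice", "correct horse battery staple"))
    print("login wrong:", login_hashed(good, "alice", "Correct horse battery staple"))
```

Two details matter in the hardened form: the salt is random per user, so two users with the same password get different records and a precomputed table is useless; and the record carries its own iteration count, so when hardware gets faster you raise `ITERATIONS`, re-hash each user on their next successful login, and old records keep verifying in the meantime. An unsalted fast hash such as MD5 or SHA-1 fixes neither problem and is not a meaningful improvement over plaintext.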

Our Duty

It is our duty, our ethical duty, the one with utmost importance, to realize that we are humans, and that we, the people, are the weakest link in the chain of security.

The good news is, this link, however weak, has an uncanny capacity to learn and change. We can change this world we built. We can stop building the current one, right away.

Let us build a world where we protect each other, consciously, all the time, and where the systems we build serve this purpose.

A world where privacy and security are basic human rights.

Let us teach each other how to build this new world, like my visionary teacher tried to.

Cover photo by Tan Kaninthanond on Unsplash.

Adrian Kosmaczewski is a published writer, a trainer, and a conference speaker, with more than 25 years of experience in the software industry. He holds a Master's degree in Information Technology from the University of Liverpool.