appnext

Sabtu, 12 November 2016

Android and chill: Everything has bugs and will be hacked

And by everything, I mean your phone. And your computer. And your television. And your WiFi router. And your car. And ...

Google, Apple, Microsoft and Adobe got raked over the coals this past week because their latest products were all hacked at Pwnfest 2016 in Seoul. Windows 10, Android 7.1 and MacOS Sierra all fell in just a matter of moments from browser-based exploits, giving members of China's Qihoo 360 team full access to all admin functions and a healthy bounty for being the folks who got in. And Flash, well it was just being Flash and got hacked faster than it can load itself on a web page.

Well of course they were. They almost always are. And they will almost always continue to be.

I was chatting with a friend about this. She is not a nerd and was surprised that this was able to happen. She was more surprised when she found out that these products get hacked every year. After all, these companies stand on a stage somewhere and tell you how much money and time they spend for this product to be the most secure version ever, so thinking that they are invulnerable makes sense. But no software is invulnerable because that's just not possible.

How fast it gets fixed — and not how fast it gets hacked — is what really matters.

These exploits were all reported ethically. That means the team told Google (and everyone else with a product that got broken) how they did it and didn't tell anyone else. But by seeing how they were initiated it appears that something like Javascript (or another common web platform) was exploited. This exploit didn't exist when Android 7.1 or Windows 10 or MacOS Sierra (and I miss OS X already) were developed so it's certain that code wasn't put in place to handle what would happen. You simply can't write in safe fallbacks for everything that could happen and if you could the software would be worth gazillions of dollars. Hackers know this and the people writing the code that gets attacked know it. The only people who should know it but don't seem to are the media who report it as something unheard of and sensational when it's really mundane and expected.

Your phone running Android 7.1 (or your computer running Windows 10 or MacOS Sierra) is likely the most secure version of the operating system ever built. But it's only secure against things that the folks building it knew about, and against itself. People are already working on finding a bug or exploit in something else and seeing how they can use it to crash everything and burn it to the ground. Some of those people do it for the right reasons — a quarter million in cash for finding it and telling the companies involved is the best and most right reason of all time. Others are doing it in the hopes that they can get your credit card number. Both types of people will be successful, and everything you use will be hacked because it's riddled with bugs and holes.

Even my BlackBerry Priv, which some people think of as unhackable, is probably already hacked by someone, somewhere, who knows that "wasting" an exploit against a phone that hardly anyone uses is not the way to get a bunch of card numbers. Better to sit on it and hope you can find a better target because once found out it will be fixed. The first thing you do when you find a Linux exploit is to see how you can use it against a Windows computer, because the goal is to get it on as many machines as you can.

Your phone runs software that will be hacked. The people who write it have prepared for it.

Look at the phone in your hands. It has software on it that will be hacked. Know this. But also know that there are probably other factors in place that mitigate any potential harm and the company who wrote that software has a method where they can fix it and try to get it to you as fast as possible. That is the thing to take away from all this hacking news. What matters is how fast the bugs are fixed, because bugs are in every piece of software ever written. This is how software gets better each time it's updated.

It's always been this way and the only thing that has changed is how much attention it receives.

Tidak ada komentar:

Posting Komentar