Technocreep (21 page)

I once asked a photo editor at the
New York Times
if he could detect faked photographs now that they could be digitally manipulated. He said that in the past, he would look for things like sharp edges where negatives had been cut and pasted together. Now that image tampering is done by computers, he acknowledged that fakes can certainly get past him.

Ordinary citizens are even starting to practice various forms of disinformation. Shopper Keith Gormezano posted his Safeway Club Card online, encouraging others to download the barcode and use it when they went shopping. It worked, and now there are people all over North American hearing “thank you, Mr. Gormezeno” from grocery store cashiers. As one blogger pointed out, this ruse might someday backfire on Mr. Gormezano if authorities try to figure out why he consumed 666 bottles of wine last month.

Nowhere is consumer lying more blatant than in polls and on surveys. The most recent provincial election polls in Western Canada have all been wildly different from the actual voting results. In 2013 Angus Reid and Ekos predicted a crushing defeat for Premier Christy Clark in British Columbia; instead she was easily re-elected.

Do voters simply wake up on Election Day and switch allegiances? Telephone polls usually focus on people who have landline telephones. So the pollsters probably heard from a lot of octogenarians, missing the entirety of the youth vote. And, of course, people have been known to lie, telling pollsters what they think they want to hear, or whatever will get them off the phone quickly.

Online consumer surveys sometimes seek to compensate you for your time with cash incentives or points that can be converted into something like a magazine subscription. The elderly are usually screened from these surveys, reflecting the way the market views them, generally speaking.

Cut your age down to 39, and the surveys will flow like water. After completing one, for fun and points, on a medical condition I don't have (hemorrhoids), one of these surveys gleefully asked me probing questions about what I have around the house in a bizarre attempt to profile me. Do I have a bike? A Yoga mat? Cast iron skillet? Face paint? Scented candles? A cape?

The same survey asked me to select the person I'd most like to take for a Sunday walk. I struggled to choose among the options presented: Warren Buffet, Jesus, or Tina Fey.

My favorite story about trusting technology over common sense comes from the early days of product scanners and point-of-sale (POS) terminals at the supermarket. Back then the checkout clerks were required to call out the purchases and prices verbally—to reassure shoppers that this technology was really working.

Some innovative hackers taped over bar codes of various products, substituting bar codes from more expensive items so they wouldn't really be stealing:

Store clerk: “Lobster tail: $14.99”

Customer (pointing to bag of potatoes): “No, that's a sack of potatoes”

Store clerk (pointing to POS terminal screen): “Lobster tail, $14.99.”

Watching a human being allow a computer readout to take precedence over what she saw with her own eyes was both funny and profoundly unsettling.

In the 1980s and 1990s, radio station contests were sometimes rigged so the station manager's cousin would win the trip by being, remarkably, “the fifth” caller and our lucky winner.” Hackers like Kevin Poulsen figured out ways to attack a broadcaster's phone system to win some high stakes contests.

As reported by Alan Wlasuk on TechRepublic, Poulsen's “iconic 1991 hack was a takeover of all of the telephone lines for the Los Angeles KIIS-FM radio station, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2. The bold Poulsen was wanted by the FBI for federal computer hacking at the same time he was winning the Porsche and $20,000 in prize money at a separate station. Poulsen spent 51 months in a federal prison, the longest sentence of a cybercriminal at that time.”
255

The Internet has allowed even more creative tampering with contests. An unsanctioned “Who Wants Justin the Most?” competition in 2010 claimed that Justin Bieber would perform in whichever country tallied the most fan votes. Internet pranksters rigged the contest so North Korea won, with 659,141 votes. Bieber did not go to North Korea.
256

In a similar fiasco, a 2013 “Meet Taylor Swift” contest was canceled after the Boston radio station that sponsored it reported that “the integrity of the ‘Taylor Swift's Biggest Fan' contest” had been “compromised.” Reddit and 4chan promoted a 39-year-old bearded man knows as “Charles Z.” “Crush the dreams of these girls,” urged 4chan, “and give him a chance to make a complete ass of himself by blatantly just sniffing her hair with cameras rolling.”
257

In 2008, the Canadian Broadcasting Corporation ran a contest for a new composition to replace its classic “Hockey Night in Canada” theme song. Vying for the $100,000 first prize, young Logan Aube submitted an entry that he described as “mostly comprised of cat and sheep sounds, baby cries, and gunshots/explosions.”

Using the power of the Internet, specifically the Something Awful forum, YouTube, and Facebook, Aube managed to push his entry into first place. The CBC faced angry protests when they took it down.
258

Another malicious activity happening online with alarming frequency is the hacking of email accounts. According to a report in
The Economist
, “One day in early 2010, an American working for an environmental NGO in China noticed something odd happening to his BlackBerry; it was sending an email from his account without his doing.”
259

He watched, dumbfounded, as the email went out to a long list of U.S. government recipients, none of which was in his address book. Seconds later he saw the email disappear from his sent folder. Eventually he heard from the FBI that his email account and those of several colleagues had been compromised by hackers from China. All the victims had attended a climate-change conference in Copenhagen in December 2009, where America and China had clashed.

David Barboza, a journalist at the
New York Times
, reported in October 2012 that relatives of Wen Jiabao, China's prime minister at the time, had huge fortunes. After his story was published, Chinese hackers compromised the publication's networks to get at Mr. Barboza's work email account. “Other news organizations, including the
Wall Street Journal
and Reuters, noticed similar Chinese intrusions.”
260

Even hardware is no longer safe.

At the 2012 Black Hat conference in Las Vegas, Jonathan Brossard gave the world a peek into the secret world of hardware back doors, which are a lot harder to detect than software ones, and virtually impossible to fix once they are installed.
261

Brossard fired up a normal-looking computer with a diddled BIOS chip, the software that controls how a computer starts up. This was enough to disable security features of Microsoft's latest Windows 7 operating system. In fact, it could have disabled any operating system, because it bypassed low-level security instructions in the computer's CPU. He made the additional point that much of this nasty exploit is “built on top of free software, including the Coreboot project, meaning that most of its source code is already public.” So, unlike hacks that require microscopes and cutting chips apart, this one is done with easy-to-obtain tools and some brainpower. It is also safely beyond the reach of antivirus software: even erasing the hard disk and reloading the operating system won't do a thing to it.
262

The clear implication is that if someone can obtain physical access to a computer, especially at the manufacturer or distributor level, they can “own” it forever, making it take instructions from them over the Internet at will.

While an Intel spokesperson shot back that this was largely a theoretical vulnerability, there is certainly evidence of hardware back doors such as the Stuxnet worm that have been much more than theoretical.

From the earliest days of computers, people tried to make them do unlikely and sometimes humorous things. In the days when computers were the size of rooms, we would sometimes prank the operators by making their huge clunky line printers play musical sounds. Another favorite was EDITH, which displayed an image of a naked woman, made entirely of ASCII characters like Xs and *s on the printer.

Often programmers built in secret instructions to display their names as the authors, or for their own convenience while testing or using the program in the future. We called them features, but our bosses viewed them as unacceptable holes in the system. So we made sure they never found out. Nobody was ever going to read our code line by line anyway, except perhaps another programmer, who would then be in on the little secret.

In the 1970s I worked on the MULTICS operating system, which was explicitly and carefully designed for security. An ancient (1974) report on this system contains these prophetic words: “the penetrator can install ‘trap doors' in the system which permit him access, but are virtually undetectable.”
263

By the time the 1983 film
WarGames
was made, the term “backdoor” was
en vogue
. In that movie, the secret access code was the name of a character's dead son, Joshua.

In four decades of watching hackers, I've come to admire both their ingenuity and their persistence. The best way to summarize the goal of the hacker mind, at least for the “White Hat ones,” is “not to do what you're not supposed to do—to do what you're not supposed to be able to do.”

System designers often fail to “expect the unexpected.” One of my favorite examples is a German author who embedded SQL commands into a book he published. Exploiting a flaw in the Amazon web store, he arranged it so people who tried to “Look Inside” his book had their browser redirected to the page for purchasing it. Amazon quickly fixed the problem but it was one of the more clever attacks of this nature.
264

Unintentional “magic strings” can also happen. In September 2013, word started to spread about a “magic sequence” of Arabic letters that would crash iPhones and other devices that used Apple's CoreText text rendering system. According to
Business Insider
, “just to read these letters in your timeline was enough to crash your Twitter app.”
265

Are those who exploit such weaknesses good or evil? Ultimately that depends on their motivation and how they use the knowledge that is hidden from the masses. One thing is for certain: technology tricks can be used to harm us, often in the pocketbook.

Most people know that there's no terminally ill rich widow in Nigeria waiting to share her fortune with a lovely person like you, and that Bill Gates doesn't randomly select email addresses to send out million dollar checks. “Get your free credit report” often means “give us enough information to steal your identity.” Even “I want to buy that guitar you listed for sale on Kijiji” could actually translate into “I'm harvesting and selling confirmed email addresses and want to add yours to the list.”

Scam artists are using some downright insidious tricks to tug at our heartstrings. According to a report in
The Guardian
, “Peter Saunders from Edinburgh received a heart-wrenching letter from Namukula Viola of Uganda. She is just 16, with two younger sisters, orphaned when her mother was raped and killed by rebels in fighting in the north of the country.”
266

He was horrified by her detailed tale of woe, and sent money as requested. Then a news report alerted Saunders to the fact that a lot of people were getting identical sob story letters. It was in fact a wicked hoax aimed at extracting money from nice but gullible people. An interesting twist is that many of the victims were artists, probably because their names and addresses were listed in a certain directory.

Even the savviest users can get fooled by a type of online trickery called Dark Patterns. As explained on
darkpatterns.org
, this is “a type of user interface that appears to have been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.”

A wonderful example appeared on the website of Ryanair, which offers inexpensive air tickets but charges for just about everything else like checked baggage and boarding pass printing. One of the things they sell is travel insurance. At one point their site was pushing it so hard that you had to dig for the “opt out” option hidden between Latvia and Lithuania. It's not even in alphabetical order! If you didn't spot the “No Travel Insurance Required” choice and specifically select it you were continuously taken back to “Please select country of residence.” Writing on
DarkPatterns.org
, Harry Brignull observed that “What's interesting about this pattern is that it gives the site owner plausible deniability: they can claim that when you read the words on the page, it's entirely clear what's being said, so what's the problem?”
267
You can judge this one for yourself at
http://darkpatterns.org/library/trick_questions/
.

Even more people have been struck by the Conduit search bar, a piece of software that frequently shows up after someone has downloaded “free software from a reputable site.” These free software download sites need to make money, so their “automatic” installation often brings programs like Conduit along for the ride.

The website
malwaretips.com
says this about Conduit: “it's technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a ‘PUP,' or potentially unwanted program.”
268
To make matters worse, some of the “free Conduit removal tools” offered online to desperate victims are themselves vicious pieces of malware.