CS 1023 Cultural Implications of the Information Society

I have examined Man's wonderful inventions. And I tell you that in the arts of life man invents nothing; but in the arts of death he outdoes Nature herself, and produces by chemistry and machinery all the slaughter of plague, pestilence, and famine.... When he goes out to slay, he carries a marvel of mechanism that lets loose at the touch of his finger all the hidden molecular energies, and leaves the javelin, the arrow, the blowpipe of his fathers far behind. In the arts of peace Man is a bungler.... There is nothing in Man's industrial machinery but his greed and sloth: his heart is in his weapons.

G.B. Shaw, Man and Superman, 1903

Only a few ideas are included here; human inventiveness will come up with new ways to misuse computers, ways not imagined by me. However, computer crime does not have to spin out of control. Mature computer technology will eventually provide such thorough oversight that monitors and agents will stop many computer crimes in real-time; the tracking and data logging will identify and analyze most of the others after the fact.

Warfare

The march to utilize computer technology in warfare proceeds on many fronts, like war itself. Governments have embraced the contributions of all technology, but especially the computers. Up to now, non-computer hardware, perhaps under computer control, has carried out the actual killing and destruction, but looming ahead is all-software warfare: attacks on a computer system through network connections.

Since World War II, nations have used computers for the gathering and dissemination of information, and for related communication, if not directly for warfare. There are myriad sources of information and endless ways to pass it along; the latter causes problems for the U.S., since it can be hard to get information across incompatible systems. Related uses for computers come from control and remote control of devices. Remote control and communication can use cryptographic techniques to ensure security and authentication -- after all, the enemy must not be able to intercept or inject messages or to take over control. Remotely controlled weapons systems, whether in the air, on land, or under water, promise to transform warfare, eliminating danger to human controllers, and allowing the use of smaller and faster units.

During the last decade the U.S. pursued its Strategic Defense Initiative (SDI). People whose opinions I trust have called the whole idea misguided, which is the mildest epithet they used. From hardware to software, from computers to physical weapons, the approach was misguided. On the hardware side, the system was to knock out incoming missiles, using other missiles, ordinary lasers, and X-ray lasers, all under computer control. I am no expert in this field, and the details are classified, but the use of a laser to destroy a missile from hundreds of kilometers away clearly requires tremendous power -- either a huge conventional power plant in orbit, the means to transfer energy from the ground, or detonation of a nuclear weapon in orbit to provide the energy. Without any back-of-the-envelope calculations, the physical side of these proposals sounded preposterous -- even with no enemy countermeasures. So it surprised many people that experts identified software as the most difficult part of the project, or depending on the expert, as the part that absolutely could not be created with existing and anticipated technology. The software requirements called for a distributed database, keeping track in real-time of all the threats from hundreds or thousands of missiles that are part of an all-out nuclear attack. This distributed software, more complicated than anything created before, would have to function after elimination of randomly-selected nodes -- a level of fault-tolerance far greater than any previously achieved. Finally, this Strategic Defense Initiative, though billed as a defensive system, always seemed better-suited to offense.

After spending US $55 billion without getting a workable system, the U.S. renamed and repackaged its SDI as the Ballistic Missile Defense (BMD). This new BMD represents a more realistic and more limited version of the old SDI, with intercepting anti-missiles and airborne lasars in the megawatt range, the latter carried on Boeing 747 airplanes. This system is more alarming because its lowered expectations may be realizable and because it still works better for offense than defense.

Software-only attacks can be a part of warfare. Though it may sound like a science-fiction movie, these attacks are of great concern. Hackers have carried out so many successful attacks against military computers that the worries are understandable. Conventional acts of terrorism or subversion destroy power plants or poison water supplies. But what if a country's financial institutions were crippled with a software attack? Other targets could be the air-traffic control system, the phone system, or the computer controls on the electric power grid. As warfare gets dependent on computers, the computers themselves and their software become new points of attack. An enemy could attack a country's computer networks directly. Consider the insertion of viruses and logic bombs in military software and hardware, written not by teen-aged hackers but by experts supported with the resources of a country. Talk about moles! Instead of planting an agent inside a country to use decades later, the new warfare will plant a virus in their computer systems.

I heard rumors from friends that during the cold war, American and Soviet satellites played games with one another. According to these rumors, each side had hunter/killer satellites, designed to take out the other side's satellites. Just sidling up to the other device and blowing both apart would be easy, but the others would know what had been done, so -- still relaying a rumor here -- both sides shot the equivalent of BBs at one another, little pot shots not designed to destroy the other satellite but to make it malfunction.

The devices just described (if they existed) were more likely remotely controlled than autonomous. The prospect of autonomous, war-making robots, mobile versions of the agents discussed in the next chapter, is terrifying. These agents need not pass the Turing intelligence test; they only need enough brains to complete their mission, whether destruction or killing. Right now researchers have difficulties just getting a large autonomous vehicle to navigate a road. For these robots, even scene analysis is a big problem that has long occupied the artificial intelligence community. But progress continues. The field is not yet ready to develop small, mobile robots wandering around looking for humans to kill, or with another lethal mission, but they will come. Such robots do not have to be all that capable, and developers should find it easy to kill a person. A variety of approaches will do, say, a tiny air-powered gun firing a minute pellet, almost too small to see, with one of the terrible poisons in a cavity inside the pellet.

I am personally afraid of lethal robots because, unlike the Strategic Defense Initiative hardware and software (and its successors), robots like these should be feasible in a decade or so, assuming reasonable progress. Each individual robot has a simple mission that builds on what the others are doing to carry out higher, more complex missions. These ideas -- complexity emerging from simple parts, with bottom-up control -- currently occupy one segment of the computer research community.

The techniques of modern biology and of nanotechnology may eventually be adapted to warfare, with unknowable results. And future wars may change to more sophisticated activities -- not directly killing people or destroying physical objects. Malicious attacks could destroy electronically recorded history, undermining education, culture, and a nation's ability to progress. If one views these activities from the present background and vantage, it might not seem like war at all, but it will be serious just the same and may result in destruction of cultures or vast changes in human history, as wars always have.

Pornography

In the United States, lawmakers have discovered pornography on the Internet. Whether or not they enjoy it themselves, they want to legislate against it, forgetting that America does not own the Internet, forgetting about the U.S. First Amendment free speech rights. Attempts to eliminate pornography will likely fail. To give one reason, illegal non-computerized child pornography is still around despite efforts to get rid of it. And the new electronic medium offers more opportunities for disguise and distribution.

The current Internet contains raunchy material. There are newsgroups on every conceivable nasty topic, web sites supported by skin magazines. Pick a newsgroup at random, not too far off track, one that illustrates the repetition and banality of many of these newsgroups: alt.tasteless.jokes. Individuals send jokes to this newsgroup (``post'' them) and others get to read tasteless jokes. After each disaster, no matter how horrible, tragic airline crash or lethal bombing, ugly jokes about the disaster appear, followed by postings about how disgusting the jokes are, and these latter postings are followed by postings to the effect that if a user does not want to read tasteless jokes, he should read a different newsgroup. Posters also like to ``flame'' their critics -- they post even more offensive messages with personal references to these critics. Only half the postings are actual jokes, and fewer than five percent are witty even with a charitable definition of the term. Like all pornography it quickly gets boring.

Other newsgroups are much more explicit. Then there are the pictures: again every possible subject matter, including child pornography, people with animals, the usual ugly material. Digital video technology is rapidly coming on-line, and video clips will be a hot new area. In addition there are ``chat rooms'' available from commercial vendors, supporting ``cybersex,'' safe sex that uses imagination, fantasy, and sometimes filthy speech -- bondage or bestiality or whatever. No need for condoms here, but anonymity often plays an important role. There are still other possibilities I know little about (better not to know).

Pornography on the Internet is similar to what has always been around, but it is far more easily accessed. Another difference now is that a child can download material into the computer at home. I feel that the current applications barely scratch the surface. What are the limits? There are no limits to this digital realm.

Not all the activities described above are harmful, and many are protected in the U.S. as free speech. The chat rooms allow adults to meet one another electronically, and eventually perhaps in person, or for teen-agers to talk about issues they consider important. This situation is like the ``pen pals'' that have been around for ages, except that the new electronic version is more convenient and rapid. Pornography has even helped promote Internet innovations, as with the ``streaming'' technology, in which an image is built up partially, and then with more and more detail.

Some people would monitor and control conversations between consenting adults, though I consider even monitoring unacceptable. Students who use a university's equipment, and others who set up a free web page through a service like Geocities, may break rules against pornography in their respective services. This is not a free speech issue since they are not paying for the service; they are using someone else's equipment. But the main concern should lie with interactions between children and adults, and possible exploitation of children. Early proposals in the United States used technical means for parents to selectively block their children's access to adult material, but these proposals required too much oversight on the part of parents, with cartoon images of parents asking their own children how to enable Internet access controls. More recently the World Wide Web Consortium has released flexible technology that will allow each group to set their own blocking standards. The Platform for Internet Content Selection (PICS) uses content labels to allow users and organizations to choose which sites to block. Thus parents can sign up with the blocking service that suits their philosophy. The technology also allows a user to block outgoing data, such as phone numbers or credit cards (but beware of a clever youngster who could phrase such information in a way the blocking software would not recognize). Soon this software will do a good job keeping children from accidentally accessing a web site that might disturb them.

Gambling

Legalized gambling has vastly increased in the U.S. during the past decade. Now the Internet is getting into the act. Hundreds of sites allow credit card gambling on sports or horse races, or on electronic versions of traditional games using cards or dice -- from online casinos to online bingo parlors. To avoid U.S. laws, most Internet gambling operations have located offshore, especially in the Caribbean and in Central America, where they are becoming important to the local economies. Electronic casinos might even float, with no fixed location, a virtual casino. Whose laws would apply then? Whether gambling should be a crime is debatable, but U.S. efforts to criminalize Internet gambling with legislation and using the FBI for enforcement will only induce the owners to cover their activities better. One might suspect that the larger motive is to protect U.S. gambling and lottery revenue, rather than protect U.S. citizens from unregulated gambling. For example, the only U.S. Internet lottery, run by an Idaho Indian tribe, seems under legal attack more because it is profitable and is cutting into the profits of others, than from any desire to curb crime or protect the youth.

Much of the current Internet gambling is credit card based, with US $10 minimum bets, and a recent lawsuit may cut into the ease of using credit cards, but the operators will find other ways to get money, since deposits into special accounts are easy to arrange.

Other Problems

Traffic in stolen information, including trade secrets, computer software, works of art such as music and videos, and phone and credit card numbers, is a major headache on the Internet that will continue indefinitely as a problem. The criminals advertise their services on the same Internet. They then proceed to use for their illegal acts the identical strong public-key cryptography (PGP, say) that supports privacy for normal users. Law enforcement agencies in the U.S. propose the elimination of strong cryptography as the solution. I find it sad to see such short-sighted policy. Even with no cryptography, criminals will find other ways to traffic in their stolen secrets. Equally important, these criminals will be able to disguise their use of cryptography. And ironically, the same strong cryptography can protect against computer crime, especially against intrusions by hackers and others. Society must make it harder to steal the data, harder to hack computer systems, as well as making it hard to traffic in stolen data. Interestingly, some illegal hacker activities serve only to support other illegal ventures, as with stolen phone credit numbers used for computer access.

The Internet is filled with bad information (how to build a bomb) and with incorrect information (cancer is really just an allergy). These are old problems, but the ease of use and rapid availability of the Internet have worsened them. The Internet has also made it far easier to disseminate and promote hate speech.

Countermeasures

For many of the evils and problems in this chapter, the U.S. is attempting legal remedies -- passing laws against activities on the Internet. So in a sense the Communications Decency Act (CDE) is a failed countermeasure, like the newer congressional proposals to outlaw Internet gambling. These measures try to legislate against human nature and are thus doomed to fail. In such areas a much better method is to de-criminalize, while controlling access of minors to the materials and services.

As for the evils of warfare, the crimes here are crimes against humanity. What could society do to make war impossible, to outlaw war? Not much, it seems, if the past is a guide. As with other crimes in this book, factors like poverty, population pressure, disease, and hunger promote war, so one belated strategy would strive to improve these factors. Rapid and open information about wars in progress may help keep them in check, while a huge technological lead (the current U.S. approach) only works in limited cases and until opponents catch up.

Mankind has mostly succeeded in outlawing the use of poison gas in wars, but the gas and other weapons of mass destruction are making a comeback. In a similar way anticipated computerized weaponry promises to bring war up to new levels of slaughter, with the prospect of tiny killer robots or with smart weapons that the armies might lose control of. Try to imagine the equivalent of land mines that are small, smart, and active -- seeking ways to kill. Humanity must find a way to prevent the manufacture of such weapons.

For years hackers and computer vandals, as well as true computer criminals, have been gaining ground in their efforts to break into computer systems. Such hackers can launch an automated software attack from their home with only a personal computer. In a matter of seconds, the attack can go forward and often succeed. The same techniques apply to cyber warfare.

People wanting an inexpensive full-featured operating system may install the Linux system (a version of Unix) on their hardware. Once connected to the Internet, such a system is in immediate peril from hackers unless a current list of security patches is also put in place. The person maintaining the system must continue adding these patches indefinitely. What does an attack get for the hackers? Many of these intruders are just looking for an interesting or sensitive file of data. They would also like to find passwords to continue their adventures. The Holy Grail of breakins is ``root access'' -- in Unix terms, permission to do anything at all on the system. With this privileged access they can create new accounts for themselves or load special software to make a later attack easy. Other more-serious criminals are after valuable information, while spies, terrorists, and agents fighting a war have grave objectives indeed.

Fortunately for society, strong measures are available to protect computers against the hackers, criminals, terrorists, and foreign agents. Companies and governments are implementing such measures now out of fears of major future attacks; successful past hacker attacks would give anyone pause. Though potentially effective, the measures are not yet widely used and not yet developed in a mature form.

Computer systems are vulnerable because of their complexity, their continual evolution, and the many services they provide. The complexity means that it is impossible to understand the system perfectly or to anticipate every possible attack. The evolution assures that there will always be new parts of the system to attack. Finally, the provision of services implies that a system is open to the outside world in many ways, and this openness to legitimate users provides multiple entry points for attackers.

One can protect a system by making it simple, with few services. For example, a system can be configured so that it sits waiting for a phone call that will give the proper password. If simple, unchanging software responds to a single correct password and to nothing else, then such a system may be secure against attack. This assumes that the password is hard to guess and that the system will not allow endless repeated login attempts using different passwords.

A system that accepts electronic mail from the outside may have many vulnerabilities. Hackers can sometimes trick the system into accepting mail and putting part of the mail into execution. This executing program then might take control of the computer. Since mail systems evolve, it is hard to protect against such weaknesses.

Similarly, any newly-installed software may have modifications incorporating hidden features that will carry out actions on the system the user did not intend. Software with such extra functions is called ``Trojan horse'' software, because it sits on a computer system like a wooden horse, full of enemy soldiers ready to emerge and wreck havoc at the proper signal. Viruses and logic bombs are special cases of this scenario. Legitimate users and even the system's own programmers and maintainers may be interested in subverting the system, making control all the harder.

One protection against bad software uses the authentication described in Chapter 6. In brief, each piece of software installed in a computer system would be authenticated as having no extra Trojan horse code, using cryptographic checks. One can also authenticate that the entire operating system on a computer is unmodified. The authentication system itself can be attacked, and there are many potential pitfalls, but if the authentication is done with care, one can be certain that the software running on each machine is without flaws or additions. Another approach (like the Java virtual machine, for example) runs programs in a controlled environment, where access of a program to local resources is strictly limited.

Now one needs to protect against unauthorized users coming into such a system. In one advanced approach, each user first signs on to a special authenticating computer. This computer checks that the user is legitimate and has the proper passwords or personal features or hardware ID. Then this authenticating computer issues the user an electronic ``ticket'' with which he can gain access to other computers on the system. The idea is that one gets nowhere without the proper ticket, and that only the authenticating computer will issue tickets. Cryptographic techniques protect against forged tickets. Cryptography also protects against listening in on the network the computers are attached to.

Many other techniques under development will improve computer security. For example, so-called ``firewalls'' protect against intrusion at the boundary between the outside world and the individual local network. Chapter 3 mentioned intrusion detection systems that check for successful attacks. Right now the hackers almost have the upper hand against computer users, but taken all together, the measures above and more refined versions should close the door on hacker attacks. However, computers may never be safe against an insider, the person programming that particular machine. To protect against such insiders, a company's own employees, the company must monitor them, pay them well, and do background checks when hiring.