Pages, some stolen, some original

Monday, July 16, 2018

Secret City


Secret City - Trailer season 1

Short (6 episodes) series about modern-day espionage in Australia. The arch villain reminds me of Hillary Clinton. That's not a coincidence, is it?

Everyone is chasing a SIM card from a smart phone. Supposedly it contains a secret that someone is willing to kill to protect. The government security outfits (an alphabet soup of acronyms, much like what we have here in the USA) are very interested in this tiny little computer part.

One government agency has a TSA-like security protocol for anyone coming into the building. They even have cell phone lockers where employees can leave their smart phones when they come into the building. But the employees use computers inside the building that are connected to the outside world. How secure is that? It could be very secure if the people who are in charge of computer security know what they are doing, but if they are using any kind of commercial software there are going to be holes.

The problem is the way modern computers use RAM (random access memory). Any computer program is composed of two parts: code and data. The code is the program (the sequence of instructions) that the CPU (central processing unit) executes, and the data is what those instructions operate on. Both code and data reside in RAM, and while there are flags that can be set that will tell you whether a particular block of RAM contains code or data, those flags can be changed, so what was once data can now become code and vice versa.

You can test your code all you want, verify that it has no holes and will not let anyone do anything that would allow the release of confidential information, but if you allow a program to change that flag on a block of data (which undoubtedly came from outside), you will now have a wild program running loose in your system.

Modern commercial computer software does this all the time. JavaScript, which is what every web app (application program) in the world uses, comes down the pipe as data and is fed to the JavaScript engine which interprets the JavaScript instructions and executes bits of code as instructed. Now the JavaScript engine may be very secure, but unless someone you trust has gone through it and verified that it cannot possibly do anything bad, how do you know? And is it even possible to verify it? I suppose, if you have set up some hard and fast boundary conditions, it might be.

Java, on the other hand, is not allowed on Chromebooks because it cannot be contained. You could make a Java interpreter that was constrained, but that is another software project that would need to be tested, vetted and verified.

I'm thinking if you want a secure computer system, you would need to write the code yourself, which means you are going to need an army of programmers. Big government agencies can afford that, but there are not too many people who are creative enough to write code and are docile enough to work with the restrictions imposed by working for a big Federal agency. Plus, programmers are people too, so some of them are liable to take shortcuts, like 'borrowing' code from outside. And there might be a point where your system becomes so complex it is not possible to know whether every component has been rigorously tested and is known to be secure.

All it takes is one little loophole known to one guy and the whole thing can be compromised.
