Features

net.wars: Unsustainability

Let's face it: Las Vegas ought not to exist. A city in the middle of the desert that shows off extravagant water fountains. (No matter how efficient these are, they must lose plenty of water to the 110F dry desert air.) Where in a time of energy crisis few can live without cars or air-conditioning and many shops and hotels air-condition to a climate approximating that of Britain in winter. A city that specializes in gigantic, all-night light displays. And, a city with so little respect for its own history that it tears itself down and rebuilds every five years, on average. (It even tore down the hotel that Elvis made famous and replaced it.)

In fact, of course, the Strip is all façade. Go a block east or west and look at the backs of the hotels and what you see is the rear side of a movie set.

There is of course a real Las Vegas away from the Strip that's cooler and much prettier, but much of the above still applies: it is a perfect advertisement for unsustainability. Which is why it seemed particularly apt this year as the location for the annual Black Hat and Defcon security/hacker conferences. Just as Las Vegas itself is an exemplar of the worst abuse of a fragile ecosystem, so increasingly do the technologies we use and trust daily.

If you're not familiar with these twin conferences, they're held on successive days in Las Vegas in late July. At Black Hat during the week, a load of (mostly) guys in (mostly) suits present their latest research into new security problems and their suggested fixes. On Thursday night, (mostly) the same crowd trade in their (mostly) respectable clothes for (mostly) cargo shorts and T-shirts and head for Defcon for the weekend to present (many of) the same talks over again to a (mostly) younger, wilder crowd. Black Hat has executive stationery for sale and sit-down catered lunches; Defcon has programmable badges, pizza in the hotel's food court, and is much, much cheaper.

It's noticeable that, after several years when people have been arrested for or sued to prevent their disclosures (of vulnerabilities) a remarkable number of this year's speakers took pains to emphasize the responsible efforts they'd made to contact manufacturers and industry associations and warn them about what they'd found. Some of the presentations even ended with, "And they've fixed it in the latest release." What fun is that?

The other noticeable trend this year was away from ordinary computer issues and into other devices. This was only to be (eventually) expected: as computers infiltrate all parts of our lives they’re bringing insecurity along with them into areas where it pretty much didn't exist before. Electric meters: once mechanical devices that went round and round; now smart gizmos that could be remotely reprogrammed. Flaws in the implementation of SMS mean that phishing messages and other scams most likely lie in the future of our mobile phones.

Even such apparently stolid mechanisms such as parking meters can be gamed. Know what's inside those things? Z80 chips! Yes, the heart of those primitive 1980s computers live on in that parking meter that just clicked over to VIOLATION.

Las Vegas seems to go on as if the planet were not in danger. Similarly, we know – because we write and read it daily – that the Internet was built as a sort of experiment on underpinnings that are ludicrously, laughably wrongly designed for the weight we're putting on them. And yet every day we go on buying things with credit cards, banking, watching our governments shift everything online, all I suppose with the shared hope that it will all come right somehow

You do wonder, though, after two days of presentations that find the same fundamental errors we've known about for decades: passwords submitted in plain text, confusion between making things easy for users and depriving them of valuable information to help them spot frauds. The failure, as someone said in the blur of the last few days, to teach beginning programmers about the techniques of secure coding. Plus, of course, the business urgency of "let's get this thing working and worry about security later."

On the other hand, it was just as alarming to hear Robert Lentz, deputy assistant secretary of Defense, say it was urgent to "get the anonymity out of the network" and ensure that real-world and cyber identities converge with multifactor biometric identification in both logical and physical worlds. My laptop computer was perfectly secure against all the inquisitors at Black Hat because it never left my immediate possession and I couldn't connect to the wireless; but that's not how I want to live.

The hardest thing about security seems to be understanding when we really need it and how. But the thing about Vegas – as IBM's Jeff Jonas so eloquently explained@@ at etech in 2008 – is that behind the Strip (which I always like to say is what you'd get if you gave a band of giant children an unlimited supply of melted plastic and bad taste) and its city block-sized casinos lies a security system so sophisticated that it doesn't interfere with customers' having a good time. Vegas, so fake in other ways, is the opposite of security theater. Whereas, so much of our security – which is often intrusive enough to feel real – might as well be the giant plastic Sphinx in front of the Luxor.