Looking back to 8-bit computing to move forwards

In my third essay looking at increasing breaches of personal information through malware and questionable security practices, I will now take a look at existing computing systems.

As security breaches have become commonplace, with companies and governments ‘losing’ personal data, a new way of thinking and working with IT systems is required. There have been some recent high profile data losses, notably at eBay and Orange France, and in voice recording technology used by emergency services worldwide, while the fallout from the Heartbleed bug in OpenSSL’s code is still an unknown quantity.

Security researchers have complained that aggressive enforcement of the US Computer Fraud and Abuse Act (CFAA), a law dating from 1986, is making it risky to track down potential security vulnerabilities and exploits. The contradiction within government policy can be seen in another recent story, “White House and NASA gear up for National Day of Civic Hacking”, in which citizens are encouraged to find solutions to problems, technological or otherwise. That is at odds with a government using CFAA enforcement to deter security analysts from researching flaws.

With the ever increasing threat from malware affecting modern operating systems of all flavours, should we be looking at either not storing personal information on computing systems at all, or returning to less complex operating systems? Should we be reviving 8-bit home computer booting practices to protect personal data?

I recently wrote about George RR Martin’s use of a DOS based computer running WordStar to write the Game Of Thrones novels. The lack of connectivity and the use of a less advanced computer system protect Mr Martin’s work. I suggest in this article that maybe we should be looking back to the 1980s and early 1990s of 8-bit and possibly 16-bit home computing to look forwards again.

Because boot-sector malware (viruses and, later, bootkits) kept subverting the legacy BIOS boot path, UEFI (Unified Extensible Firmware Interface) gained Secure Boot, which checks a signature on the boot loader before running it. While Secure Boot reduces that particular threat on systems that enforce it (Windows 8 onwards, and Linux distributions booting through a signed shim), the vast complexity of a modern operating system, and the predominantly closed source code of Windows and Mac OS, make it hard for security experts and dedicated bug hunters to find flaws. Open source code suffers from vulnerabilities for the same reason: a bug can hide among many thousands to millions of lines of code. The Heartbleed bug in OpenSSL, an open source library, is a case in point.

So what could be done to mitigate the ever increasing threat from malware? I don’t think it would be a bad thing to have a modern UEFI firmware which boots into BASIC (computer language) command line interpreter interface with a limited operating system, something like CP/M or DOS, and not just for nostalgic reasons. Other computer languages could be used beyond BASIC if required, such as Pascal, Python, or one of the many flavours of C. However the simpler and less complicated, the better.

From the command line interpreter, extensible commands could be executed to load BASIC programs, or for switching over to an extended OS enabling other more advanced operating systems to be loaded, such as a full-blown modern OS (Windows, Mac OS, BSD/Linux), should it be required. Programs could be created from the UEFI boot-time programmable language interpreter (UEFI-BPLI) interface to run. The chosen language could have a positive impact in getting us all to understand more about the computing technology we use today.

To a certain extent this already exists with programmable microcontroller systems, such as the Arduino and add-on boards for the Raspberry Pi. However, with small pocket computers booting straight into an OS rather than an interpreter interface, a trick is being missed. One can understand the commercial reasons why computers do not boot into a BASIC interpreter today: most people would not know what to do, and its selling potential as a startup project could be greatly diminished. But I do believe that with the substantial threat of modern malware, and the ability to run 350 billion guesses a second against a password hash file, there is not only the scope but also a need for UEFI boot-time programmable language interpreter (UEFI-BPLI) computer systems to exist, and not just for pocket computers but for all.

The interface does not have to be ‘Jurassic’. It can have copy, cut and paste functions, a clipboard, a built-in text processor (Emacs, WordStar, WordPerfect or Scrivener) for writing documents and programs, and even a built-in GUI based IDE (Integrated Development Environment) with all the necessary libraries for the chosen programming language, for those who would rather program in a GUI than in a text processor. All of this would be available within the firmware at boot-time from its initial command line interface, with a simple CP/M or DOS based OS; think modern ZX Spectrum, Acorn Electron or Commodore 64. To run the programming GUI one could type something like RUN “GOGUI”; to run the built-in text processor, something like RUN “GOWP”. DOS commands would run directly from the CLI to load programs from disk, such as LOAD “PROGRAM”. All other clutter found on modern operating systems is removed, including network/Internet connectivity, until one chooses to boot to a full OS… LOAD “PC-DOS”, LOAD “WindowsOS”, LOAD “MacOS” or LOAD “LinuxBSD-OS”, etc.

Other potential benefits include running a word processor from firmware without the additional clutter that comes with many modern GUI (and some non-GUI) operating systems. Files could be saved to disk, such as a USB flash drive, with SAVE “FILENAME”. Applications could be run directly from the computer’s firmware (UEFI) based boot-time programmable language interpreter (BPLI), rather than having to load a complex modern operating system first. With no form of network connectivity enabled by default, documents could be worked on in a more secure environment, and encrypted if additional layers of security were required.
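To make the boot-time command set described above concrete, here is a small interpreter in Python. It is an added example written for this page, not the author’s design or any shipping firmware. It borrows the LOAD, SAVE and RUN commands from the essay; the LIST command, the two built-in program names GOWP and GOGUI, the storage directory and the filename rules are assumptions made for the example. The security point it shows is that the whole command vocabulary is a fixed allowlist: unrecognised input is refused rather than handed to a shell, and a name such as ../etc/passwd is rejected twice, once by the name rule and once by a path check, before it can reach the filesystem.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# The complete command vocabulary; anything else is refused, never passed to a shell.
_COMMAND = re.compile(r'^\s*(LOAD|SAVE|RUN|LIST)\s*(?:"([^"]*)")?\s*$', re.IGNORECASE)
# Names: 1 to 32 characters, first one alphanumeric, no path separators, so
# "..", "/" and "\" can never appear in a name that reaches the filesystem.
_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}$')
# Programs assumed to be built into the firmware for this example.
BUILTINS = {"GOWP": "built-in word processor", "GOGUI": "built-in GUI IDE"}


class CommandError(ValueError):
    """Raised for any line the interpreter refuses to execute."""


def parse(line: str) -> Tuple[str, Optional[str]]:
    """Turn one input line into (COMMAND, name or None), or raise CommandError."""
    match = _COMMAND.match(line)
    if match is None:
        raise CommandError(f"unknown or malformed command: {line!r}")
    command, name = match.group(1).upper(), match.group(2)
    if command in ("LOAD", "SAVE") and not name:
        raise CommandError(f"{command} needs a quoted name")
    if name is not None and not _NAME.match(name):
        raise CommandError(f"bad name {name!r}: letters, digits, . _ - only")
    return command, name


def rejects(line: str) -> bool:
    """True if parse() would refuse the line."""
    try:
        parse(line)
    except CommandError:
        return True
    return False


class Interpreter:
    """One document or program in memory, plus a directory it may read and write."""

    def __init__(self, storage: Path):
        self.storage = Path(storage).resolve()
        self.storage.mkdir(parents=True, exist_ok=True)
        self.buffer = ""  # what LOAD fills and SAVE writes out

    def _path(self, name: str) -> Path:
        # The regex already forbids separators; confirm anyway that the resolved
        # path is a direct child of the storage directory.
        path = (self.storage / name).resolve()
        if path.parent != self.storage:
            raise CommandError(f"refusing to leave storage directory for {name!r}")
        return path

    def execute(self, line: str) -> str:
        command, name = parse(line)
        if command == "SAVE":
            self._path(name).write_text(self.buffer, encoding="utf-8")
            return f"saved {name}"
        if command == "LOAD":
            path = self._path(name)
            if not path.is_file():
                raise CommandError(f"no such file: {name}")
            self.buffer = path.read_text(encoding="utf-8")
            return f"loaded {name} ({len(self.buffer)} characters)"
        if command == "RUN":
            if name is None:
                return "running program in memory"
            if name not in BUILTINS:
                raise CommandError(f"no built-in program {name!r}; LOAD it first")
            return f"starting {BUILTINS[name]}"
        return "\n".join(sorted(p.name for p in self.storage.iterdir()))  # LIST


def demo_session() -> List[str]:
    """Run a scripted session in a throwaway directory and return each response."""
    script = ('SAVE "LOOP"', 'LOAD "LOOP"', 'RUN "GOWP"', 'LIST',
              'LOAD "../etc/passwd"', 'DIR C:\\')
    responses = []
    with tempfile.TemporaryDirectory() as tmp:
        interp = Interpreter(Path(tmp))
        interp.buffer = '10 PRINT "HELLO"\n20 GOTO 10\n'  # constructed sample program
        for line in script:
            try:
                responses.append(interp.execute(line))
            except CommandError as err:
                responses.append(f"error: {err}")
    return responses


if __name__ == "__main__":
    for response in demo_session():
        print(response)
```

The interpreter never builds a shell command from user input, which is the property that matters: extending it means adding a word to the allowlist and a branch to execute(), so every reachable action remains visible in one place for review.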

One could even go further and include within the BPLI not just a text or word processor but a whole office suite of applications, all thoroughly tested for security flaws before building the firmware. To some extent this happens with tablet computers and mobile phones, but their focus is on Internet connectivity. The purpose of the BPLI is to have no Internet connectivity at boot time, and to use the programming interface, or the built-in word processor, with security at its heart.

Setting up web-based cloud storage systems so that no personal identifying information is stored on any public network, but only in private LANs with encrypted SQL (see essay Ubiquity and pervasiveness of SQL DBs) and secure web services running directly off a boot-time programmable language interpreter (BPLI) will also help to reduce the risk of data becoming compromised.

If changes are not made in how personal data is stored and accessed, governments and companies should return to using paper hard copies for confidential and personal information.

Additionally a BPLI based computer could be created where any file (whether it is a word-processed document, spreadsheet, a picture, audio, video, database, etc.) that contains personal or other sensitive information, incorporates tracking code into the document which is re-compiled each time on every BPLI system the document is accessed on, with preventative measures from opening on a non BPLI computer system. Within the document’s encoding is included not only the computer’s unique information (including processor information, network card & LAN IP address information where applicable for cloud based computing, board serial number, date & time, etc.) and GPS data, but also the bio data of every person who accesses that file is recorded and incorporated, while applying quantum encryption to prevent tampering. This will reduce the level of abuse to personal data and prevent multiple copies from finding their way out onto the Internet.

While this sounds a bit sci-fi, it may not be too long before the technology to implement it is widely available. The D-Wave computer has recently been reported to show signs of quantum entanglement.

If companies and governments want our personal data digitally they should make sure it is 99.999r% safe and secure. If not, they should go back to paper and filing cabinets. The simple truth is that today a more secure computer system is one that is not Internet or network connected in any way, and most likely runs an older (and obsolete) operating system with no Bluetooth, no Wi-Fi and no cabled LAN card. Going to the Nth degree, computer systems should also be placed inside a Faraday cage, as seen in the film Enemy of the State, and locked in secured bunkers.

Without new ideas such as those outlined in this and previous essays, for example a boot-time programmable language interpreter (BPLI) which runs a DOS and GUI interpreter system with data and bio encoding, circumventing the need for ever more complicated modern operating systems, malware risks not only damaging the reputation of ‘the Internet’ as safe to use, but also putting at risk the advancement of commerce and public use of networked computer systems such as ‘the Internet’. Ensuring that personal identifying information, including associated metadata and data used in financial transactions for commerce, is securely locked away is of paramount importance, else the dissolution of Internet commerce could occur.

There are none so deaf death than those who clutch its straws.


Personal data, bugs and security breaches

This is the first in a series of 3 essays, looking at malware’s far reaching consequences to personal information and questionable security practices some organisations implement.

Protecting one’s personal data is becoming more difficult as security breaches of companies and governments advance at pace. There have been some recent high profile data losses, at eBay, shoe retailer Office, music service Spotify and gaming platform Steam over a two week period. What one might think would normally be a trickle of data breaches has turned into a torrent.

With this increased threat from malware exploiting bugs within software code, and some organisations implementing poor security practices, a basic understanding of how one can protect personal data from the next hack like eBay’s is necessary. There are many news articles on ways one can protect personal data following the attack on eBay’s systems and the breach of a database containing approximately 233 million customer records.

eBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth which were not encrypted. The site has 233 million customers worldwide, including more than 14 million active in Britain.

After the hack of Sony’s unencrypted personal user records, in July 2011 I wrote a brief security guide on protecting your login identity. While this article requires some updating, much of this guidance remains valid and relevant with the increasing use of SQL databases, while companies and governments are amassing huge dossiers on individuals with their computer systems being breached.

Before the dot-com bubble burst around 2000, companies with an on-line presence would generally only request an email address and a password to use their service. Wind forward 10 years and on-line services from game playing, shopping, booking hotels and email through to government services ask for all sorts of personal identifying information. If this trend of intrusion into personal data by companies and governments continues, it will not be long before ID photos are requested along with one’s eye colour, etc. With personal information being stored on private networks that often have public access, and worse on public facing servers too, the scope and scale of malicious attacks will increase.

Go back 50 years, to the creation of the BASIC programming language: cheques were used, banks had awkward opening times, debit cards, let alone chip and PIN, were not even a thought, and cash was the favourite token of exchange. Into the 1970s came ATM cash cards, so money could be taken out when the bank was closed. In the UK and Ireland cheque guarantee cards became widely used around the early 1970s, and later merged with ATM cash cards during the 1980s. Spin forward into the 21st century and debit cards are ubiquitous, along with the growing spread of contactless payment. Information technology has transformed the way we can access services and collect and use information; however, it has made criminal activity easier too.

Often there is a willingness to share too much personal identifying information on-line with social networking sites, and some of these companies (Facebook, Google, Yahoo, LinkedIn and many others) have become very competent at harvesting that data and commodifying it. The collected data is then sold on in various formats to other companies and governments to ‘enable’ a wide range of services from ‘targeted advertising’ through to nefarious purposes. There is also a growing trend of governments and businesses (tax & welfare, banking, utility companies, etc.) forcing people into using on-line services and removing paper versions.

Mass marketing, media and other information strategies have successfully sold the notion that individuals should publish on-line as much information as possible about themselves. This includes a growing trend of pushing people into publishing CVs publicly for the world to see, along with a LinkedIn profile; there are huge risks in publishing so much personal information about oneself. It is very easy for any business, government or individual with a bit of know-how to aggregate this information to form a dossier. This increased intrusion is by no means harmless, or even ’mostly harmless’.

Google co-founder Larry Page spoke out about the recent European ruling with the ‘right to be forgotten’ suggesting that:

The EU’s “right to be forgotten” ruling risks empowering repressive governments and their control of the internet, Google’s chief executive, Larry Page, warned.

What was not said by Mr Page is just as important: if data is removed from Google’s servers under the “right to be forgotten” it could hurt Google’s business model of harvesting and selling personal data to ad agencies and other organisations. The change in EU law will not prevent Google from harvesting personal information and tracking user activity through its search engine, cookies and other methods. Google will simply make the data not publicly visible, just as Facebook does when you “delete” information. Information once out there on the net is never really deleted, just hidden from view.

Google claims to want net neutrality, and its motto is “Don’t be evil”. Having the right balance is key, as shown by the revelations of former US security contractor Edward Snowden published in the Guardian’s NSA files. The same analysis can be applied to other information aggregators with search engine provision, such as Microsoft’s MSN/Bing, Yahoo, Lycos, etc. DuckDuckGo is a search engine provider with a no-tracking policy.

There is often the pretence that personal data will be kept safe on servers, but in reality this can never be guaranteed. Mass storage of information has become possible through the use of databases, in particular SQL (Structured Query Language) databases. Databases are not new, but their spread into modern technology has grown more rapidly than an invasive weed or pest. As with any tool, it is not the SQL database per se where the problem lies, but the use the harvested information is put to.

There are a growing number of IT experts who suggest not handing over your personal data if you think a company is asking too much, and consider if you really need to use that service.

Rik Ferguson vice president of security research at Trend Micro recently told the Guardian:

“It’s all very well telling everyone to go out and change their passwords, but you can’t go and change your postal address, telephone number, name and date of birth.”

“All organisations that hold any sort of private or financial information should absolutely be encrypting that data at all times – there is no excuse for not doing so.”

Companies ‘lose’ personal data by many means, from lax security through to attacks on their systems, and the rate of security breaches has increased alarmingly over the past few years. Since the mid-2000s, as computers have become rapidly more powerful and software more complicated, the power and potential to crack and be cracked has increased dramatically. However private business is not the only type of organisation to ‘lose’ personal data.

Several cases of information breaches and bad practice exposing personal data within government organisations have occurred. For example in November 2007 it was reported that HMRC lost 25 million personal records including bank account details and NI numbers: the data was put on CDs and sent through the post, unencrypted save for a password on the zip file, which is not difficult to break. Wikipedia has a list of publicly known government data breaches.

Encryption is often loudly voiced as the answer to protecting data. However encrypting data is not enough in itself to keep information secure. Stolen password hashes can be cracked offline, and where an encryption key is derived from a user’s password, a cracked password decrypts the data. Worse still, bugs in encryption software can open a back door into what one thought was secure. The recent announcement on the TrueCrypt site telling users to switch to rival encryption software is troubling and leaves many unanswered questions.

Using complicated passwords should in theory be enough to protect your login account, and for the most part it is, for the moment. However as computing power has leapt forward, analysts and password crackers can build systems that run 350 billion guesses a second. That figure came from a 25-GPU cluster attacking unsalted NTLM hashes, a deliberately fast hash; a slow, salted password hash such as bcrypt, scrypt or PBKDF2 with a high iteration count cuts the guess rate by orders of magnitude, so the hash the service chose matters as much as the password. Advice from some IT analysts is to create a passphrase and not a password, or use a password manager.
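The point above about stolen hashes being cracked offline, and the 350 billion guesses a second figure, both come down to the cost of one guess, which the defender sets by choosing the hash. The following Python script is an added example written for this page (not from the essay or any cited product): it compares worst-case crack times against a fast unsalted hash with those against salted PBKDF2-HMAC-SHA256, and shows a salted hash-and-verify routine. The iteration count, the 7776-word list size and the simplifying assumption that one PBKDF2 iteration costs about as much as one fast-hash guess are assumptions, not measurements.

```python
import hashlib
import hmac
import math
import os

# Guess rate quoted in the essay: 350 billion/s, measured against unsalted NTLM.
FAST_RATE = 350e9
# Assumed PBKDF2-HMAC-SHA256 iteration count (OWASP's 2023 recommendation).
PBKDF2_ITERATIONS = 600_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every secret of the given entropy at this rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def slow_hash_rate(fast_rate: float, iterations: int) -> float:
    """Assumption: one PBKDF2 guess costs `iterations` hash calls instead of one,
    so the same hardware manages roughly fast_rate / iterations guesses a second."""
    return fast_rate / iterations


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random 16-byte salt is stored with the hash,
    so identical passwords give different records and precomputed tables do not apply."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_time_table() -> dict:
    """Worst-case years to exhaust three kinds of secret at both guess rates."""
    secrets = {
        "8 chars, 95 printable ASCII": entropy_bits(95, 8),
        "12 chars, 95 printable ASCII": entropy_bits(95, 12),
        "5 random words from a 7776-word list": entropy_bits(7776, 5),
    }
    slow = slow_hash_rate(FAST_RATE, PBKDF2_ITERATIONS)
    return {
        name: {"fast_hash": years_to_exhaust(bits, FAST_RATE),
               "pbkdf2": years_to_exhaust(bits, slow)}
        for name, bits in secrets.items()
    }


if __name__ == "__main__":
    for name, years in crack_time_table().items():
        print(f"{name:38s} fast hash: {years['fast_hash']:10.2e} y"
              f"   PBKDF2: {years['pbkdf2']:10.2e} y")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
```

Under these assumptions an 8-character random password falls in hours against the fast hash but takes centuries against PBKDF2, and a five-word passphrase is worth about as much as a 10-character random one. The numbers are only as good as the assumed cost ratio; the conclusion that the defender’s choice of hash moves the attacker’s work by the iteration count does not depend on it.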

With multiple sophisticated malware present on the net, it is not too difficult to breach a computer network. The Heartbleed bug is one of the more serious programming flaws of recent years. Modern programs are built from hundreds of thousands to millions of lines of code, which creates problems for software developers because mistakes occur through human error. Other threats come from software written to harvest information or to destroy, and such malware is not only created by frustrated teenagers (the popular media-driven stereotype) in their bedrooms, angry at the current sociopolitical structures.

Stuxnet is a worm reported to have ruined almost one-fifth of Iran’s nuclear centrifuges. There are suggestions that government agencies in the US collaborated with other governments to create it. Stuxnet then escaped into the wild, where anyone could find it on the net. The use of malware by state agencies was also reported in the Snowden files.

To protect yourself one should think carefully about what sort of information is released onto the net. Once uploaded, it is very difficult to remove. While pen names (and other substituted information) can be used for certain services, this is not possible for all on-line services, such as with government. Stronger legal measures and sanctions should be enforced on companies and governments who fail to keep personal data secure.

With the recent campaign for the right to be forgotten on the net, a new legal framework could be employed that not only allows individuals to have a legal right to control their personal information, but also restricts companies and governments access to their personal data.

On-line services should only require an email address and password. Other personal identifying information should only be temporarily held for official purposes, such as a financial transaction. Following the completion of the data’s use it should be classified as obsolete, with personal data being removed within a short period. This won’t solve all of the problems where data breaches occur with personally identifying information, but it would go a long way to reduce the damage caused.

I shall be following up with two further essays continuing this discussion on malware’s far reaching consequences to personal information, with further recommendations and solutions, which could reduce the risk of data theft.

As BASIC celebrates 50 years, a revival is needed

On 1st May 1964 the BASIC (Beginner’s All-purpose Symbolic Instruction Code) programming language was born when, at 4 a.m., Professor John G. Kemeny and a student programmer simultaneously typed RUN on neighbouring terminals in the basement hall of Dartmouth College in New Hampshire. When the correct answers to their programs came back, BASIC, designed by Kemeny and fellow professor Thomas E. Kurtz, was officially alive. Together with the Dartmouth Time-Sharing System that ran it, the innovation put time-sharing into practice and set in motion a chain of events which would lead to computers becoming available to all.

At the time, computers were generally used by science and mathematics students, and required custom written software. Data and programs were often stored on punch-cards and paper tape [Footnote 1], with magnetic tape being introduced in 1951. During the 1970s there was rapid growth in different flavours of BASIC, additional functions were added with extra structuring keywords and advanced floating-point operation features.

With the introduction of 8-bit home computing, from the ZX-81, Commodore VIC-20, ZX Spectrum, Commodore 64, BBC Micro & Acorn Electron, Amstrad CPC 464 and other models and makes of the 1980s, versions of BASIC became widespread and were often integrated into the computer’s firmware (ROM chip) along with an interpreter and operating system commands. Cassette tapes were used for data storage and retrieval initially and later floppy disks.

ZX Spectrum BASIC example

Upon powering on a home micro an interpreter prompt would be displayed; this enabled writing BASIC programs or executing commands built into that hardware platform’s operating system. For example, to load a word processor package (e.g., Tasword) from cassette one would type LOAD “” and press Enter, then play the tape. Friends with an attached Interface 1 and Microdrives, or floppy disks on the later ZX Spectrum +3 (Amstrad), could load data at a much faster rate than cassette tape.

With the growth of 8-bit home computing, complete source code for computer games and other programs were published in magazines and books. In the UK the BBC embarked upon a Computer Literacy Project using BBC BASIC. Over the years BASIC has continued to develop, notably with Microsoft’s Visual Basic. Some teaching guides such as the AQA A/AS Level Computing books still provide examples in Microsoft Visual Basic, however this version of BASIC is closer in structure to Python or Pascal rather than 8-bit computer BASIC.

ZX Spectrum Keyboard

Higher level languages such as Pascal and Python can be confusing to someone who has never seen program code before, and absolute beginners could also start with Scratch. While BASIC was not liked by all programmers, I believe it is still an excellent introductory path to learning how to program. Once one has got to grips with programming in a BASIC, whether ZX Spectrum, BBC, True BASIC or any other flavour, the next step would be to move on to Pascal, Python or Microsoft Visual Basic.

There are many Integrated Development Environments (IDEs) available to write programs in, such as Microsoft Visual Studio on Windows, Xcode on Mac OS, or on Linux/BSD (and Windows & Mac) Code::Blocks and Qt Creator.

However, if one wants to go retro to get to grips with coding, a ZX Spectrum or BBC Micro emulator can be loaded onto a Windows, Mac or Linux/BSD computer. Excellent resources to start with are World Of Spectrum and BBC BASIC. Alternative hardware platforms to desktop and laptop computers are available for learning how to program, notably the Raspberry Pi.

Programming will open a whole world of fun, thinking logically and aid in the learning of algorithms. Problem solving skills will be acquired along the way, and with the growth of coding clubs, opportunities are available to learn in a group.

While the days of the 8-bit home computer hardware with built-in BASIC interpreter have been superseded by more advanced processor technology, and some may believe that technology has progressed beyond BASIC programming,

the age of Basic programming has gone

this need not be the case. With 8-bit emulators (ZX Spectrum, BBC Micro, et al.) available to run on Windows, Mac OS, Linux/BSD operating systems, and RISC OS available for the Raspberry Pi, BASIC programming is available for all to start learning.

Footnotes.

[Footnote 1] 1. Magnetic drums were widely used during the 1950s-1960s for computer memory, which was superseded by magnetic-core memory. Later followed transistor memory, and with the invention of semiconductor circuits the first RAM chips were used during the late 1960s, becoming commercially available in October 1970 with the Intel 1103.

Resources.

BBC BASIC
World of Spectrum
Visual Basic
Code Club
Coding Club
Computing for teachers
Raspberry Pi

WordStar used to write Game of Thrones

BBC News reported on 14th May that Game of Thrones author, George RR Martin, still uses WordStar 4 on a DOS based computer.

The Game of Thrones author has revealed that he did not want a modern word processor amending his writing as he typed, did not fear a virus (malware) deleting his work, and did not want an auto-correcting spell checker changing words not recognised in a fantasy novel.

Mr Martin said:

“I actually like it, it does what I want a word-processing programme to do and it doesn’t do anything else. I don’t want any help, you know?

“I hate some of these modern systems where you type a lower case letter and it becomes a capital. I don’t want a capital. If I’d wanted a capital, I’d have typed a capital. I know how to work the shift key. Stop fixing it.”

Mr Martin further expanded his explanation saying:

“I actually have two computers. I have the computer that I browse the internet with, that I get my email on and I do my taxes on. Then I have my writing computer, which is a DOS machine not connected to the internet. Remember DOS? I use WordStar 4.0 as my word-processing system.”

Prior to Mr Martin talking on the Conan O’Brien show about his use of WordStar 4 on a DOS based computer, he previously revealed in a blog posting in February 2011:

“I am a dinosaur, as all my friends will tell you. A man of the 20th century, not the 21st.”

Why should such revelations produce a mini media storm? Possibly because many have bought into the idea of upgrading to the latest product and throwing out the old. However newer does not always mean better; it means different, occasionally less complex but generally more so. Having used computers since the days of the 8-bit home computer, from the ZX Spectrum onwards, it is refreshing to hear what I believe to be a positive IT story.

There is much about data loss, bugs and potential compromise in the news currently, almost on a weekly basis (and sometimes daily) it seems… Orange France, Heartbleed, PayPal and eBay… to mention a few recent stories.

An important issue of connectivity has been overlooked with this micro media storm. The very lack of connectivity and complexity George RR Martin employs for writing, is the very same thing which protects his work from malware, cyber espionage, buggy software and frustrating “features” found in many modern word-processing applications and IT.

However, Mr Martin is no ‘dinosaur’.

Why… George RR Martin’s use of WordStar 4 on a DOS system not internet connected, with no auto-correct or other such features is a sensible precaution for a well known writer and author. Mr Martin also uses a newer internet connected computer for email, internet browsing and other tasks.

Being able to word-process on a computer is a great leap over using a mechanical type writer with an ink ribbon in terms of easily redrafting material, although there is a loss in tactile feedback. In drafting this article I have chopped, changed, added and removed words, sentences and whole paragraphs, and corrected the auto-correct spell checking corrections. Note: this article was drafted using a word processor.

WordPerfect 5.1 DOS based word processor

I remember using WordStar at college many moons ago on an Amstrad PC1512 running CP/M/PC-DOS, using Pen Pal 1.5 and Final Writer on a Commodore Amiga (16-bit home computer), and also using WordPerfect 5.1 on Windows 3.1x from a DOS shell; reveal codes was a very useful feature in WP5.1.

I do have nostalgic moments, more often as I get older and when reading about the latest “security breach” of a company’s servers. It may be time to look back to older technology to move forwards from the spate of malware which can infect modern operating systems and applications.

A computer that boots into an enhanced command line or shell BASIC (computer language) interface from firmware, which can subsequently load a modern OS from a simplified DOS through to a modern GUI (Graphical User Interface) desktop if required, may not be a bad thing. Beyond nostalgia, booting to a shell running BASIC may also encourage computer users into learning BASIC programming language, like the ZX Spectrum or BBC Micro & Acorn home computers.

BASIC is still a taught computer language and a good place to start learning computer programming. BASIC is popular on the Microsoft platform in the form of MS Visual Basic and VB.NET, and BASIC interpreters are available for many other platforms too. For an excellent wiki containing a vast repository of programming language information, please visit RosettaCode.org.

Turning on a modern mobile phone, tablet, laptop or desktop computer and using one’s WIMP (windows, icons, menus, pointer) interface or hand gestures to navigate is all well and good, and makes life somewhat easier with modern operating systems. Having 24/7 Internet connectivity with constant updates from social media sites may be useful too at times. However…

Modern malware is exploiting the complexity of modern operating systems, applications, social networking and other on-line connectivity, leaving many tech users in the dark. So should we be looking back to 8-bit or 16-bit computing, or a BASIC interpreter interface, to move forward? We don’t need to throw the rubber duck out with the bath water, but creating a computer system which encourages learning how to program, combined with at least a moderate understanding of how a computer works, would not be a bad thing.