In my third essay looking at increased breaches of personal information through malware and questionable security practices, I will now take a look at existing computing systems.
As security breaches have become common practice with companies and governments ‘losing’ personal data, a new way of thinking and working with IT systems is required. There have been some recent high-profile data losses, notably with eBay, Orange France, and voice recording technology used by emergency services worldwide, and the fallout from the Heartbleed bug in the OpenSSL program’s code is still an unknown quantity.
Security researchers have complained about how the recent introduction of the US Computer Fraud and Abuse Act (CFAA) is making it difficult to track down potential security vulnerabilities and exploits. The dichotomy of policy makers within government can be seen with another recent story where the “White House and NASA gear up for National Day of Civic Hacking”. Citizens are encouraged to find solutions to problems, technological or otherwise. This is at odds with government wanting to suppress security analysts from researching flaws through CFAA enforcement.
With the ever-increasing threat from malware affecting modern operating systems of all flavours, should we all be looking at either not storing personal information on computing systems or returning to less complex operating systems? Should we be reviving 8-bit home computer booting practices to protect personal data?
I recently wrote about George RR Martin’s use of a DOS-based computer running WordStar to write Game Of Thrones novels. The lack of connectivity and the use of a less advanced computer system protect Mr Martin’s work. I suggest in this article that maybe we should be looking back to the 1980s and early 1990s of 8-bit and possibly 16-bit home computing to look forwards again.
Due to the ever-growing problems of malware (viruses) affecting boot sectors, EFI/UEFI (Unified Extensible Firmware Interface) was developed. While UEFI will reduce the threat on Windows and Unix/Linux (including Mac OS X) based operating systems, the vast complexity of modern operating systems, and the predominantly closed source code of Windows and Mac OS, make it challenging for security experts and dedicated bug hunters to find vulnerabilities. Open source code also suffers from vulnerabilities due to the vast, complex nature of programs, where bugs can be hidden within many thousands to millions of lines of code. The Heartbleed bug within OpenSSL open source code is a case in point.
So what could be done to mitigate the ever-increasing threat from malware? I don’t think it would be a bad thing to have a modern UEFI firmware which boots into a BASIC (computer language) command line interpreter interface with a limited operating system, something like CP/M or DOS, and not just for nostalgic reasons. Other computer languages could be used beyond BASIC if required, such as Pascal, Python, or one of the many flavours of C. However, the simpler and less complicated, the better.
From the command line interpreter, extensible commands could be executed to load BASIC programs, or for switching over to an extended OS enabling other more advanced operating systems to be loaded, such as a full-blown modern OS (Windows, Mac OS, BSD/Linux), should it be required. Programs could be created from the UEFI boot-time programmable language interpreter (UEFI-BPLI) interface to run. The chosen language could have a positive impact in getting us all to understand more about the computing technology we use today.
To a certain extent this already exists with programmable microcontroller systems, such as Arduino and add-on systems for the Raspberry Pi. However, with small pocket computers booting straight into an OS and not an interpreter interface, a trick is being missed. One can understand the commercial implications of why computers don’t boot into a BASIC interpreter today: most people would not know what to do, and its selling potential as a startup project could be greatly diminished. But I do believe with the substantial threat of modern malware and the ability to run 350 billion guesses a second on a password hash file, there is not only the scope but also a need for UEFI boot-time programmable language interpreter (UEFI-BPLI) computer systems to exist, and not just for pocket computers but for all.
The interface does not have to be ‘jurassic’. It can have copy, cut & paste functions, contain a clipboard, include a built-in text processor (Emacs, WordStar, WordPerfect or Scrivener) for writing documents and programs, and even run a built-in GUI-based IDE (Integrated Development Environment) with all the necessary libraries available for the chosen programming language, for those who want a GUI to program in rather than use a built-in text processor. All of this functionality would be available within the firmware at boot time from its initial command line interface, with a simple CP/M or DOS-based OS; think modern ZX Spectrum, Acorn Electron or Commodore 64. To run the programming GUI one could type something like RUN “GOGUI”. To run the built-in text processor, one could type something like RUN “GOWP”. DOS commands would run directly from the CLI to load programs from disk, such as LOAD “PROGRAM”. All other clutter found on modern operating systems is removed, including network/Internet connectivity, until one chooses to boot to a full OS… LOAD “PC-DOS”, LOAD “WindowsOS” or LOAD “MacOS” or LOAD “LinuxBSD-OS”, etc.
Other potential benefits would be running a word processor from firmware without the additional clutter that comes with many modern GUI (and some non-GUI based) operating systems. Files could be saved to disk, such as a USB flash drive, with SAVE “FILENAME”. Applications could be run directly using the computer’s firmware (UEFI) based boot-time programmable language interpreter (BPLI), rather than having to load a complex modern operating system first. With an option not to enable any form of network connectivity by default, documents could be worked on in a more secure environment and encrypted if additional layers of security were required.
One could even go further to include within the BPLI not just a text or word processor, but a whole office suite of applications, all thoroughly tested for security flaws before building the firmware. To some extent this happens with the likes of a tablet computer or mobile phone, but their focus is on Internet connectivity. The purpose of the BPLI is to have no Internet connectivity at boot time, and to use the programming interface, or the built-in word processor, with security at its heart.
Setting up web-based cloud storage systems so that no personal identifying information is stored on any public network, but only in private LANs with encrypted SQL (see essay Ubiquity and pervasiveness of SQL DBs) and secure web services running directly off a boot-time programmable language interpreter (BPLI) will also help to reduce the risk of data becoming compromised.
If changes are not made in how personal data is stored and accessed, governments and companies should return to using paper hard copies for confidential and personal information.
Additionally, a BPLI-based computer could be created where any file (whether it is a word-processed document, spreadsheet, a picture, audio, video, database, etc.) that contains personal or other sensitive information incorporates tracking code into the document, which is re-compiled each time the document is accessed on any BPLI system, with measures preventing it from opening on a non-BPLI computer system. The document’s encoding includes not only the computer’s unique information (including processor information, network card & LAN IP address information where applicable for cloud-based computing, board serial number, date & time, etc.) and GPS data, but also the bio data of every person who accesses that file, recorded and incorporated while applying quantum encryption to prevent tampering. This will reduce the level of abuse to personal data and prevent multiple copies from finding their way out onto the Internet.
While this sounds a bit sci-fi-like, it will not be too long before technology will be widely available to implement this idea. The “D-Wave” computer has recently displayed signs of showing quantum entanglement.
If companies and governments want our personal data digitally they should make sure it is 99.999r% safe and secure. If not, they should go back to paper and filing cabinets. The simple truth is that today, a more secure computer system is one that is not Internet or network connected in any way, and most likely runs an older (and obsolete) operating system with no Bluetooth, Wi-Fi and no cabled LAN card. Going to the Nth degree, computer systems should also be placed inside of a Faraday cage, as seen in the movie Enemy of the State, and also locked in secured bunkers.
Without new ideas being developed as outlined within this essay and previous essays, for example a boot-time programmable language interpreter (BPLI) which runs a DOS and GUI interpreter system with data and bio encoding, circumventing the need for more modern and increasingly complicated operating systems, malware’s influence will risk not only damaging the reputation of ‘the Internet’ as being safe to use, but also put the advancement of commerce and public use of networked computer systems such as ‘the Internet’ at risk. Ensuring that personal identifying information, including associated metadata, is securely locked away, including data used in financial transactions for commerce, is of paramount importance, or else dissolution of Internet commerce could occur.
There are none so
deaf death than those who clutch its straws.