Michael G. Roskin: Online Outlaws
Thursday, March 16, 2017 10:55 AM
The massive WikiLeaks of CIA hacking abilities dovetailed last week with my personal computer problems. Namely, I have for months been getting vague but dire warnings that Google would no longer support the Windows Vista on my 2009 Dell, old for computers. I didn’t know what the heck that meant.
I assumed it was a scam from someone in Mumbai to hijack my personal numbers. Nowadays, I assume that all unsolicited phone calls and computer messages are fraudulent, something that essentially free communications has brought. Phone calls and emails, because their marginal cost is so low, are vastly overused, interrupting dinner and building mistrust. Taxing all messages a dime or quarter would decrease scams, rebuild social trust and raise revenues.
Opening the warnings and reading them, however, you find buried way down mention that old operating systems have higher security risks, which are not defined. Probably to prevent panic and lawsuits, nowhere do they state that you are more likely to be hacked. I checked with three computer gurus, and they confirmed that indeed security is what these warnings are about. One told me not to worry about my ordinary emails, but avoid banking or credit cards online. He advises using U.S. Postal Service for these matters.
Microsoft is pressuring users to move up to Windows 10, which my ancient Dell does not accept; neither can it be upgraded. Old computers may work fine but have been rendered obsolete in less than a decade by hacking and upgrades to fight it. I’m willing to buy a newer machine — something we may have to do every few years — but a friend warned me that “internet security is pretty much a complete disaster” and efforts to fix it are slow and incoherent, something that banks and credit-card companies do not publicize. Imagine the criminal brainpower now dedicated to hacking our accounts.
The Point: Entire tribes, both governmental and criminal, hack everything. Nothing is absolutely safe. Here we connect with the gigantic breach of CIA data. One of the first questions is how did WikiLeaks — the outlet for Russian hacks — get this material? Russian hacking is possible; they do a lot of it. But by exposing CIA tricks, Moscow would reveal its capabilities, which cyberwarriors prefer to conceal: Don’t let your adversary know what you can do, as that alerts him to take protective measures. I therefore suspect it was a leak, not a hack.
Who would leak this supersecret material? As discussed in the column “Leakistan” a few weeks ago, federal career employees rarely jeopardize their jobs and pensions. Outside contractors, whose employees come and go, may not be as disciplined, another reason to not rely on outside contractors. News accounts say that CIA cyberespionage is farmed out to private contractors. WikiLeaks founder Julian Assange, now in his fifth year in London’s Ecuadorian embassy (good), indicated his trove came from a contractor. The Edward Snowdens are the weakest links.
Some say the leak is overblown and accuse WikiLeaks of self-promotion in proclaiming a dramatic breakthrough, but encryption and penetrating it is not news. It might even do some good. If terrorists, criminals and drivers stop texting, so much the better. There are constitutional problems: Does a signal that moves through the ether enjoy more privacy protections than public conversations? Is not the ether a public place? “Expectation of privacy” is sometimes extended too broadly. Criminal conspiracies should not expect privacy.
So far, I’ve been lucky with the identity theft now rampant, but recently one of my credit cards was compromised — I suspect at a restaurant where the waiter took it for a few minutes. Someone tried to use its clone at a gas station hundreds of miles away to charge $113 (50 gallons? big truck?), but the issuer’s algorithm spotted discrepancies, denied payment, emailed me, invalidated the card and issued me a new one, all within minutes. The card of another diner at our table also got copied — confirming my suspicion — with the same result: a big-box store denied the $750 charge. Only the card companies fight this fraud. Law enforcement lacks funds and expertise for much high-tech interstate policing, a gap we should speedily fix.
The crooks who tried to use the bogus cards gained nothing, lost their purchase price and potentially flagged themselves to police. This suggests that one defense against data theft might be to make the stolen data unusable and risky. We may never be able to fully end cybercrime, but we might constrict it. Any system that is open to users cannot be totally secure, and any totally secure system can barely be used.
We’ve been slow to grasp the online-security threat, one not countered by troops or border walls. Terrorists and bandits could shut down our power grids, banking and internet. We can’t even stop millions in fraudulent IRS refunds every year. Social Security numbers safeguard nothing; they’re easy to steal. But no politician proposes serious steps against cybercrime.