Many or most of the readers in this area of the Choice Community will be aware of the constant flow of new bugs and ways of hacking into our computers/phones/IoT devices.
I am writing this post immediately after posting about a new HP fax problem, and its intent is to bring the reader’s attention to the cause of this and many other major vulnerabilities in any information technology - interpretation.
Pretty much everything a computing device does is based upon some sort of interpretation. At the very bottom levels, modern (pre-quantum) computers rely effectively on a switch being turned on or off - 1 or 0. Above this level we have all sorts of interpreters, within the hardware, the operating system, and the individual program. These all seek to translate between the binary computer and the non-binary user - the human.
The problems with interpreters are that they cannot anticipate everything that may be entered, and even when they can there are often ‘bits left behind’ after they have been written and debugged. What this means is:
- Back doors, where the coders/testers have written something to make their job a bit easier and accidentally left it in the code. Recent examples of this have been coming to public awareness in relation to D-Link routers, while the US National Security Agency (NSA) has been accused of deliberately weakening security standards - a form of indirect back door.
- Unexpected inputs. A fax machine expects that a facsimile transmission will consist of a header, a footer, and some text/visual content. HP apparently implemented bits of the fax specification that allow for colour faxes, but didn’t provide for an extremely large input to be received. This caused an error which could be exploited.
Many of the day-to-day exploits we hear about are due to interpretation errors. Adobe Flash is being retired in 2020, because they simply cannot keep up with the number of errors. Similarly, Adobe Reader (for PDFs) has had a lot of problems with interpretation. Even simple .jpg pictures have been able to be used as ways to gain unauthorised access to a machine.
How can I protect myself?
- Always keep your digital devices up-to-date. Twenty years ago, you would have been advised only to patch it if you’re having a problem. That advice has been flipped on its head by the explosion of vulnerabilities, and so every month even Windows gets patched to fix newly discovered problems.
- Limit possible attack surfaces. If a program or app does not need internet access, don’t give it that access. Interestingly, there is a case to be argued that anti-virus software expands the possible attack surface due to the extensive access it has to your operating system’s inner-most parts.
- If you don’t need/use it, get rid of it.
- Watch the IT security news.
I hope some of this information may be useful to some readers. I also look forward to additions and corrections.
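Added example, not part of the original post: the "unexpected inputs" point above, shown as a small C interpreter that checks a sender-supplied length against its own buffer before copying anything. The message layout, the 64-byte limit and all names are constructed for illustration; this is not the fax protocol or HP's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format (NOT the real fax protocol):
 *   bytes 0-1: header magic "FX"
 *   bytes 2-3: declared content length, big-endian
 *   bytes 4..: content, followed by a one-byte footer 0xFF */
#define MAX_CONTENT 64

enum parse_result { PARSE_OK = 0, ERR_TRUNCATED, ERR_BAD_HEADER,
                    ERR_TOO_LARGE, ERR_LENGTH_MISMATCH, ERR_BAD_FOOTER };

struct page { uint8_t content[MAX_CONTENT]; size_t content_len; };

/* Interprets one message. Every value supplied by the sender is checked
 * against what was actually received and against the size of our own
 * buffer before any byte is copied. */
enum parse_result parse_message(const uint8_t *msg, size_t msg_len,
                                struct page *out)
{
    if (msg == NULL || out == NULL || msg_len < 5)
        return ERR_TRUNCATED;          /* magic + length + footer */
    if (msg[0] != 'F' || msg[1] != 'X')
        return ERR_BAD_HEADER;

    size_t declared = ((size_t)msg[2] << 8) | msg[3];
    /* The check a careless interpreter omits: the sender controls
     * `declared`, so it may be far larger than our fixed buffer. */
    if (declared > MAX_CONTENT)
        return ERR_TOO_LARGE;
    /* The declared length must also match the bytes really received. */
    if (declared != msg_len - 5)
        return ERR_LENGTH_MISMATCH;
    if (msg[msg_len - 1] != 0xFF)
        return ERR_BAD_FOOTER;

    memcpy(out->content, msg + 4, declared);
    out->content_len = declared;
    return PARSE_OK;
}

int main(void)
{
    const uint8_t ok[] = { 'F', 'X', 0x00, 0x02, 'h', 'i', 0xFF }; /* constructed */
    struct page p;
    return parse_message(ok, sizeof ok, &p) == PARSE_OK ? 0 : 1;
}
```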