June 20, 2016 6:52 PM

New York Magazine details a hypothetical cyber-attack on New York in an uncomfortably close future.
The fictional account imagined here is based on dozens of conversations with cybersecurity experts, hackers, government officials, and more. An attack of such scope is unlikely, but each component is inspired by events that can, and in most cases have, happened.
posted by quinndexter (23 comments total) 11 users marked this as a favorite
This is why I tell every child I meet that it's still important to be able to read words off of paper, not just off of screens. You can't left-swipe the downfall of civilisation, kids!
posted by turbid dahlia at 7:01 PM on June 20, 2016 [2 favorites]

oh goddammit this was gonna be my post tomorrow

looks like i'll have to go with the bear in the swimming pool instead
posted by poffin boffin at 7:18 PM on June 20, 2016 [10 favorites]

*shrug* we could also extinguish most life on this planet with about an hour's notice. whaddayagonnado?
posted by indubitable at 7:19 PM on June 20, 2016 [3 favorites]

At 10 A.M., the President reached into the back of her lowest desk drawer and produced the legendary Clear Phone. Her advisors gasped.

She picked up and held the receiver to her ear. There was no need to dial.

"Get me," she said slowly but clearly, "The Lawnmower Man."
posted by No-sword at 7:33 PM on June 20, 2016 [17 favorites]

"NSA warns that strong encryption could 'metastasize into terrorist AI', and that it's 'only a matter of time' until thousands or more are killed. 'We don't want to start a panic, but right now we're the only thing standing between you and a flamethrower equipped killbot', said a Homeland Security spokesperson while blasting an airhorn."
posted by Pyry at 7:42 PM on June 20, 2016 [26 favorites]

On the morning of December 7th, 2018, a date which will live in infamy, an executive at Goldman Sachs was reading through an anthology of 1990's humor in the back seat of his self-driving car, when his augmented reality headset flashed a warning in the corner of his vision: The DJIA was down by 17 points in 0.3 nanoseconds, an unusual move with no explanation. Suddenly, his car swerved to the left, throwing him against the window where he found himself face to face with a school bus whose artificial intelligence driver had apparently gone mad. The school bus was playing mariachi music at full blast over its external speakers; what additional horrors the children inside were subjected to we can only imagine. From the way they were tearing at their self-releasing seat restraints, it must have been bad.

Moments later, on the George Washington Bridge, a Low Rider Chevy began bouncing wildly on its hydraulics, veering left and right at low speed across all four lanes. The traffic problems were not a coincidence. Within minutes, there were ice cream trucks advertising free popsicles to all comers, electronic scooters trying to ride their owners off the bridges, and big rig trucks chasing Emilio Estevez down the Merritt Parkway. All the vehicles involved, it was later discovered, used media player systems with the same brand of firmware, but as the calls came in to the 911 centers, the operators simply chalked them up to normal Monday morning hysteria. No one had yet realized that New York City had just been hit by a cyberattack — or that, with the city’s cable television networks, air conditioners, taxi drivers, short order cooks, and pretty much everything else now operated by computers, the worst was yet to come.

A third-year computer science student at the University of South Broadway walked through the computer lab as her smart-head mirrorshades drew her attention to an unusual spike in trans-metropolitan network traffic. She tried logging in to check on the situation, but was greeted with an error message that read GIVE ME A COOKIE.

The university, like major institutions across the country, had spent the past few decades fighting so-called Cookie Monster virus programs, in which nefarious hackers locked down computer networks until someone worked out what kind of cookie it was after and how to deliver it. Sometimes just typing "cookie" worked, but sometimes, as on this occasion, it was more serious.

For weeks, a group of hackers had been sending secret messages encoded as cat gifs posted on Tumblr to employees in Colombia pretending to be recruiters from Morgan Stanley. When a student opened an attachment featuring the recruiting pitch, as eight thousand of them did, the virus gained another opening through which to hook its tentacles into the university mainframe. From there, it had an ideal perch from which to besiege the rest of the city's computer systems.

Most New Yorkers were proceeding with their day unaware. But the city’s head of cyberinformational security excellence had begun to connect the dots: Traffic lights out of sequence, hospitals making their patients wait up to six percent longer than usual, car alarms playing disco music in synch with fire hydrants opening and closing their valves, dogs barking in irritation as their homing collars mistakenly alerted them of mutant squirrels that weren't even out of their burrows by this time in the morning.

The cybersecurity chief pulled out the Office of Emergency Management’s 42-page booklet on how the city should react. He probably should have read this thing earlier, but nobody expected the Big One to hit so soon! He was flipping from page to page, enjoying the curiously analogue feel of actual paper, when he got a call from a reporter. Pacify the press! Now that was something he knew how to do. If they could crash a car, could they crash a subway? No, the subway website might be down, but the trains are pretty smart, they'll probably just shut themselves down if they feel like they've been compromised.

But the black hats on the opposite end of this Cyber Pearl Harbor didn't stop there. Once they'd taken over the New York Times, it was only a few simple steps from there to the Tronc. And once they had Tronc, they took Facebook. From Facebook they got into everything, from wind turbines to thermostats, weather satellites to rototillers. It's only a matter of time until they find me, too. I only hope that ~~;~NO CARRIER
posted by sfenders at 8:05 PM on June 20, 2016 [43 favorites]

Apologies, poffin boffin! Please bring any links you've got to the party - I only made such a sparse post because my trackpad is causing me much, much aggravation today.
posted by quinndexter at 8:27 PM on June 20, 2016

The President, in his top-secret mobile submarine headquarters on the ocean floor off the coast of Guam, felt the inconceivably massive explosion which vaporized Laurie and 85 million other Americans. The President slammed his fist on the conference table. "We can't allow this! I'm going to veto that treaty! Let's blow 'em out of the sky!"
posted by Behemoth at 8:34 PM on June 20, 2016 [4 favorites]

A year or two after 9/11, NYC's power grid failed. There wasn't power, but there wasn't mass chaos, either: people figured out how to work together and didn't flip out. It's kind of fascinating, stepping back, how much of American media is based on selling outright fear.
posted by a lungful of dragon at 12:42 AM on June 21, 2016 [13 favorites]

sfenders: "Within minutes, there were ice cream trucks advertising free popsicles to all comers, electronic scooters trying to ride their owners off the bridges, and big rig trucks chasing Emilio Estevez down the Merritt Parkway"

I am interested in your product and would like to subscribe to your newsletter.
posted by chavenet at 1:21 AM on June 21, 2016

I think there's a bit more in it though, than just a power outage. The scenario is clearly an attack, so a little more out-flipping might be likely.
posted by quinndexter at 1:42 AM on June 21, 2016 [1 favorite]

Thank goodness the important bits are bolded so I don't have to read the whole story
posted by fantabulous timewaster at 2:04 AM on June 21, 2016 [2 favorites]

For one direction that seems promising look at: Advanced Adaptive Applications (A3): Automated Zero-Day Defense

(OMFG stupid acronym, just try searching for "A3")
posted by sammyo at 4:17 AM on June 21, 2016

The thing that continues to drive me crazy about this is that while all this stuff is possible, becoming probable over time, it doesn't have to be this way. No amount of "cybersecurity" in the world can fix the actual root cause... our Operating Systems are stupid... they require you to trust any program you run, and don't offer any tools to limit the scope of what a program can do.

Imagine the power grid with no circuit breakers whatsoever... this is what Windows, MacOS, Linux etc all do, as well as all the embedded Internet of Things devices we're buying by the millions. They blindly trust every line of code you tell them to run, or that they auto-run when you insert a USB stick, etc.

Operating Systems exist (but are not mainstream), like Genode (which I still don't have running on my laptop... any year now....grrrr), which offer a way to securely run things, the key to this magic non-stupid OS?.... it simply asks which files you want to let a program use, and never blindly trusts anything. The thing doesn't have to be any less user friendly either... Word could just use the file you chose, instead of asking you and doing it itself.

I figure about 10 more years until this type of OS goes mainstream... I keep mentioning it every chance I get... a low level PR campaign to fix cybersecurity for once and for all.
posted by MikeWarot at 4:23 AM on June 21, 2016 [3 favorites]

Sorry but "hardened" operating systems are not new and I suspect like fusion and AI they will "always be 10 years away". The bits I've read about actually implementing something like SELinux, it's a serious PITA and some stuff just won't run. And anyway running an "OS" is so last century, think about serverless code (AWS Lambda) and short lived replaceable containers (Docker), any problem, kill it, init the code, sync and go.

Yes there's a place for high security OS's, they are in use, very effective, expensive in sysadmin and dev resources, great tools, almost impenetrable but it'll always be a niche.
posted by sammyo at 5:43 AM on June 21, 2016

A tipster claimed the hackers had caused at least a dozen car crashes and debilitated multiple hospitals and agencies — with more to come. If they could crash a car, could they crash a subway?

Not likely. Here we see the advantage of running a train system with direct current dynamos, mechanical relays and knife switches.
posted by Dean358 at 6:17 AM on June 21, 2016 [1 favorite]

So you're saying people who make a living out of selling cybersecurity solutions are telling us there is a critical need for their solutions? And people who need to sell magazines want to tell us about it?
posted by Happy Dave at 8:15 AM on June 21, 2016 [6 favorites]

Love the idea that a government would drop $100 million on some anonymous freelancers to pull a one-off disruption of New York City. (The story implies that the funder wants massive deaths, but has the hackers reject the offer because massive deaths would push the narrative off the plausibility cliff.)

I do think there are state-sponsored computer attacks (most prominently conducted by the US government), and I suspect some (not most) of the efforts are part of war-planning. In the first hour of a great-power military engagement, you could maybe get an edge by disrupting the civil electronics of the other side. $100 million starts to be plausible as the kind of money a state could spend on existential strategic maneuvers -- but, for perspective, a nuclear missile costs the US about $2 million dollars, and that much only because we get everything gold-plated.

The 9/11 Commission Report estimates that the attackers spent only $400,000-$500,000 on the 9/11 attacks. This is what the wealth and reach of bin Laden and Al Qaeda were able to spend on their central crowning project. And this relative pittance triggered huge changes in how money is moved around the world, to make it harder to finance similar efforts.

$4-500,000 for 9/11, and that is very much the high end for terror attacks. Every other plot I can think of, successful or foiled, would have cost substantially less. There is no shadow network of billionaires shipping around crates of millions to do hypothetical terror plots. ($100 million in $100's would weigh 2,200 pounds.)

This is a movie-plot fantasy. The closest real-life analogue is the US defense and intelligence contractors who sourced this article.
posted by grobstein at 9:42 AM on June 21, 2016 [2 favorites]

Hardening an existing operating system such as Linux, resulting in SELinux, is going to be a serious piece of unusable garbage, because you're not starting with a system that is going to ask the user which files they wish to make available to a program... instead trying to install a patchwork of rules, which just can't work in the real world.

There are existing capability based systems, such as Genode, and if I had a few grand to spare, I'd have them buy a laptop, install the OS on it, and ship it to me.... but that's not an option.

The perpetually late capability based system everyone has heard of is GNU Hurd, which I don't ever expect to have serious market share.

At some point in the next few years, there will be a strong interest in capability systems, which will get Genode and some other open source projects off the ground. Only then will the big boys start paying attention and getting with the program.

In the meanwhile, you can enjoy a limited version of capability based security by taking your favorite OS, and running it inside of a virtual machine. This allows you to limit the damage to the last saved copy, and you could run multiple copies at the same time for separate tasks, which wouldn't be able to interfere with each other, if you do it right. See also, Qubes.
posted by MikeWarot at 4:48 PM on June 21, 2016

Can one of y'all explain how the iOS security model isn't exactly what you want? Siloed data, user-granted access, etc?
posted by polyhedron at 7:10 PM on June 21, 2016

"Can one of y'all explain how the iOS security model isn't exactly what you want? Siloed data, user-granted access, etc?"

According to 5 minutes of research on iOS, and Apple's iOS Security Guide, there are all sorts of efforts made to secure the OS and Boot process, which is always a good thing, but the app security is primarily about non-sharing of data between apps.

If you tried to do this with programs like Word, Excel, etc... you'd never be able to open a Word document from an Email, etc... each program is in its own sandbox, with very limited exceptions.

A capability based system treats programs like they are in sandboxes, but when the user opens a file, or folder, the handle (capability) is passed to the program, and it acts just like any other program... except the OS never trusts the program with this choice, it interacts directly with the user.

Static rules, like no sharing between walled gardens don't work for general purpose computing. The capability model offers a way to let the user decide what trust is given to a program, in a transparent and friendly way, without ever having to worry about unwanted side-effects.

Does that all make sense?
posted by MikeWarot at 8:02 PM on June 21, 2016
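
The handle-passing described in the comment above, as an added example that is not part of the thread or any commenter's code: a trusted picker opens the file the user chose and sends only the open descriptor over a Unix socket, so the receiving program never handles a path. The names `powerbox_grant` and `confined_program` are hypothetical, and the sketch assumes the receiving program is otherwise confined by the OS, which this code does not enforce.

```python
import os
import socket
import tempfile


def powerbox_grant(channel, chosen_path):
    """Trusted side: open the file the user picked, send only the handle."""
    fd = os.open(chosen_path, os.O_RDONLY)  # the rights travel with the handle
    try:
        socket.send_fds(channel, [b"doc"], [fd])  # SCM_RIGHTS descriptor passing
    finally:
        os.close(fd)  # the receiver gets its own reference to the open file


def confined_program(channel):
    """Untrusted side: no path, no open() call, only the handle it was given."""
    _msg, fds, _flags, _addr = socket.recv_fds(channel, 16, 1)
    fd = fds[0]
    try:
        data = os.read(fd, 4096)
        try:
            os.write(fd, b"tamper")  # not covered by a read-only handle
            write_denied = False
        except OSError:
            write_denied = True
    finally:
        os.close(fd)
    return data, write_denied


def demo():
    # Constructed sample file standing in for the document the user selected.
    with tempfile.TemporaryDirectory() as home:
        chosen = os.path.join(home, "letter.txt")
        with open(chosen, "wb") as f:
            f.write(b"dear reader")
        trusted, untrusted = socket.socketpair()
        with trusted, untrusted:
            powerbox_grant(trusted, chosen)
            return confined_program(untrusted)


if __name__ == "__main__":
    print(demo())
```

The read succeeds and the write fails because the descriptor was opened read-only: the grant is exactly as wide as the handle, independent of what the receiving code asks for.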

MikeWarot, the application sandbox in both iOS and macOS definitely enforces a capability style model for access to files. Attempts to access any file outside of the application's container have to be either: specifically approved by the user, be specific files authorized by application entitlements approved by Apple, or be files in certain world-readable locations. All attempts to access files by third-party applications on iOS and by sandboxed applications on macOS are intermediated by the OS sandbox which explicitly checks to see if the file is on an approved list. It is only by interaction with the user that the approved list is expanded. For example, on macOS if a sandboxed application wants to open an arbitrary file it has to use a system UI element provided by the OS to pick the file (which will add the file to the application sandbox when chosen by the user).
posted by RichardP at 8:57 PM on June 21, 2016 [1 favorite]

Remember how popular the enhanced security was on Windows Vista* when it first came out? Every single thing you attempted to do caused a security dialogue to pop up.
posted by monotreme at 11:01 PM on June 21, 2016
