« Worms | Main | Lame Name »
Exploding software
The RIAA may be seen as a bit draconian for suing 12 year old illegal music downloaders, but they’ve got nothing on CIA tactics. Want to discourage pirates? Let’s play global thermonuclear war.
In an op-ed column in today’s New York Times (so you know it’s true!), William Safire writes about a fascinating and previously unknown (at least to me) episode in cold-war espionage history. Apparently, in the early eighties, the CIA planted a Trojan horse into U.S. pipeline control software which was then pirated by the Soviets.
"The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire," writes Reed, "to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space."
Our Norad monitors feared a nuclear detonation, but satellites that would have picked up its electromagnetic pulse were silent. That mystified many in the White House, but "Gus Weiss came down the hall to tell his fellow NSC staffers not to worry. It took him another twenty years to tell me why."
The main goal of the CIA wasn’t to stop software piracy but to land a hard blow in the cold war. However, besides the quaint humor of nearly starting World War Three (a flock of geese at the wrong time here could have been unpleasant), this raises some interesting questions:
1. If this had happened today, and the makers of the technology were a non-governmental corporation, would there be any liability issues? Can you be sued if your anti-piracy code causes the thief’s computer to explode? How about the thief’s autonomous province? As a former Director of the NSA told me, “never bring a lawyer to a real fight.”
2. How much of our own infrastructure is similarly at risk from software written in off-shore labs? Are off-shore sources more susceptible to deliberate, Trojan horse attacks, or is pretty much all software vulnerable? On the one hand, it might be easier to insert malicious code overseas. On the other hand, the increased engineering discipline and code reviews required to effectively run an off-shore operation may actually make code safer.
3. We have a hard enough time protecting ourselves from viruses and worms written by teenagers, spread as email attachments and consisting of juvenile payloads that rarely do more than lame denial of service (DoS) attacks. Does anyone have a plan for dealing with cyber attacks perpetuated by grown ups, with a specific target, goal and budget?
Not easy questions. Ok, the first one is probably easy, but I’m sticking by the other two. How about a nice game of chess?
February 2, 2004 | Permalink
