HOUSE_OVERSIGHT_018331.jpg

“Weird Machine”: Computers or sensors or network webs silently made to do what is not intended. Made weird. Hacking is, after all, a kind of perverse programming. It involves slipping inside a target machine, and then driving it to do things it wasn’t intended to do, by giving it instructions its designers never knew it might receive.136 The process of developing and using computer bugs, Bratus found, is not unlike the most sophisticated software research. Hacker follow careful patterns. The best of them really conceive of whole systems in the way the finest data architects might. They look for particular designs, weaponize their code with a delicate elegance and aim relentlessly at total control. A normal machine does what you tell it. A weird machine does what someone else commands it to do. How is such a system born? Well, a potential software hole of the sort that produces a “Weird Machine” might be as simple as a failure to secure computer code after it is compiled - sort of like not locking the door on your house after you leave - ora programming oversight that means a machine can’t handle unexpected inputs. Take the technique of “fuzzing”, for example, a famously effective way to turn a normal machine into a weird one. The process involves confusing a digital security system by throwing unexpected data into normal, apparently safe-looking procedures like logging into a mail system or transferring money by wire. Think of all the “username” and “password” forms you see when you're on the Internet. In a fuzzing attack, instead of placing a legitimate user name or email address in a registration field, hackers might add some unexpected characters known to cause a system to cough up a confused response. If you type in, joe@user.com!” instead of joe@user.com as the machine expects, the /’ at the end of the address can baffle and stall a mis-programmed device. In some cases, that hiccup opens a vulnerability. A proficient programmer can then order the dazed computer, for instance, to opena door to the root of the system. It’s as if you could walk up to the teller at your local bank and shout “Xhsuhgnnsh!!” at her when she asks how you are doing - and in her confusion she lets you into the safe. You’ve made a weird machine of your bank. System designers in later generations have become much more sophisticated in trying to avoid such problems, not least because they’ve so often fingered the embarrassing or costly aftermath of these kinds of holes in their own code. “You do not understand how your program really works until it has been exploited,” Bratus has said, a sentiment that hints at the stomach-lurching moment many coders and their suddenly victimized users have now had.1%’ You don’t understand yourself until you've been pwned. The odds that the endless possible glitches can ever be completely patched is honestly zero. Hackers continue to use classic exploits like 136 It involves: Julian Bangert, Bratus et al. p2 “The Page-Fault Weird Machine: Lessons in Instruction-less Computing”, Presented as part of the 7th USENIX Workshop on Offensive Technologies, (Washington, D.C., 2013) available on www.usenix.org 137 “You do not really understand”: Rebecca Shapiro, Sergey Bratus, Sean W. Smith, “Weird Machines’ in ELF: A Spotlight on the Underappreciated Metadata” paper delivered 7th USENIX Workshop on Offensive Technologies, (Washington, D.C., 2013) available on www.usenix.org 99 HOUSE_OVERSIGHT_018331