Today we went up to Bradford for a rather special talk. The folks at Black Marble arrange seminars for IT professionals (you'll never guess who's giving the next one) and today they had managed to get Ed Gibson over to talk about Computer Security. Ed is quite a chap, an ex FBI guy who is now Microsoft UK's chief security advisor. So a bunch of students and myself boarded a magic bus to Bradford.
We were lucky enough to meet up with Ed. before the talk. Thanks to my super advanced planning I managed to get everyone to the venue around 90 minutes early, and so we had plenty of time to sit around a roaring fire in the hotel bar and chat. Ed turned up and the first thing he did was buy everyone a drink. My kind of guy.
Then, after some superb sandwiches courtesy of Black Marble it was time to get down to the serious business of the evening. And it is serious. Ed has been there, done that, and told us some truly scary stories. For me the most interesting thing that emerged from his talk is that the computer fraudsters don't want your bank details. They want your bandwidth. If they can get enough machines on the net under their control they can pretty much take down any server, anywhere. Unless you pay them big money.
At some point we will have laws that extend far enough to catch the perpetrators and enough systems out there hard enough to resist the attacks that can turn your home PC into an agent of the bad guys. However, until then the rule has got to be keep your system up to date. Don't think of computer crime as a "soft" crime with no real victims. The people who do it are in there for the cash, very organized and totally ruthless.
Ed made some good points on a broad canvas. The speaker that followed him zoomed right down into the low level detail. He showed how breathtakingly easy it is to attack a system. One of my programming rules is "build yourself a nice place to work". What I means is make sure that it is very easy to create, build and test the systems that you are writing. It never really occurred to me that hackers would do the same.
We were shown a tool which used SQL injection (basically a way of putting database commands into the text you feed into a web page) to stripmine entire company databases. I knew about the technique, but I never thought there would be such advanced tools for this kind of thing. The next thing that we were shown fair took my breath away. It involved changing the way that the .NET Framework itself works.
Imagine that a developer has got some permissions set on a program. And they want to stop users from pressing certain buttons on certain screens. The Forms library that ships with Windows will do this for you. With a simple property change you can disable a button. If the button is disabled it turns grey and the user can't press it. Job done.
Unless someone changes the guts of .NET so that this property change no longer works. By just changing one particular byte in the right library file a nasty person who has access to your machine can make every single button work all the time. So simple, sooo scary.
Admittedly you'd have to do something rather stupid to let someone else run their program on your machine in the first place, but the result of this is that even securely written code can now be totally banjaxed by being hosted on a corrupted system. Amazing stuff. Simple yet brilliant. And a very worthy follow on to the talk from Ed.
This was a superb evening. Kudos to Black Marble, Ed and his associate (who's name I've forgotten I'm afraid). All the students had a great time, with some pretty deep conversations on the bus on the way back. This was the first Black Marble event I've been to. It will not be the last...
And with that, I'm just going to update my virus scanner...