Nothing Is Too Hidden to Hack

By Peter Coffee  |  Posted 2002-06-10 Print this article Print

Peter Coffee: No matter how careful you are or how tiny a component is, someone, somewhere, will dig deep enough to figure out what you've done and how—either for financial gain, or just for the sake of curiosity.

In William Gibsons definitive cyberpunk short story, "Burning Chrome," the narrator is a hardware hacker called Automatic Jack. As the story begins, Jack describes the attack console used by his partner: "I knew every chip in Bobbys simulator by heart; it looked like your workaday Ono-Sendai VII, the Cyberspace Seven, but Id rebuilt it so many times that youd have had a hard time finding a square millimeter of factory circuitry in all that silicon." Ive always thought that sentence a pardonable piece of literary license: After all, Gibson famously wrote his groundbreaking stories on a manual typewriter. I had to rethink that characterization, though, after reading MIT doctoral candidate Andrew Huangs account of his attack on the hardware security of Microsofts Xbox.
At one point, Huang wrote, "maybe Ill sacrifice a GameCube for the sake of curiosity and dissolve the package with hot sulfuric...or better yet, try and shave the package down so I can extract the pinout through visual inspection." Were not talking about scanning tunneling microscopes or multi-gigahertz oscilloscopes here. Were talking about exceedingly well informed, but essentially low-tech, attacks.
Huangs disclosures convey implicit messages that have to be understood by anyone involved in developing or deploying IT. First, theres no such thing as security based on obscurity or inconvenience. Someone, somewhere, will dig deep enough to figure out what youve done and how—either for financial gain, or just for the sake of curiosity. Second, theres no "technology floor" below which it becomes intrinsically safe to send valuable information in unencrypted forms. Even at a microscopic level, formal protocols at some point turn into actual volts and amperes: Anything that "friendly" hardware can process as bits, invasive hardware can analyze as intercepted signals that an attacker can then deconstruct. About 15 years ago, I was in a panel discussion with someone who said that the next 10 years worth of computer price/performance gains would all be absorbed by the user interface. Reality turned out to be even more resource-intensive, I would argue, in that the typical Windows system of 1995 was actually more sluggish in many ways than the 8 MHz 8086-based DOS machine that was on my desk at the time of that conversation. Between 1995 and 2005, it wouldnt surprise me if another decades worth of hardware performance progress were to be absorbed in security—either on our increasingly mobile (and therefore vulnerable) client devices, or at the level of the network infrastructure. Distributed processing, and a well-developed sense of shared responsibility, are the levers that we need to pry ourselves loose from this burden—and get back to improving the return on our IT investments. E-mail me and tell me how youll gain leverage against security problems.
Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel