Age of the Geek

By: Travis Fischer

Computer Tower of Babel 
     Last week a cyberattack struck computers across the globe. Systems infected with the "WannaCry" ransomware had their data encrypted, with a demand for payment in untraceable bitcoins to secure its release.
     The whole scenario played out like something from a movie, complete with a ticking countdown timer and a last-minute save from an unlikely hero.
     But while the threat of the WannaCry attack has mostly passed, the danger of subsequent attacks persists. The war of escalation for internet security is never-ending. With every new update to your phone or computer, web security experts and hackers race against each other to find cracks in the system to be either fixed or exploited.
     In the wake of the WannaCry attack though, another question has been raised. Which side of the battle are our government agencies on?
     The WannaCry attack used an exploit discovered by the National Security Agency to spread itself to vulnerable computers across the internet. Known as "EternalBlue," the vulnerability in Microsoft Windows was catalogued by the NSA, who presumably kept it around in the event that they needed to utilize the exploit for a legitimate government purpose.
     That's fair enough, I suppose. Contrary to what the television would have you believe, hacking is not done on-the-fly by snarky nerds furiously typing. It makes sense for the NSA to research vulnerabilities and keep a list of backdoors on hand.
     Sure, the NSA could have told Microsoft about the exploit, but then they wouldn't be able to use it.
     But it wasn't the NSA that used it. It was internet terrorists, who were able to launch this attack using the NSA's own weapon.
     This incident was predicted last year when the FBI tried to coerce Apple into hacking into the smart phone of one of the San Bernardino shooters. Apple refused, explaining that building a tool to intentionally break their own security would inevitably result in more security problems down the line.
     The issue brought up a moral dilemma. The FBI wanted the information on that phone and Apple was the company best equipped to unlock it. Is it right for the government to try and compel them to open it? Does Apple have an obligation to comply, even though doing so would be against their own interests?
     I found Apple's refusal to be a reasonable stance. It's not Apple's job to break open locked iPhones, especially if it would create vulnerabilities that would expose their customers. If the FBI wanted that information so badly, they were free to break the phone themselves.
     Which they did.
     Then the tables turned. Once the FBI announced that the phone had been cracked, Apple demanded that the FBI share the secrets of that exploit so it could be fixed. I can only imagine that the FBI's response to that demand was something along the lines of blowing a raspberry and making a rude hand gesture.
     So now we have another moral dilemma. The FBI has knowledge of an exploit that could be used to put the private information of American citizens at risk. Do they have an obligation to share that information with Apple to prevent such an attack from happening?
     At the time, it was argued that any undisclosed exploit puts innocent users at risk. Just one year later that prediction has come true. The EternalBlue exploit catalogued by the NSA was released into the wild last April by a hacking group and within weeks it was used to deploy the WannaCry ransom malware.
     In fairness to the NSA, the EternalBlue exploit was not unknown to Microsoft by the time it leaked. Microsoft had already discovered the exploit and released a security patch to fix it in March.
     But not everybody is diligent about their security updates and at least 200,000 computers were still vulnerable when the WannaCry malware spread.
     Some of the blame can be placed on people who, for whatever reason, neglected to keep their systems up-to-date. It's a hard lesson for the people and businesses that rolled the dice on their cyber-security.
     That said, this is an attack that probably would not have happened if the NSA had informed Microsoft of the vulnerability when they found it. Moreover, the only reason the EternalBlue exploit became widespread knowledge in the first place is because the NSA wasn't diligent enough with their own security.
     So where do we go from here?
     Should the FBI, CIA, and NSA be stockpiling these exploits? Even with legitimate uses and the best of intentions, they're playing with fire and putting people at risk when these exploits get out of their control.
     This isn't a new quandary. I can think of three different Batman stories that pose the same question. The caped crusader has become a magnet for cautionary tales about well-intentioned tools and tactics spectacularly backfiring.
     Like Batman, the FBI, CIA, and NSA will almost certainly continue to seek out and stockpile exploits to aid in their work, and by the very nature of that work, we'll never know exactly how much that stockpile benefits us. This makes it impossible to determine if the risk is worth the reward.
     There's no good answer to be found here. In the meantime, keep your security up-to-date, don't open e-mail attachments from people you don't know, and don't click pop-up ads from the shadier part of the internet.
     Travis Fischer is a news writer for Mid-America Publishing and wonders if the Bat-Computer uses Malwarebytes.

Hampton Chronicle
