The Internet as existential threat

https://www.raphkoster.com/2017/06/27/the-internet-as-existential-threat/

Misc

Some days I wonder if we are completely screwed. So today’s post is a perhaps slightly hysterical outburst.

The news is not paying enough attention to the Petya/NotPetya ransomware, and the effects it is having on the Ukraine and on a bunch of businesses worldwide. I think it may be a harbinger of how the Internet could kill us all.

Based on what little I have read so far… A piece of widely used tax software — one used by the Ukrainian government — did its usual “phone home” to check for updates. Instead of getting back a few hundred bytes of acknowledgement, it got a viral payload. Basically, this tax software served as a means of auto-updating the virus to thousands of targets. The result is not just accounting systems down, though. It’s gas stations and point of sale systems in grocery stores.

This kind of thing basically makes me wonder how long we’ll have the Internet.

The whole premise of the Internet is the connecting of disparate networks. It started out by only connecting computer networks. But today it connects networks of vastly different sorts: computers, yes, but also financial networks, distribution networks, road networks, water networks, power networks, communication networks, social networks. It truly is “Inter” now.

As we rush towards putting more and more things “in the cloud,” as we rush towards an Internet of Things with no governance beyond profit motive and anarchy, what we’re effectively doing is creating a massive single point of failure for every system we put in it.

Think of a house with an alarm system on the doors, and a phone system, and power coming into the house, and water pipes, and so on. In your house these are probably all separate connections to separate networks. If the water stops running, you don’t tend to think that your phone will go down too. But you know that cutting the power at the mains renders the house vulnerable in a host of ways, because so many things do connect to the electricity.

Well, even without going so far as to buy Internet-enabled juicers, quite a lot of that stuff actually has been connected to one point of failure, and it’s not necessarily all things we term “critical infrastructure.”

What we are building is basically a perfect scenario for collapse, where a commons is consumed by actors who either don’t care or don’t understand the collective damage that is possible in a connected system, and the tipping points that can ensue.

Most networks we come across in the real world follow power-law distributions, and are what we term “scale-free networks.” Basically, this is where most nodes on the network aren’t that important, but there’s a preferential attachment thing going on, where some nodes are super-connectors. They’re really hard to destroy; you have to take out the biggest nodes, all at once. But if a power-law network is co-opted, you have a real problem. The Internet is basically our biggest node now.

Most of the big virus scares lately have been traced in one way or another back to state actors; Petya is based on an exploit the NSA kept secret, that was then leaked to the general public, and weaponized by hackers. As huge as their effects have been, consider that this implies fairly limited use. But picture a world where these tools of state actors are actually in the hands of random people, and released at the frequencies that random people would engage in. I remember being in South Korea in the mid-2000s, and watching a colleague’s laptop get owned instantly just from connecting to hotel wifi without firewalls up. Within ten seconds, the laptop was completely useless, locked up, conquered totally. Picture an Internet like that. In such a world, the only people who can connect would be the ones with the wherewithal to do so, the money and the savvy and the ability to actually harden security.

But just as critically, governments and state actors seem to be the source of so many of the problems precisely because the Internet is now too many forms of critical infrastructure, and therefore too juicy a target. If software eats everything, then the ability to kill software is the ability to kill anything. Net connectivity becomes the single point of failure for every system connected to it.

Even if the Net itself is designed to route around damage, that doesn’t help if it is the single vector of attack that can take down any given target. It’s too juicy a target for the military, too juicy a target for terror, too juicy a target for criminal ransom.

The old adage goes “when they came for this, I said nothing. When they came for that…” — we all know it. Consider that the more we hand gleefully over to the cloud because we want convenience, big data, personalization, and on, we’re creating a single thing that can be taken from us in an instant. We’ve decided to subscribe to everything, instead of owning it. When they came for your MP3s, your DVDs, fine, not “critical infrastructure.” When they came for your resumes, OK, getting closer.

Your juicers? Whatever, we can laugh at that because it seems ludicrous, but it’s not. A typical US city only has three days of food within the city limits, because the Internet has enabled just-in-time delivery of foodstuffs. Economic optimization within a network tends to imply specialization, which means that even those lovely rural communities that in theory grow their own food don’t grow balanced diets locally. And you’re laughing at an Internet connected juicer? Your juicer is already Internet-connected. If that goes down, you don’t get any more juice! It’s just connected in a way you can’t see.

Now that gas stations play video ads on a loop above the station, now that every cash register is replaced with an Internet-connected device, losing Internet means no gas and no groceries. No gas means no trucks delivering the groceries. Especially if we make them into self-driving trucks! We think of critical infrastructure in terms of government-owned or controlled utilities… but the food trucking fleet is “critical infrastructure.” It’s owned by a massive patchwork of private entities, and actually is networked into the air fleet and the shipping fleet as well via databases of shipping container IDs. Wanna paralyze the world economy? Corrupt that ID database.

If you have a “smart wifi lightbulb” that’s critical infrastructure because it can be owned by a botnet and used to attack. Hyperbolic? In a world where we take actual damage when something digital is attacked, any CPU is basically a weapon, and leaving Internet connected CPUs unattended is basically leaving armory doors open.

Take the example of the solar panels on my home. They are similar to the IoT lightbulb, but the point is more pertinent.

The solar system controller phones home in a variety of ways to provide information to me on how it is performing, but also to inform the grid about the power I am generating. Because there is no battery in my home, any excess power beyond my consumption must be fed back to the grid. Should solar panels feed more power into the grid than the grid can actually handle, this power must be offloaded elsewhere — typically California pays neighboring states to take it. If the power utilities failed to do so, the grid would actually explode. Literally. Explode. The result could be a cascading power failure covering several states.

By connecting this solar controller to the Internet, we have actually put a portion of the critical infrastructure of the entire power grid in the cloud where it is vulnerable. Is that the most direct vector of attack? No, of course not. I suspect you can’t actually tell my solar controller to do anything much, it’s pretty stupid as smart devices go. But I have every expectation that someone wants to make direct bidirectional control possible, because it’s “cool.” (Presumably, regulation is stopping them. Yay, regulation. Please don’t let Congress notice your existence).

The only difference between my solar panels and a hydroelectric dam is scale. To the grid, they are all just nodes, with differing power outputs. Yes, you could cut off my panel. You could cut off a hydroelectric plant too. The issue isn’t whether the node in the network is severable. The issue is whether we are increasing the fragility of the system and thereby increasing the likelihood of cascade effects.

Network connecting solar panels opens the possibility of things like malware attacks designed to cause them all to misreport, say… luckily, the electrical grid has redundancies, fuses, switches. Physical lines to sever. We can measure power flows independent of using the Internet. So let’s consider another example.

Our medical systems have terrible Internet security… MRI machines you can connect to with USB that still have “admin:password” to gain root access. That’s horrifying, sure, but that’s not an attack at scale. More frightening: we’re busily uploading all our medical records to the cloud. Take down that cloud, and no patients can be treated, because nobody will know what they have, what meds they are on. Software swallows your insulin pumps and your pacemakers. To kill people, all you need is to hack that database, or simply erase it or block access to it. After all, we don’t tend to realize that in an Internet of Things, humans are just Things too.

As this software monster has encroached on stuff like election systems, the common reaction has been to go back to paper. So let’s consider a less obvious example. We should be going back to paper for our libraries too! We’ve outsourced so much of our knowledge to digital that the amount of knowledge available in analog has dropped notably. There are fewer librarians in the fewer libraries with smaller collections than there used to be. If the net goes down, how much reference material is simply not accessible that was thirty years ago? Google Search is “critical cultural infrastructure.” How much redundancy do we actually have? Could a disconnected town actually educate its children?

How critical is Google as a whole? If Google went down for a month, I am pretty sure we would see worldwide economic collapse. How much of the world economy passes through Google hosting? How much of it is in GMail? How much is dependent on Google Search, Google Images, Google Docs? The answer is a LOT. And because financial systems are now also JIT, ten thousand corporate blips where real estate agencies and local car washes and a huge pile of software companies and a gaggle of universities and so on are suddenly 100% unable to function digitally (no payroll! no insurance verification!) would absolutely have ripple effects into their suppliers and their customers, and thence to the worldwide economic market. Because interconnection without redundancy increases odds of cascades.

It’s actually NORMAL for complex systems to go through collapse cascades. It is part of how they grow and develop. We just won’t like it when one happens to us.

In the current economic climate, there’s this romance with the idea of monopoly. VCs like Peter Thiel speak approvingly of not funding anything unless it has a shot at monopoly. Some great achievements of technology probably wouldn’t have happened without the monopolies that are currently enjoyed by most of the big names in tech. The usual arguments against monopolies are generally around how they stifle competition and hurt consumers. Consumers are OK with the tech monopolies because they largely see benefits right now.

But the single biggest downside to these monopolies is actually lack of redundancy. If AWS went down for longer than the brief interval it did a while back, is there even enough capacity elsewhere? I have no idea — probably there is — but what happens when instead of it being a minor inconvenience it’s actually gone? That’s more like losing the hydroelectric dam than losing the solar panel.

We should be thinking now about how we create redundancy, resilience, in all these systems. “The cloud” isn’t it. Big Data isn’t what we need. Small replicated data is.

This is not solely a technological problem. I’ve often wanted to sit down with Mark Zuckerberg and argue with him about Facebook. It is premised on the notion that “connecting everyone” is an unmitigated good. But it’s not, and for the exact same reasons as the above. We don’t have opinions, we share the opinions of those we know. We think and decide things like politics via viral mechanisms — the old school meaning of “meme.” Nodes can be infected, can even be high-profile nodes, and they will have cascading effects on far larger populations. Actors who don’t understand what they’re doing — like say, billionaire political activists — can basically release ideological malware into the population not realizing the cascade effects, because predicting chaotic systems is hard, and by connecting everyone we’re actually intentionally removing the firewalls and the fuses and the airlocks. Attacks on the idea of the value of expertise are like taking down the immune system while giving the patient a cold.

Right now, we’ve got shit in the water supply.

It’s possible the water gets so dirty that no one can drink from it anymore. This would be all of us saying the net is too dangerous to connect to.

It’s possible we all keep guzzling away and all die.

Or maybe we can start getting smart and diversifying our water supply, getting smarter about cross-contamination, drill separate wells and avoid tapping the same water table.

This sort of problem is what birthed modern epidemiology, long ago, when Dr. Snow figured out a cholera epidemic’s source in London. Facebook is like all of us drinking from the same well.

In general, I’ve come to believe that the norm for systems is to interconnect, to form larger networks, and for sub-areas in that network to evolve into specialization. In the process, they lose autonomy. Eventually, they end up as appendages — sometimes vital, sometimes optional — to the larger organism. The larger network is almost certainly more powerful, more likely to survive, capable of greater things. But when it goes, everything in it goes too. Bits and bobs survive, or dissolve back into constituent parts. Anything over-specialized at that point is almost certainly going to perish, to be used as building blocks for a different network.

We’re fine with this when we are the larger network. Paring our fingernails is no big deal, and the fingernails don’t get a vote. When we are in the larger network, though… it’s likely to our individual benefit not to permit it to reach too high a level of interconnection, specialization and sophistication. It simply means we’re each more vulnerable to the failure of some strongly interconnected node way up the line — just like the tendon in our toe is screwed if our nervous system gets shut down.

Anyway. Pay attention to Petya. Think about how much of your life is online. Assume every connected service will some day shutter. Consider your personal strategies, and contemplate the larger scale. I’m not a radical individualist, not by a long shot… not the sort to say we should hoard gold and have self-sufficient farms in our back yards. But I am someone who more than once has built entire complex communities with hundreds of thousands of nodes — technological and human nodes — and watched them fall prey to single points of failure.

This isn’t about cute Internet of Shit jokes anymore. It’s about how gangrene spreads.

The best posts of the last five years

https://www.raphkoster.com/2017/06/23/the-best-posts-of-the-last-five-years/

Game talk

Five years ago, I was asked to put together a list of the best articles on the website. I did, and it’s been linked as “recommended posts” up on the menu under the Blog section for a few years now.

Just the other day, I was asked by Jordan Amaro (@JordanAMAR0) whether I was ever going to update it. Probably at some point, but in the meantime here’s a list of the ones I think are best from the last five years.

Looking over the list, the things that jump out at me are: a lot more posts about the game business and trends, about general topics like creativity, and about the intersection of the virtual with the real — the way tropes from online worlds are impinging upon our daily lives. I also note quite a lot of looking backward in these: game histories, postmortems, etc. Of course, this was also the period that encompassed the Great Formalism Wars of 2012, which seem overblown given hindsight. And lastly… despite my feeling I am hardly posting anything, this is a pretty nice list for five years!

General game design

These are talks or posts about general game design topics: history of games, systems design advice, that sort of thing.

Postmortems and anecdotes

The bulk of this section is the epic postmortem of Star Wars Galaxies wherein I discuss the way in which the economy, procedural content systems, and social systems were designed… and talk about the failures around Jedi and ultimately what led to the NGE, which stands to this day as an object lesson for MMO developers.

Game criticism-related

These essays aren’t about game design per se, but more about how we talk about games. They aren’t “formal” enough to fit into the “game grammar” category, though, as they are mostly about topics more on the humanities side, or even about games criticism as a field, or how we as developers and critics talk to one another. Some of these were controversial, but it’s because of that that I include them on the list; they were part of a large conversation that took place, and it was an important one.

Theory of Fun and game grammar

This is stuff directly related to the very formal exploration I’ve been doing of “how games work” for over a decade now. It’s less directly applicable than the stuff in the general game design section, but is instead more structural.

Games and society

These are all about the impact of games on our everyday world, more or less. Some of them are very concrete and specific, and others are a lot more intellectual. Many of them are about how we can work to create ethically. Several of them are outside of “games” per se. I’m particularly proud of “Digital Bards,” even though several other ones from here got a lot more traction.

Game industry/business

These are mostly about games as a business; some of them are a little bit dated in terms of referencing events from when they were written, but I think they are all still very relevant.

Game design practice/developer advice

These are about being a game developer, and advice on things like creativity, career, and evaluating your and other people’s work.