SD TIMES BLOG
 
jhildebrand

Insecure

by J.D. Hildebrand 12/03/2011 03:40 PM EST

It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rootkits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with installed bases large enough to attract hackers has grown rapidly. Yes, most attacks are still aimed at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and often. Each new release of Windows, iOS, Linux, HTML, Java, Office, and Android will attract its own generation of malware. A recent report from Columbia University researchers demonstrates that network-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and altered, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can tap the fiber-optic cables that carry Internet traffic across the ocean floor; SSL protects only the connections that actually use it, and only as long as the endpoints' keys stay out of the tapper's hands.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have assembled tremendous resources for getting past conventional firewalls, encryption, and user authentication. Except for the Stuxnet worm, which apparently set back Iran's nuclear program by months, perhaps years, most of these attacks have so far been small-scale efforts: proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all be sitting in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?


Share this link: http://www.sdtimes.com/blog/1910

Tags:

security | malware | government | cloud | cloud computing | embedded systems | email

jhildebrand

Last week I wrote about the risk of malware to industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities. These sites are increasingly subject to computer control, and therefore potential targets for worms and trojans that could wreak major damage. The security technology that protects industrial computers is very primitive compared to the monitors and barriers that are available to users of home PCs. I shared my conviction that the risk is “imminent and dire.”

I've continued researching this issue, and uncovered a vulnerability that I hadn't previously considered. We are even more vulnerable than I initially thought.

It turns out that electrical utilities throughout the country – all over the world – are in a mad rush to replace the electromechanical meters that have recorded home and business electricity usage for decades with new “smart” meters.

Smart meters make a lot of sense. They allow utilities to read customers' usage figures without sending a technician door-to-door. They alert utilities to power outages and energy theft. Utilities see them as hubs that coordinate energy-consuming appliances, scheduling them to run at off-peak hours when electricity is plentiful and inexpensive. Smart meters allow utilities to cut off electrical power without an on-site visit. Innovative pricing plans could be set up, in which customers pay a low flat fee for baseline consumption plus a premium price for overages, for example. Overall electrical savings of up to 10 percent have been reported. Studies demonstrate that the cost of upgrading to smart meters is quickly recouped in increased efficiency.

The problem is that smart meters carry two-way traffic between customers and utilities over links that are, at present, minimally encrypted at best. In the U.S., most utilities are standardizing on wireless links based on the ZigBee spec for the home-area side; other parts of the spectrum are in use as well. In Maine, customers reported that smart meters interfered with wireless routers, cordless phones, garage-door openers, and answering machines.

Application code for smart meters is written as though it will run in a trusted environment. Monitoring and control messages are relayed without authentication, so any device that can speak the protocol can issue them. Researchers have demonstrated that they can take over smart meters and inject malware that propagates from meter to meter. From there they can turn power on or off, read usage data, or extract sensitive configuration settings.

It would be a simple matter for a determined but relatively unskilled hacker to exploit these vulnerabilities to turn off the power to hundreds of thousands of customers at once, perhaps during the coldest days of winter, when electricity is vital to run (and in many homes to fuel) heating systems. The stakes are much higher than a virus infection on a home PC.
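As an added illustration of the authentication gap just described (example code written for this page, not code from any smart-meter vendor or from the researchers cited), the toy protocol below puts an unauthenticated disconnect command beside a hardened version. The frame layout, the opcodes, and per-meter key provisioning are assumptions made for the demonstration. The hardened handler verifies an HMAC-SHA256 tag over the header with a constant-time compare and rejects any frame whose counter does not advance, so a captured "disconnect" cannot be replayed and a key extracted from one meter does not sign for its neighbours.

```python
import hashlib
import hmac
import os
import struct

# Constructed toy command protocol for illustration only; it is not the frame
# format of any real AMI or ZigBee Smart Energy deployment.
# Header: opcode (1 byte) | meter id (4 bytes) | sequence counter (4 bytes), big-endian.
OP_READ, OP_DISCONNECT, OP_RECONNECT = 0x01, 0x02, 0x03
HEADER = struct.Struct(">BII")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_frame(opcode, meter_id, seq, key=None):
    """Build a command frame; with a key, append an HMAC-SHA256 tag over the header."""
    header = HEADER.pack(opcode, meter_id, seq)
    if key is None:
        return header
    return header + hmac.new(key, header, hashlib.sha256).digest()


class UnauthenticatedMeter:
    """The weakness described in the text: any frame that names this meter is obeyed."""

    def __init__(self, meter_id):
        self.meter_id = meter_id
        self.powered = True

    def handle(self, frame):
        opcode, meter_id, _seq = HEADER.unpack(frame[:HEADER.size])
        if meter_id != self.meter_id:
            return "ignored"
        if opcode == OP_DISCONNECT:
            self.powered = False
        elif opcode == OP_RECONNECT:
            self.powered = True
        return "ok"


class AuthenticatedMeter:
    """Same commands, but a frame is obeyed only if its tag verifies under this
    meter's own key and its counter is higher than the last accepted one."""

    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self.key = key          # per-meter key, assumed provisioned at install time
        self.powered = True
        self.last_seq = 0       # highest counter accepted so far (replay protection)

    def handle(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return "rejected: length"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        opcode, meter_id, seq = HEADER.unpack(header)
        if meter_id != self.meter_id:
            return "rejected: wrong meter"
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        if opcode == OP_DISCONNECT:
            self.powered = False
        elif opcode == OP_RECONNECT:
            self.powered = True
        return "ok"


def demo():
    """Run the same attacker against both designs and return the outcomes."""
    results = {}
    # 1. Unauthenticated meter: a frame copied from a captured packet's layout suffices.
    weak = UnauthenticatedMeter(meter_id=1001)
    weak.handle(build_frame(OP_DISCONNECT, 1001, seq=1))
    results["unauth_attacker_cut_power"] = not weak.powered

    # 2. Authenticated meter with its own key; a neighbour holds a different key.
    key_a, key_b = os.urandom(32), os.urandom(32)
    meter = AuthenticatedMeter(meter_id=1001, key=key_a)
    forged = build_frame(OP_DISCONNECT, 1001, seq=1, key=b"\x00" * 32)
    results["forged"] = meter.handle(forged)            # attacker has no key
    legit = build_frame(OP_DISCONNECT, 1001, seq=1, key=key_a)
    results["legit"] = meter.handle(legit)              # genuine head-end command
    results["auth_legit_cut_power"] = not meter.powered
    results["replay"] = meter.handle(legit)             # captured frame replayed
    neighbour = build_frame(OP_RECONNECT, 1001, seq=2, key=key_b)
    results["neighbour_key"] = meter.handle(neighbour)  # compromised neighbour's key
    results["powered_after"] = meter.powered
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-meter key is the detail that matters for the "hundreds of thousands at once" scenario: with one network-wide key, extracting it from a single meter authorizes commands to every meter that shares it. This block protects integrity and freshness only; encrypting the payload, which the text notes is also lacking, is a separate step.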

Less dramatic but still troubling is the potential for privacy loss. Utilities will no longer take once-a-month snapshots of electrical usage; they'll receive readings minute by minute. Researchers have demonstrated that different devices within the home generate recognizable signatures in detailed usage records. Electric companies, which have previously had minimal reason to maintain data-security policies, will be in possession of terabytes of potentially sensitive information. In an October 2010 report, the U.S. Department of Energy declared that smart meters “could significantly increase the amount of potentially available information about personal energy consumption…whether their (customers’) homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”
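To make the privacy point concrete, here is an added example (constructed for this page, not drawn from the research or the DOE report cited above) that infers appliance activity from one-minute whole-house readings. The readings and the per-appliance step sizes are made up for the demonstration; real load-disaggregation work learns signatures from labelled data and copes with overlapping transitions, which this simple step detector does not.

```python
# Constructed sample data and assumed signatures; not measurements from any real home.
SIGNATURES_W = {            # step size in watts when the device switches on or off (assumed)
    "refrigerator compressor": 120,
    "plasma TV": 300,
    "oxygen concentrator": 450,
    "electric oven": 2400,
}
NOISE_FLOOR_W = 50          # ignore minute-to-minute changes smaller than this
TOLERANCE = 0.12            # accept a signature within 12% of the observed step


def step_events(readings):
    """Return (minute, delta_watts) for every change above the noise floor."""
    return [(i, readings[i] - readings[i - 1])
            for i in range(1, len(readings))
            if abs(readings[i] - readings[i - 1]) >= NOISE_FLOOR_W]


def classify_step(delta):
    """Match a step's magnitude to the closest signature within TOLERANCE, else None."""
    best, best_err = None, TOLERANCE
    for name, watts in SIGNATURES_W.items():
        err = abs(abs(delta) - watts) / watts
        if err <= best_err:
            best, best_err = name, err
    return best


def infer_activity(readings):
    """Turn raw readings into (minute, appliance, 'on'|'off') events."""
    timeline = []
    for minute, delta in step_events(readings):
        name = classify_step(delta)
        if name is not None:
            timeline.append((minute, name, "on" if delta > 0 else "off"))
    return timeline


def summarize(readings):
    """What a utility (or an intruder on its systems) can learn from one hour of data."""
    timeline = infer_activity(readings)
    return {
        "appliances_present": sorted({name for _, name, _ in timeline}),
        "fridge_cycles": sum(1 for _, n, s in timeline
                             if n == "refrigerator compressor" and s == "on"),
        "medical_equipment_in_use": any(n == "oxygen concentrator" for _, n, _ in timeline),
        "timeline": timeline,
    }


def sample_hour():
    """Constructed one-minute readings: 200 W baseline plus fridge, TV, oven, concentrator."""
    readings = []
    for m in range(60):
        watts = 200
        if 5 <= m < 15 or 35 <= m < 45:   # compressor runs twice
            watts += 120
        if 20 <= m < 50:                   # TV on
            watts += 300
        if 30 <= m < 46:                   # oven on
            watts += 2400
        if m >= 55:                        # concentrator switched on near the end
            watts += 450
        readings.append(watts)
    return readings


if __name__ == "__main__":
    for key, value in summarize(sample_hour()).items():
        print(f"{key}: {value}")
```

Even this crude detector recovers when the household cooked, watched TV, and switched on a piece of medical equipment from nothing more than a sequence of wattage numbers, which is exactly the information a utility now holds for every customer behind a smart meter.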

Smart meters are being installed by the millions, both in the U.S. and around the world. The U.S. has invested about $8 billion in the transition so far. Utilities are eager to install the meters, in part because peculiar aspects of their regulation agreements specify that the amount they charge customers is related to the amount they spend on infrastructure improvements. (Don't get me started.)

In August, California's Public Utilities Commission drafted rules requiring the state's three largest utilities to implement baseline security measures in smart meters. Comparable rules are lacking elsewhere.

I would worry even if security guidelines were universally implemented. Electric meters may get periodic firmware updates, but the basic hardware is replaced only after 15 or 20 years of use. History teaches us that encryption methods and other security measures that seem sufficient according to today's standards will be laughably inadequate in years to come.

The good news, I suppose, is that all of this technology deployment means more employment for software developers. Including, I predict, those with a solid background in implementing data-security measures.

Web recommendation: Programming blogs are a dime a dozen. Most start strong with a couple of long-overdue, comprehensive rants, then subside into irregular griping. Jeff Atwood's Coding Horror is an exception. Jeff shares enough personal detail to surface as a real human being, and his technical articles are well-written and interesting. Very good stuff. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He is slowly warming (no pun intended) to the Serbian notion of heating with wood.


Share this link: http://www.sdtimes.com/blog/1903

Tags:

security | government | embedded systems

jhildebrand

The microprocessor has done much more than fuel IT installations, PCs and laptops, smartphones and tablets. It's also allowed designers to build intelligence into a wide range of brute-force hardware devices. Modern refrigerators, automobiles, and home thermostats routinely have more MIPS and RAM than my first PC. Microprocessors allow utilities, manufacturers, and municipalities to control networks of smart machines. Factories, power-generation stations, water infrastructures, streetlights, hospitals, airports, and urban-transit networks are all increasingly monitored and controlled by dedicated computer systems. And those systems rely on the Internet for the flow of information and control.

This is all part of a vision that is sometimes called “the Internet of things.” The idea is that we can embed and distribute a little bit of intelligence into each of the myriad objects that surround us. Intelligent systems will prevent supermarkets from running out of popular items, or from ordering too much fresh produce, resulting in spoilage.

The good news is that computers can make processes and networks run more efficiently. They can help us save materials and energy. And of course, where there are microprocessors, there are employment opportunities for programmers.

But there's a downside, too. The past two years have seen the first major malware outbreaks aimed at the Internet of things. The Stuxnet worm, for example, was apparently an attack on Iran's nuclear program: it reached the control systems of the uranium-enrichment program and damaged centrifuges by manipulating their rotational speed while reporting normal readings to operators. Hackers have published security holes in widely used supervisory control and data acquisition (SCADA) systems from Siemens. The U.S. Department of Homeland Security reports that the hacker group Anonymous has shown interest in hacking industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities.

Many things must change before we can address this vulnerability in essential infrastructure. Most importantly, those responsible for running industrial and government installations must acknowledge that the threat against them is real. Until now, they have believed themselves safe because they run custom hardware, their systems are obscure to the general public, and they are not connected to the Internet the way offices, individuals, and IT departments are. None of that is real protection: obscurity is not a security control, and isolation that is not enforced is not isolation. Real progress toward securing these installations will not be made until we acknowledge our vulnerability.

The potential for hackers to disrupt essential services – and even cause loss of life – is imminent and dire.

Web recommendation: It's not just nuclear facilities that face the threat of malware. Research shows that smartphones are showing up on the hacker community's radar, and not in a good way. Researchers at Juniper Networks have published a report showing a 472 percent increase in Android malware samples since July 2011. The figures are a little misleading: the infection rate for phones is still much lower than for Windows PCs, even after a half-year of explosive growth. But it's certain that smart phones in general, and Android devices in particular, are now subject to infectious malware. Juniper summarizes its report here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks marrying sauces to the right kind of pasta is a subtle and demanding artistic specialty.


Share this link: http://www.sdtimes.com/blog/1902

Tags:

malware | government | embedded systems

jhildebrand

An operating system for cities

by J.D. Hildebrand 10/04/2011 11:04 AM EST

What if you could write applications to optimize and control the behavior of real devices scattered throughout your city?

Every city contains thousands of devices that could potentially be monitored, controlled, and synchronized intelligently.

Consider traffic lights. With a few lines of code you could ensure that fire trucks never hit a red light on their way to a fire. This would make emergency response times faster and it would probably reduce the number of accidents caused by cars blundering into the paths of speeding fire engines.

You could write a few more lines of code to implement intelligent control of temperature and lights in schools and city offices.

I bet there are plenty of opportunities to optimize your city's water-delivery pumping systems.

Once you start thinking about it, there are hundreds, maybe thousands of benefits to wiring up all the city's monitoring and control systems, and coordinating them in an intelligent manner.

That's the dream of Living PlanIT, which has created Urban Operating System, which is – well, just what it sounds like. An operating system for cities.

I like the thinking behind this idea. The potential for energy savings alone is immense.

I don't know if Living PlanIT has competitors. I'm not even sure an operating system is the right technology for implementing these kinds of solutions. (Once the devices are networked the hard part is done, right? All you need is a simple communications protocol for monitoring and controlling behavior. And such protocols are already abundant in the embedded-systems world.)

But I wish 'em luck. This is an idea whose time has surely come.

And, um...I hope they're putting major thought into security. Because I don't want to be traveling through New York in a taxi when a hacker decides it would be fun to scramble the behavior of the stoplights. Or whatever. Not that hackers would ever do such a disruptive thing, of course.

Web recommendation: Serbia is a small, poor country with a history that's as complicated as – well, as complicated as the Serbian language. (Don't get me started.) But for such a tiny nation, it's doing incredibly well in sports competitions these days. The latest good news: Serbian women's volleyball team wins European gold. Go Serbia! J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He recently relocated to a small town outside Belgrade – stop by if your travels take you through Serbia.


Share this link: http://www.sdtimes.com/blog/1862

Tags:

embedded systems | web

vreitano

Is Dev Ops Myopic?

by Victoria Reitano 06/09/2011 12:28 PM EST

Theresa Lanowitz, founder of Voke, Inc., an independent technology analyst firm, said that to talk only about breaking down the silos between the development and operations teams would be myopic; the conversation, she added, needs to include architects, the QA team, and business analysts.

“Dev Ops is a faddish term. We’ve spoken for the past 10 years about breaking down the silos,” Lanowitz said, adding that software developers need to look at transforming the whole lifecycle and evaluating the entire supply chain in order to keep evolving the application lifecycle management process.

Conversations and connectivity between teams, with a focus on their individual skills, are an important part of the process, she said.

Developers will not become operations professionals and operations will not become developers, Lanowitz said; each will keep its own specialized skills, but they should be able to connect with one another about software development projects. This is part of the ALM idea that traditional IT is merging with embedded systems, something we'll feature in our story about Voke's recent ALM survey.

Are you breaking the silos? Are you a business analyst or software architect working with developers? Email vreitano@bzmedia.com; we’d love to hear your side of the story.

dworthington

We don't cover embedded news as frequently as in the past, so occasionally I like to update our readers on what's happening in the market. Earlier this week, Microsoft announced a CTP of Windows Embedded Compact 7, the next generation of its Windows Embedded CE platform. The release targets slates, media players, and other specialized devices with new content-sharing features, a new version of Internet Explorer, and synchronization with Windows 7 PCs. Microsoft has added Exchange 2010 AirSync and continues to support Microsoft Exchange Server. Windows 7-based embedded offerings were released last month.


Share this link: http://www.sdtimes.com/blog/1639

Tags:

embedded systems | Microsoft

kserignese

 

 

Inspired by his kids and wanting to start something he would be really proud of, serial entrepreneur and four-time CEO Gene Wang began his fifth start-up. Launching People Power in January 2009, Wang entered the “hot new space of green technology,” he said.

His answer to more efficient and cost-effective technology: this week’s announcement that the SuRF (Sensor Ultra Radio Frequency) Developer’s Kit for OSHAN (Open Source Home Area Network) is available. The release can help developers build smart, environmentally friendly appliances for household electronics and devices, using longer-range, lowest-cost, ultra-low-power radio technology, Wang said.

He did agree, however, that this release is aimed at people developing devices, but pointed to the gigantic new market for green technology, citing what Commerce Secretary Gary Locke told him: “Whichever country leads in energy will lead the world economy.”

The open source software and hardware kit is for wireless sensor networking, with an open source operating system and network stack based on TinyOS, the release said. It gives developers access to the long-range, low-power SuRF board, a PC board built around Texas Instruments’ CC430 system-on-chip. With the system integrated onto one chip, Wang said, the bill-of-materials cost is much lower. Of the system’s power consumption, he added, “I think we’ve defined a new high-water mark of power efficiency.”

With electricity costs on the rise and climate change looming, one can see how this kit is a step in the right direction. SuRF can be preordered now for US$149.95 per kit, which includes two SuRF boards. People Power is also running a competition for the developer who builds the coolest SuRF device by Sept. 15, 2010. The winner will receive 5,000 shares of People Power stock, $5,000, and a free SuRF board.

Interesting, but alarming facts:

- The United States' TV vampire power consumption (how much power is used when the TVs are off) is equivalent to the output of a coal-fired power plant.

- 98% of power used by a DVD player is when it's not playing a DVD.

- U.S. electric utility emissions: 7,830 thousand metric tons of sulfur dioxide, 3,330 thousand metric tons of nitrogen oxides, and 2,477,213 thousand metric tons of carbon dioxide.

 


Share this link: http://www.sdtimes.com/blog/1602

Tags:

open source | embedded systems

drubinstein

Embedded systems modeling tools provider Artisan Software has merged with embedded Java and Ada tools provider Aonix to form Atego, which will focus on safety-critical systems and software, the company announced today. James B. Gambrell, the former CEO of Artisan, will become executive chairman of Atego, responsible for the new company's strategic direction and future acquisitions. Pierre Cesarini, the former CEO of Aonix, will serve as CEO of Atego and will be responsible for worldwide operations.

Artisan Studio remains the company's flagship software for modeling, with support for UML, SysML, and architectural frameworks, while Artisan Workbench remains the company's development framework. Aonix brings in the PERC product line for application development in Java and Ada. Terms of the transaction were not disclosed.


Share this link: http://www.sdtimes.com/blog/1576

Tags:

embedded systems

 
 