SD TIMES BLOG
 
jhildebrand

Getting secure: First steps

by J.D. Hildebrand 04/17/2012 04:53 PM EST

Again and again, over the past months, I’ve returned to the topic of security. Events have shown that our networks, data, and applications are extremely vulnerable. The potential attackers are malicious kids, criminals who hack for profit, other companies, and even governments (foreign and, alas, domestic). The U.S. Defense Department, which has substantial resources, including classified technologies, to throw at the problem, has concluded that it is safest to assume all of its networks have been compromised. As the director of the Information Systems Analysis Center at Sandia National Labs says: “[Malware] is on our machines, and we’ve got to operate anyway.”

I hope by now that I’ve convinced you there is a problem. Obviously, there is. And it’s a big one.

The next question is, what do we do about it?

The traditional answer, for developers, is that we do nothing. Security is an operations issue, not a development issue. We implement password protection where it belongs, we use encryption libraries if users specify that level of protection, and that’s it. Keeping the computers and data secure is someone else’s problem.

That answer doesn’t suffice any longer. The security problem can’t be solved without the active engagement of developers. Our contributions are necessary.

So…how do we begin?

This question has been asked hundreds of times on online programming forums. “Never trust user input” is the most common response. You can spend a few hours reading itemized lists of advice, and much of it makes sense. But it’s hard to translate all of those imperatives into working code and changed work habits.

I think it’s better to start with a comprehensive overview of potential vulnerabilities. You know – a systematic approach. Take a look at the Common Weakness Enumeration site. CWE is a software assurance initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. It’s a sort of community-based dictionary of security vulnerabilities. The hours you spend browsing this database will be time well-spent. You can translate the site’s taxonomy of vulnerabilities into an action plan for design, coding, and testing.

If you can’t solve all your security problems at once, you need to prioritize. Start with this list of the 25 most dangerous software errors.

I really like this series of security articles for Java programmers.

I’m curious about the Microsoft Security Lifecycle system. If you have experience with it, or with comparable offerings from other vendors, get in touch with me via the comments.

I’ll come back to this topic in future posts.

Web recommendation: I came to the Oracle v. Google patent-infringement lawsuit with no preconceptions, and I haven’t heard Google’s side of the story. But I do find this pretty convincing.

J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He has recently become acquainted with the wonderful work of Studio Ghibli.

Currently rated 3.0 by 12 people


Share this link: http://www.sdtimes.com/blog/1993

Tags:

security | software development

jhildebrand

An agenda for the industry

by J.D. Hildebrand 03/26/2012 12:30 PM EST

If you haven’t noticed, software development faces some severe challenges right now. Serious problems face us – not in some hypothetical time-frame, but right now. And I am sorry to say that the tool vendors and thought leaders we count on are letting us down. They’re focusing on other matters entirely.

I don’t mean to pick on Java, but that’s the example that comes to mind. A year from now Java will support lambda expressions. The big brains directing the evolution of what is arguably the industry’s most important language surveyed the computing terrain and decided the best thing they could do for developers was add syntax for lambda expressions.

Are you freaking kidding me?

To be fair, the Java team is also grafting modularity-control features onto Java via the Jigsaw project, and these features could be of real benefit to Java programmers. But still…lambda expressions?

Here are the things we developers ought to be focusing on.

Security

Yes, I know. I’m a broken record on this issue. But we don’t face a bigger challenge, and the days of shrugging off security as an operations concern are over. If you have a wireless router in your company, a bad guy in your parking lot can have access to your network in two or three hours using off-the-shelf tools and a $350 laptop.

You think your firewalls and strong passwords are sufficient protection? You’re dreaming. The U.S. military spends billions defending its servers, and last week it told the Senate Armed Services Committee that these security measures have failed. The military now assumes that hostile forces have network access, and it is shifting its focus from controlling access to protecting data. “[W]e have to go to a model where we assume that the adversary is in our networks,” said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. “It’s on our machines, and we’ve got to operate anyway.” Anonymous has demonstrated it can compromise pretty much anyone it targets. If your network hasn’t been compromised yet, it’s because the bad guys haven’t selected you as a target yet. When they do, your security measures will fail.

This isn’t just an operations problem. It’s everyone’s problem.

Development processes

The Agile movement is popular – and why not? It’s a feel-good set of aesthetic principles unencumbered by a development process. XP, Scrum, and Kanban let us throw off the chains of heavyweight development methods and get back to coding.

This is no way to achieve reliable, repeatable results. It’s de-evolution in action, a return to the days of late-night hack attacks and reliance upon the heroic contributions of uncommonly talented superprogrammers. Too many companies are betting their futures on this family of untested, unproven non-methods.

CASE tools and formal methods were no fun – I get that. They sacrificed flexibility and improvisation and even personal fulfillment for reliable, repeatable results. They weren’t the fastest or the most enjoyable way to get from Point A to Point B, but they did guarantee you’d get there. You can’t say that about Scrum.

Platform fragmentation

It was a big deal when we went from building Windows apps to building net-enabled apps that split program logic along the well-established seam between lightweight clients and back-end servers. But that was nothing. In the very near future, we’ll be asked to deliver apps that run properly on arbitrary hardware with dramatically varying specs, all running different operating systems. It’s an unprecedented challenge for the software development community.

The traditional approach has been for IT to set up a list of approved hardware and software platforms, and thereby to limit the demands on application developers. But that discipline has broken down. You can’t keep your company’s workforce from bringing in their new tablets and smartphones, and from demanding that these devices be given access to corporate apps. The security concerns alone are daunting – how do you keep your network secure when the CEO misplaces his iPad in an airport lounge on another continent?

And don’t get me started on cloud computing. The security implications alone should give you serious pause. Rearchitecting your apps may not take as long as you fear, but the split between your resources and your cloud vendor’s servers will remain brittle. I lived in San Francisco long enough to know you don’t build something important on a fault line.

Inadequate tools

If I read the surveys correctly, you probably don’t remember the transition from DOS programming to Windows. I remember it well – I was at the heart of it. The programming tools and languages that had served us well in the single-tasking, character-mode environment were inadequate to the demands of GUI programming. The industry responded with visual programming environments, object-oriented programming languages, application frameworks, and plug-in reusable modules. Eventually these tools allowed us to cut the challenges of Windows programming down to size.

What tools and languages are addressing today’s challenges? Python? Ruby? C#? Honestly, they all seem to be addressing niche problems. It seems to me we’re being sent into this battle empty-handed. Or am I missing something?

Yes, these state-of-the-industry rants are supposed to be posted in December or January. I’ve broken one of the unwritten laws of tech bloggers, and the authorities will no doubt crack down on me. But I had to get this off my chest.

Am I the only one who has noticed that we’re in deep, deep trouble?

Web recommendation: The evocative phrase “Internet of Things” always catches my attention. Here’s a rare substantive discussion of what the term refers to, by Google’s Vinton G. Cerf, a U.S. Medal of Technology recipient, ACM Turing Award winner, Japan Award winner, etc., etc. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He has rediscovered the joy of peanut butter.

Currently rated 1.5 by 93 people


Share this link: http://www.sdtimes.com/blog/1982

Tags:

security | cloud | mobile development | Best Practices | cloud computing | applications | java | agile | tablets

jhildebrand

The Feds arrested Hector Xavier Monsegur last June. Monsegur is better-known in the online world as Sabu, a leader of LulzSec, a highly active subsidiary of the Anonymous hacker collective.

Prosecutors charged Monsegur with crimes that could land him 122 years in lockup, so he made a deal. In exchange for leniency, he agreed to help FBI investigators nab as many LulzSec and Anonymous agents as he could – and that’s just what he did. For the past 10 months, Monsegur has been a double-agent. He’s continued his LulzSec activities using a computer supplied by the FBI, with an agent sitting at his elbow. He’s maintained his Sabu identity on Twitter and IRC. But now, all of his online activities and communications are logged by federal agents. The FBI has warned targets of incoming Anonymous attacks. And so far, the Feds have arrested five more LulzSec hackers.

Monsegur’s guilty plea and cooperation agreement cover more than his LulzSec activities. He’s also admitted to marijuana trafficking, illegal firearm possession, credit-card fraud, and receipt of stolen property. It’s not clear that he’ll serve a day in prison for any of these activities. Which is okay, I guess. It’s common for informants to receive clemency in return for their cooperation in bringing down other criminals.

What I’m curious about is how the Federal Witness Protection Program will manage to keep Sabu safe from Anonymous retaliation. If this guy ever touches a computer or a smartphone again, they’ll be all over him. I don’t think much of his chances.

Web recommendation: Told you so. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He laughed out loud at the logical flaws in the moderately enjoyable movie Rise of the Planet of the Apes.

Currently rated 3.4 by 8 people


Share this link: http://www.sdtimes.com/blog/1977

Tags:

security

jhildebrand

One for the entrepreneurs

by J.D. Hildebrand 03/06/2012 03:34 PM EST

Do you want to sit in that cubicle forever? Or do you cherish a secret dream of striking off on your own? Wouldn’t you like to start a small business and see if you have what it takes to make it grow? “Every normal man,” said H.L. Mencken, “must be tempted at times to spit upon his hands, hoist the black flag, and begin to slit throats.”

The problem with going rogue is that entrepreneurship is risky. We settle for lives as employees because we have too much at stake to roll the dice on a questionable business venture. Prudence is an understandable and appropriate response to decisions of magnitude. But we promise ourselves that if ever the right opportunity presents itself, we’ll make the leap.

I’m here to tell you that the opportunity is here. You want to start a business with an excellent chance of success and rapid growth in the U.S. and Western Europe? I’ve got the idea for you.

If you’ve been reading my posts here regularly, it’s possible you’ve already connected the dots:

Here’s the deal. Over the past decade, cities, counties, and states across America have augmented their electronically controlled water, gas, traffic-control, public-transport, and electrical systems with offsite command-and-control systems, wiring them up via Internet connections. Putting utilities online has improved efficiency and reduced costs, but it has exposed critical elements of the public infrastructure to malicious hackers.

Municipal systems have not been targets of cyber-attacks in the past, and they lack all but the most rudimentary security measures. If password protection is enabled, the systems are generally protected with the manufacturer’s default passwords. That’s how naïve local governments are about protecting their assets.

You want to be an entrepreneur? Here’s how you do it. Travel from city to city, analyzing vulnerabilities and installing protection. You don’t have to invent technology here. Tried-and-true secure lines, encryption, password protection, and firewalls will do much to make critical systems more secure. Help local governments organize and adopt attack-response measures.

Almost all utility systems are vulnerable, but cities have been slow to act. The need is urgent and the market is on the verge of exploding. Now is the right time to jump into this field.

You may find yourself more marketable if you acquire credentials. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) offers classes on infrastructure protection through the National Cyber Security Division’s Control Systems Security Program. US-CERT’s Cross-Sector Roadmap for Cybersecurity of Control Systems (PDF) contains some excellent background data that you will want to include in your business plan and your sales presentations.

If you’re serious about stepping out on your own one day, I think now’s the time to do it. This is an opportunity to achieve independence, make a bundle of money, and help the good guys defend themselves against attack. Why wait?

Web recommendation: In my most recent post I cited Edge, which describes itself as a collection of the world’s “most complex and sophisticated minds.” I’ve spent some more time with the site since then, and I must say I am not impressed. The articles suffer from grammatical errors, misused and inconsistent punctuation, dead links, and misspelled words. Don’t get me wrong, there’s some great stuff there. (And I dare say you’ll find the odd typo among my own online postings here and elsewhere.) It’s just, for a site that goes out of its way to proclaim itself the homepage of the world’s top intellectuals, edge.org has an embarrassing number of errors. The folks at Edge may be brilliant, but even geniuses need editors. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He’s dead serious about the entrepreneurial opportunity he outlines in this post.

Currently rated 2.5 by 8 people


Share this link: http://www.sdtimes.com/blog/1972

Tags:

security | General

jhildebrand

With a recent case, the U.S. Supreme Court had a perfect opportunity to shed some light on the murky—and increasingly important—issue of privacy in the digital age. The court made the right decision, in my view, but the majority's decision sidestepped the compelling social issues presented by the case. So we will have to wait for future decisions—and, no doubt, legislation.

It all started when Washington D.C. police suspected a man named Antoine Jones of being a drug dealer. They got a warrant to place a GPS device on his wife's car, and they subsequently tracked his movements for 28 days. The warrant was good for just 10 days, however, and the GPS wasn't attached until the eleventh day. Moreover, the police tracked the car's movements through Maryland, though the warrant was valid only in Washington. Nonetheless, the police arrested Jones. Prosecutors used the GPS data at trial.

Prosecutors held that the GPS data could be admitted even though it was not covered by a warrant. Their argument was that someone's movements along public streets are public acts, not private, and that Jones had no reasonable expectation of privacy regarding his movements. They pointed out that police cars could follow Jones's car from place to place without a warrant, and argued that the GPS was essentially the same. No warrant, they said, was necessary for the police to record a suspect's movements on a 24/7 basis.

Jones was found guilty, but the case was reversed by the D.C. circuit court. The case wound up in the U.S. Supreme Court as United States v. Jones.

The Supreme Court agreed that Jones's conviction was invalid because the GPS data was collected illegally. The court did not, however, resolve the issue of whether police must obtain a warrant to track and record suspects' locations. Instead, the court concluded that the police erred in placing a physical GPS device on the car. This action, the court concluded, was trespassing. The court did not rule on whether the government could or could not collect round-the-clock electronic surveillance data on citizens who have not been convicted of a crime, without even a warrant.

So an important legal issue remains unresolved. Our cell phones pretty much always know where we are, and our cell-phone providers have access to location data. Internet service providers know the physical locations of our hook-up sites. More and more devices and Web services collect location data on us. In a scary and increasing number of cases, the government is claiming this data without establishing probable cause or securing a warrant. It's a very disturbing development.

The court's decision was unanimous, but justices wrote three opinions. The majority opinion, which outlined the GPS-attachment-as-trespassing theory, was written by justice Antonin Scalia and signed by chief justice John Roberts and justices Anthony Kennedy, Clarence Thomas, and Sonia Sotomayor. A second opinion, written by justice Samuel Alito, was signed by justices Ruth Bader Ginsburg, Stephen Breyer, and Elena Kagan. The opinion likened GPS monitoring to wiretapping phones, and argued that the Fourth Amendment to the Constitution protected citizens from such actions. Justice Sotomayor, who signed Scalia's opinion, contributed an additional opinion in which she argued that the court's ruling that a person “has no reasonable expectation of privacy in information voluntarily disclosed to third parties” was “ill suited to the digital age.” Sotomayor pointed out that people disclose phone numbers and SMS messages to their cell-phone providers, and URLs and e-mail addresses to their ISPs, and the books, groceries, and medications they purchase to online retailers. “I for one doubt,” Sotomayor wrote, “that people would accept without complaint the warrantless disclosure to the government a list of every Web site they had visited in the last week, month, or year.”

I doubt it too. But until the court makes another ruling—or Congress jumps into the issue with legislation—the issue remains unresolved.

Web recommendation: Hey, look—MIT is the new home for Google's App Inventor. The technology lets kids and nonprogrammers create Android apps easily. MIT intends to make App Inventor an open-source project. You can get all the details here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He made a nice potato chowder for lunch today.

Currently rated 2.3 by 12 people


Share this link: http://www.sdtimes.com/blog/1950

Tags:

security | People | Search

jhildebrand

Do you have a wireless network? Me too – I've had one for years. WiFi is easy to set up, there's virtually no administrative overhead, and the benefits are hard to ignore. It's no wonder so many businesses, public spaces, schools, and homes are going wireless.

Every network requires security, of course. In wireless networking, security standards are managed by the Wi-Fi Alliance. (Note: I spell it "WiFi," but the Wi-Fi Alliance, which owns the trademark, says "Wi-Fi." You, of course, are free to write it either way.) It is the Wi-Fi Alliance that has standardized on Wi-Fi Protected Setup, or WPS. Among its various specifications, the standard requires that each wireless router must have a unique eight-digit PIN. The PIN secures access to the network against unauthorized traffic and is key to encrypting wireless traffic. It must remain secret for the network to be secure. An attacker with the PIN could retrieve the network's password, reconfigure the wireless access point, or cause a denial of service.

The eight-digit format selected for the PIN allows for 100,000,000 possible combinations. This means that a brute-force attack, given an average two-second signal-response time, would take years.

Researchers have discovered flaws in the implementation of the WPS PIN standard, however. Routers send a response signal after the first four digits have been entered, indicating if they are right – which means the two halves of the PIN can be attacked separately. Getting the first half of the PIN requires a maximum of 10,000 guesses. The second half of the PIN is weaker because the eighth digit is a checksum. This means that after an attacker has correctly identified the first four digits, he need test only 1,000 additional combinations. (The total number of combinations is reduced, in this scheme, from 10^8 possible PINs to 10^4 + 10^3.) The bottom line is that the PIN can be ascertained in a maximum of 11,000 attempts – which means a hacker can breach the network in a couple of hours.

Virtually all routers that implement the WPS standard share this vulnerability, including routers from Belkin, Buffalo, D-Link Systems, Linksys/Cisco, Netgear, Technicolor, TP-Link, and ZyXEL, according to testers.

Researcher Stefan Viehböck tested a number of routers and found that only one vendor, Netgear, implemented an extra layer of security for its PIN. Viehböck found that Netgear routers slow their response time after being offered incorrect PINs repeatedly. The slowdown means that the tested Netgear router can be disarmed in a day, rather than in two hours.

There appears to be no workaround for this security vulnerability, save disabling WPS (which may not be possible with most routers).
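The two numbers the post leans on (a whole-PIN search of 10^8 candidates versus a split search of 10^4 + 10^3) and the Netgear slowdown it describes are easy to model as a small defender's risk calculation. The following is an added example, not code from the post or from Viehböck's paper; it computes the worst-case effort to exhaust the PIN space under each verification behaviour and shows how much a lockout policy actually buys. The two-second response time comes from the post; the lockout parameters (`lockout_after`, `lockout_seconds`) are constructed assumptions chosen to illustrate the "a day rather than two hours" figure quoted above.

```python
"""Worst-case effort model for the WPS PIN weakness (constructed example).

Compares a router that checks the whole eight-digit PIN at once with one that
confirms the first four digits separately, and shows how a lockout policy
changes the time an attacker needs in the worst case. It is a risk-estimation
aid for deciding whether rate limiting is an adequate mitigation; it does not
talk to any device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    split_verification: bool        # AP confirms the first half on its own?
    checksum_last_digit: bool       # 8th digit derived from the other seven?
    seconds_per_attempt: float = 2.0   # average round trip quoted in the post
    lockout_after: int = 0          # attempts before a lockout kicks in (0 = none)
    lockout_seconds: float = 0.0    # how long each lockout lasts (assumption)


def worst_case_guesses(policy: PinPolicy) -> int:
    """Number of PIN candidates that must be tried in the worst case."""
    if not policy.split_verification:
        # Whole PIN checked at once. The post's 100,000,000 figure ignores the
        # checksum digit; accounting for it gives 10^7, still years of work.
        return 10 ** 7 if policy.checksum_last_digit else 10 ** 8
    # First half confirmed independently: 10^4 candidates. Second half has
    # only three free digits when the eighth is a checksum: 10^3 candidates.
    first_half = 10 ** 4
    second_half = 10 ** 3 if policy.checksum_last_digit else 10 ** 4
    return first_half + second_half


def worst_case_seconds(policy: PinPolicy) -> float:
    """Wall-clock time to exhaust the space, including lockout pauses."""
    guesses = worst_case_guesses(policy)
    total = guesses * policy.seconds_per_attempt
    if policy.lockout_after > 0:
        # Every full batch of `lockout_after` attempts triggers one pause.
        total += (guesses // policy.lockout_after) * policy.lockout_seconds
    return total


def describe(policy: PinPolicy) -> str:
    """Human-readable summary: guesses, hours and years."""
    hours = worst_case_seconds(policy) / 3600
    return (f"{worst_case_guesses(policy):>11,} guesses, "
            f"{hours:,.1f} hours ({hours / 24 / 365:.2f} years)")


# Constructed policies corresponding to the behaviours discussed in the post.
WHOLE_PIN = PinPolicy(split_verification=False, checksum_last_digit=False)
SPLIT_PIN = PinPolicy(split_verification=True, checksum_last_digit=True)
# Assumed lockout: 60 s pause after every 10 wrong PINs (not a vendor figure).
SPLIT_WITH_LOCKOUT = PinPolicy(split_verification=True, checksum_last_digit=True,
                               lockout_after=10, lockout_seconds=60.0)

if __name__ == "__main__":
    for name, pol in [("whole PIN", WHOLE_PIN),
                      ("split halves", SPLIT_PIN),
                      ("split + lockout", SPLIT_WITH_LOCKOUT)]:
        print(f"{name:16} {describe(pol)}")
```

Running it reproduces the post's arithmetic: the split check collapses the work from a hundred million candidates (about six years at two seconds each) to 11,000 (about six hours), and the assumed lockout stretches that to roughly a day, which is the same order as the Netgear result above. The useful conclusion for a defender is that throttling changes the constant, not the exponent; only removing the split verification (in practice, disabling WPS) restores a search space that is infeasible.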

Viehböck's technical paper detailing the vulnerability is available here.

Web recommendation: Analysts at Kaspersky Lab have been hard at work on the Stuxnet and Duqu worms. They have concluded that both attacks were created by the same team, and that the team has probably developed additional malware. The report is here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He wishes you a happy new year.

Currently rated 3.1 by 19 people


Share this link: http://www.sdtimes.com/blog/1933

Tags:

security

jhildebrand

As far as I am concerned, security concerns dominated the high-tech world in 2011. The past year has seen the first documented attacks on American utilities, a probable act of cyber-war against an Iranian nuclear-processing target, fearless (and effective) attacks by the hacker collective known as Anonymous, and the emergence of cellular phones as malware targets.

There is no reason to believe these concerns will be any less urgent in 2012.

As snow falls over much of the U.S. and partiers around the globe prepare to celebrate New Year's Eve, security stories continue to dominate the headlines.

  • Under the headline “A cyber-remedy for poison,” the Economist took a break from its in-depth coverage of political and economic policy to bring its stodgy readers up-to-speed on the vulnerability of DNS servers to “poison” redirection. The Economist's article is basically a sales pitch for OpenDNS and its DNSCrypt privacy tool.
  • Another general-interest news organization, the Huffington Post, has published a report about the vulnerability of train systems to DDoS attacks. “Hackers could shut down train lines with DDoS attack: expert” is an in-depth evaluation of the vulnerability of train control systems that are increasingly interconnected via the Internet. The report is a bit breathless, but it brings a serious vulnerability to the attention of HuffPo readers.
  • Reuters has published a summary of research to be published by Karsten Nohl, head of Germany's Security Research Labs. “GSM phones vulnerable to hijack scams: researcher” is a preview of findings that Nohl will present at an upcoming hacking convention in Berlin. Nohl says virtually any of the world's billions of GSM phones could be subverted by hackers and instructed to send text messages or make calls to expensive premium services.
  • Identity Finder LLC has released details of its analysis of the recent Anonymous attack on Strategic Forecasting Inc., commonly known as Stratfor. The summary shows that activist hackers raided Stratfor's servers and emerged with more than 50,000 unique credit-card numbers, 86,000 e-mail addresses, 27,000 phone numbers, 44,000 passwords, and more. Hackers behind the break-in claim to have downloaded 2.7 million e-mail messages. The hackers have already used stolen credit-card numbers to make donations to charity.

Best wishes for a happy – and secure – 2012.

Web recommendation: Hey, this is fun: Odd technology job interview questions revealed. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks most cheesecake is too sweet – it ought to be creamy and rich, but not sweet. A thin layer of sour cream on top is a good sign.

Currently rated 1.8 by 31 people


Share this link: http://www.sdtimes.com/blog/1931

Tags:

security | malware | government | General

jhildebrand

In an earlier post, I suggested that the Stuxnet worm (some experts are pointedly calling it a trojan – I think both terms apply) could be considered the opening salvo in an as-yet undeclared cyber-war. Go ahead, accuse me of being melodramatic. Although no one is unambiguously taking credit for Stuxnet, the current consensus is that the malware was indeed an attack upon one nation by another.

In subsequent posts I have detailed the escalating vulnerability of civilian populations worldwide as intelligence and connectivity are added to elements of the critical infrastructure, including manufacturing, transportation, utilities, communications, and municipal services. The computerish components that automate services and coordinate communication are not well protected, to put it mildly. Many of the embedded systems used in industrial automation employ manufacturers' default passwords that are listed in documentation available for download over the Internet. Some default passwords are burned into ROM chips.

In the face of all this vulnerability, an unsettling idea has emerged. Since we probably can't make our intelligent networks invulnerable, maybe we should proactively launch the first attacks ourselves.

That, at least, is the suggestion of Herbert Lin, chief scientist at the Computer Science and Telecommunications Board at the U.S. National Research Council. In a presentation at a recent MIT/Harvard conference co-sponsored by the Council on Foreign Relations, Lin noted that experts are unable to build effective defenses against cyber-attack. The MIT Technology Review quotes Lin as saying, “Since you don't know how to do good defense, you can't prevent offensive dominance. And you can't do good deterrence because effective retaliation is hard. So if you want to take advantage of cyberspace, you will do offensive operations for nondefensive purposes.”

“We can't just defend,” agreed General Keith B. Alexander, head of the National Security Agency and the U.S. Cyber Command. Speaking at the U.S. Strategic Command's Cyber and Space Symposium last month, he said the U.S. must have the ability to attack other countries electronically. Such attacks might be launched in retaliation for state-sponsored cyber-espionage (it is widely believed that such spying has been conducted by Russia, China, and other governments) or for other reasons.

According to a November 2011 report to Congress, the Department of Defense “maintains, and is further developing, the ability to respond militarily in cyberspace.”

Earlier in 2011, Congress debated a bill that would give the President the power to shut off the Internet in the face of war and other national emergencies. The “kill switch” provision was removed from the bill after the Obama administration assured legislators that the War Powers Resolution already authorized such steps. Air Force General Robert Kehler, who heads the U.S. Strategic Command, told reporters, “I do not believe we need new explicit authorities to conduct offensive [cyber-war] operations of any kind.”

The authority to launch offensive cyber-war strikes is explicitly given to the President and the Pentagon in the fine print of the Defense Department's 2012 funding bill, which says, “Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace.” The bill continues, “[I]n certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged.”

Is it just me, or does all of this seem more than a little scary?

Web recommendation: I read a lot of government documents while preparing today's report, which was not much fun. The good parts are often buried deep in the fine print. That's the case with today's Web pick too. The page – it's here – is a National Transportation Safety Board analysis of a 2010 schoolbus crash in Gray Summit, Missouri. Investigators examined all the evidence and tried to identify the factors contributing to the crash. At the very end, the NTSB makes recommendations, including this one: “To the 50 states and the District of Columbia: (1) Ban the nonemergency use of portable electronic devices (other than those designed to support the driving task) for all drivers.” That's right, the NTSB is urging the states to outlaw the use of cell-phones, including hands-free devices, at all times. I actually think it's a pretty good suggestion, but I find it odd how the proposal is buried at the bottom of the page. It's a crazy world. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks this is shaping up to be a pretty good weekend.


Share this link: http://www.sdtimes.com/blog/1922

Tags:

security | government


Here are updates on some of the issues I've been following for the past few weeks.

Infrastructure attack a false alarm – for now. In a series of posts, I have made clear my concern about the ongoing effort to computerize utilities and municipal-infrastructure control systems. While intelligent systems can help us conserve resources and use energy more efficiently, computerization also leaves critical systems exposed to attack. A data point supporting my argument was November 8's widely reported cyber attack against an Illinois water utility's SCADA system. The Illinois Statewide Terrorism and Intelligence Center reported that a hacker with a Russian IP address had caused a pump to burn out. The cyber war had begun! Or maybe not. It turns out the SCADA system was accessed by a utility contractor, Jim Mimlitz, who was on vacation in Russia. While everyone is breathing a little easier, the fact remains that these systems are still vulnerable. It's only a matter of time until they are really hit.

Microsoft bullish on Kinect 2: Microsoft has realized that its Kinect game controller for the Xbox platform is potentially a good solution for a huge range of problems. Beta 2 of the Kinect SDK is available now, and Microsoft promises that a commercialized SDK will be available in early 2012. In the meantime, the Kinect hacker community is running full-tilt at every offbeat and potentially useful application it can imagine. The Kinect 2 will reportedly extend the Kinect's abilities a great deal. The new device may be able to read lips and even to detect users' emotional states with its facial-recognition algorithms. (If hackers were to install a back door into Kinect-enabled systems, they would essentially have around-the-clock video access to user sites, and the Kinect's voice-recognition routines could monitor speech for key words. What if the government were to install such software?) Check out Kinect Hacks. And if you haven't seen it yet, you might as well look at Microsoft's Kinect Effect video.

Software detects lies with voice analysis. Researchers are using a variety of methods to analyze speech and detect whether speakers are telling the truth. The New York Times has an informative article here: Software that listens for lies. It must be a lot of fun working on applications like these.

Pentagon sponsors hacking contest. A determined team of programmers has won $50,000 in a contest sponsored by the U.S. Department of Defense's Defense Advanced Research Projects Agency, or DARPA. The eight-member team successfully retrieved the contents of seven pages of documents that had been shredded into more than 10,000 fragments. The Pentagon is quite open about its motivation for the contest: “The goal was to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.” We already knew the government could intercept anything on the Internet. Now it turns out that they're looking to read our shredded documents. Congratulations, in any case, to the winners.

Web recommendation: Perhaps you have noticed that many programmers are also serious about cooking. You may be a good cook yourself, in which case you have no doubt already discovered the new Developer Cookbook section of sdtimes.com. Those recipes look good, but they're positively primitive compared to the cooking-as-rocket-science entries in Modernist Cuisine, a six-volume encyclopedia of cooking ingredients, methods, and technologies dreamed up by former Microsoft CTO Nathan Myhrvold. This lavishly illustrated tome has 2,438 pages and weighs more than 50 pounds. Your status as an amateur cook may not justify the book's $625 purchase price, but you should at least take a look via the authors' beautiful Web site. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He likes raisins and walnuts in his oatmeal cookies.


Share this link: http://www.sdtimes.com/blog/1911

Tags:

security | malware | UI development | cloud | cloud computing | intellectual property


Insecure

by J.D. Hildebrand 12/03/2011 03:40 PM EST

It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rootkits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data-mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with sufficient installation numbers to attract hackers has grown rapidly. Yes, most attacks are still targeted at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and frequently. Each new revision of Windows, iOS, Linux, HTML, Java, Office, and Android can be expected to fall to new generations of malware. A recent report from Columbia University researchers demonstrates that Web-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and revised, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can install a monitor to intercept data flowing through the fiber-optic cables that route Internet traffic across the ocean floor; SSL protects the contents of a session from such a tap, but not the fact that it took place, who the parties were, or how much was exchanged, and a great deal of traffic still crosses those cables in the clear.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have gathered tremendous resources to blow through conventional firewalls, encryption routines, and user authentication systems with ease. Except for the Stuxnet worm that apparently set back Iran's nuclear program a few months or years, most of these attacks have been small-scale efforts so far – proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all sit in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's National Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?


Share this link: http://www.sdtimes.com/blog/1910

Tags:

security | malware | government | cloud | cloud computing | embedded systems | email
