Daniel Cuthbert lets us in on how designers and security can work together to stop the problem.
Bugs are getting worse; there is no doubt about that. But what can designers do to mitigate this, and just how bad are things? As a security specialist, Daniel talks about this topic with ease.
Daniel begins his talk by taking the WebExpo audience on a trip down memory lane, with the evolution of ‘the bug’ and some of the most memorable bugs over the years that you are sure to remember.
The first bug
September 1919 – Harvard found a bug in their system. It is the first reported case of a ‘bug’ and where the name comes from: literally, a bug stuck on a piece of paper.
Storm Rocket Launch
16th June 1992 – The software took a 64-bit variable and put it into a 16-bit variable. The rocket went up, then exploded. Not a great success story.
Psy broke the internet
Back in July 2012, Korean pop star Psy broke YouTube, all because YouTube used a 32-bit counter. When Psy’s hit ‘Gangnam Style’ reached 2.41 billion views, the counter couldn’t keep up. After this, YouTube had to move to a 64-bit counter.
Jay Chou lost his ape
Jay Chou found out that his Bored Ape Yacht Club NFT had been stolen after first thinking it was an April Fools’ Day prank. In fact, it was an NFT phishing scam in which the scammer sold his beloved ape for 164 ETH.
But these are all engineer-induced bugs, you might be shouting.
They are, Daniel explains, but they are also great examples of where malicious bugs have evolved from. The problem is that, since then, things have gotten much, much worse.
Bugs in operating systems
From here, we saw the rise of the global surveillance industry. In the last 10 years, there has been the industrialisation of bugs. It was during this time that bugs became valuable to scammers, businesses, governments and even individuals.
‘It’s a golden age of espionage in terms of stealing information’ – Kenneth Geers.
Now, there are UX bugs. And this is where Daniel urges designers to sit up and take notes.
So let’s now look at ways in which these innocent-sounding bugs have evolved and take a closer look at the empires that are using them.
Italian hacking team
This group brought together loads of their bugs but started exploiting them for people with money. This, in effect, was the start of a market for selling information. This is where hackers began using UX design in their work. No longer were hackers tucked away with their black screens; they had sleek setups and weren’t afraid to use them.
NSO Group
This is a hacking team based in Israel. They sell pervasive capabilities for people to gain access to data and infrastructure.
From here, lawful intercept tools began being used due to the sheer amount of data that was being used by these hacking groups. It has been found that over 120 companies are selling bad data.
Exploit.in
This is a Russian website that facilitates discussion between criminals and the sale of bad data. This is not a site hidden on the dark web; it’s accessible to all, and authorities are careful to get involved.
Daniel couldn’t mention hacking groups without mentioning one of the best hacking teams of all time…
The Hacking group of North Korea
This group steals crypto as well as other finances from around the world. They exploit new and old bugs and no one can stop them; conservative estimates suggest they have stolen over 4 billion dollars.
In all, from these sites, we know that bugs are becoming cheaper to buy because they are bugs from the software UX designers are designing.
These companies are running like normal businesses and organisations which means bugs are being exploited as part of the programs designers are working on.
What happens now for UX designers
Daniel wants us to know that designers in the industry now can help with the solution, but security and UX will need to work together.
Security teams have introduced four things to make it easier to work together to stop seemingly innocent bugs from growing into something that can be used to exploit governments, businesses and individuals.
Tooling
Security teams have bought guardrails. The tools to help are better now; they can show which bugs are being exploited and how to fix them.
Integration
Security teams are beginning to better explain to UX teams in plain English how to fix bugs and where issues in the system may be.
Automation
This is where automated systems are being brought in to check for bad code automatically, helping designers before they release products.
Knowledge
Knowledge is key and providing this knowledge for teams is one of the most important factors in helping the fight against this new age of bugs.
‘Bugs are no longer simple things that people can ignore and think “what’s the worst that can happen?” We now have an industry that’s doing very ugly things with our bugs,’ says Daniel.
If you want to learn more, you can watch the full talk given by Daniel Cuthbert live at WebExpo, where he covers what can be done before you hit GitHub to ensure better security in your design moving forward and to ensure that a simple bug doesn’t get into the wrong hands.