The picture is of Tommy Flowers, who built Colossus, the first computer. It was built to break the German High Command’s Fish cipher (Sägefisch) in the second world war; its construction would be regarded as heroic or despicable depending on which side you were on, I suppose. Nowdays, some similar uses of computers completely lack the heroic element: more on this below.
The picture hangs in the headquarters of the Institution of Engineering and Technology (formerly the IEE) in Savoy Place in London, just off the Embankment near Waterloo Bridge. We were there for a public lecture, the Stevenson Science Lecture, put on by Royal Holloway University of London. The series has been running for the best part of a century; but this was the first time it had been held in London, despite the University’s name (it is actually in Surrey).
The title of the lecture was “Should I have just clicked on that?” – quite scary when emails came about changes in the timing – and it was a triple act, put on by Lorenzo Cavallaro and Stephen Wolthusen from the School of Mathematics and Information Security and Marco Cinnerella from the Psychology Department. (Note that two out of three are among those being used as bargaining counters by the despicable Theresa May.) It was a polished performance; it was clear that time and thought had been put into the sequencing.
As the title suggests, there was quite a bit about phishing and ransomware emails. They pointed out that now you don’t even have to click on a link to suffer the penalty: if you use the autoplay setting on Facebook (whatever that may be), by the time the video of fluffy kittens starts playing the malware has already been downloaded onto your computer. But a lot of people click on ill-advised links because their attention isn’t fully engaged; as Marco put it, they haven’t “throttled up” their brains. I think that Julian Jaynes would say that we live much of our lives unconsciously; things only come into consciousness if they are significantly different from usual. But maybe psychologists don’t like talking about the unconscious these days: Freud gave it a bad name.
So why do they do it? Just business. You don’t even need infrastructure. Twenty dollars’ worth of computer time from Amazon is enough to crack the average password, and then you can earn much more than your investment by installing malware, using the computer for DDOS attacks, or simply selling on the information to those who will use it. Also, many permissions nowdays are transitive, so even if you haven’t explicitly given your login details to some organisation, they have had it passed on from someone you did give it to, quite legitimately. (So yes, choosing secure passwords is important!)
There are even more worrying things. A modern car has an order of magnitude more computer code in it than a Dreamliner; a program that large is bound to have weak points which can be attacked. Moreover, the car is connected to the internet, both for the satnav and for the infotainment system. It seems that the steering wheel, accelerator and brake pedals are not mechanically connected to the front wheels or the engine respectively; when you turn the wheel or put your foot on the pedal, you are telling the computer that you want something to happen, and it is the computer’s job to do your bidding. But, if control of the computer has been taken over by an outsider, it may be given an instruction to turn the front wheels when you are travelling at high speed down the motorway. This is said to be a very efficient way of getting rid of enemies, and may already have been used for this purpose.
How do we avoid these things? Well, my shoes are not yet connected to the internet, so I am probably safe walking to work. But as for keeping your computer safe, part of the problem is that different cultures take very different attitudes to imposed security measures. Some regard them as simply something to be got around by ingenuity. In some cultures, when a security investigator interviews staff about their working practices, people will say what they think he wants to hear rather than what they actually do. I think we simply have to try to be a little more conscious of what we are doing when at the computer (and at other times too).