Digital contagion

Computer and biological viruses behave similarly: they hit where it hurts the most.

by Philip Di Salvo

alt=
web3 23 November 2020

The Covid-19 pandemic stopped the world, causing thousands of deaths around the globe, and questioning the structures of our societies, economics, and cultures. Following the quarantine requirements, human sociality progressively moved online. As a consequence, digital infrastructures were under severe stress for a few weeks, following a massive increase in data consumption and connectivity demand. More people online for more time also meant more chances for cybercriminals to spread malware and other viruses exploiting code vulnerabilities and human weaknesses. In the face of this full-force technical gale, computer security expert Mikko Hyppönen tweeted out a warning to internet criminals: “Public message to ransomware gangs: Stay the F away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.” 

What follows is a conversation in lockdown, in March 2020, between Philip Di Salvo—an academic and journalist who covers surveillance, hacks, and leaks—and Salvatore Vitale—a visual artist who works on security imagery and the politics of data, who recently infected a computer for art’s sake. 

Philip di Salvo: In these first days of quarantine in Northern Italy, I was thinking about how frequently I used the term “virus” in a technological context, compared to a medical, biological one. It strikes me now, to see this term gaining such a crucial meaning in that regard.

Salvatore Vitale: I’ve been thinking about it a lot too during the past few days. We are all witnessing the limits of our political and economic systems, therefore their social impact somehow reflects the way we, as humans, aren’t fully aware of how those systems work. This brings me back to high school, when, during biology class, my teacher was trying to hold the attention of a bunch of young students, while explaining how the human body and its immune system work: We all know we have one, we all, more or less, know the parts that constitute it, but many of us aren’t fully aware of its functioning. Can you find some similarities if we compare it to technology and safety online? Technological apparatuses, although cultural objects, go far beyond our understanding of their functioning. I see some similarities with the recent events concerning the pandemic, caused by an unknown enemy. 

As I watch cases of Covid-19 increase in my region, I’m constantly thinking about how easily we spread computer viruses or malware, sometimes without even noticing it. We have all received at least one email from a random contact with a dodgy link or attachment. That reminds me of asymptomatic people spreading Covid-19 without any awareness or chance of avoiding it. Have you ever worked on these issues?

I recently read an article about the increase of cyber attacks due to Covid-19. As more and more people are experiencing quarantine, online activity becomes a primary source of information and entertainment, as well as a tool to pursue social and professional interactions. This massive online presence triggers a series of criminal activities against a huge amount of potential victims. IT security has a lot to do with human behavior, a topic which is discussed in psychology. Back in 2018, talking about psychology and IT security at the festival Transmediale, Stefan Schumacher, president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research, addressed some questions related to hand washing and disinfection: Everyone knows how to wash their hands, but many don’t know how to do it properly. That’s an interesting fact, as recently we’ve been bombarded by tutorials on “How to wash your hands,” promoted by governments, celebrities, and influencers in an attempt to educate the population to avoid the spread of Covid-19. There is, indeed, a similarity between hand washing and IT security, as both actions imply a certain level of self-awareness and perception of personal expertise, which inevitably leads to decision-making. And decision-making is affected by experiences and individual behaviors. Therefore, psychology plays a major role in the study of these phenomena. Let’s take as an example the use of passwords. Users don’t perceive a direct threat when they are requested to set up their passwords. The majority of them use weak passwords, often because they don’t consider IT security relevant. This has a lot to do with individual perception and acceptance of risk. When something (or someone) appears to be abstract, or—as in the case of computer malware or a biological virus—difficult to be comprehended, risk is not perceived, therefore, security measures for prevention will be weak. The complexity of cybernetic systems leads to various collateral and/or unintended effects on socio- and political-technological levels. However, these modulations, and thereby the relation between the modulator and modulated, are rarely fully transparent. This leads to action and reaction patterns with delayed or obscured cause-and-effect mechanisms, often resulting in a black box for lay users. This logic, as such, reflects the internet, but as we have seen, also both the computing of security and the securing of computing. Actions and non-actions, of users, super-users, bots, and robots, in connection with the networked world, require a regime of policing and securitization. Starting from these assumptions and the basic question, “what does malware look like?” I worked on The Reservoir, an installation used as a trigger to experience the non-linear cause-and-effect relationship that occurs while browsing the internet. By interacting with a sensor field in the sound installation, the audience disturbs and modulates an audio track, while a real-time infection of a Macintosh-running virtual machine connected to the internet triggers a visual simulation of human online activities and malware responses. Photography, sound, video, and interactions work together to underline and evoke the construction of a certain kind of awareness concerning safety in cyberspace.

In information security, it is widely accepted that the weakest knot in a system is usually human behavior. For instance, you can use the best state-of-the-art encryption technology and still jeopardize your security by doing something banal outside of the internet. Also, most hacking is more social engineering than technological expertise. I re-thought about it the other day when I saw a tweet from a white-hat hacker warning that in a lot of pictures on social media showing smart-working it was possible to spot passwords handwritten on post-its, etc. It is always fascinating to see how much humans tend to think about technology as if it was in isolation from other human, physical, or even biological factors. But tell me more about the project, what did you find out?

It is worth mentioning that as of yet there is no official research devoted to the visualization of cyberspace as a whole, though the researcher and academic, Myriam Dunn Cavelty, has attempted to specifically trace the visualization of cyber threats in visual culture through the analysis of movies and TV series. Ultimately, visual culture remains the only site that influences how digital is read and made readable. Within it we can observe a rapidly growing interest in the understanding and representation of the digital world we live in. A long list of blockbuster movies, for instance, deals with the representation of the intangible, which each time is presented and represented in a more or less physical, more or less ephemeral, futuristic, or post apocalyptic way. This is especially true in the realm of science fiction. Hyperreality plays a role here. The perception of the digital is often channeled into a series of factors that make its specificity explicit. However, the real is increasingly imbued with digital elements, therefore it becomes increasingly difficult to make a clear distinction. Hito Steyerl argues that the “internet is dead” because it crossed borders and became too real. The world we live in is shaped by the internet and the internet shapes the world we live in. It is actually a good exercise, to stop for a moment and notice how every single aspect of our life is regulated by images, screens, 3D models, videos, devices. Indeed, this is nothing new and many words have been shared about and around this topic. But Steyerl takes it to another level, she says: “Data, sounds, and images are now routinely transitioning beyond screens into a different state of matter. They surpass the boundaries of data channels and manifest materially. They incarnate as riots or products, as lens flares, high-rises, or pixelated tanks. Images become unplugged and unhinged and start crowding off-screen space. They invade cities, transforming spaces into sites, and reality into realty.” How can we blame her? The subtle line that separates what is digital from what is physical triggers a whole series of behaviors and reactions, which inevitably lead to situations such as the one you mentioned in your passwords example. However, as I was mentioning earlier, I witnessed a big gap between reality and representation. Our understanding of the digital is mostly based on patterns coming from a speculative process. Digital as such is highly abstract, therefore, it becomes difficult to visualize its functioning. When I had the occasion to collaborate with the The Reporting and Analysis Centre for Information Assurance (MELANI), I immediately realized how much this problem was also present in the work of those who produce and ensure IT security. In this sense, metaphors and allegorical representations of subjects are used, which often are far from providing exhaustive resources that grant access to wider audiences. I started, then, to wonder how to get rid of the limitations brought by the use of such a representative media as photography is, embracing different points of view, allowing it to play on an experiential level, but still underlining a visual narrative. Indeed, there are several examples in this sense, especially if we look back at internet art in the ‘90s and early ‘00s, as a precursor to internet aesthetics such as ASCII art—which is still used in some cases to design the visual look of software such as malware. In my installation, therefore, I put together those elements, creating a narrative which underlines both the functioning and the aesthetic of malware– a quite visual ransomware called Petya to be specific—relying on the viewer’s individual experience to design a speculative process filling the gap between understanding and representation. 

The malware that has mostly attracted my attention has been Mirai, which made the news in 2016. I’ve been fascinated with it ever since. The name means “future” in Japanese and the software itself has been at the core of one of the most widespread cyber attacks of recent times. Hackers used it to infect an army of products: cameras, printers, coffee machines, and other items that are connected to the internet for no serious reasons. The malware created an enormous botnet of “zombie” devices which were used to launch various Denial-of-service attacks against websites and web infrastructure, such as the DNS service provider, Dyn. Human users had no idea about what was going on with their devices but they were unconsciously helping to almost shut down the internet. I can’t really think of anything more similar to the Covid-19 pandemic.

Internet of things… the not-so-new-frontier for hackers. You made a point here, as the expansion of internet services is also a point to consider during the Covid-19 crisis. Suddenly, we are aware of the fact that the network isn’t unlimited and, as with any kind of infrastructure, it relies on limited resources. As previously said, we can definitely trace a correlation among the spread of a biological virus and the increase of cyber attacks. A major part of the world population is massively using internet services, the infrastructure is under pressure, and user behaviors shift to patterns that facilitate the spread of digital viruses. Since its very beginning and despite its borderless promises, internet logic mostly referred to groups and closed dynamics. Therefore, in the context we’re discussing here, the concept of community plays a role. Community building is, indeed, one of the main goals for any online service, both for a marketing and communication strategy. This became even more visible with the rise of Web 2.0 and the new dynamics introduced with the development of participatory content fostering bottom down engagement strategies, and consequently, community empowerment. Recently, I read about an interesting study—by Laurent Hébert-Dufresne, Samuel V. Scarpino, and Jean-Gabriel Young, published in Nature Physics—aiming at demonstrating how complex contagions (such as political ideas, fake news, and new technologies) are spread via a process of social reinforcement while, on the contrary, biological contagions are thought to be spread as simple contagions (where the infection is not directly related to the social context in which it happens). They also mention another study on the spread of memes within and across communities, demonstrating how “the spread within highly clustered communities is enhanced, while diffusion across communities is hampered.” Hence, contagions  benefit  from  network  clustering. This was also said by a Google IT security expert who I met while working on my project. Talking about user behaviors and policies to avoid the spread of digital attacks, they underlined how the company is mainly working on bottom down strategies devoted to educating users to recognize threats and foster individual awareness within their communities. 

My university inbox was recently targeted by a phishing attack coming from a compromised account related to an organization that I’ve been in touch with. The text tried to persuade me to download an “important” text file. The file was called “safety measures in regards to Covid-19.”

Closing the circle! I bet you downloaded it. Jokes aside, I am still fascinated by how phishing techniques somehow maintain this old-fashioned nature. Between.txt files, stock photos of self-styled white collars impersonating CEOs of big and famous companies and institutions, improbable wins, and requests for information, the question remains the same: “Who’s going to trust it?”According to KnowBe4, one of the world’s largest security awareness training and simulated phishing platforms, 91% of cyberattacks begin with phishing emails. However, in some cases, it is possible to assist in successful cyber security awareness campaigns and, suddenly, many users seem to understand some of the dynamics of popular attacks and start to protect themselves. It is very common, for instance, to see laptops with webcams covered—sometimes in a creative way—by any kind of sticker, post-it, colorful tape, and so on. This makes me think that, perhaps, when the risk threatens the personal sphere in a more or less visual way, users are more inclined to adopt defense strategies. Of course, there are many kinds of cyber threats as, to stick to the parallelism we are discussing, there are many different infectious agents. But, among the most effective ones we can definitely mention the Zero-Day, a bug in a system unknown to developers that is targeted for system attacks. It is called Zero-Day because, after the vulnerability is discovered, the developer has zero days to fix it. In a way—and to play with analogies—it makes me think about the concept of patient zero: The sooner you find them, the faster you can find out how an epidemic was spread and develop measures to contain it.