found that the nonce generation was predictable. A nonce is supposed to be a unique object in a protocol, a one-time ‘security code’, but it was found that some ATMs were using a small supply of tokens as nonces and reusing them in a predictable order, thereby compromising their security.2
1 Steven J Murdoch, Saar Drimer, Ross Anderson and Mike Bond, ‘Chip and PIN is broken’, 31st IEEE Symposium on Security and Privacy (IEEE Computer Society 2010) 433–46, available at <www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf>; Steven J Murdoch, ‘Reliability of Chip & PIN evidence in banking disputes’ (2009) 6 Digital Evidence and Electronic Signature Law Review 98.
2 M. Geuss, ‘How a criminal ring defeated the secure chip-and-PIN credit cards’, arstechnica (20 October 2015), available at <http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/>; Mike Bond, Omar Choudary, Steven J Murdoch, Sergei Skorobogatov and Ross Anderson, ‘Chip and Skim: cloning EMV cards with the pre-play attack’, a paper presented to Cryptographic Hardware and Embedded Systems (CHES) 2012, Leuven, Belgium, September 2012, available at <http://sec.cs.ucl.ac.uk/users/smurdoch/papers/oakland14chipandskim.pdf>; Houda Ferradi, Rémi Géraud, David Naccache and Assia Tria, ‘When Organized Crime Applies Academic Results: A Forensic Analysis of an In-Card Listening Device’, available at <http://eprint.iacr.org/2015/963.pdf>.
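The kind of check the finding above implies, as an added example that is not from the original text or the cited papers: an auditor's script over a constructed terminal log that extracts each transaction's unpredictable number and reports reuse and cycling in a fixed order. The log format and the field name `UN=` are assumptions.

```python
import re
from collections import Counter

# Constructed terminal log (not from the page or any real ATM). Each line carries
# the "unpredictable number" (UN) the terminal sent to the card. This terminal
# cycles through a pool of only four values in a fixed order, the weakness the
# text describes: a small supply of tokens reused predictably.
SAMPLE_LOG = """\
2015-10-20T09:00:01 txn=1001 UN=0A1B2C3D
2015-10-20T09:00:43 txn=1002 UN=1E2F3A4B
2015-10-20T09:01:10 txn=1003 UN=5C6D7E8F
2015-10-20T09:01:55 txn=1004 UN=90A1B2C3
2015-10-20T09:02:30 txn=1005 UN=0A1B2C3D
2015-10-20T09:03:02 txn=1006 UN=1E2F3A4B
2015-10-20T09:03:41 txn=1007 UN=5C6D7E8F
2015-10-20T09:04:15 txn=1008 UN=90A1B2C3
"""

UN_RE = re.compile(r"\bUN=([0-9A-Fa-f]{8})\b")  # assumed field layout, 32-bit UN

def extract_uns(log_text):
    """Return the UN values in the order the terminal issued them."""
    uns = []
    for line in log_text.splitlines():
        m = UN_RE.search(line)
        if m:
            uns.append(m.group(1).upper())
    return uns

def repeat_period(values):
    """Smallest p such that values[i] == values[i + p] for every i, or None if the
    sequence never settles into a cycle."""
    for p in range(1, len(values)):
        if all(values[i] == values[i + p] for i in range(len(values) - p)):
            return p
    return None

def audit_nonces(log_text):
    """Summarise nonce reuse: a nonce pool should show no repeats and no cycle."""
    uns = extract_uns(log_text)
    counts = Counter(uns)
    period = repeat_period(uns)
    return {
        "transactions": len(uns),
        "distinct": len(counts),
        "reused": sorted(v for v, c in counts.items() if c > 1),
        "cycle_period": period,
        "predictable": period is not None or len(counts) < len(uns),
    }

if __name__ == "__main__":
    for key, value in audit_nonces(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```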
6.99 Furthermore, security may be associated with safety. If there is a safety-related system with security vulnerabilities, it is possible for the safety functions in the system to be deliberately subverted and give rise to a safety issue. For instance, the nuclear industry has developed a draft international standard for safety and security.1 The vital problem in this area, which nobody has solved, is that while updates of safety functions in code that control nuclear reactors are slow, deliberate, and highly analytical, updates for security purposes have to be rapid, to forestall anticipated attempts via zero-day exploits. These two modi are obviously incompatible.
1 Caroline Baylon, with Roger Brunt and David Livingstone, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, Chatham House Report (The Royal Institute of International Affairs, September 2015), available at <www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks>.
6.100 It follows that software security vulnerabilities expose them to manipulations without the authority or knowledge of the software vendor.1 Many of the vulnerabilities arise specifically from the errors in the original implementation. For instance, it might be possible for a person to control another owner’s computer as part of a botnet2 or enter the control system of an aircraft in flight via the in-flight entertainment system.3
1 The Trojan horse problem was recognized very early, for which see Linden, ‘Operating system structures to support security and reliable software’ 422–4.
2 Sanjay Goel, Adnan Baykal and Damira Pon, ‘Botnets: the anatomy of a case’ (2005) 1 Journal of Information System Security 45.
3 See the Application for a Search Warrant in the case of Chris Roberts at the United States District Court for the Northern District Court of New York Case number 5:15-MJ-00154 (ATB) dated 17 April 2015, [18]–[19], available at <www.wired.com/wp-content/uploads/2015/05/Chris-Roberts-Application-for-Search-Warrant.pdf>.
6.101 At this point, the reader might consider that such problems can be solved fairly easily – by the introduction of anti-virus software (this is not to imply that all attacks are by the use of malicious software). But it must be understood that the fundamental nature of most anti-virus software limits its effectiveness – and the anti-virus software itself might not be error-free. A sophisticated attacker will have access to all the types of anti-virus software, and he will program round the detection mechanisms and test his code against the anti-virus systems to ensure it is not detected.1 Most anti-virus software is reactive, in that it searches for known threats. As such, anti-virus software is far from perfect. It fails to stop some malicious software2 and should not be relied upon as the sole method of securing a computer. Indeed, this happened to the New York Times.3 It was discovered that over a period of three months, 45 items of software were installed in the New York Times computer system. The New York Times relied on a Symantec anti-virus product, which found only one item of the malicious software. Symantec subsequently posted the following comment in connection with this allegation:4
Advanced attacks like the ones the New York Times described in the following article [N. Perlroth, ‘Hackers in China attacked The Times for last 4 months’, New York Times, 30 January 2013], underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security.
Anti-virus software alone is not enough.
1 J A P Marpaung, M Sain and Hoon-Jae Lee, ‘Survey on malware evasion techniques: state of the art and challenges’, Advanced Communication Technology (ICACT), 2012 14th International Conference (Global IT Research Institute 2012), pp. 744–9.
2 Daniel Bilar, ‘Known knowns, known unknowns and unknown unknowns: anti-virus issues, malicious software and internet attacks for non-technical audiences’ (2009) 6 Digital Evidence and Electronic Signature Law Review 123; in 2006, Graham Ingram, the general manager of the Australian Computer Emergency Response Team (AusCERT), told an audience in Sydney, Australia, that popular desktop antivirus applications do not work, reported by Munir Kotadia, ‘Eighty percent of new malware defeats antivirus’ (ZDNet Australia, 19 June 2006); Michael A Caloyannides, ‘Digital evidence and reasonable doubt’ (2003) 1 IEEE Security and Privacy 89; Dmitry Silnov, ‘Features of virus detection mechanism in Microsoft Security Essentials (Microsoft Forefront Endpoint Protection)’ (2013) 4 Journal of Information Security 124; also see the annual ‘X-Force Trend Statistics’ by IBM Internet Security Systems that reinforces the position on the failure of anti-virus software, available online at <www-03.ibm.com/security/xforce/downloads.html>; the reports produced by the Anti-Phishing Working Group (<www.antiphishing.org>) illustrate the same problem; reports by AV-Comparatives.org appear to indicate that some of the best products are now very efficient, available at <www.av-comparatives.org>; see also ‘Common vulnerabilities and exposures’, available at <https://cve.mitre.org>.
3 Nicole Perlroth, ‘Hackers in China attacked The Times for last 4 months’, New York Times (New York, 30 January 2013); in 2014, it was accepted by Symantec that anti-virus was no longer to be relied upon, for which see Danny Yadron, ‘Symantec develops new attack on cyberhacking declaring antivirus software dead, firm turns to minimizing damage from breaches’, Wall Street Journal (New York, 4 May 2014).
4 <www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack>.
6.102 It is a truth universally acknowledged that the majority of hackers concentrate on the most widely used software and on vulnerable applications that can be found by using Internet search engines, although the development of the Stuxnet virus illustrates that governments are now probably responsible for some of the most effective viruses that are written, although organized criminals can be equally effective.1 Software need only include a low number of defects to create enough vulnerabilities for serious hackers to manipulate the defects to their advantage. Jim Nindel-Edwards and Gerhard Steinke usefully sum up the position:2
It would seem that after decades of software development there would be some assurance that software works as specified in the customer requirements. Is it that software vendors are unwilling to perform sufficient testing? Is it possible to test everything? Finding a certain number of bugs, doesn’t mean that the software has no more bugs. On the other hand, not finding any defects doesn’t mean there aren’t any defects in the software either. Perhaps there are known bugs, but the time and resources to fix these bugs and defects are often not provided and the software is released with known (but not publicly stated) bugs.
Is it because there is a low expectation of quality? Is it even possible to get rid of all bugs, especially when we are integrating components from multiple sources and we are dependent on the software that was developed and tested by others?
Software quality assurance is a challenging task. There are many questions raised by software being released with defects. What are the ethical responsibilities of a software vendor releasing software with bugs, especially if it is system-critical software, but also when releasing non system-critical software?
1 Roderic Broadhurst, Peter Grabosky, Mamoun Alazab, Brigitte Bouhours and Steve Chon, ‘Organizations and cyber crime: an analysis of the nature of groups engaged in cyber crime’ (2014) 8 International Journal of Cyber Criminology 1, available at <www.cybercrimejournal.com/broadhurstetalijcc2014vol8issue1.pdf>.
2 Jim Nindel-Edwards and Gerhard Steinke, ‘Ethical issues in the software quality assurance function’ (2008) 8 Communications of the IIMA 53, 54.