The BBC who initially reported this proof-of-concept ‘infection’ stated that Dr Gasson admitted that the test is only proof of concept but believe that there are significantly implications for advanced medical devices. In my opinion, such systems should be incapable of malware infection as a heavily important part of their design. Such real-time systems should not have the necessary capacity to carry and distribute, both in terms of storage space and system capability.

If you are running an (operating) system capable of malware reception* on mission critical systems (and thus required anti-malware measures), such as those used in nuclear power plants or reservoirs to regulate containment, there there is a fundamental problem with this design. This is akin to a school teacher wearing a condom during classes – while this technically provides additional safety, there is obviously something fundamentally wrong with this principle at a more basic level.

* I’m aware there is no system that is 100% secure from malware, but levels of security exist. For example, the mission critical systems discussed here do not require a full Microsoft Windows operating system, nor a full consumer operating system of any kind in fact. Such devices should be self-contained in most cases, with entirely custom code. Lesser mission critical systems may rely on a Linux kernel as the base operating system with the business/operational logic running on bespoke programs running ontop of this base system.

The BBC article and Mark Gasson goes into further details on the  security risks of advanced medical devices which may be subject to malware.

“With the benefits of this type of technology come risks. We may improve ourselves in some way but much like the improvements with other technologies, mobile phones for example, they become vulnerable to risks, such as security problems and computer viruses.”

He also added: “Many people with medical implants also consider them to be integrated into their concept of their body, and so in this context it is appropriate to talk in terms of people themselves being infected by computer viruses.”

However, Dr Gasson predicts that wider use will be made of implanted technology.

“This type of technology has been commercialised in the United States as a type of medical alert bracelet, so that if you’re found unconscious you can be scanned and your medical history brought up.”

We can all hope that security in these heavily critical devices is never designed alongside the principles of many general purpose computers.

Imagine an equivalent of the Storm botnet that, rather than infecting and making zombies of its host computers, infects human medical devices. In fact, that is not even a future I want to consider.

If you feel the default set-up of world readable home directories is not to your liking you can deny other users access to your home directory with one command, as follows:

sudo chmod -R 750 /home/*

This command, when entered, will give other users no access permissions. When browsing via Nautilus or a command prompt, other users attempting to access your home directory will receive an ‘access denied’ error message. This will stop read access, write access and even file listing of your home directory from other users. It should be warned that this restricted configuration could potentially cause issues with programs that attempt to access configuration files in your user directory in an unusual manner (such as when being ran in the name of another user on the system). However, from personal experience I have not encountered any related problems.

If you wish to make this configuration the default for all newly created users, you must reconfigure the ‘adduser’ software package. This can be done very simply by running the following command and selecting ‘No’ when asked whether or not your want world/system readable home directories.

sudo dpkg-reconfigure adduser

It is my opinion that home directories should be set with these permissions and the adduser package should be configured in this manner by default. Researching this as an issue, I have discovered many others also feel this way. For example, see Ubuntu Brainstorm idea #6106 and note the debate in the comments between default configuration versus user choice. Although user choice is always important, surely a more secure/privacy-protecting default which can be changed if required, is the more desirable option?

What do you think? Also, has anyone ever encountered any problems with a non-world readable home directory configuration?