Cyberphobia: Identity, Trust, Security and the Internet - Hardcover

Lucas, Edward


Synopsis

Cybercrime is increasingly in the news. Stories about weaknesses in cybersecurity like the "Heartbleed" leak, or malicious software on the cash registers at your local Target have become alarmingly common. Even more alarming is the sheer number of victims associated with these crimes--the identities and personal information of millions is stolen outright as criminals drain bank accounts and max out credit cards. The availability of stolen credit card information is now so common that it can be purchased on the black market for as little as four dollars with potentially thousands at stake for the victims. Possibly even more catastrophic are hackers at a national level that have begun stealing national security, or economic and trade secrets. The world economy and geopolitics hang in the balance.

In Cyberphobia, Edward Lucas unpacks this shadowy, but metastasizing problem confronting our security--both for individuals and nations. The uncomfortable truth is that we do not take cybersecurity seriously enough. Strong regulations on automotive safety or guidelines for the airline industry are commonplace, but when it comes to the internet, it might as well be the Wild West. Standards of securing our computers and other internet-connected technology are diverse, but just like the rules of the road meant to protect both individual drivers and everyone else driving alongside them, weak cybersecurity on the computers and internet systems near us put everyone at risk. Lucas sounds a compelling and necessary alarm on behalf of cybersecurity and prescribes immediate and bold solutions to this grave threat.

The synopsis may refer to a different edition of this title.

About the author

Edward Lucas is a senior editor at the Economist. He has been covering Eastern Europe since 1986, with postings in Berlin, Moscow, Prague, Vienna, and the Baltic states. He is married to the columnist Cristina Odone. He is the author of The New Cold War, which has been published in more than fifteen languages, and Deception: The Untold Story of East-West Espionage Today. He lives in England.

Excerpt. © Reprinted by permission. All rights reserved.

Cyberphobia

Identity, Trust, Security and the Internet

By Edward Lucas

BLOOMSBURY

Copyright © 2015 Edward Lucas
All rights reserved.
ISBN: 978-1-63286-225-9

Contents

Glossary
Preface
Introduction
1. Meet the Hakhetts
2. The Unreliability of Computers
3. Identity and its Enemies
4. Collateral Damage
5. The Geopolitics of the Internet
6. Spies v. Warriors
7. The Spy in Your Pocket
8. The Danger of Monoculture
9. Clearing the Jungle
10. Passwords Unscrambled
11. Identity Politics
12. Turning the Tables
Conclusion
Appendix One: Who Runs the Internet?
Appendix Two: The Elements of Cryptography
Appendix Three: Advice from GCHQ
Notes
Bibliography
Acknowledgements
Index
A Note on the Author
A Note on the Type


INTRODUCTION

We are staking our future on a resource that we have not yet learned to protect.

George Tenet, director of the Central Intelligence Agency, in 1998


Modern life depends on the trusting exchange of electronic data. But the computers, networks and systems that we use to do this were not designed with safety and reliability in mind. Much of the time they work amazingly well, but behind the machines' shiny casings and the glitzy graphics of the software is a ramshackle mess of improvisation and recycling. Modern life, in effect, is dependent on a patchwork of compromises made in the past decades at a time when nobody involved could have realised the consequences of their decisions.

As consumers, we are partly to blame. We want computers and software to be easy to use, cheap and flexible. We want them to work with anything new that we like, but also to be 'backwards compatible' – to work with much older programs and machines. We want our computers and networks to be tailored to our needs, but we are unwilling to spend much time learning new tricks and ways of working. The result of all this is compromises, all of which come at a price. One is reliability. Meeting our expectations most of the time means that the systems fail some of the time. The other is complexity. Computer chips, and the programs which tell them what to do, are now so complicated that no one person can understand them.

Yet the fundamental principles are simple. Anyone who has ever made a railway journey can understand them. The computer is like a railway. Without instructions, it sits still. It is a machine, but without the ability to run on its own. What brings it to life is software – a set of rules, written in code that machines can understand. When the power comes on, switch on this light. Then connect to a keyboard and a monitor. Then start up this storage device, and follow the instructions you receive. Even the most complicated tasks can be broken down into simple instructions. The genius of software writers is to analyse a real-life problem and then to solve it with instructions that a machine can understand and implement.

Software and hardware are in principle interchangeable. Software can be written into a chip when it is made, so that few further instructions are necessary – a good example is the chip in a child's toy. Pull the string and a small computer inside will play a nursery rhyme. Simple hardware can be made to do a lot of exotic things with the right instructions and inputs of data. The earliest programmable digital computer was Colossus, built by British technicians at Bletchley Park during the Second World War to help crack German codes. It needed to be programmed by hand, with technicians using switches, plugs and cables. Later, software was loaded on to a computer by punched paper tape, and later from electromagnetic media (readers of my generation may remember loading computer games on to a primitive computer from cassette tapes). Next came 'floppy disks', then CDs, and now, in most cases, downloads from the internet. Software has become hugely more complicated, as we will see. But in essence, it is simple.

A railway timetable is a kind of software program. It explains in precise detail who has to do what, where and when. Signals change colour, trains stop and start, points switch back and forth. If the network is the hardware and the timetable the software, the third element in a railway system is the trains themselves. Getting them and their contents from A to B is the point of the whole exercise. On a computer, the equivalent of the trains is data. Imagine, for example, that you take a picture on an electronic camera and transfer it to your computer. That is a trainload of data – an enormous series of 1s and 0s which determine every dot of colour captured by the camera, now to be rendered on the screen or reproduced on a printer. Depending on your computer's capabilities, the software installed on it and the instructions you give it, that picture can be sent to a friend, posted on the internet, or cropped and tweaked to look better. But a lot of things have to go right for that to happen seamlessly. The picture may be in a format that your computer software cannot read. Or it may be stored on a memory card which your computer cannot deal with. The quantity of data may be too big for a small computer – for example a phone – to deal with. The data may be 'corrupted' – meaning that a tiny error in the hardware or the software has affected the information. That is the equivalent of the wrong railway truck ending up in the wrong train: an error that can be trivial or catastrophic depending on the circumstances.

Most such errors never come to public attention. Computer users are inured to mysterious problems which seem to come and go without rhyme or reason. Most of the time you simply restart your machine and hope that the problem does not return. But some of the errors are so fundamental that they do make headlines. A startling example of this came in September 2014 with news of a mistake, perhaps the worst bug in the history of computing, which was discovered in a crucial part of the ubiquitous UNIX operating system. Most computer users have probably never heard of UNIX, but it is the basis of most big electronic systems. Unlike the software sold by Microsoft and Apple, it does not have a single owner. It is, broadly speaking, available free of charge, and maintained and developed by volunteers.

'Bash', as it is known, is a crucial bit of code which connects computers running UNIX software to the outside world. For example, it allows users to give their computers instructions, or for the computers that connect with websites to receive them. Bash was first written in 1989. But it contained a flaw, which, in theory, could allow an outsider to deliver a bogus instruction to a computer. The so-called 'Shellshock' bug was not the result of attackers' cleverness or users' carelessness. It was simply because of an innocent mistake in the software. Millions of users were at risk as a result. An outsider, using Shellshock, can take over another person's computer, give himself all kinds of privileges, steal and corrupt data, and so forth.

On computers that are run by humans, remedying this flaw is fairly straightforward. But millions of other devices run UNIX-based software, too, such as routers – the small blinking boxes which run home and office wi-fi networks – as well as internet-enabled thermostats, industrial machines and other devices. And these computers (which is what they are) are for the most part designed to operate autonomously. Updating their software is a fiddly task, for which their owners may not have the time or the aptitude. As a result, many of the devices vulnerable to Shellshock may never be patched, and are therefore wide open to outside attack, and will remain so for many years to come.

We were warned about this. As noted at the start of this chapter, George Tenet, director of the CIA, said in 1998: 'We are staking our future on a resource that we have not yet learned to protect.' His words were not heeded. Since then we have become far more dependent on computers, and the gap between attackers' prowess and defenders' abilities has become bigger, not smaller.

When Mr Tenet made those remarks, most attacks on the internet were perpetrated by pranksters, driven by curiosity or ego. The amounts of money involved were usually trivial. Kevin Mitnick, who became America's best-known hacker (and following a stint in jail is now a reputable consultant on computer security), began by working out ways to cheat the Los Angeles public transport system. He bought his own ticket punch, so that he could use discarded transfer tickets. He was bored, clever, plausible and fascinated by rules and the loopholes in them. His greatest skills were not technical expertise, but trickery – what is now called 'social engineering'. He was an enthusiastic amateur conjurer, giving him an insight into the gap between perception and reality, and how to exploit it. He was an adept practitioner of what was then called 'phone phreaking' – using tricks such as whistles and clicks to fool the phone system into allowing free phone calls. Mr Mitnick's simplest means of breaking into computer networks was by phoning control centres and pretending to be a technician on a field trip. With a bit of friendly chit-chat, and some convincing seeming details, he was able to persuade bored, careless and unmotivated employees to give him the passwords and logins he needed. But his goal was neither mayhem nor riches. Most of the time, he was simply enjoying the thrill of having successfully breached the system. Sometimes the booty was the ability to make free telephone calls. Sometimes he would simply amuse himself by reprogramming the network so that a friend's number would be mistakenly categorised as a public coin-operated phone. The baffled subscriber would try to make a call – and receive an automated message telling him to deposit a coin first.

Now these attacks have become weapons of politics and statecraft, as well as a huge and lucrative criminal business. Activists use attacks on computers as part of their campaigns – against the secretive Scientology cult, for example, or to punish companies whose policies displease them. The attack on Sony was described by one security expert as the company being 'nuked from inside'. As I show in Chapter 5, the Chinese government has launched a colossal campaign of state-sponsored theft of intellectual property from Western businesses. Russia steals state secrets from its geopolitical competitors. Both these countries, and others, contract these attacks out to private groups and individuals, just as in previous times governments might have hired mercenaries and freebooters.

At the heart of all this is the biggest way in which the online world differs from real life. We have no easy, dependable way of proving who we are; conversely, it is hard for us to know who we are really dealing with. Our single weakest point is our electronic identities: the messy, unreliable, easy-to-forget mixture of logins, passwords, security questions and other means we use to control and authenticate everything we do online. Only a few years ago, these were a small part of our lives. Now the balance has shifted. In modern life, if something goes wrong with your electronic identity, your real life suffers, too. Solutions to this problem exist – but they will require radical changes in the way we use our computers.

Our online identity may feel as secure as a locked door, but it is wide open for an attacker. You may not have heard of 'n00ds', but if you are female and famous you are prey to people who steal, collect and exchange these 'nudes'. In late 2014 it emerged that pictures of celebrities such as The Hunger Games star Jennifer Lawrence, the model Kate Upton and dozens of others had been stolen from computers managed by Apple, and were being traded in an illegal online marketplace. This somewhat chilling (and anonymous) post on an online message board gives some of the details.


There wasn't just one hack

There isn't just one leaker

There's been a small underground nood-trading ring that's existed for years

Why wasn't it revealed earlier? The only way to join the ring is by buying in with original pics ('wins', as they call them) you've acquired by yourself

Also these guys are greedy fuckers. If you were the only person in the world in possession of jlaw [Jennifer Lawrence] nudes, would you really give them out? For free??

These guys conduct individual attacks on celebs through (I presume) a mix of social engineering and (esp for more high-profile targets) straight-up hacking

They trade with each other to expand their collections

Circle hardly ever widens to include more people – very few people find out about this ring, and fewer still have noods to buy in with ...

Except for self-style 'rich kid' ... it appears he bought a few sample pix and blew the lid on this whole operation by sharing them with outsiders for the first time

Spotting their chance, and realising that existence of the nood collections was revealed, a couple of other guys from the circle came out of the woodwork offering up some of their collection for donations


It is easy to dismiss such people as creeps and perverts, but for their victims it is no laughing matter. Even the most energetic and expensive legal response cannot scrub the stolen photos from the internet. As fast as you persuade or order one site to take them down, another puts them up. You can never be sure that they will not appear again – someone, somewhere, has them on his computer, and publishing them takes just a couple of mouse-clicks.

One of the first lessons of the computer age was that machines can break down. So users like to make copies of their data, and store them in different locations. But avoiding one kind of problem has created another. The celebrity victims of the attack outlined above did not store their precious photos on just one computer or phone, because together with safety they also wanted convenience. Uploading material to the 'cloud' (a big network of computers run by someone else, such as Google or Apple) means that you can get hold of it wherever you are, whenever you want.

The convenience is a genuine advantage. But the feeling of safety was illusory. It was all too easy for outsiders to get hold of these photos because Apple – one of the biggest computer companies in the world – had made it astonishingly easy to break into its users' accounts.

Apple denies this. It says that it was 'outraged' to learn of the theft, which it blamed on a 'very targeted attack' on usernames, passwords and security questions. None of the cases, it said, resulted 'from any breach in any of Apple's systems'. That is true. The hackers did not use clever hacking techniques to break into Apple's computer networks. Instead they exploited a series of flaws in the company's security procedures. The first step is to guess the victim's e-mail address. That is not too hard, given that you can have, in effect, as many tries as you want. You can try to register an Apple account with any e-mail you like: if the e-mail is already in use, then you have got your first bit of information. For example, were the great Humphrey Bogart still alive, you might try to register an Apple account in the name of humphrey.bogart@gmail.com or some other easily obtainable variant such as humphrey.bogart@me.com, humphrey.bogart@yahoo.com etc. When you find an e-mail that works (i.e. one that Apple says is already in use as a user ID), you have, in effect, identified the lock you probably need to open. Now all you need is the key.

To find that, you now try to log in as Humphrey Bogart, using the e-mail which Apple has told you is in use, and say that you have 'forgotten' the password. Apple then offers you two options. One is to send a message to your e-mail address, containing a link. Click on that and you can reset your password. Even that is not particularly secure, because an attacker (as we will see later) may get control of your e-mail account. But the other is even easier. Unless you have enabled some extra security precautions, Apple will reset a password online to anyone who can provide your date of birth (easily ascertained for celebrities) and give answers to some rather feeble security questions (such as names of family members). Anyone with a Wikipedia or Facebook entry has given those away already. A bit of detective work on the internet can also easily find them out from other sources. Once the attacker has reset the password, he can log in – and gain access to the victim's photographs and other private data.

Punishing those who enjoy sneering and jeering at other people's private lives – and private parts – is all but impossible. If someone copies your keys and then enters your house and steals pictures from your bedroom, the police can look for fingerprints, witnesses, even DNA. But attacks on your bedroom via the internet, especially using copies of your own logins and passwords, leave far fewer traces, if any.


(Continues...)
Excerpted from Cyberphobia by Edward Lucas. Copyright © 2015 Edward Lucas. Excerpted by permission of BLOOMSBURY.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

"About this title" may refer to a different edition of this title.