Well CRISPR my MEATPISTOL, if this isn't the weirdest thing I've heard in a while.
Maybe we can look forward to a Trojan horse that is actually a horse (except for the spider parts that were added as a joke).
Scientists from the University of Washington have created synthetic DNA that produced malware of a sort. Detailed in a paper titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More”, the authors explain that they decided to “synthesize DNA strands that, after …
I thought you had a clever title subtly referring to the "Gene editing used to eliminate viruses in live pigs". Instead, this was pen-testing of a different strain.
The program processes DNA sequences so the notion is to craft a DNA sequence (presumably in some bacteria or virus) that when detected, analyzed and fed through the software triggers a BO fail.
DNA synthesis machines (and DNAaaS companies exist) have been around for decades, although reinserting the product into an organism is tricky.
You'd probably want to have it marked "do not read" by the host organism as what that sequence coded for inside an organism could be anything. Also genes are not read quite the way most people think they are. They are usually in multiple segments and often subsets of the full set can generate specific proteins as well.
So the attack vector is DNA --> Analyser --> V. big file --> file compressor --> Pwd PC running file compressor.
Worst case scenario. The malware writer inadvertently creates something that is a viable structure in the host organism and it's highly dangerous.
I guess it's what you'd do if you were the NSA and you suspected a nation state was running a covert BW programme you wanted to get a window into.
This is real Greg Bear territory ("Vitals" comes to mind), although I think William Gibson did a short story ("New Rose Hotel"?) that loosely hinges around this idea.
Beer as it's Friday and y'know, yeast.
*My second thought was someone had used genetic algorithm techniques to "breed" more efficient BO code, which would be clever but not be that interesting (I'm not familiar with the subject but I'd be astonished if that hadn't been done several times by now).
I wondered if they are related to "Mutician" Elliott Organick?
Their modification of fqzcomp means that not only does their custom DNA string cause it to break (in an exploitable way), but *all* DNA strings from the same sequencing run would cause it to fail too - likely in a crash. It's therefore an unrealistic attack as no one would deploy such a tool.
This is a shame because there *are* weaknesses in many tools (fqzcomp included - it has no check for ntok reaching MAX_TOK for example) that can be exploited if you control the *file* contents, but not if you control the *physical DNA* sample. The sequencing instrument is a great leveller here - it turns DNA into well-formed valid output files, which existing software then copes with just fine. The real problems are web sites that permit upload of data files - so cloud analysis sites etc rather than sequencing-as-a-service.
That said, why would anyone be using fqzcomp for real? It was a royal hack, mostly done at ungodly hours of the morning, as an academic exercise and entry to a competition. It even claims it's "experimental" in the README file. If anyone really cares, use https://sourceforge.net/projects/slimfastq/ instead which was a rewrite of fqzcomp (by a storage company) to be more stable. :-)
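The kind of bound the comment above refers to, as an added example that is not part of the thread and is not fqzcomp's code: a hypothetical read-name tokenizer in C that rejects a record once the field count would pass the array capacity. Only the names `ntok` and `MAX_TOK` come from the comment; the capacity of 8, the separator set, the function names and the sample read names are assumptions.

```c
#include <stddef.h>

#define MAX_TOK 8   /* assumed capacity; only the name comes from the comment */

struct tok { const char *start; size_t len; };

/* Assumed separator set for a FASTQ-style read name. */
static int is_sep(char c) { return c == ':' || c == '.' || c == '/' || c == ' '; }

/* Split a read name into fields. Returns the field count, or -1 when the
 * name holds more than MAX_TOK fields, so the caller can reject the record
 * instead of writing past toks[]. */
int tokenize_name(const char *name, struct tok toks[MAX_TOK])
{
    int ntok = 0;
    const char *p = name;

    while (*p) {
        while (*p && is_sep(*p)) p++;        /* skip separators */
        if (!*p) break;
        if (ntok == MAX_TOK)                 /* bound on ntok before each store */
            return -1;
        toks[ntok].start = p;
        while (*p && !is_sep(*p)) p++;
        toks[ntok].len = (size_t)(p - toks[ntok].start);
        ntok++;
    }
    return ntok;
}

/* Convenience wrapper: number of fields, or -1 if the name is rejected. */
int count_fields(const char *name)
{
    struct tok toks[MAX_TOK];
    return tokenize_name(name, toks);
}

/* Constructed sample names, not taken from any real sequencing run. */
static const char INSTRUMENT_NAME[] = "M01234:55:000000000-A1B2C:1:1101:15589:1332";
static const char CRAFTED_NAME[]    = "a:b:c:d:e:f:g:h:i:j:k:l";

int main(void)
{
    /* Instrument-style name has 7 fields; the 12-field file input is refused. */
    return (count_fields(INSTRUMENT_NAME) == 7 &&
            count_fields(CRAFTED_NAME) == -1) ? 0 : 1;
}
```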
Because no one uses botched, stitched together software in their production environments, right?
I'd guess they used it because a) They wrote it b) It's actually in common use around the country (or even the world) c) They have a copy in their DNA lab.
TL;DR. RTF report.
Wrong. They created synthetic DNA which, when sequenced, produced a dataset, which in turn allowed them to pwn the computer doing the processing. Admittedly it was due to a bug they inserted into software themselves - so more like a backdoor, to which the actual strand of DNA was a key.
True, and they stated as much in the report.
However they also stated they had done a source code analysis that showed the program did use the same sort of unsafe coding practices.
Rather than release a sequence that could crash an unmod'd copy of the program they created a deliberately compromised version that could be crashed by their sequence.
Which demonstrates this can really happen but not exactly how to do it.
I guess that's "responsible disclosure" in this field.
From their FAQ: "Many of these are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written. In this case the programs did not follow computer security best practices. For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow."
So what's new? If you don't code in COBOL, your code is going to be insecure. Coding in C / C++ reminds me of a builder who put a house together, then was astonished that his customer wanted DOORS in every doorway. He was absolutely astounded that even more than that, the customer wanted LOCKS in every door! What's with that? he wondered. The building works just fine without them!! 'Nuff said.
But is it possible that natural human DNA could also accidentally take down a biological research computer system someday?
I've been told that a PromethION sequencer will output 500MB/s*, so that'd probably take down many networks and storage systems.
*yes that capitalisation is correct
When sequencing gets that quick and easy, there comes a point where the intermediate files (like FASTQ or even BAM) get labelled purely as temporary / transitional, with the final output (one of the variant call formats) being the only thing to store.
We're not there yet, but it won't be too long before it's cheaper to resequence than it is to store.
"The Wolves of Fenric"
Anybody?
Spoiler alert.
Mad Cold War plan to encourage Russians to steal British crypto machine without anyone knowing it's gone. Machine is too large and complex to take apart without breaking so they will not discover the poison gas canister hidden inside to be triggered on receipt of a hard coded message.
But things are not quite that simple.