The Times' John Markoff has a long piece in the paper today to make the point that:
… there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.
What a new Internet might look like is still widely debated, but one alternative would, in effect, create a “gated community” where users would give up their anonymity and certain freedoms in return for safety. Today that is already the case for many corporate and government Internet users. As a new and more secure network becomes widely adopted, the current Internet might end up as the bad neighborhood of cyberspace. You would enter at your own risk and keep an eye over your shoulder while you were there.
Now, I think Markoff is a tremendous reporter. Indeed, in at least one job interview, but probably more, when asked what reporters I admire I list Markoff and John Fraser — but when you write a story about how dangerous the Internet has become and cite as your sources for that observation people who will sell you software to protect you against that danger, well, I begin to wonder. Markoff also cites some researchers at Stanford, which is certainly a school that's produced a lot of computer and telecom innovations but it's also the school Markoff teaches at. (That point is not disclosed in the piece.)
Now, to be fair, Markoff interviews Purdue's Gene Spafford for the piece and he should — I would if I was writing about the state of Internet security — but Markoff — for whatever reason (the piece is in the Times' Review section — maybe the editors there forced him to take all the geek-speak out. It's happened to me before …) we don't learn much about Spafford's diagnosis of the problem, a diagnosis which, it seems to me, doesn't require a completely new Internet where I have to give up my anonymity for safety:
OSes, overly-permissive email, firewalls, anti-virus that is unable to keep up with the threat, and on and on. Not only are most of these poorly thought out from a security point of view, they are all designed to provide too many generic, permissive services to the widest possible client base. That may be good business but poor security planning. And much of the security solution space is limited responses to specific threats that continue to prop up the rest of the poorly-designed base.
…
The number 1 change we need to make is to understand that issues of security, safety and reliability are not easily measured and deploying the cheapest upfront solution is not consistent with trusted systems. The impact of that would go deep, including into the design of the software we run on our systems. Note that this is true of any security — airport, computer, home or national security. There is a cost involved, and always residual risk.
We have chosen to standardize on a small set of very complex items because some people think they are cheaper to acquire and maintain….based on experiences gained 15-20 years ago with different platforms. Those estimates also don't bear in mind the costs of security, reliability, and other important factors. But until we change the mindset about up-front cost trumping all else, we can't win.
We have to change the way we educate software designers, and the way we hold companies accountable for flaws in code.
We must do a better job investigating and prosecuting computer crime.
These are not fundamentally big shifts in technology — we have the technology for many of these issues now. We simply lack the will to apply it.
I'm not going into detail, because I doubt there are many who really want the answers. They want their Windows machines, on-line games, animated WWW apps, iPods and universal connectivity.
That's from a rant of Spafford's that Dave Farber put out on his list on Dec. 11 (and I'm almost positive Markoff is on Farber's list). It's a shame Markoff didn't explore some of those ideas a bit further and question the assumptions of the Stanford researchers — and others — a bit further.
But back to the basic problem as I see it: It ain't the Internet that's the problem so much as its users.
I had my first e-mail account in (I think) 1987 or 1988. Since then, I have been running around the Internet using machines running DOS, Windows, and Mac operating systems. My home machines have never — never! – been infected with a virus and, so far as I know, no one's stolen my credit card number or my identity. I'm a liberal arts grad, not an electrical engineer, and all I'm pretty sure I've done to enjoy such good fortune is exercise a little common sense.
On the corporate networks I've been on, I've seen one security problem hit home. A virus knocked out the network for a company I once worked for for a few weeks. (That company, incidentally, was running Microsoft server products and a Microsoft operating system on its desktops. If you're running a server, why wouldn't you run OpenBSD? That, my friends, is what the Pentagon uses for its mission-critical, ultra-sensitive servers. The price for that server product: Nuthin'. It's open source.) My point here is: Time and time again, we've heard, mostly from companies who sell computer security products, that the world is ending, that there is a monster virus out there that's about to pull the whole thing down. I'm not convinced. Exercise a little common sense when you compute and I'm sure we'll all be fine.
In any event: If you build a new Internet and you want me to get a license to drive on it, sorry. I'm hanging out here in v.1.
He's assuming that a “gated community” will just be safe? I guess he's never heard of credit / debit cards or drivers licenses being stolen and people losing their identity as a result?
I'm sure the banks (and the government) knew those victims' true identity before their IDs were stolen…
Some mind find it ironic that you lambaste Markoff for his associations yet you do not disclose your own history with openbsd and darpa.
Someone please introduce John Markoff to Firefox.
He did say he needs a new Internet, right?
Maybe the one with a blue E on it just doesn't do it for him.
Why don't we know who *you* are, anon?
Still, the internet isn't safe now in Canada – and I thought it was bad here in Australia. The courts deciding an IP is open to searches without a warrant? Dangerous move.
The article struck me as a standard journalistic “the internet-sky is falling” article with help from anti-virus software people.
Although it is the other side of security people, see xkcd. Most security people misidentify the problem as a technology one.
Huh? You mean me? David Akin? I have associations with OpenBSD and DARPA? Don't think so… See “Who Pays For This Blog?” in the left-hand column.
Markoff is well known for it's novels… I remember reading some very interesting “idiotic” articles + Books on Kevin Mitnick…
It's interesting to compare his perspectives from then , and se that, Internet is safer than before…
Markoff is a seller, but instead of publishing Science Fiction books…
Shame on NYT.
One the serious omissions in Johm Markoff's NY Times articles, and which you also do not address is that a significant part of the security problems facing use of the Internet come exclusively from Microsoft Windows software ridiculously poor security/quality, as recently noted by in a biting but true editorial by Carla Schroder of Linux Today online.
Why is that you and most all other so-called tech journalists, most importantly including John Markoff are reticent and almost afraid of putting the anvil on Microsoft when it rightly belongs there? By refusing to be truthful and up front on this issue, you folks have no integrity and therefore no credibility.
W. Anderson
wanderson@kimalcorp.org.
The Spafford quote is from some time ago. Markoff used it in another NYT article last December:
http://www.nytimes.com/2008/12/06/technology/internet/06security.html
I see I been an advanced internet thinker. I had thought of this for some time on.
The need for a “global net id” with or without auth on the net is needed for some “business”.
I do like the idea of a kind of secure and _open_ vpn on top of the internet, for some things. Forcing that far beyond those “some things” is killing the main idea of internet and its true power: To be a ground for new ideas, a cheap place to grow, etcs.
It can not be so hard if you think of it. There are a lot of alternatives to implement it. But the hard part would be to have the goverments aproval, and help. They do not care about those things. No polician is good at solving problems, so just explain the problem would be extremely hard, not to mention legislate it.
*That* is the hard part.
And as a FreeBSD/Linux guy, I am pretty sure M$ is to blame for a big part of the internet lack of security.
Just my two cents.
This is a interesting one. I work as a software developer, developing financial applications in the insurance sector. All of our applications is web based. The current internet and all of its protocols and browsers, are badly broken.
The internet has grown too fast. One day it was meant for research, the next every organization had a website. This was probably why there is so many issues with it. I believe that a new internet would be a leap towards a better future.
Think about it, it is true that a little common sense goes a long way, but there are cases where it common sense can't be expected. Think about say a 14 year old girl. She might have a need for interaction with a boy, just to talk. If she meets a boy online, her emotions would cloud her common sense, not that a 14 year old girl has a lot common sense. The boy might be a 40 year old man, a sexual predator. We all know how this story ends, we read it in newspapers and see it on tv.
In this case all of you probably wonder how a new internet would stop this. Well, it probably won't. But, with enhanced security, the girl might not be allowed to reach these types of sites. Or a security bot might identify the man as being 40 years old and the girl as 14 years old, and alert her. There is a lot of ways that a smart information system can assist us in making better choices.
This is my long term dream. Short term, is to have the damn browsers fixed so that my work is easier 🙁 or, I'll just go with Silverlight 🙂
You are correct to suggest that common sense will get us pretty far.
Some problems with your argument, though:
1. Anecdotal evidence about not being hit by a virus. Argument by anecdote is weak rhetoric.
2. Not being hit is a weak statistical argument to imply that you are secure. Really the same as the above, if you look closely enough (that is, argument is “effect therefore cause”)
Consider: “I've been crossing the freeway on foot for 30 years, and have never been hit by a car.” Does this imply crossing the freeway on foot is safe?
Moreover, in the case of computer breaches, you may have been hit, and not know it.
3. You seem to imply that the road to security is to use OpenBSD. I hope you aren't proposing an OpenBSD monoculture.
I think a much more obvious argument would be: What happens if we have a two-tier internet?
If we do, then they either interface, or do not. If they interface, how many unregulated interfaces are there? If only a handful, people will stick with the “old internet”. If there are enough to promote “anonymity”, people will use the technically impoved version, but the anonymity battle will have been conceded. If they don't interface, then it must be because of control exerted on the improved internet. As already mentioned, people will avoid this control for various reasons. Similar arguments can be made for security concerns.
the mentioned problem has nothing to do with the current internet. Virus spreading, is about antivirus, but most of all configuring systems right (for example i can configure an windows system to run only allowed software.. but how many admins enforce that?) no they let the users install software, so there they go. The internet itself doesnt need to be more secure, are you able to hack the switches internaly used by your ISP? (no you dont). Depending on the protocols you use, you can be secure thats why there is httpS SSL and VPN, PPTP, card readers etc etc.
Your view is that of a user who doesnt understand but somehow kept his own systems alive. My parents running vista without many knowledge of the internet or computers, are just like you. They have even less knowledge about it as you, but that missing gap is resolved by using an operating system without much configuration that does do a good job in keeping itself healty (despite of all the bad media atention, Vista actualy does do a good job on it).
The bigest problems of safety are the programs we use, not the groundlayer the internet itself.
For example mail is an old protocol, and like desktop computers, it can be setup wrongly, evenworse spam has become almost a war, (where some make milions on erectional disfunctional geeks) and even if they didnt click on pamela then you might recieve fraudster emails. Well SMTP a protocol, is basicly not secure admins can set up however more then only an MX record so it becomes clear if their server is valid or not.
Still even if you get that right, people use other mail systems and try to fraud you, or sell you viagra. The problem is while some make good use of the internet other have a more skilled inteligence for using the internet for their win. Despite whatever security one invents, the problem is not all people are nice. Other people will always invent things to miss use the internet. Like non elecontronic communication, be aware of people might f*ck you up.
You now for your information, altough your free to love OpenBSD, how about a company that takes hackers, spammer etc to court?, and beyond that improves their operating system automaticaly almost wwekly to be (potentialy) be the most secure system (people like to lower security themselves to run games etc… … ..) well that company who tries to live in peace with many of you, also wants to be a comercial company.
A company isnt even that bad if you think about it, in this world a lot has been comercialy build. And if you work comercialy you can fall back them on them, raise iesues etc, or get their advice,
Well no suprice the company i talk about isnt Sun IBM, ASUS, DELL no its good old Microsoft.
But your free to use linux or whatever.
However if you attack MS with such a lack knowledge i would like to let now the world that there are way better engineers, who design secure systems using Microsoft software, corectly configured, perhaps in combination with a corectly configured Cisco Firewall, or ISA server, or well whatever. The point is stop this blablabla Microsoft when you dont no sh*t about the things you talk about. Get some engineering degree, stop the talking and do some more working.
“And as a FreeBSD/Linux guy, I am pretty sure M$ is to blame for a big part of the internet lack of security.”
What a dumb comment. 95% of desktops run Windows, so the vast majority of virii, trojans and malware is written for it (it's not Microsoft's fault, they don't write the Virus, getit?). If Linux was on top, they would have just as many problems, unless you're saying that Linux is intrinsically secure (I doubt even you believe that)? Consider as well that a lot Windows users run as Administrator (a lot of software used to be written in such a way that it would ONLY run when you were Administrator – lack of security awareness was a problem across the eco-system, not just at Microsoft) and you will start to have a whole host of problems.
To be fair on Microsoft, security wasn't on their radar until widespread adoption of the Internet came around. Now it is; Vista and 7 are pretty secure, as long as you don't switch off UAC and run your account as an administrator (people complain about UAC and want to switch it off – it's really not a problem once your installation settles down – you only use it occasionally).
Again, there are thousands of people out there hunting down and finding gaps in Microsoft product security. Those same people would no doubt create merry hell on the Linux Desktop if that was the dominant OS.
Now, I haven't been hit by a Virus since I ran Windows 98. Anecdotal evidence I know, but some of us intuitively know when something “isn't quite right” – and usually don't click the link or run code until we've done a little research. I try to teach friends and family the golden rule: if you don't know what it does or don't trust it does what it claims to do, don't run it. In practice that covers 99.9% of stuff that could be a virus or trojan.
The “internet” will grow & adjust (much like an organism) in response to the “Internet 2.0” threat. I dont see this as much of an issue.
Good article though.
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/#myth1
Wow the amount of brainwashing is amazing. Microsoft is directly responsible for most malicious activity on the internet. The argument that most machines are windows and therefore a target is a farce. The security issues are inherent to the windows model and no amount of patching will ever make that better.
Yes running your servers (and my desktop for that matter) on OpenBSD is a far better idea security wise.
The internet isn't broken; the users and admins are. If it wasn't for windows and crap like youtube (I am talking to you flash/silverlight) the security circus wouldn't exist in its present form. If you disagree with this you are probably a happy windows user/admin and not dealing with actual networking or low level development.
And to the guy/gal who is all surprised that there are people that are lying on the internet to kids: that is a parenting issue, not an internet issue.
I wrote a comment to the NYT guy before I ran across this article and I had pretty similar comments.
Keep your drivers license, I'll stick with the fine working internet,
Marco, an actual developer of software that does not suck.
Weren't you the same reporter who helped break the story regarding OpenBSD receiving funding from DARPA? Some apparently even blamed you for DARPA's retraction of those funds.
Yeah. And I've reported on Microsoft, Dell, Apple, IBM … Does that mean I have a “history” with those firms? Not making much sense there, my friend. And so far as the DARPA and OpenBSD stories — I reported the funding issue afterDARPA said it was going to withdraw funding … (although the Associated Press later reported that DARPA had no such plans at all, FWIW)
David's point is extremely well made and timely. Most of the problems with the Internet aren't technical problems, they're human engineering problems. Many, if not most viruses, trojans, and phishing expeditions rely not on technical flaws with software or protocols, but on the gullibility of people and their receptiveness to simple human engineering. People are gullible about the Internet because they have been “sold” the entire concept of the Internet by the media and the likes of Microsoft, who have touted how, like white bread or the latest toothpaste, it's amazingly new, wonderful and easy it is to use, and how secure they, the purveyors of Consumer Internet Mythology, have made it. If American e-consumers are going to believe the Big Lie from these folks, then yes, they will get robbed, ripped off and generally digitally raped. No amount of “gated community” technical security will prevent this. The gates are in people's minds, except, of course for the Bill variety, which is part of the problem 😉
Your premise that GNU-Linux or FreeBSD “would be just as vulnerable” as Windows if these OS were the most prevalent is categorically wrong, and “not supported by any facts” – as is usual for a Microsoft apologist.
For example, Apache with Linux/Unix runs more than 68% of Internet web sites, compared to Microsoft's IIS/Windows approximately 18 percent – as corroborated by Netcraft and other authoritative, non-partisan entities, yet the former incur less than two percent of internet vulnerabilities as compared to IIS/Windows that account for more than ninety percent.
Furthermore, studies by the National Security Agency (NDA), Cert.org, W3C plus found that Windows – even in lock-down mode is less secure that standard Linux from RedHat, Engard, Suse 11 Desktop, FreeBSD desktop configuration and other more reputable distros.
I never cease to be amazed as how stupid many computer users are in not knowing the facts or accepting truth.
W. Anderson
wanderson@kimalcorp.org
I've had exactly one (1) virus, because I explicitly downloaded it, because I got something that I thought was infected. I handled that file very carefully, then posted it to e-mail (because my outgoing e-mail has a virus scanner), and it confirmed it was. I then expunged that file (not just dragging it to the wastebasket, but physically deleting it). That's been over the last, oh, 30 years. One of the reasons I've never had a problem is I almost never use Internet Explorer.
We don't need a new Internet, we just need better design of some of the tools as well as changes to the way some things are done. For example, one of the thing that defeats spambots but not legitimate mail servers is the giving of a temporary failure on the first try to deliver mail; the spambot is in a hurry to send lots of mail, doesn't retry and goes away; the ordinary mail server actually reads the message and does a retry.
He's just stating facts. BSD is the best server OS there is when using TCP/IP. It's the stack from which all others stole. It's also the most secure “out of the box”. Instead of attacking people's creds, how about doing some research?
As far as whether or not OpenBSD is the best BSD, that is open for debate. FreeBSD is pretty secure too.
“If you're running a server, why wouldn't you run OpenBSD? That, my friends, is what the Pentagon uses for its mission-critical, ultra-sensitive servers.”
I'm just curious; Do you have a (disclosable:) source for this comment?
I know NASA publicly acknowledges the use of OpenBSD, but I don't see any Pentagon references since the infamous 2003 incident.