This work is licensed under a Creative Commons Attribution 4.0 International License.
by
Andy Oram
November 26, 2001
Now that the nation and the world finally seem ready to seriously consider computer and network security, we have a historic opportunity to bolster security where it really counts. We can educate each end user and computer owner to take responsibility for the security of the entire network. Vendors can take the lead in educating buyers, and corporate environments in educating employees.
Security requires a grass-roots effort. If you choose an easy-to-crack password on your LAN, you open a hole on the entire LAN. If you dial into the Internet and leave a port open to certain services, you risk becoming part of a distributed denial-of-service attack that could harm someone else on the Internet who is totally unconnected to you.
Nevertheless, end-user education has never been a priority for most administrators. From experience, they have learned that most users don’t want to hear about something extra they need to do, and don’t want to deal with the disruptive restrictions of security. So the administrators throw up their hands and install, say, a mail filter to catch executable attachments. (That’s a useful practice, but not an adequate substitute for user education and secure software.) Mick Bauer, a security consultant and contributing editor to Linux Journal, where he writes the Paranoid Penguin column, has experienced the frustration repeatedly. “We have a lot to do regarding security awareness. People don’t want to learn anything they don’t have to learn about computers; it’s painful for them.”
While some pursue purely technical solutions to general security problems—a pursuit I support and offer my best wishes to—the trend in security circles has been to declare that no technical solution is adequate. Security in the larger non-virtual world, we are coming to realize, depends on the intuition, skill, and dedication of each individual: the guard screening suitcases at the airport, the patrol on the grounds of a critical facility, and so on. Perhaps the public is ready to grasp that Internet security, too, depends on each of us doing his or her job. An educated public will make better use of the technical solutions that do exist, and will provide alert responses to anything visible that goes wrong.
Is computer security important? Perhaps not compared to security at airports, power plants, skyscrapers, and other places where people can die from incautious practices. But it’s hard to predict where we are vulnerable. Who would have said that terrorists could destroy skyscrapers using box-cutters? And as many in government have pointed out, disrupted communication links can make a disaster worse by preventing people from getting reliable information that could help them deal with the disaster.
A lot of computer systems could be disconnected from the Internet right now; they are connected out of convenience rather than necessity. Some corporate business could be conducted on an internal LAN that doesn’t even have an interface onto the Internet. And in an age where we know someone’s out to get us, pulling the plug sometimes makes sense.
Security expert Bruce Schneier, founder of Counterpane Internet Security, Inc., says in his usual forthright style, “Too much is on the Internet. The more we put critical infrastructure on the Internet, the more vulnerable we are.”
Even if you don’t go so far as to perform routine business activities on systems with no Internet access, you can institute compartmentalization, as all the larger companies do. According to Bauer, even Mom-and-Pop organizations can separate public functions from private functions. For instance, their public Web site should be on a different computer from their internal file sharing system. Another good distinction is to put infrastructure such as DNS on a different system from highly visible services like the Web.
September 11 may mark a turn away from the popular spread of single sign-on and distributed computing. I am as fond as anyone of “the network is the computer,” and a lot of fascinating products are emerging around the notion of free-floating content and number-crunching. Even Microsoft researchers published a vision of a network operating system with no borders or fixed locations for content. But now there are all sorts of signs that paranoia is replacing a passion for experimentation.
Still, distributed computing could well become part of a robust computing environment. Shortly after the attacks, Raymond Kurzweil predicted that they would “accelerate” the trend to distributed technologies. I spoke on the issue of vulnerability with David Fish, who is CEO of AVAKI, one of the most ambitious of the many companies working on grid systems. Fish pointed out that such systems provide built-in redundancy that might prove useful when part of the network is taken down.
A number of companies, frustrated because they routinely release security fixes that customers don’t bother installing, have instituted automated downloads. Just leave your system connected to the Internet with a small service running in the background, and the latest fix to named or IIS comes clanking down a preset channel and self-installs. You wake up in the morning and everything should be running the same as always, except your screws are a bit tighter and another vulnerability is patched.
Red Hat started offering this service for its Linux distribution recently. At the beginning of October, Microsoft announced a similar service with the predictably pompous title of Strategic Security Protection Program, no doubt out of desperation. In the wake of September 11, customers were demanding what Microsoft could do to ward off viruses (which patches cannot help to prevent) and code bugs; later that month the Gartner Group advised customers to replace IIS completely and immediately.
What are the reactions of security experts to automated updates? Mostly negative. Spafford says cynically, “They’d have to convince me.” First, a company that puts out buggy software to start with can just as easily put out a buggy update. Furthermore, updates often contain new security flaws or cause customer applications to break. Vendors cannot test an update against the particular environment and third-party software at the customer site. So a system administrator could have the nerve-wracking experience of coming in to work and finding that a key function has broken or that the system has crashed altogether because of an automated update that took place overnight. Even worse, one can get into a churning situation where one brings the system up, it performs the automated update again, and it crashes anew.
Bauer thinks that automated updates are “a good idea that hasn’t been implemented securely yet, at least to my knowledge.” He expects it’s only a matter of time before we see some nasty Trojan horses from automated updating. No one has figured out how to distribute automated patches securely; current certificate authorities aren’t trustworthy enough for SSL exchanges. “But automated updates can be one option if people understand the risks and are willing to take recovery measure in case of security breaches.”
A politician once claimed that what prisons need is a better class of prisoners. Networks, which are made up of users and administrators, need for these people to become more alert and conscientious about security.
Remember one of the discoveries made by the investigators who cracked the DVD encryption system, CSS. They found that one of the movie companies who licensed the format included a plaintext key instead of the encrypted key it was supposed to include. The investigators would have cracked CSS even without this gift, but the incident is a perfect example of how widespread mistakes by end users are.
Many news reports indicate that companies have hoisted their spending on security products. But unfortunately, according to Bauer, September 11 hasn’t had a big impact in security training. “Almost perversely, people continue to be mystified by computer technology.” They expect technical fixes rather than organizational and staffing responses.
Bauer says that the “security by default” movement (exemplified by the OpenBSD distribution) is a good trend. “If you want to run Apache, you should have to do some reading. It is dangerous and unrealistic to have it installed by default. This may sound elitist, but it’s the only way we have now to get reasonably secure systems.”
What about government intervention? Required backdoors for law enforcement in commercial encryption products have once again been introduced into Congress. (As if terrorist organizations who can figure out how to fly 747s are too dumb to read Applied Cryptography, and as if hijackers who passed through three American airports can’t figure out how to crack a government key escrow system.) And once again, luckily, the Congressional proposals were defeated.
My view of government security expertise was laid out several years ago in an article titled Cyber Hygiene, Not Cyber Fortress Protects Our Networks. I welcome efforts to educate companies and spread best practices, but in this area the government cannot do much to directly protect us. When each of us protects himself or herself, we collectively protect each other.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Andy Oram is an editor at O’Reilly & Associates. represents his views only. It was originally published in the online magazine Web Review.