By Martin Brampton, 11 May 2004 09:25
COMMENT In real life, you can instantly identify people you know. But not so online. Until we can improve this capability, says Martin Brampton, your best defence against malicious users is parnoia.
It is no wonder computer networks are vulnerable to attack. It took millions of years for human beings to evolve the abilities they use in ordinary encounters. Now, in a few years, we are attempting to emulate them for electronic encounters.
Take, for instance, this fact: The average person can accurately identify a friend, seen from a distance at an awkward angle and in a poor light. This is a remarkable ability, and is pretty reliable, despite the billions of people in the world. Seemingly effortless recognition of faces is a skill that has resulted from generation after generation of evolution. It is not understood in detail, and certainly involves some amazing information processing.
Even voices are often distinctive. How many people do you instantly recognise as soon as you hear them speaking on the phone? And when you transact with unfamiliar people, you often rely on familiar features of the material world, such as a company's livery decorating a shop or office. Again, most of us are quite sensitive to small cues that confirm what is going on and are expensive for imposters to reproduce.
Turn to the internet, and it is all different. How do you know who you are talking to? There are plenty of cases to demonstrate how easily we can be fooled. And the solutions proffered remain unconvincing, despite government enthusiasm. Part of the issue is that large sections of IT seem to view the issues through rose-tinted spectacles.
Take the question of patches for software vulnerabilities. It has always seemed a weak solution to deploy software widely, then attempt to fix problems by applying patches. Few organisations have robust systems for distributing software automatically, let alone patching it automatically. The result is much insecure software that remains insecure even though a fix is available.
But the thinking on this subject views the problem as purely technical. Microsoft is telling businesses that they should buy into automatic systems for the installation of updates. There are at least two reasons why this is, at best, a limited solution.
The first problem is that patches commonly introduce fresh problems. It is dangerous to install them without testing. At the same time, patches are used by hackers to find the very weaknesses the patches are intended to fix. The hackers keep getting quicker, so that a patch can provoke a new attack, which is launched before cautious organisations have had time to test the patch.
Even if that could be overcome, it is precisely global information distribution that has enabled the various ills of viruses, worms and so on. How could we be sure that a wholly automated distribution system for patches would not play straight into the hands of the hackers? If such systems became widespread, we would not need to wait long before the first malicious patch appeared.
Of course, not everyone would fall for it, but how confident can we be that the damage would not still be considerable? After all, we have not really solved the question of how to recognise who we are dealing with in our electronic transactions. So far, just about every technique that has gained mainstream acceptance has been shown to have serious weaknesses.
Perhaps we will have to adopt the revolutionary approach of designing software to be closer to the ideal of being robust and secure when first released. Which brings us back to the issue of how to test software effectively. Until then, what can we do? Be paranoid.
Comments
There are 6 comments. Join the discussion
1. Jim Winski
For the real reason that security is so primitive, we only need to look to one place - Microsoft. Why not place blame where it belongs, Martin? Microsoft's lax policies towards security for so many years, and their band-aid approach to it now shows why so many firms are in a security mess. Why have there been no major security/worm/virus/etc issues for Linux and Mac OS X?
2. David
That is a little one eyed at best. There are serious vulnerabilities in all O/S environments. Not just Microsoft. Believe me, I am not a Microsoft proponent, but the problem really lies in the reluctance of companies to spend money on ensuring the availability and integrity of critical systems. Sure, the software companies wear a lot of the blame, but we can vote with our money as well. Microsoft are now acknowledging the inadequate focus on security for which they are to be applauded. Now if companies will maintain a constant focus on enterprise system security, rather than a kneejerk approach, we may get somewhere in the long term. Education is the key.
3. anonymous
The internet is still in the wild west phase. There are 'snake oil' salesmen and political pamplets all over the place. You do not know or recognize them, and you should not believe all they say. Most folks do not lock doors at night. We need a few more lynchings.
Hacker=horse thief?
Be polite and carry a gun.
I do not want to NEED a bank vault to live in. We must treat pimple faces door rattlers like criminals, even if the doors are port addresses.
Mitnik is a jackass.
If I run over people with my car,
I will not be allowed to drive.
4. Tom
You are all correct!
However, the real blame is on us as the user. It is kind of like taking your car to get an advertised $30 tune-up and walking out paying $100 for a lot of extra crap.
The user is uneducated, and believes what is told to him about security because they don't know any better.
I know that security services are sold to customers in a Managed Security environment and are never delivered. The customer does not have a clue as to what was sold to him.
Users need to wake up and take an active role in security.
5. anonymous
Computer security isn't primitive, the problem is that we have let Microsoft and Unix/Linux dictate our standards for IT security. These want to blame the applications for almost every problem when it is the operating systems that should be controlling the environment in which the application operates. OpenVMS and some of IBM's operating systems (not AIX) have very few problems of security because they are designed properly. Alas, other operating systems are not.
Funny how a BBC report that headlined a problem in Windows as being the reason why the Sasser virus was spreading so fast was pulled very quickly from its webpages!
The simple fact is that when we have very poor locks on our doors it is just a tad unreasonable to blame the entire problem on the burglars.
6. Chris
Education and a puting a formal recognsied security policy in place would be a good start.
We need to look at our Governments to lead the way here not commerce. Commerce wil go for the quick buck every time. Standards such as BS7799,
ISO 17799 are they way forward. Why is it that the Japanese are the highest adopters in the world of this kind of business practice ? Because they're smart and know that they can insist that business partners have the same standards and so ensure that they have a valid reason to provide work for their own home companies and not abroad.... I urge you to find out more and be in charge of setting your own security standards.