Will 'Internet security' always be an oxymoron?

Tags: Jonathan Yarden, Internet, Internet security, security, Internet Security Focus Newsletter

Takeaway: According to Jonathan Yarden, we've reached a point where it's no longer possible to hide the fact that there's a horrible problem with core Internet security. Is this the point of no return, or is a secure Internet still possible? Jonathan delves into the past to see how we got to this point and shares his thoughts on where to go from here.

It's common knowledge that using something you don't understand means incurring a certain degree of risk. Since computer users can't possibly know everything about the software they use—and most users have no hope of writing it themselves—they must accept some degree of risk when using the Internet.

But security risks are cumulative, and I believe we've reached a point where it's no longer possible to hide the fact that there's a horrible problem with core Internet security—from the architecture of TCP/IP to the applications used on PCs worldwide.

However, keep in mind that our current Internet security problems are rooted in the past. Does that mean we're too late to redeploy core Internet security? Let's look at how we got here.

Ancient history

More than a decade ago, after recovering from multiple security incidents with Sendmail and the Washington University-modified FTP daemon, I decided to write my own implementation of some of the core Internet application programs. Of course, as with most programming tasks, I didn't finish what I set out to do.

I had the skills, but the job just required considerably more effort than I was willing to commit. In addition, I was writing my own code, and none of my coworkers were proficient in C or C++ at the time—meaning I was completely on my own.

I did manage to write a specialized POP3 daemon, which, at the time, operated in a considerably more secure manner because it didn't require root-level privileges to operate. Unfortunately, I failed to recognize that POP3 servers are generally not interesting targets for would-be intruders.

So, while I partially accomplished what I set out to do, it didn't have any significant impact on Internet security where I worked. I fixed a security problem that didn't yet exist, and the time it took to implement the security outweighed the benefits it offered.

Then again, this was 1991, and the vast majority of people had no knowledge of or use for the Internet on a daily basis anyway. While security incidents did occur, they didn't target general Internet users—there simply weren't enough of them to make it worth the effort.

The more recent past

Of course, we're all aware of how things have changed. With the millions and millions of users now surfing the Web—many of whom couldn't care less about security—incidents take on a whole new importance.

In my opinion, the companies that dominate the Internet, particularly the incumbents such as Cisco and Microsoft, have been asleep at the wheel for a long time. For example, Microsoft ignored the Internet until it became clear that it posed a threat to the software giant's operating system dominance.

When Microsoft finally did respond by producing its own Internet applications, it focused on developing competitive products rather than secure ones. And this behavior has continued. Rather than embracing the goal of security by design and attempting to redeploy Internet core applications and protocols, these companies have simply maintained the status quo.

But Cisco and Microsoft aren't the only companies to blame. There are hundreds of companies producing Internet products that are more concerned with sales than developing a product that's superior in both function and security. And there are more than enough users willing to accept that someone else is looking out for their security.

The tumultuous present

All of this has led us to the current state of problems with the Internet. On a daily basis, users face the perils of viruses, spam, spyware, phishing, pharming—and the list continues to grow. I recently read that a single e-mail worm (a Sober variant) may be responsible for more than 75 percent of all virus activity and more than 5 percent of all e-mail, and the news was far from surprising.

If a company such as Microsoft or Cisco had researched and implemented an open standard to replace SMTP, I'll bet this e-mail worm wouldn't even exist. But even so, it's a good bet that something else out there would be causing problems on the Internet.

What next?

When it comes to computing and technology, we've established a "culture of convenience" that emphasizes usability and enjoyment over everything else. We have produced software and deployed technology using the Internet without paying any regard to fostering an understanding of its use by consumers or its impact on security.

And I believe this will be the downfall of the Internet as a whole. While I don't think the Internet itself will cease to function, I predict that, for a lot of people, the costs of Internet security will eventually outweigh its usefulness.

In my opinion, we're close to reaching the point where we have only two choices. The first option is to change the culture of the Internet, which is probably impossible. The second choice is to completely redeploy core Internet security—from top to bottom. While this option may also appear impossible, I believe it's the only viable long-term solution.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
