jan nese.qxd
12/21/01
12:01 PM
Page 16
talking to his boss, his co-workers, even the receptionist, but remember to document whatever you find out. And people do lie on their CVs. In an article in the South China Morning News, David Mycroft, a former headhunter, said: “Having worked for three executive search agencies and reading hundreds of CVs, I don’t think I have read one that hasn’t been embellished in some way.” He notes that one “very well placed executive” claimed to have an MBA from Macquarie University in 1962, when, in fact, the university did not start its MBA programme until 1964. As a guide, when you are taking references, you should ask:
• Why did this person leave (and compare it to his reasons)?
• What are his three most prominent personality traits?
• What dates did this employee work for you?
• Describe this employee’s role to me (again, compare it to his reasons).
• Is there any reason for you to doubt the applicant’s competency, honesty, trustworthiness or reliability?
• Are you aware of anything that the applicant has said or done which would affect suitability for employment in your organization (including criminal or improper conduct)?
The serious stuff
If you are recruiting for a role that requires a high level of trust (and in our industry that would be just about everyone, including the cleaner), it makes sense to get a police check done. In the UK, candidates can ask the police for a copy of their record and — thanks to the Data Protection Act — the police have to supply one. This involves convincing the candidate to give you the copy, though (unless you work with children, in which case you can sometimes ask for one as part of the initial application process). If you are going to do this, make it clear from the outset — it may help thin the initial applicant pool too! You might also want to consider credit checks to ensure your candidate isn’t a bankrupt or serial credit defaulter. This doesn’t make them a bad person, of course, but it can indicate undesirable personality traits such as lack of control or inability to face problems.
Finally
If you still believe that you should be recruiting on the basis of instinct, old school ties or any other emotive reasons, remember this: if the person you hired turns out to be a hacker, a fraudster, a stalker or an idiot, you will be culpable and, what’s more, your company may be liable. Now, where’s that jobs page?
MANAGING NETWORK SECURITY
The End Of The Internet As We Know It
Fred Cohen
Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection programme success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
In the early 1900s, the United States made a transformation from the wild west to a 'civilization'. It was not the first time a wild country had been 'civilized' and it will not be the last. This change was marked by the industrialization of the society. Among other things, this included a movement from small businesses towards a small number of dominant large businesses in any one field of endeavor. While small businesses continued to exist, the end of the frontier marked the shift of power from individuals to organizations. For some time, the lawlessness continued, and it took a long time to eliminate many of the pockets of resistance, but eventually, the United States became a relatively civilized place. As these changes took hold, many things were and are still lost. People no longer carry sidearms in most places in the US, and small businesses are heavily intertwined and not very self-sufficient. There are more restrictions. People who break laws that would never have been allowed to stand 100 years ago end up in prison, and political correctness becomes vital to survival. This shift from lawlessness to civilization is reflected in the changes we are seeing on the Internet. For those of us who know the sweet taste of freedom from the early days of the Internet, many of the recent changes taking place reflect, not the civilization of the Internet society, but rather the part of the industrial age when the robber barons were in control of the country.
Robber barons of the Internet
Everybody who experienced the changes in the Internet in the 1980s and 1990s knows that Bill Gates and Microsoft were the robber barons of their age. They stole from everyone and gave to themselves to form an empire by leveraging their monopoly status to force their will on the rest of us. But the Internet changed this — largely because the robber barons of that era could not get their arms around the new frontier as quickly as it was expanding. Once the Internet went consumer, this all changed. The powers that were took up their positions, marking territories and trying to gain monopoly status by constraining their opposition. The AOLs of the world took the consumer's desktop by using loss leaders to gain market share. When the bubble grew, to their credit, the AOL leadership took the opportunity to diversify and became a real powerhouse across a much broader spectrum. Cable companies moved into the Internet space because DSL couldn't do what they could do for customers. And, as soon as they had enough power to take advantage, they did just that. As DSL companies started to fail, cable companies raised rates, started restricting services, and just recently, demonstrated their immense power by taking 4.1 million people offline at the peak of the holiday buying season in a failing economy in order to gain a few scores of millions of dollars in leverage. Consumers are their leverage; they knew how much they could be squeezed, and they squeezed all they could get. And along the way, they also changed the rules of the road.
Why IP is like the radio
The IP space, like the radio spectrum, is a limited resource. There are only so many total IP addresses available, and whoever owns the critical resource has power. Owning a small number of IP addresses will not help you survive for long, because only those who are large enough to afford large chunks of IP space are allowed to buy into the space at the top level. Those that have their piece of the pie will hold on to it with a vengeance, and, eventually, based on increased demand, they will charge for the supply whatever the market will bear. The impact of this on the average person is not immediately obvious, but it will be when you come to understand that you need a stable IP address in order to have an Internet server. The nature of the design of the Internet is such that IP addresses are the key to server survival, and the space is finite. The major owners know this and thus they are doing everything they can to eliminate the ability of those who haven't paid them large sums of money to have a place in the IP space. The reason is that without a place in the space, you cannot have your store front, your email address, or any of the things that make you a supplier. As the large dollar interests squeeze out the small suppliers, they gain the ability to control the market. If this sounds like the big chain stores moving into the local strip malls, you understand the issue. The notion that Internet Protocol Version 6 (IPv6) will expand the IP address space is an interesting one, but I don't think it has a chance of surviving. While IPv6 could work from a technical standpoint, it would put control over the IP space out of reach of the majors for some time. Yes, they would find a way to do it eventually, but why should they? IPv4 is, like the width of railroad tracks, likely to be with us for a very long time. For those who don't know the story, I'll summarize it briefly. The width of modern US and European railroad tracks is a direct result of the width of the average Roman horse’s back end.
Crime aids robber barons
Many ‘hackers’ think that they are protesting against the robber barons when they deface sites or carry out Internet sit-ins — so-called hacktivism. It is unfortunate that they are wrong, and indeed they often destroy the very cause they claim to be supporting. If there wasn't Internet crime, they would have created it. Indeed, some of them did. Crime is a great convenience for those who wish to grab for more power. They can take the moral high ground by claiming it's all for the benefit of us all, as they dismantle what we thought were our rights. The vast majority of the public can't tell the difference, the media is largely owned by these robber barons, and those that are not have too little voice and too little understanding to prevent the rest of society being rolled over. Of course, the criminals are unknowing conspirators, and they are helping the robber barons out a lot these days. What crime won't do, war will. Ask the citizens of the US in a few years when another Presidential candidate gets caught using the newly super-empowered intelligence agencies to win the Presidency. Or will the people be sufficiently cowed by that point not to even care? Yes, the current ‘War Against Terrorism’ is one of the greatest excuses for grabbing for power in a long time, and it is being used to its fullest. The mythical cyber-terrorist is the symbol of the day — used to push away the last remains of the freedom we once knew in the Internet space.
How does it happen?
It is happening today. ISPs now restrict outbound use of TCP port 25 — the email port — so that email has to pass through their email server and use their email addresses. If you want your own domain name, you have to pay for the email addresses, the Web server, and the bandwidth. Use another provider, and you will find your packets slowed down at the interface. If it is strange to you that from the same starting point I can get faster connections by logging into a remote server and going from there to my ultimate destination rather than going directly from my starting point to the remote destination, you will understand the issue.
In order to gain financial advantage and leverage over customers, ISPs are tying performance to where you go. In some cases, you can't get there from here. It's done in the name of spam prevention or countering Internet pornography, but in the end, it means that you cannot access large parts of the Internet from some places so that they can control what you see and who you buy from. Ask a question about it and you will hear the most ridiculous and widest variety of foolishness for explanations that you can imagine. Law enforcement monitors email. Encryption is made harder and legal blockades are attempted to prevent its use. Intelligence agencies force providers into allowing monitoring of email. ISPs control the flow of email and of Web access so that you can only go through the corporate and government observation posts. Websites are removed because they have content that government wants to suppress. Free speech in the Internet is quashed. Yes, it's happening right here and right now. We are becoming “civilized”. How long till we rebel? It depends on how well they have measured how far they can push us so that we bend and do not break.
Conclusions
As Benjamin Franklin once said, “The man who trades freedom for security does not deserve nor will he ever receive either.” Yes, in the end, I think it is better to live in the society I live in today than in the one of the late 1800s, but not because my freedoms are more restricted. Indeed, I have more freedom despite more restrictions. The increased freedom comes from the advances in technologies, but don't confuse them... I could have these technologies and a lot more freedom as well. Coming soon to an Internet site near you — ways to avoid the restrictions your ISP has placed on you.
E-COMMERCE: THE DARK SIDE
The Golden Rule?
Bill Boni
There is an old saying that turns the Golden Rule — do unto others as you would have them do to you — into a more cynical commentary on the human condition: who has the Gold makes the Rules! This inversion came to mind when the perennial controversy about whether it is ethical for anyone other than the developers to publish vulnerabilities in commercial software once again surfaced. The holders of Gold in this case would be the leading companies that make software used in microcomputers and other systems. However, in real life, unlike the simple homilies of folk wisdom, the situation is complicated by the fact that there are compelling arguments on both sides of this issue.
Spin
The opposing camps present diametrically opposed positions. On one side, the software firms and their spokespersons advance the idea that telling everyone about flaws and exploits represents irresponsible behavior. It is tantamount to handing the denizens of the dark side loaded weapons that are then frequently used to commit crimes and abuse. There is undeniably a connection between the release of vulnerability information and the subsequent incorporation of the latest exploits into hacker tool kits and later into commercial security products. One can perhaps forgive a large segment of the technical and security population for doubting that anything other than damage control motivates the kind of public relations blitz that has recently been initiated by the software developers. One can reasonably question claims by software companies that revealing exploitable bugs or holes in code is morally wrong and not be a cybercriminal or cyber-terrorist. Further, it seems a blatant attempt to exercise “spin control” to suggest, as some have, that only a few anointed apostles of security should be trusted to deal with the knowledge of new security flaws. Many have suggested that such a closed community is simply designed to control and limit the ability of the public at large to make any sort of informed judgment about the real merits or risks associated with common software products. The return to “security through obscurity” as a guiding paradigm seems a dangerous leap backwards that is likely to fail as the ever more connected world makes it ever more difficult to keep even sensitive military or commercial information under wraps.
Tell me everything
On the other side are the proponents of what may be called “full disclosure”. The most extreme of these advocates believe that everyone has not only a right, but perhaps a duty, to publish or release as much information as necessary to compel software developers to take immediate action to correct security vulnerabilities or risk possible losses. On their behalf, there have been many episodes over the years where