New Internet???
This article by John Markoff appeared in the New York Times on February 14th, 2009. Aside from the title being a little inflammatory, the article does a fair job of explaining some of the problems faced by Internet architects today. However, many of Markoff’s fears seem to be somewhat exaggerated. He begins by harkening back to the early days of the Internet, when a worm could bring the Net to its metaphorical knees. He then makes the bold statement that things have gotten much, much worse. Markoff uses Conficker (a.k.a. Downadup) as an example of how the Internet is broken, citing Conficker’s infection of over 12 million machines worldwide. Conficker basically enables its creators to control the infected machines and lash them together into the world’s largest botnet. The botnet can then be used as an incredibly powerful spam engine or to create incredibly forceful distributed denial of service (DDoS) attacks that could easily cripple web services or even portions of the Internet. While this is definitely of great concern to all users of the Internet (obviously, who wants to see spam levels increase?), the threat is not caused solely by the Internet. All the computers within a botnet are remotely controlled and are the property of individuals and companies. This means that at any time a computer can be removed from the botnet either by patching the flaw and removing the malicious software, by disconnecting it from the Internet, or by completely wiping the computer and starting over. The owner of the computer has complete control over what happens to that machine. The other disturbing part about Conficker is that the vulnerability in all recent Microsoft operating systems was patched by Microsoft in October of 2008, thus rendering Conficker ineffective on all updated systems. All of the major antivirus companies also released removal tools around the same time.
Thus it is the people who are not regularly updating their computers that are at fault here, NOT the Internet.
Markoff also states that the original designers of the Internet never had security in mind when designing the protocols that make the Internet function – which is true. Security was an afterthought that became very important as worms and viruses began to pop up and wreak havoc. I agree that we have sunk a lot of time and money into patching a system that was designed without an ounce of thought dedicated to security, but I don’t think that is a bad thing. IPv6 has been developed out of necessity and is a good step forward in Internet security, and this technology is available and ready to be used. However, again we run into the same problem we experience with updating individual computers: unless there is a critical need to change, the majority of people do not want to change. Thus the much more secure IPv6 protocol has begun to be implemented, but the less secure IPv4 protocol is still the primary protocol used to make the Internet function.
What bothers me most about this article is the solution Markoff proposes – a gated network where users are required to give up their anonymity. What makes the Internet great, what keeps it interesting and innovative, is anonymity. Any person with a computer (or any other networking-enabled device) and a little know-how can quickly access a wealth of information on just about any topic imaginable. They can also add to the conversation, thereby increasing the knowledge base. A gated community by its nature keeps people out. It removes this ability to easily access a certain area. The digital divide is already enormous! How can we expect to change this while implementing a security policy that makes it even more difficult to access the Internet? That being said, there are again a couple of technical issues. First, SSL already provides secure authentication and is used by most (if not all) of the major online businesses. Why should they change and become a part of a gated community that may cause a loss of business? It just doesn’t make sense. Second, identity theft is currently wreaking havoc worldwide. A clever person can easily access incredible amounts of information and quickly take on the identity of someone else. How will a gated community handle identity theft any better than the current system?
In my opinion, it is definitely smart to be looking to the future and focusing on improved security, but to say that the current Internet is broken and that the problems stem from the protocol is misplacing the blame. As with any system in this world, one of the weakest points is the human element. I’m learning more and more that a good social engineer can easily skirt the security measures that have been put in place by simply exploiting the humans involved in the system. Before we do anything drastic like rebuilding the Internet into a gated community, I say we do our best to educate people about how to be safe. It’s much the same with children – you can do everything possible to keep them safe (to gate them in), but until you teach them how to be safe they will always be at risk of exploitation.
Tim Seymour lives in Washington, DC. He works as a Systems Administrator for