How to Secure the Internet

The Problem

You've probably seen news items about how insecure the Internet is. Those items are accurate: there is a problem. We're forever having hackers break into some large organization, like a bank, and steal credit card numbers. It's actually common. "Denial of service" attacks have been reported a number of times. It's perfectly common for viruses to take over personal machines and do bad things, although usually the bad thing is fairly innocuous (like send large emails to everyone you know). But, there have been viruses which deleted all the files on your hard disk. That can and will happen again.

The government has announced that we are wide open to "cyberterrorism" and they're completely right. One web site survey reported that 11 million sites were currently vulnerable. At one point, 60% of IIS "secure" sites had been compromised.

There are lots of computers that are entrusted with human lives: for example, FAA systems, medical equipment, and the floodgate controls of dams. In these cases, a hacker could kill someone, and as we know, there are people in the world who want to kill us. So, there's a problem.

Why is there a problem?

Well, for two reasons, and no, it's not because software has bugs. Of course it has bugs. It always will.

The first part of the problem is the way many companies deal with their bugs. Partly it's not being diligent enough in testing for bugs, but more importantly, it's not being professional about repairing bugs promptly, so that very few of their customers ever get exposed to any great danger. And default configurations are often ill chosen. (There have been manufacturers who shipped Windows XP with speech recognition turned on. Users reported random words inserted into their Word documents, and they didn't know why, because they didn't even know they had speech recognition software.)

The second part of the problem is much larger and harder to solve, so that's what I will address.

The basic issue is, there are hundreds of millions of computers in the world, and there aren't hundreds of millions of people who are expert in operating their computer, and there never will be. So, a lot of these computers are very badly set up. For example, when you buy a wireless network, there is the ability to encrypt all of your message traffic. If you do not bother to turn that feature on, then anyone out in the parking lot can listen in on whatever is going on, and very possibly reach in and do things. There has already been a report of a company which used wireless cash registers, sending credit card numbers and amounts and names in a way that any perfectly ordinary laptop could listen to.

Unfortunately, it looks like most wireless public-access systems are going to be operated by small businesses like coffeeshops, who offer the service as a loss leader. This is not the scenario you would choose if you were hoping for well administered systems.

The Internet in general is wide open for mischief. How did it get this bad? And the answer is, because there is no real incentive to do better.

And that's the problem.

I have a lapel button which reads "Too bad ignorance isn't painful". And the more I think about it, that applies to the Internet. It's too bad that having a misconfigured computer isn't painful.

But it isn't, and that's why so many of them exist. And, as I argue below, these misconfigured computers are what makes hackers able to operate, and what makes cyberterrorism possible, and spam ungovernable. Everyone who gets a flood of spam, as I do, would like the Internet to be better maintained.

So there's the issue. We need to make misconfiguration painful.

A Solution

There's absolutely no substitute. We're going to have to have some force that goes around discovering problems, and getting them fixed. And since the problems exist in computers owned by individuals and by corporations, and they're not fixing them, that means that the force has got to be outside those individuals, and outside those corporations. It has to be the government. This is a real pity, because I don't like the idea of suggesting a new government agency. But that's what I'm doing.

What that agency should do, all day, every day, is run around doing the electronic equivalent of trying doorknobs. After all, that's what hackers do, really. They have their computer try 10,000 doorknobs and eventually they find a door that's unlocked. That's how they break into computers. After all, in a million systems, a few thousand mistakes are inevitable.

We can lay the blame for misconfiguration at various different doors, but let's not lay that blame. Let's get on with the solution. Rather than put requirements on software vendors, let's create a customer demand for better systems.

When the Million Doorknobs Agency finds a system that has a known vulnerability, they would contact the people listed as owning that computer. But it turns out that if you phone some company, and tell them about a security issue, you tend to get a runaround. Whoever you're talking to doesn't really want to know, because it's not part of their job description. Or maybe the computer was set up by a consultant, and the consulting contract has run out, and no one there knows what to do. They probably don't quite understand what you're saying, or even know who would, and besides, admitting anything might make them liable. So would you please go away.

So the reason we need a government agency is that the warning has got to have teeth. It's got to have "or else" in it somewhere. When people are informed that a vulnerability has been found in their computer, they have to be informed that they gotta fix it, or else. And of course there is a whole spectrum of or-elses available to a government agency. In some situations, a fix is urgent, in others it's not. In some situations the vulnerability is more potential than actual. In some situations, the fix is expensive or unavailable, so polite advisories might be issued instead, in the hope of creating customer demand. And so on. We would want an agency that was reasonably flexible, and reasonably enlightened. We would want it to have a good appeals court, so that people like you and me would not be too easily harassed.

The bottom line is that there has to be an "or else", because otherwise the whole thing is a complete waste of time. If this agency was run by the Internet name registrars, the only threat they have is to delist your domain. That's very inflexible. If this agency was run by insurance companies, I suppose raising your rates is a flexible thing. But who has bought hacking insurance? We'd have to force that down people's throats, which brings us right back around to the G word, Government.

So, now that we've decided the MDA will be a government agency, does it matter that it's not world wide? And the answer is, no. If the agency was in California alone, that would help. That would be good. It would make the world better. It would be nice if there was one in Montana. It would be nice if there was a federal one. It would be nice if there was one in Zimbabwe. But even if it was only in Montana, it would still make the world better.

Would it cost much? No, not really. As government departments go, it would be really cheap. Would it work? Sure, assuming of course it was set up properly. It would basically be in the traffic ticket business. Remember, we're not trying to send people to jail, we're trying to get them to comply with standards. We want them to clean up their act.

This is not just a question of reducing the Wild West aspect of the Internet. We're also safeguarding the privacy and well-being of all the Internet citizens - that's you and me, if you're reading this.

I believe that such an agency (operating over a sufficiently wide area, of course) could clean up a significant fraction of the problem.

Now, what do I mean by that? I mean that when attackers go touching doorknobs, trying to find an unlocked door, they will come up dry a lot of the time. We will have closed a significant fraction of the open doors, to the point where the hackers find it relatively slim pickings. This is the equivalent, in the drug war, of trying to interdict enough of the drug supply to the point where the street price goes up. You know that the drug war is unsuccessful if a major interdiction effort does not change the street price of an illegal drug.

If we can reduce the supply of broken and infected and infectable machines, to the point where the hacker community finds a reduced ability to break in, then the agency has paid for itself. That's the aim, and I believe that a well-run Agency could achieve it.

Some Details of the Solution

The agency should publish statistics. We need totals, so we know that they're busy, and to obtain a regular measure of the Internet's situation.

A more difficult question is: should they say who they have had to contact, or who they've fined?

Traditionally, security audits don't get published, because traditionally they find some enormous gaping hole. The offender then argues that if we were to reveal that hole, someone would take advantage of it. But in this case that's just not good enough. Holes should be fixed, and giving free passes reduces the incentive. And besides, the Million Doorknobs Agency is only in the business of finding easily-fixed problems. The Agency should, at most, delay publishing for four to six weeks.

FOOTNOTE: The Computer As Attractive Nuisance

There's a well established concept in law called attractive nuisance.

For example, suppose you own a swimming pool. If a neighborhood kid sneaks in and uses your swimming pool, and drowns, you are considered to be liable, because the swimming pool was attractive to the child. By having it, you have created a nuisance in the neighborhood, because all the children are now tempted. You must put a fence around your Attractive Nuisance, or else you are liable when something bad happens.

There are quite a number of towns where, if you leave your ignition key in your car, you can be fined, because you have created an Attractive Nuisance. Some teenager is liable to steal your car, go out on a joyride, and endanger people's lives. Therefore, by leaving your keys in your car, you have facilitated the endangerment of lives.

I have several reasons for arguing that a misconfigured computer is an Attractive Nuisance.

A lot of people argue that, well, they don't keep anything valuable in their computer, and therefore if someone breaks in, who cares? And they're often wrong. They completely forget that there's stuff in there like their bank account number, or maybe their social security number, or a file of passwords, or those rude pictures. And if those aren't there now, maybe they will be next year. The trend is to place more and more of one's life into computers.

But even if there's nothing valuable in there, your computer is a resource. Hackers break into computers that are perhaps otherwise uninteresting, because they have uses for them.

They can store things - like the things they don't want found on their own machine. More likely, they will turn your machine into a slave. After they have acquired a few thousand slaves, they use them to mount what is called a "distributed denial of service attack". This is where the hacker tells the slaves to all send a flood of packets to some target. A huge wave of information pushes across the Internet, and arrives at the doorstep of the unfortunate victim. AOL and Google are almost the only companies that can withstand such a flood.

Your computer is now being used for a criminal purpose. By leaving it wide open, you have effectively left the ignition keys in your car.

There are other reasons why a computer could be of interest to a hacker. It's well known that if you want to break into a company, the best way to do it is to break into the home computer of one of the company's employees. (Or, if one of the company's employees connects to his company from an ISP, break into the ISP.) Now you are there to watch the guy make the connection, and you get his password. This technique has been used for breaking into a National Laboratory, which is scary, because that's a National Security issue.

Hackers also use other people's computers to disguise their tracks. By persuading your computer to forward his messages, a hacker makes it look as if the messages came from you. You definitely don't want this. The police might arrive at your doorstep, looking for him. Proving your innocence could be a real nuisance.

And, another reason, as if another was needed, is that spammers use other people's misconfigured computers. Mostly they do it to avoid having to pay fees, and as a way of evading Terms Of Service agreements. If someone passed tough spamming laws, it would be seriously difficult to enforce them.

I rest my case. Misconfigured computers are an Attractive Nuisance.

Last modified: 22 June 2003

Back to Don Lindsay's home page.
