Ron DuFresne wrote:

> What might be the reaction and legal fallout of such matters as concerns
> Internet access, systems security, etc...?
> Are active content pages and scripting ever going to be safe and
> 'secure'?

IMHO:

Once upon a time, the phone company highly restricted the types of devices allowed to connect to its network. Some cynics may argue that this was a monopolistic practice solely for the purpose of making money, but I'd have to argue, given today's experience with an open network, that their explanations about assuring the security of their network certainly had some value.

At the time, they mostly had to worry only about electrical characteristics... i.e. hardware. On the Internet, we have software to worry about. Something that is almost infinitely variable. The electrical characteristics of the pulses that make up packets have very little to do with the disruption that may be caused by the digital content of the packets.

The devices we attach to today's network are highly complex and highly functional. Much more so than most computer users realize or are able to cope with. Although software engineering practices and computer science have continually made possible larger and larger software projects, the correctness of high level design, algorithms, business logic, and low level programming methods continues to be lacking, which results in making software bugs the commonplace occurrence that every computer user nowadays accepts and expects.

We've had problems with viruses, system break-ins, and various types of denial of service attacks for years. The evolution of such attacks into higher forms is inevitable given the fertile breeding ground of the explosion of Internet connectivity, the aforementioned bugs and complexities, and the rapid integration of network functionality into mainstream end user applications. The recent tools used in distributed denial of service attacks, automated vulnerability detection and exploitation software, the cross-site scripting issue, and the widely circulating remote control trojan programs are just four recent examples. As motivational factors to subvert security grow with e-business, Donn Parker's "automated crime" is just a short step away (note 1).

The basic technology model in today's Internet includes programmable machines indiscriminately connected to a shared, open network with little or no access control. While yesterday a company concerned about security would communicate over dedicated, leased lines, today's company, if it uses anything at all, uses VPNs and firewalls... still over the same shared network.

Yesterday's company had professional system administrators to take care of network connected systems. Today's systems are administrated by the person who just unboxed their computer from Wal-Mart and plugged it in, expecting it to communicate with the rest of the world with no restrictions. Technical training for these programmable, network connected boxes that present services to the world and automatically download and execute code from anywhere, including email and web sites, consists of how to click the Start button and format Word documents. Anything more than plug-n-play is viewed as user unfriendly and to be avoided at all costs. "Computers should be easy to use." Even professional administrators today cry foul when software is difficult to configure, complex, and/or inconvenient.

Active content and scripting is just a small part of the problem. The core problem is connecting those highly complex, unadministered, programmable devices to an unrestricted network of like devices. One of the two will need to change to provide for any semblance of order and security.

In a free society, people are allowed to travel and interact with others basically at will. Antisocial behavior is discouraged by things like social mores, the desire to fit in and be constructive, and the fear of punishment. In the Internet, computer communications are allowed to travel and interact with others basically at will. However, the factors discouraging antisocial behavior are much less effective. Near instantaneous and remote communications make troublemaking easy and nearly anonymous. Those same factors, combined with the sometimes farcical, sometimes nonexistent attempts of politicians, lawmaking bodies, the courts, and law enforcement to deal with highly complex, rapidly changing, and interwoven technical, multinational, and philosophical issues, make fear of getting caught or punishment questionable. Social mores vary in the world community. Hackers may believe in what they do just as terrorists believe in their causes.

The commercial world is taking over the Internet. Money and politics become major factors. It's been a wonderful time but I fear for the future.

The structure of the Internet's communication model isn't likely to change. It is what makes it so adaptable and pervasive. What governing bodies may want to change is what is connected to the network:

a) Hardware only devices that provide no programmability. Maybe only web browser functionality.

b) IPSEC end devices combined with higher level certifying authorities that will label packets with the source's social identity. Of course, this brings up enormous privacy issues.

c) ISP connections that constantly test connected end devices for compliance with the aforementioned rules.

d) Servers are licensed for "public transport" and maintained accordingly. Licensees must demonstrate the skills needed to supply "public transportation". Unsafe servers are removed from the network just as are unsafe vehicles. Repeated offenses result in loss of license.

e) Perhaps two networks will evolve. One will be similar to today's Internet. The other will use the aforementioned restrictions and be the one that everyone uses for E-business, online stock trading, online banking, etc. Or, for that matter, any type of active content. :)

This is unfortunate. It's another example of how uncooperative members of a free society force extra burdens of regulations and restrictions on cooperative members. Perhaps everyone that wants to save the Internet as a free network should turn in a cracker/vandal every day :)

Note 1: http://www.infosecuritymag.com/sept99/AutoCrime.htm

Gary Flynn
Security Engineer - Technical Services
James Madison University
http://www.jmu.edu/info-security/engineering
---------------------------------
A vandal is a vandal whether they're breaking my windows or breaking my Windows.
