Hi Gary,
That's a beautiful piece of text : would you mind if I forwarded it to
some of my clients when they ask 'why I can't do this' ... as it
explains a lot! I'd obviously include any footers and reference to you,
should you desire.
My simplification is that the problem with the internet is that people
want everything that's on it, and just as with censorship, having
everything means that the bad comes with good, it's the same argument
that has existed about 'freedom of speech' vs 'censorship'. No one really
likes censors when they step on their toes, but most people are
disgusted quite easily as well, so where do you draw the line? People
don't naturally censor simple content in the same way, so why should
they censor complex content, as delivered on the web, any differently?
Different people have different bounds, how does one therefore cater for
everyone? One doesn't : one takes a broad general view.
However, to me, this means even a separate network of trusted services
would eventually be undermined, for the same reason that certain world
leaders rise to power... nobody ever agrees 100% on anything : otherwise
life would be incredibly dull, and progress wouldn't exist in the same
way as we'd all still be trying to fight off our predators with our bare
hands. Competitiveness leads to a lack of trust.
Just my [overly cynical] point of view, I still think you are spot on
with what's currently going on!
d.
> IMHO:
>
> Once upon a time, the phone company highly restricted the types of devices
> allowed to connect to its network. Some cynics may argue that this was a
> monopolistic practice solely for the purpose of making money but I'd have
> to argue, given today's experience with an open network, their explanations
> about assuring the security of their network certainly had some value.
>
> At the time, they mostly had to worry only about electrical characteristics...
> i.e. hardware. On the Internet, we have software to worry about. Something
> that is almost infinitely variable. The electrical characteristics of the
> pulses that make up packets have very little to do with the disruption that
> may be caused by the digital content of the packets.
>
> The devices we attach to today's network are highly complex and highly
> functional. Much more so than most computer users realize or are able to cope
> with.
>
> Although software engineering practices and computer science have continually
> made possible larger and larger software projects, the correctness of high
> level design, algorithms, business logic, and low level programming methods
> continues to be lacking which results in making software bugs the commonplace
> occurrence that every computer user nowadays accepts and expects.
>
> We've had problems with viruses, system break-ins, and various types of denial
> of service attacks for years. The evolution of such attacks into higher forms
> is inevitable given the fertile breeding ground of the explosion of Internet
> connectivity, the aforementioned bugs and complexities, and the rapid
> integration of network functionality into mainstream end user applications.
> The recent tools used in distributed denial of service attacks, automated
> vulnerability detection and exploitation software, the cross-site scripting
> issue, and the widely circulating remote control trojan programs are just four
> recent examples. As motivational factors to subvert security grow with
> e-business, Donn Parker's "automated crime" is just a short step away (note 1).
>
> The basic technology model in today's Internet includes programmable
> machines indiscriminately connected to a shared, open network with little or
> no access control. While yesterday a company concerned about security would
> communicate over dedicated, leased lines, today's company, if it uses anything
> at all, uses VPNs and firewalls...still over the same shared network.
>
> Yesterday's company had professional system administrators to take care of
> network connected systems. Today's systems are administrated by the person
> who just unboxed their computer from Wal-Mart and plugged it in expecting it
> to communicate with the rest of the world with no restrictions. Technical
> training for these programmable, network connected boxes that present services
> to the world and automatically download and execute code from anywhere including
> email and web sites consists of how to click the Start button and format Word
> documents. Anything more than plug-n-play is viewed as user unfriendly and to be
> avoided at all costs. "Computers should be easy to use." Even professional
> administrators today cry foul when software is difficult to configure, complex,
> and/or inconvenient.
>
> Active content and scripting is just a small part of the problem. The core
> problem is connecting those highly complex, unadministered, programmable devices
> to an unrestricted network of like devices. One of the two will need to change
> to provide for any semblance of order and security.
>
> In a free society, people are allowed to travel and interact with others
> basically at will. Antisocial behavior is discouraged by things like social
> mores, the desire to fit in and be constructive, and the fear of punishment. In
> the Internet, computer communications are allowed to travel and interact with
> others basically at will. However, the factors discouraging anti-social behavior
> are much less effective. Near instantaneous and remote communications make
> trouble making easy and nearly anonymous. Those same factors, combined with the
> sometimes farcical, sometimes nonexistent attempts of politicians, lawmaking
> bodies, the courts, and law enforcement to deal with highly complex, rapidly
> changing, and interwoven technical, multinational, and philosophical issues make
> fear of getting caught or punishment questionable. Social mores vary in the
> world community. Hackers may believe in what they do just as terrorists believe
> in their causes.
>
> The commercial world is taking over the Internet. Money and politics become
> major factors. It's been a wonderful time but I fear for the future. The
> structure of the Internet's communication model isn't likely to change. It is
> what makes it so adaptable and pervasive. What governing bodies may want to
> change is what is connected to the network:
>
> a) Hardware only devices that provide no programmability. Maybe only web browser
> functionality.
>
> b) IPSEC end devices combined with higher level certifying authorities that will
> label packets with the source's social identity. Of course, this brings up
> enormous privacy issues.
>
> c) ISP connections that constantly test connected end devices for compliance
> with the aforementioned rules.
>
> d) Servers are licensed for "public transport" and maintained accordingly.
> Licensees must demonstrate the skills needed to supply "public transportation".
> Unsafe servers are removed from the network just as are unsafe vehicles.
> Repeated offenses result in loss of license.
>
> e) Perhaps two networks will evolve. One will be similar to today's Internet. The
> other will use the aforementioned restrictions and be the one that everyone uses for
> E-business, online stock trading, online banking, etc. Or, for that matter, any type
> of active content. :)
>
> This is unfortunate. It's another example of how uncooperative members of a free
> society force extra burdens of regulations and restrictions on cooperative members.
>
> Perhaps everyone that wants to save the Internet as a free network should
> turn in a cracker/vandal every day :)
>
> Note 1: http://www.infosecuritymag.com/sept99/AutoCrime.htm
>
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
> http://www.jmu.edu/info-security/engineering
> ---------------------------------
> A vandal is a vandal whether they're breaking my windows or breaking my Windows.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
You really shouldn't listen to anything he says... as it may just be an opinion