Trusting Code that Was Never Designed to Be Secure
Our 40-plus-year dependence on code – that was never designed for security – has finally caught up with us. –PC Pitstop
By Stu Sjouwerman, for KnowBe4.com Security Awareness Training
Vint Cerf, who together with Bob Kahn created TCP/IP, the protocol that routes Internet traffic, is often called the “father of the Internet”. Cerf was interviewed about TCP/IP recently in a book called Fatal System Error and admitted “We never got to do the production engineering.” In software design language that essentially means “we never got out of beta”.
Cerf explained: “My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work.” The focus at the time, as it was an ARPANET Defense project, was on fault tolerance, not security. The message was supposed to automatically reroute around atomic bomb blast sites, not protect you against identity theft or keep hackers out of your network.
Cerf has stated many times over that the only way the Internet is going to be truly secure is to rebuild it from the ground up. That is difficult, but can it be done? Absolutely. But it’s going to take agreement, a lot of time, and a lot of money. And looking at the state of the planet, it’s doubtful whether it will ever be done, especially as some powerful players prefer things to stay as they are because they are in control now.
How did it get to be this bad?
There actually are security technologies that are far superior to what is being used today. So how come they are not being deployed in production? The answer has to do with people, not technology. Hackers and the NSA are far ahead in their offensive technology; they can essentially break into any piece of code. And then there is that pesky end-user. Machine-to-machine communications are easy, but once you throw in hundreds of workstations, dozens of servers, and thousands of devices and apps that are being driven by humans, things get very hairy, very quickly. Fancy mathematical security algorithms start to break down or get overwhelmed.
How does NSA Monitoring fit with all this?
As Cerf stated, the basic transmission protocols were not built with security in mind. This allows organizations with access to centralized Internet traffic hubs to “hoover” up the data they deem critical. The NSA claims that they “touch” only 1.6% of daily internet traffic. If the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. IT pros are very interested in what that actually means. Store? Analyze?
This excerpt appears with permission from knowbe4.com.