Stamp Out Network Security
We are building an economy based on the religion of
- Whitfield Diffie, Inventor of public key cryptography
My work sent me to Networld+Interop this year to attend a security
symposium, find out what nifty new hardware was going to be available
soon, and score free T-shirts (OK, that last item was my own ulterior
motive). I just got back from Atlanta and my bags aren't even unpacked,
but I had to rush to my computer to submit this month's Tales of the Geek Lord, and let you all know
Security is dead.
Once upon a time, a long, long time ago, a geek at MIT and a geek at
UCLA convinced their mainframe computers to talk to each other across
phone lines, using a nifty new concept in data transfer known as "packet
switching". These two geeks knew each other well, and trusted one another.
They anticipated problems, and bad data, and network failures, and silly
mistakes, and they would deal with these problems as they arose, as
distinguished engineers tend to do. But they never anticipated hostile
actions, or petty angst, or backstabbing capitalists, or corporate
espionage, or bored high school kids, or streaming video, or America
Online, or even the worst thing to be drifting around the Internet these
days: Security professionals.
Best effect would come from me now saying "I, yes I, am a security
professional!", but that's not quite true. I do a lot of work with
our own security team, and I have traveled to a few sites to help
them improve their network security, but I tend to work more in
design, installation and support. Security is just part of the overall
equation. In my job, you have to keep a positive attitude, or else you
wind up making excuses and falling way behind in your work.
Just like security professionals.
Security pros are as varied as everyone else on the Internet. There
are firewall vendors, consultants, reformed hackers, and hundreds
and hundreds of clueless morons out to make a buck. Security has
become a buzzword, like "Extranets", or "Stateful". The only difference
is that the security buzzword has been passed around regularly since
the Internet Worm incident in 1988.
Why do I have such bad things to say about our brethren, the security
folks? Here's the top reasons:
- They lie. This item is worth a few subtopics. Here are the
most spoken lies:
- All you need is a firewall.
You can also substitute the word "cryptography" for firewall,
and get the same basic lie. What they are telling you with a
comment like this, is that a network can be secured with one
magic, silver bullet. To keep it basic, firewalls can be
circumnavigated, through internal modems or data masquerading.
Cryptography works from point to point, but there is no guarantee
that the text is not being recorded and rebroadcast after it
leaves its last encrypted hop.
- You don't need a firewall. Oh yes, my son. You do. If
you run even a very small network, with only a few servers on
it, then you already have too much work to do. Recording and
analyzing all traffic on your network is sure to be more work
than you can possibly do, and still go about the business of
providing what your network exists to provide anyway. A firewall,
if nothing else, will enforce your basic rules of usage, and
prevent a good 90 percent of intrusion attempts.
- There are thousands and thousands of serious hackers out
This lie exists to give you the impression that you have hired
your security professional in the nick of time, because at this
moment some wiz kid with years of programming experience is
preparing himself to invade your network, and put graffiti of
a disparaging nature all over your web site. To borrow a quote
from Jeffrey Schiller, the network administrator for MIT, "Clue
remains a constant". 10 years ago, there were about 100 people
who really had administrative control over the way the Internet
was ran, and there were about 1000 people who really understood
how the Internet works. Despite the recent growth in Internet
usage, those numbers have remained closely constant. A hacker
isn't worth a damn unless he truly understands the way things
work, and of the 1000 people out there who understand the net,
most of them are dedicated to keeping it working. The few real
hackers out there who are up to no good are probably not
interested in your web site. They have other things to do, like
publish books on how to be a hacker, or avoid the bull rapist in
the prison yard.
- I used to be a dangerous hacker.
This may not be a complete lie, depending on your definition of
"dangerous hacker". Most people who tell you this are really
saying they used to download hacker files off of the Internet,
or they spent a lot of time on #hack channels.
- They have given up.
Security is a tough job. There are fundamental vulnerabilities with
every level of internetworking. The applications you load on your
computer were driven by "time to market" considerations, not secure
communications. Security professionals have to deal with impossible
guidelines and shrinking budgets. In other words, they have the same
problems you do. The difference is they are not responding to these
problems. You can spend thousands of dollars on a security solution,
and be left with the promise that "You are never completely secure".
Too many security people use this concept to justify only going
through the motions, saying the same old things over and over, and
then letting the blame fall on you if you do not follow their
instructions to the letter.
- They never cared about you anyway.
Cynicism runs deep in security circles. So does hatred for their
customers, whom they view as stupid, petty and completely unreasonable.
As a security person is speaking to you, in the backs of their minds
they have alrea