Open source software security

Proliferation of the Internet

I know there has been a lot of discussion on this topic, but I thought I would add my two cents. Everyone knows that the internet was originally established as a medium to exchange academic ideas, and there has been some realization that the addition of capitalization has been rather a poor fit to the internet, but has anyone really studied the effects of the commercialization of the net? Probably one of the most well-known problems among IT professionals today is the realization that security and accessibility exist at two poles of a scale. In order to provide absolute security there can be no access, and to provide ultimate accessibility to end users security has to be subverted. This presents a constant dilemma to everyone involved in IT, from network admins to programmers: how to make the product usable for the client, but still secure. The answer is that you can't, really; you have to come to some sort of a happy medium.

The underlying problem in this scenario is that the internet was designed to share resources. Tools like whois, finger, vrfy, etc. are all used to share information. Prior to the commercialization of the net there really was very little need to keep information proprietary. If you wanted to bop over to Berkeley's server and check out who was online, there was no problem. Better yet, if you wanted to exploit the huge computing power of MIT's systems from your dumb terminal, the internet was designed to facilitate you.

I would estimate that all of this began to change in the late '80s and early '90s. As more and more businesses came online there began to be an increasing need for security, to protect everything from credit cards to payroll records. The problems associated with attempting to use a system designed for the distribution of information for commercial purposes are obvious. The match is poor, but the huge profits available online are forcing an ill-fated union of internet technology and big business. Anyone who doubts that this marriage is forcing change need look no further than W3's recent decrees that certain HTML commands are going to be deprecated (mostly because they get in the way of making really neat flashy web sites).

Couple this problem with the fact that technology is growing at an exponential rate and you begin to realize the quagmire that the internet is becoming. The truth about computers is that there really isn't anyone around now who knows computers from the ground up. Basically, IT professionals and academics understand pieces of computers, but nobody understands it all. There are people who spend their whole lives just designing processors. These folks can arguably have so little knowledge about computer systems that when their Windows crashes they have to call tech support, but they can make really wonderful processors. As computers become more advanced this problem will only become worse. Programmers will know less and less about networking, network engineers will be unable to understand how databases are functioning, DBAs won't really know how their operating system works, etc. As each area of computers becomes more complex, the reliance on others to maintain the specific area of systems they have specialized in will increase.

What does this mean for hackers? Well, it means everything. As technology progresses fewer and fewer people understand the architecture upon which systems are built (granted, I still don't really understand how TCP/IP works, but in the same way that I don't really understand how my microwave works (yes, I know the microwaves agitate molecules, but really, you can say that, but do you really understand it?)). The exponential growth of computers and their business application means that development is being stressed over security, and most of the time this development is based on pre-existing technology. This means that security flaws will only become worse, and development will focus on progress rather than stabilization. Because clients want systems NOW, not secure systems 2 months from now, and because these clients will often fail to understand the systems they purchase, the opportunities for malicious intrusion are only going to get bigger and better. Granted, there is a burgeoning demand for so-called 'computer security specialists,' but progress simply outstrips the growth in skilled employees in this field.

To provide another example for the doubters still out there, let's examine Windows for a moment. Windows is the system of choice across the world. Yes, I know, I've heard the Linux rants before, but when I'm at work I don't get to choose my OS. Everyone should be aware of the Visual Basic security problems already present in Windows. Why is this problem still around? Well, Microsoft wanted a way to make an easy programming language that non-programmers could use to tie all their different applications together. In order to provide a user-friendly language, security was sacrificed. So yes, now when you open a VB app in Outlook it can interact with your file management, your Excel, or even (god forbid) your MP3s.

To further illustrate this point, everyone knows how to use Windows (to some extent), but how many average users could you sit down at a DOS prompt and expect even to know how to perform basic file navigation? MS-DOS is the platform upon which Windows was built, and as Windows advances (with the emphasis on progress), MS-DOS with all its features and flaws remains its roots. Imagine how much more invaluable it will become with time to understand basic Unix and DOS structures. Knowing how to use simple 'hidden' programs like traceroute, ping, ftp, netstat, etc. is becoming increasingly rare.

What do I think all this means? It's a wonderful time to be a hacker. Understanding what the hell is going on underneath all of this is limitlessly enjoyable. Knowing the security holes opened up by all the new advances in systems and programming allows hackers access to more information rather than less. Also, as technology continues its ceaseless march onward and upward, the number of people who understand the base architecture of the internet and operating systems is diminishing. This not only helps hackers' marketability, but it also imbues them with an increasing amount of power. As the future dawns ahead of us, we all need to be sure to examine the cost of user accessibility and quick fixes to business problems. Are these advantages worth the risks given the pervasive threat of cracking and cyber terrorism? Only time will tell.