The Internet has very quickly gone from a niche hobby to a revolutionary worldwide connection of information and ideas. We all started at different points when it comes to our exposure to it, leaving mixed feelings on its place and purpose. At the heart of the direction of the Internet on every level, there are two diametric philosophies: politicization leading to corporatizing, proprietizing and homogenizing, versus the free software movement pushing toward transparency, collaboration, expression and freedom.
Whether it’s from simply the software side where GNU and Linux has been growing steadily in quality and marketshare both on the OS side and just free and open-source projects such as Audacity, GIMP, Firefox and many others thriving on Windows itself, or within the realm of legislation in the debate over net neutrality and the importance of the freedom and anonymity of web users and web content.
So, this story is par the course, but no less misinformed, misleading and downright wrong than any other on the side of enforcing the unenforcable on the Internet.
The first thing to note about the article is that the purported security risks relate not the structure of the Internet, but the passing of information itself. It’s not that the Internet is insecure, it’s that Windows is insecure. How many of those 12 million computers were running Linux? There will never be a perfectly secure OS, but the point is that the vulnerabilities were in software, not distribution. Hilariously, the article says Conficker succeed by “easily sidestepping the world’s best cyberdefenses.”
For one, the answer to my earlier question on Linux is zero, because Conficker is Windows-only. Second, Conficker is a worm, which means it spreads by scanning ports then exploiting a service, in this case port 445 — a known malware hotspot that should unless absolutely necessary be blocked for all incoming traffic. A single obvious firewall setting stops it easily, and merely passing your connection through a router at default settings will likely do the trick on its own. World’s best? It’s not impossible to run a secure Windows machine, just as it’s not impossible to infect a Mac.
The second important point is that their solution never once mentions security in terms of technology or programming. Security by law enforcement is just absurd. Perhaps a result of American self-absorbtion, but it always seems to be forgotten that the Internet is worldwide. Good luck with that driver’s license methodology in stopping scams from Nigeria.
There are inherent security problems with the architecture of the Internet due to its initial roots, the article actually has that correct, but they are way off base in terms of what those weaknesses are. The problems are the public protocols, which have been forced to be updated, the most obvious example being HTTP which was designed as plaintext, but due to security issues SSL encryption was built on-top. Similarly, DNS has never exactly been the most immutable, hence the push for DNSSEC, a replacement with security in mind.
What’s holding DNSSEC up? Most ISPs can’t handle the increased overhead. Redesigning the Internet would do nothing to improve the stubborn western ISPs who have neglected investing in infrastructure and instead opted for milking the consumer as much as possible.
And ultimately, nomatter how you structure the Internet, you have to accept that fact that you can’t ignore the problem of the Dancing Pigs — most users are going to do what they want, security be damned. This is inherently and necessarily an Operating System problem if anywhere. The truth is, the underlying problem with security is not in protocol — the security in that is only supplementary, at least in terms of something along the lines of a worm or virus infection — but rather, PEBKAC, and nomatter what you do, that will forever and always be the case.
I can improve the security of how the user interfaces to the Internet by an order of magnitude by changing your login–don’t run as a super-user (Administrator) and that will severely cripple the vast majority of existing issues. Sandbox to eliminate nearly everything else. Add on continual improvement toward phishing and malware reporting in browsers themselves and we can do this.
Meanwhile the underlying philosophical concepts are just as harmful, with the article stating, “users would give up their anonymity and certain freedoms in return for safety.” Who is it here that has not witnessed the incredible depletion of American freedoms under the guise of security and the devastating consequences? Never more evident has it been the accuracy of Benjamin Franklin’s statement, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
The Internet is by necessity neutral and anonymous. A cumulative database of all the knowledge of all of mankind available to every individual connected is already one of the most important progressions in history and can only become more essential with time. Legislation and propaganda by those who know the least what they’re trying to undermine are not only ignorant, but treasonous; not to a nation, but to mankind.