Hacked off at last

May  2002 

The need for improved security might yet be the undoing of Microsoft

The question of computer and network security is the software equivalent of UPS hardware. It’s unglamorous to the extent of being really boring for most users, but without it, you may well find yourself thoroughly stuffed. Nevertheless, I get huge numbers of press releases from UPS and computer security companies since there are many rich opportunities to scare the punters with regular tales of catastrophe of either the hard or soft variety.

However boring it may be, the problem is real and not imaginary. I know a security officer on one Internet network who is recording a substantial and growing number of intrusion attempts that range from the blatantly naïve to the deeply subtle. As bandwidth increases, so do the opportunities for serious denial of service attacks, and the tools to detect and counter these intruders are keeping up on a daily basis.

Software security problems arise, very simply, from the anonymity of the systems and data. If every byte carried a forensic fingerprint from a point of origin, then just as certainty of detection is the most effective way to prevent general crime, the same applies to hackers and virus mongers. The academic folks who founded the Internet gave far too little thought to the possibility that human nature would lead to the situation we have at present, but law of the jungle always prevails given half a chance. There are various initiatives that involve Public Key Infrastructure signing schemes, particularly where executable programmes are concerned, but these generally do not have viable hard security; relying instead on so-called “digital certificates” (and that includes all so-called “secure” web servers). However, there is increasing discussion of smart cards in he UK in various contexts from the obvious credit/debit card scene, to the government’s proposed (whatever you do, don’t call it an identity card) “entitlement” card, and also passport enhancements that invoke biometrics at last.

If the IP address of origin could be “branded” into the data in such a way that the average 12-year-old computer enthusiast couldn’t spoof it, then there would be no computer crime. Ironically, to do this with a completely “closed” operating system from Microsoft is nearly impossible. Ironically, it’s much simpler to compromise the security of something as “secretive” as Microsoft code because there are so few people really testing with inside knowledge before it gets set loose, and exposing it to extensive “peer review”.

And if Microsoft tries to plug on regardless and build on the already questionable notion of “security through obscurity”, the chances are that there are many hackers out there who now know a whole lot more about how to sneak past the efforts of Microsoft – and they are keeping this knowledge to themselves, while they work out how to get rich from it. Microsoft’s long history of imperious and proprietary effort to exert mind control on its marketplace by adding specific identity trackers to its products attracts the computing community rightly expresses extreme concern.

After all, Microsoft has been found guilty of various cases of exploiting its overbearing control of the market to advance its own interests to the detriment of all else.  But security starting at the most OS level is so fundamentally necessary, that it is not inconceivable that there may come a time when Microsoft is simply not able to justify its “closed development” strategy any longer.

Now, this all reminds me that it’s time to bang the drum again for Linux.

IBM, Sun, SGI, HP, and now probably also Apple have progressively given up all hope of ever doing business with Microsoft, and decided instead to give the whole “open Systems” and “Open Source” strategy of the Linux community to prove itself on the big iron. Which has done most eagerly.

The obvious high profile problems like word macro viruses that send email to everyone in your address book are the tip of a much more sinister iceberg; the security issues we all need to worry about are those subtle Trojans that hide themselves in your system and surreptitiously intercept logins and passwords without you ever knowing. It’s a lot harder to communicate a lump of hardware – like a smart card – to an untraceable hotmail account. And it’s also a lot trickier to hide such a Trojan in a transparent operating system like Linux, than something that’s as impenetrable as Windows XP.