What is the right perspective on Internet and Computer Security?
An Internet company admitted that data on it’s computers may have been compromised. Not a surprising revelation given the news over the past few years about data breaches and malware. The intriguing aspect of this report is the way the malware infects the computer and surrenders data privacy.
See the article, New In-Memory Rootkit Discovered by German Hoster on Slashdot.
Experts in Computer Security will vary in their assessment of the solution to computer security. Based on my reading, 3 dominate views consist of the following:
- Complete security is impractical. Also known as Computer Insecurity.
- Complete security requires strict, multiple layers of security technology.
- Complete security requires regulations to punish people who overcome tech security.
Let us look at each one.
Perspective 1 – Computer Security is Impractical
People with this view generally accept that you should try to secure computer systems. However, they may also believe that any security you put in place will eventually be defeated. May be known as Computer Insecurity. I do not hold this view.
Those that think this way may hope to stay a step ahead by keeping their systems up-to-date. Real world evidence does not prove this out.
Perspective 2 – Multiple Security Technologies
The technical name is, “Defense in Depth” and is currently a primary view in security circles and security certifications. The idea is that if one level of security is broken, the next level of security might still block access. By having numerous levels, you can slow down access attempts enough for someone to detect the access attempt and respond.
Real world evidence only proves you can learn that someone has broken into your systems, but the widespread adoption of “Defense in Depth” has not stopped the most high-profile security breaches.
I think this is necessary in the short-term, but ultimately unnecessary if root causes can be addressed. Other related viewpoints such as Security by Design are completely valid but can be undermined if the underlying machine architecture prevents a full realization of thorough security.
Perspective 3 – Regulations Deter or Make Examples of the Guilty
Does not work against very high level security experts; nation states; or crime syndicates with many levels of hidden identities or geographic base of operations.
What Computers Are (non-technical description)
The following is a metaphor to describe computers in general, layman terminology. The question is, what is the basics of computers that makes them susceptible to access and technical compromise by unauthorized third parties. The answer lies in the design of the machine itself. Consider the following scenario:
When you play a piano, you push a key that produce a sound. As you press keys you hear different sounds. Each key means something and a combination of sounds results in a song, melody, or signal.
Computers are electrical machines that do two things.
- First, your information stored in a computer is stored as energy waves.
- Second, the wires inside the computer (called circuits) work together to do calculations on information and translate information into different information.
At a basic level, the wires in a computer are the same as keys on a piano. As electricity flows into a computer, it flow through the wires. As the electricity hits the wires, based on how the wires are shaped or placed inside the computer, the electricity with shorten or lengthen. As electricity flows through the wires, patterns emerge. These patterns are like the combination of sounds from a piano producing a song, melody, or audio signal.
Except, instead of making music, the patterns in a computer makes information. Now, a set of wires called a sound card can take this information and broadcast music into another piece of equipment called speakers, but that is an end effect. This leads us to two basic conclusions regarding the prospect for computer security:
- Just like you cannot generally hide a piano sound, you cannot hide computer signals.
- The automatic transparency of computers is the source of why security efforts tend to fall short at a broad level.
While the foregoing metaphor is simplistic, it is precise.
The Beginning Perspective for Computer Security
Computers give off multiple types of radiation based on the electricity flowing through them. This radiation can be examined from a distance and with the right equipment and technology, a third-party can reverse engineer what you were doing at the time they captured the radiation patterns.
The first step in computer security is designing the outer coverings of laptops, desktops, servers, tablets, and smart phones in such a way as to completely hide their radiation output.
Inside the computer, the wires have electricity flowing through them in such a way that the knowledge about much of this activity is known to most parts within the computer. This means that if someone injects a data pattern (called a virus, malware, or trojan) into the computer, that little piece of data can learn about nearly the entire state of the computer.
Why is this so? Well, that is the design of the computer. All data is created equal and have equal awareness of all other data.
This is well before you even touch Microsoft Windows, Apple OS, or Android. At the level of the computer itself, you have the potential for universal data awareness, access, and potential modification. Those that make the wires for the computers (generally called chip manufacturers) are the first source of the solution to all computer security.
Basically, they have to redesign the chip structure and specifications in a smarter way. They may even have to do this in a way that disrupts the business models of Microsoft, Apple, Google, HP, DELL, and so on. However, getting the chip design and computer specification right is the only thing that determines effective security.
The true remedies may be economically unwelcome by incumbents in computer technology. Therefore, the realistic prospect of change in this area may remain unattainable for the foreseeable future.
Computer Security Involving Networks
Say you took all the security advances made in computers over the last 5 years and then stayed off the Internet, computers, by themselves would be secure enough for private home or business use.
However, the network attached to the Internet in which information flows across country at lightning speed compared to an automobile or aircraft currently results in a privacy and security hazard. Once you take the Internet connection out of the equation, computer security is at a very high level. It is very unlikely in such a scenario that a local person in the building with the ability to break the security of a well-tuned but standalone computer will be present.
Today, the highest level of computer security is going to be with those machines that are never on the network or the Internet and the network cable is physically disconnected. The best way to update such machines is through sneaker net source code based rebuild of the OS and related software.
Second to that, other machines that are infrequently connected may enjoy security for a time and there are inconvenient strategies of periodic OS re-installs or Virtual Machine re-implantation can stay highly secure.
Some computer network technologies have intelligence built-in them. However, since the equipment that networks run on are designed with many of the same technical and conceptual principles as digital computers, they are potential targets for security compromise.
Remember, many of the largest commercial and governmental organizations with huge technology budgets with investments in the most sophisticated equipment, security practices, and technical software money can buy have been breached through the network across the years.
What Does All This Mean?
First, something is fundamentally flawed at the core of computer technology equipment and machines in terms of security. If you want full transparency, nothing is wrong with computers the way they are. If you need digital security guarantees on data that must remain absolutely secure, computers as they are presently designed, at least when paired with a network, cannot provide this guarantee.
Another point of view is that computers are fine the way they are. I hold this point of view from the standpoint that open source is a good phenomena; computers as machines in which their transparent nature allows a wide community of scientists, engineers, and technicians to inspect, review, and deliberate over any machine based on an open specification is what allows society to keep the technology honest. The widely understood nature of computers underwrite modern advances.
Recall the Intel processor bug in the 1990’s that some claimed could cause certain calculations to be off enough to cause problems with software. The open and transparent nature of computers allowed the community of concerned technical persons to raise this issue that resulted in a fix.
Based on a reading of information technology history, the impetus for the creation of computers was in what they could do in tabulating information. Commercial concerns and considerations around security were far below the horizon of concerns. It seems that those that perpetuated the advance of digital technologies, networks, and computers where part of a culture of transparency in terms of data sharing.
Within this culture, information is to be shared, insights exchanged, and intellectual property consigned to the public domain for the advancement of knowledge and understanding. This culture produced computers and networks. Trust among colleagues of similar intellectual dispositions and inclinations, therein, was implied in the design of these machines in terms of the sharing of information. A design that naturally allows information to be shared easily.
In the context of today’s world, we can think about computers as either essential machines for all of life’s activities or machines optimally specialized for certain things.
Computers As All Encompassing Gateways to Life
Given how computers are being used today, you could say this is where computers currently are; serving as a gateway to all of life’s activities. Many of the activities facilitated through computers include:
- Entertainment – Streaming Movies, songs, and online video games.
- Community – Personal level social networks, personal emails, and personal messaging.
- Commerce – Buying and selling products and services, banking, investments, and bill payment.
- Governance – Grant submissions, petitions, reports, inter-agency communication, etc.
Many of these activities are increasingly migrating to a digital platform or have fully transitioned to it altogether. If this is the direction of things, then it bears asking the question if a quintessential change should occur in computers to improve the benefits they offer while making them fundamentally secure machines by which to do these things.
Or, maybe the new way of doing old things should occur in a more fully transparent way leading us into a new culture in which privacy is only something that exists in a physical but not digital context.
The practical question to ask is can we trust that this transparency will not cause problems. Only each person can answer that question. In the meantime, things are they way they are in the digital area with little prospect for significant change in terms of what would be a more beneficial situation.
If basic privacy in the digital arena should correspond to our expectations in the physical arena, the computer hardware has to change to match those expectations.
Computers As Specialized Machines
As specialized machines, computers are superb in their ability to take in information; perform calculations; transform information into different information; and enable hyper efficient operations.
If you abandon the notion that a computer must be involved in all things spanning recreation, commerce, and digital social connectivity, then you may surmise that as calculation and information tools, they might be better used for specific activities.
When used to study the stars, computers can be very useful in calculating vast distances, huge magnitudes in mass, and high rates of change in velocity and temperature. What other mechanism can do these things as well as computers?
Think about financial services and the use of formulas over a huge set of data to determine loan eligibility; rates of return; and the most suitable interest rate for currency holdings.
Infrastructure may be improved through the use of models and information about materials and physical stresses to aid civil engineers and architects in their effort to produce better buildings.
In specific ways, computers can be very useful outside the realm of defining a social identity in a network linked to bank accounts and public reputation. Applied to specific applications, computers appear valuable to and entirely capable of fulfilling their basic design.
Between Life Facilitation and Specialized Use
The choice is clear, but it is one that each individual has to make. As a general principle, the best caution may be to carefully consider the things you use such as:
- Cloud services like: E-mail, online file backup, and social media
- WiFi that is unprotected, but take care that even secure wi-fi can pose a challenge
- Devices that require a network connection in order to work
You have to use a bit of common sense and careful judgement to be safe. As always, there is the Sneakernet as an alternative.