Home / Blogs

Why Can't We Make the Internet Secure?

John Levine

In a discussion about a recent denial of service attack against Twitter, someone asked,

Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?

Sure, but you're not going to like it.

The Internet was originally a walled garden, where its operators knew who all the users were and could eject anyone who misbehaved. It's not surprising that its design was robust against technical failures, but not against malicious behavior by people who had access to it, and it had essentially no security other than its physical perimeter. Fortunately or unfortunately, the design was robust enough to scale up many orders of magnitude to the Internet of today without any fundamental changes to the design or security (non-)model.

Similarly, the most popular operating system on the net, Microsoft Windows, was originally designed for standalone computers and then disconnected office LANs, again with wide open access within the LAN, and the security model mostly being a physical perimeter, with utterly predictable results when it was attached to the public Internet.

Popular web applications such as blog hosting and content management systems are riddled with exploitable security holes because people select them for being cheap and full of glitzy features, not because they're secure or reliable.

It's no surprise that retrofitting security to an existing design is really hard, both because of design issues, and because users hate anything that makes their systems harder to use. Even the stuff that doesn't directly annoy users is expensive, and the key to understanding the Internet's economic model is to realize that everyone foists off costs on other parties as much as they can.

Hence we have millions of virus and worm ridden PCs, with nobody from the users who own them to the vendors that sold the insecure software to the ISPs (Internet Service Providers) through which the worms propagate taking responsibility for fixing the damage they enable. We have untraceable DoS attacks, with hosts forging their source IP addresses with impunity, because it's too expensive for networks to do proper ingress filtering.

Irresponsible ISPs and networks, not all of them, but we know who they are, continue to get connections from Network Service Providers (wholesale networks) that don't want to know what their customers are doing. McColo festered for years until the Washington Post named and shamed its providers, who then turned them off overnight.

The basic answer to your question is that the people who run the net, all umpteen million of us, have collectively decided that it's cheaper to live with the damage that criminals cause than to deal with the problems that let them do it. Change that attitude, then we can talk.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cyberattack, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

True, but irrelevant? Dave Crocker  –  Aug 09, 2009 2:06 PM PDT

Everything John says is true.  We/they have all be sloppy and gone for cheap choices.

But the title of his article promises too much.  It implies that merely being more diligent would lead to a "secure" Internet.  This underestimates the diligence and success rate of bad actors. 

Outside of the Internet, has anyone found a place that has a complete absence of crime?  Even fully totalitarian regimes have a serious undercurrent of crime.  The Internet will never be different from this norm.  It can be (and perhaps is) worse, but it can't be better.

So, we can make the Internet more tolerable and more safe, but really folks, let's be careful about managing our expectations, along with managing our better security efforts.

/d

Internet as an experiment in Democracy Alessandro Vesely  –  Aug 12, 2009 3:18 AM PDT

Outside of the Internet, has anyone found a place that has a complete absence of crime?  Even fully totalitarian regimes have a serious undercurrent of crime.  The Internet will never be different from this norm.  It can be (and perhaps is) worse, but it can't be better.

Although crime can only exist if the law of the strongest has been abandoned, its rates are not somehow proportional to freedom. For example, assaults statistics show that the Caribbean state of Montserrat --not quite a fully totalitarian regime-- enjoys low crime levels. What are the scalability problems from walled garden to global? Whether the Internet can be better than the world without it is an interesting question. To answer that, we should also consider what role the Internet plays in a global evolution scenario (perhaps not just our species), because we don't want to achieve security by limiting that role, e.g. by rising costs and dropping features. In that respect, a negative answer implies the Internet is almost useless (perhaps our species is).

Great article. Security (sadly) is almost never Jeremy Hitchcock  –  Aug 09, 2009 7:43 PM PDT

Great article. Security (sadly) is almost never a feature and those who name it as one are seen as a responsible party in one lens or one dispensing FUD in another.

You are correct that as connectivity has become less exclusive and the newly connected are "less responsible." However, that same force has allowed a whole slew of innovation and and I don't mean retail on the Internet.  I mean the innovation based on stretching or breaking acceptable practice.

Manipulating DNS responses was originally unfathomable. A couple companies really broke ground to provide a net benefit to Internet users by directing those end-users to content servers faster (Akamai/UltraDNS).  When those services first launched, there were some (and still today) who think that they violate the protocol.  Those two companies demonstrated that the net effect was positive and it's now generally accepted.  Today, the practice known as manipulating DNS responses ranges changing answers for geographical/network optimization of content (think Akamai/Neustar UltraDNS/Dynect), what OpenDNS does as a recursive DNS ASP, or what Comcast does as an ISP.  Time seems to make convenience outweigh protocol correctness.

Like all modern systems, the features and convenience we enjoy come with contain methods to abuse them.  I'm not sure that a system which is fully-featured and user-desirable whether it a network operator or a home blogger would prefer the deny first, allow last Internet.

What I am optimistic about is that the Internet has reached a level of maturity where "security" of the whole is now considered.  You can ask a software maintainer to tightening something up and ISPs are more cooperative about reaction.

There is clearly benefit to make sure that default pieces of software are secure by default but if you force a user to choose between security and a feature, we have lost.  Has to be secure by default.

So - to tell the difference between legitimate innovation and malice .. Suresh Ramasubramanian  –  Aug 09, 2009 9:07 PM PDT

there's this concept called "mens rea"- criminal intent. I'm not sure you can compare akamai, ultradns, opendns to botherders and dns poisoners who exploit the Kaminsky bug .. quite a stretch, even using the shopworn old slippery slope logical fallacy.

The old days when the MAPS RBL was broadcast as a BGP feed and used by some major tier 1s to nullroute certain netblocks are kind of long past (a variant does survive in the spamhaus DROP list but that's restricted to hijacked, or exclusively spammer / malware populated netblocks like the old Atrivo etc).

Perhaps those days need to come back?  So that a provider wont be able to tell Krebs "we didnt know, we took a look at them and said Holy Cow, immediately disconnected them" talking about McColo, some hours before Krebs went to press but after months if not a few years of continuing to host them despite certainly not living in a cave, being an active part of network operator and other lists that mentioned McColo on a fairly regular basis ..  Personally, I hope not.

But refusing to peer (or drink beer at conferences) with people who continue to provide connectivity to persistent sources of badness - of course, against a lot of published acceptable use policies - is something that's going to recur, sooner rather than later.

Split horizon DNS isn't the problem John Levine  –  Aug 09, 2009 9:24 PM PDT

I don't understand why you think I was referring to split horizon DNS, which has been around for about a decade and has never presented a security issue.

What I am getting at is that Jeremy Hitchcock  –  Aug 10, 2009 7:54 AM PDT

What I am getting at is that when you increase freedoms in a system by magnitude, you see a magnitude increase in users, and some increase of abuse since the limitations are more lax.  In general, populations prefer systems where there are greater freedoms.  To answer the original question, there is no cure since we prefer networks which are more open and less restrictive.  Sure, that decision is made with certain external costs not factored in and maybe that is the crux of the issue.

The example with DNS is that the standard of what is considered acceptable has grown.

Somali-style utopias John Levine  –  Aug 10, 2009 8:07 AM PDT

People certainly prefer to be more free, but they also prefer not to be hit over the head and robbed whenever they walk down the street. We're finding that the current Internet has become unpleasantly close to a mugger's paradise.

Your DNS example isn't a very good one, since I don't know anyone other than a few religious extremists who ever objected to split-horizon DNS. Open mail relays are a better example, which were a convenience when everyone was well behaved, but turned into a serious nuisance when bad guys appeared.

Interesting Parallels Dan Campbell  –  Aug 10, 2009 11:26 AM PDT

Your parallels to society are interesting and accurate.  It's a constant struggle between things like "freedom" and "openness" and "privacy" with "security" and "law / law enforcement", with the ever-present "cost" factor figuring in.  We always try to achieve a balance but the lines tend to move depending on a lot of conditions.  Many were more tolerant - albeit somewhat briefly - of a loss of liberties immediately after 9/11, based primarily on fear rather than reality and logic.  But most of the time, laws seem to only describe what can be done following the commision of what it terms a crime, rather than actually preventing crime.  Security is unfortunately more reactive than proactive.  The threat of consequences only goes so far, and not very far in the online Internet world that spans legal boundaries and jurisdictions and where it is easy to be invisible.  Furthermore, regarding the cost factor, security is lost sometimes not just because it is complicated but simple because (a.) it creates inconveniences for users (as you suggested earlier) and (b.) it costs alot to get there sometimes.  We've become incredibly spoiled these days, especially with the Internet providing so much and often for "free", that we expect prices to continually drop while features and services get better.  For example, we get in a tizzy when our broadband bill is $40/month when it should be $39 or $10 or free, depending on your perspective.  Yet we get in a similar tizzy when the service isn't secure, or the customer service is slow or outsourced or just plain bad, or the technology or services offered are just mediocre.  We constantly want better while simultaneously wanting cheap (or free.)

It's not reality.  The money is real and has to come from somewhere. There are jobs to be created or similarly lost.  There are P&L;targets and share prices to consider.  Those that complain most about the price for services or goods are usually the same ones that complain about unemployment rates, or the recessed economy, or declines in their stock portfolio, or a company's quarterly results being below what they think they should be, or not getting a raise or bonus this year.  Something has to give.  And this applies not only to security in our online services but also for customer service, management features, technical features, etc.  Personally, I'd be willing to pay a premium for many things, including increased security.  Hell, I'd pay an extra monthly fee if a service provider guaranteed that my occasional support call was routed to a human being immediately rather than an auto-attendent IVR from hell.  The same could be said for a more secure service offering.  But I'm probably alone on that.  It costs something to get there, and too many of our expectations are warped to think these things like security are cheap or free, or that you can acquire them without giving up something, perhaps privacy, service quality, features, speed, support, etc.

There's cheap, fast and good.  You can have 2 of the 3 but not all 3.  Take your pick.

Those interested in the topic might find Alex Tajirian  –  Aug 14, 2009 12:47 PM PDT

Those interested in the topic might find Alan Turing’s work on cryptanalysis and machines interesting. He is considered the father of modern computers.

The Titanic was thought to be unsinkable. WWII was to end all wars.

The practical implication is that downside risk/failure must be managed.

Turing, huh? John Levine  –  Aug 14, 2009 12:55 PM PDT

I happen to have a single rotor Enigma here that I bought at Bletchley Park. Assuming you also have one, I'll send along a suitable response.  Note that he designed the electromechanical Bombe, not the electronic Colossus.

Also. WW I was supposed to be the war to end all wars.  WW II was indeed the war to end all (large) wars, but now we're really off the topic.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Sponsored Topics