I had yet another computer journalist call me to ask if Vendor X’s security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they’ve read the vendor’s own PR, another newspaper article, or even my own column touting a particular product. The typical conversation goes something like this:
Journalist: "Hey, do you think Product A from Vendor X will solve all our security problems?" (I’m not making up this question, either -- I hear a version of it 99 percent of the time.)
Me: "No, I think security is only going to get worse and every proposed product is doomed to failure. I predict that within a few days the Internet will collapse and online communication as we know it will cease to exist and the Internet will have to be rebuilt from the ashes over the next six months. On the positive side, we’ll all have a lot more time for our family soon."
Journalist: [Silence or pause] “Huh?”
To be fair, a little more than half of them know I’m pulling their leg. Only a few formally ask if they can quote me.
It bothers me that a lot of computer security journalists don’t really know security. Not that I’m an expert, but when a vendor’s press release starts out with the phrase, “We detect all threats known and unknown, without frequent updates," I immediately discount that product.
Usually I end up explaining to the journalist how none of the security products we use will ever be perfect because they are all point solutions ignoring the real problem: Most hackers and malware spreaders never get caught. If hackers and malware writers knew we could catch them most of the time, we wouldn’t even need anti-virus software or firewalls, because our security threats would be almost gone.
This is analogous to speeding on the highway. Nearly everyone speeds on the highway because few speeders get caught. But if every speeder got a ticket every time (think ticket-cams), you’d see all drivers slow down.
The real computer security problem is a lack of persuasive authentication. If the Internet allowed default authentication and accountability for every packet and every program, from source to destination, hacking and malware would stop overnight. In a better world, if someone sent me a malicious program, I could track it back not only who sent the program to me, but who sent the program to them, and so on … back to the original creator, with nearly 100 percent certainty. Hacking would cease to exist.
It’s not as if this idea is unknown to the world. Many security solutions attempt to tackle authentication: PKI, S/MIME, PGP, ActiveX, smart cards, network access control solutions, etc. But each of these is only point a solution, tackling a particular part of the problem but not every possible scenario.
Lots of people are trying to build a holistic solution, but persuasive authentication isn’t easy or fast to accomplish. The Trusted Computing Group’s open standards are a good place to start. They offer guidance to computer device manufacturers and software developers attempting to build in default trust and authentication.
The idea is that everything needs to be authenticated, including the hardware, operating system, application software, and anything the software creates or sends. It all starts with trusted hardware components, to prevent software from manipulating and invalidating the trust routines situated in the hardware. Currently, many hardware and CPU vendors are building TPM (trusted platform module) chips onto the motherboard. Linux and Microsoft are already starting to use the chips; enterprise versions of Windows Vista will use the TPM chips to store encryption keys that lock up the hard drive prior to booting to prevent boot-around attacks.
Once the hardware is secure, vendors can build trusted and authenticated operating systems that rely on the trusted hardware. Then application vendors can rely on the OS for trust and allow people to send trusted data content back and forth to each other.
In the future, it is highly likely that the Internet Version 2 will require default authentication on all messages, from source to destination. For example, in order for your e-mail server to send an e-mail to my e-mail server, it must authenticate to my e-mail server first. Your e-mail server will authenticate that your e-mail came from you and that you meant to send it. Your operating system will ensure that your e-mail client isn’t being controlled by a worm or spybot.
Some people say that persuasive authentication is bad, that anonymity is necessary in certain places, like AIDS testing organizations and rape recovery meeting groups. That's fine -- keep your anonymity. I’ll just not allow anything that needs anonymity to connect to my business asset, and I’ll pay extra for that protection.
Maybe there will be two Internets: one for default authentication (and encryption) and another for the untrusted world to play. IRC (Internet Relay Chat) channels have that now. Communicating on unauthenticated IRC chat channels is a dangerous place to hang out for most Internet users. The trusted and authenticated IRC chat channels are mostly free of malicious hacking and bot wars that plague the untrusted version.
For hackers to attack the trusted Internet, they will need to compromise the persuasive authentication mechanisms. And they will, because humans will code the authentication mechanisms and we are imperfect. But we will be able to install one patch and immediately remove that attack threat -- which is the opposite of what we do now. Today, we cure one symptom while ignoring the underlying disease.
The solution to our security problems isn’t a particular product or vendor, but persuasive authentication, which will probably only happen after multiple catastrophic e-commerce events and forced government regulation. We know what the fix is, but we are reactive sheep, waiting to be forced to the real solution.