.comment: A Different View of Security

By: Dennis E. Powell
Wednesday, September 19, 2001 12:39:33 AM EST
URL: http://www.linuxplanet.com/linuxplanet/opinions/3784/1/

Waking Up to a Changed World

It's been a week and a day since the world changed -- and believe me, the world did change, all of it -- and it's ever more evident that the rage is not going to go away. Possibly on either side. Definitely not around here. I was in broadcasting in New York City for a number of years, and a lot of the broadcast transmitters and network uplinks were on top of the World Trade Center. There were engineers there, and in broadcasting, one tends to know a lot of the engineers. They didn't have a chance, nor did anyone located above the points where the stolen airliners full of people hit. Officially listed as "missing," they were either incinerated, or crushed, or were among those who jumped, perhaps surprised at first that there didn't seem to be a ground rush; that came a few seconds later.

My country has been raped, and like other rape victims we will recover, but we'll never be the same; still, we'll feel a lot better when certain parts are lopped off the offenders -- in this case, their heads. (If you disagree with me on this, tough.)

Some of the rage arises, no doubt, from an inability to do anything about it. But for the IT community, there is a great deal that must be done, anticipated, provided for.

Data Integrity and Preservation

As cold as this probably sounds, one of the disasters that didn't take place last Tuesday was the loss of significant data. And that's important. Many of the companies in the World Trade Center were securities dealers, including some of the world's largest. Had customer order information, account information, inventories of customer securities held by the company, and other important data not been duplicated off-site, a very bad economic situation would have been made immeasurably worse.

I do not know of anyone, including those in a position to provide a reliable appraisal, who thinks that the events of September 11 are the last of it. They may be the last attack via commercial airliner, but there are ever so many other ways of creating enormous death and destruction in an open society. Already, people who have phony documents have been arrested doing things such as scoping out dams located above cities. There has been talk, even, of terrorist nuclear weapons (the subject, interestingly, of John McPhee's The Curve of Binding Energy, the tremendous 1974 book that speculated, ironically, on using such a device to knock down the World Trade Center). These produce, in addition to the obvious destruction, a very nasty electromagnetic pulse against which most computers are nowhere near hardened, and the range of the EMP can be significantly greater than the area of physical damage. It is therefore extremely good sense, if you are in a business where preservation of data is extremely important, to back up to a distant and safe site. (This kind of decentralization was, of course, one of the reasons for the development of DARPAnet more than 30 years ago.)

Cyber Threats

After all that has happened, the appearance yesterday of yet another Microsoft IIS worm was almost funny, illustrating as it did something that would have been a huge outrage 10 days ago and that now seemed almost insignificant. (Additionally, anyone who still runs unpatched Windows boxen is so dimwitted that it's surprising they have enough working brain cells to sustain life.) The new worm appears to have nothing to do with the attacks of terror and death, but that doesn't mean that the potential for an orchestrated and sustained cyber attack doesn't exist. Despite the fact that it has never happened, it is possible to bring down the Internet. And just as people learned the folly of entrusting all their savings to dotcom investments, they would come to learn the folly of entrusting their commerce to a network that at the moment isn't all that safe. In fact, the bad guys learned this a few days ago, when a European cracker busted open a machine run by radical Moslems and published the email addresses he found there. So much for the fabled encryption brilliance of these guys.

Which raises an issue I've talked about before: there is more to computer crime than the script kiddie stunts, the release of virus and worm code, and DDoS attacks. We now believe that the people responsible for last week's attacks actually shorted equities that would lose value as a result of the attacks, thereby making a great deal of money. So we are not talking a lack of sophistication here. Nor are we talking a single group that is interested in acquiring anything on your machine that might be of value -- garden variety criminals are very likely up to this, too.

What to do? Firewall everything, tightly. Don't send anything of importance over non-secure connections. Really beat your system up in an effort to find vulnerabilities, then fix them. Kill all nonessential services, which for many will be all services. (Distributions, bless 'em, have mostly now dropped their practice of turning everything on by default. That's a good step, but the rest of the path you need to take yourself.)

Time for Some Serious Rethinking

Remember a decade ago, when we were treated to all sorts of stories about how we'd all be telecommuting within a year or two? Have you noticed how that mostly didn't come to pass? Well, time has come for serious reconsideration of just that. Yes, there are businesses for which this is impossible and yes, I mentioned above how it is possible to bring down the Internet, which could result in loss of productivity during cyber attacks that are increasingly frequent. But in many, many cases telecommuting would be exactly the right thing, for several reasons.

First, it eliminates the possibility that an entire enterprise could be wiped out -- I'm talking people, not just facilities. Many enterprises are utterly vulnerable today. Last Tuesday, even very big companies lost people essential to their functioning, and those companies will very likely not reopen. Other companies lost everyone.

Second, it makes multiple backups to remote sites somewhat simpler.

Third, if the effects of last Tuesday unfold as it seems they will (and as I very much hope they do), there is considerable likelihood that anything that reduces gasoline consumption will be an important consideration.

(My apologies if you're the computer technician in your company, because a company serious about this would want to own and maintain the computers for security and other reasons, leading to the rise of the door-to-door system administrator. "Ding dong -- IT calling.")

There are other things we need to consider, and they have no obvious answers. There has been talk of our liberties being stripped away as a result of last Tuesday's events. Those who believe that government at every level was just waiting for an excuse to pounce probably can't be reasoned with here, but a calmer view of history illustrates precedents and the likelihood that many of our fears are unfounded. In times of crisis there have frequently been what could be called infringements of our civil liberties. These have ranged from the blocking off of areas to traffic to the security and rationing impositions of World War II to the truly Draconian measures imposed by Woodrow Wilson during World War I, to the firearms prohibitions of 1933 and since. We're already seeing airport security measures that may or may not do much good -- the terrorists' car that was found at Boston's Logan Airport contained a ramp pass, meaning that someone who had been in that car had supra-gate access to airliners. There will be more of this. As readers of this column know, I don't much trust the government, and I take a very dim view of some of the diminution of our Constitutionally protected liberties that has already taken place. But, frankly, in my estimation now is not the time to get too noisy over the idea that Internet privacy, a phantom to begin with, is somehow sacred and inviolate. (There was a lot of community outrage a few weeks ago when the FBI raided a radical Islamic website in Texas. For some reason, you don't hear it brought up so much anymore.) No matter where you come down on it, I suspect you'll agree with me that appending trigger words to the end of email messages ought to get those who do it a spanking and removal of their computer privileges for a while. In any case, we have no Constitutional right to unfettered Internet use, and anybody who thinks that this is the time to press the case before the Supreme Court is just plain nuts.

The Unknown

We can none of us know, have, really, the slightest idea, of what's to come. Strangely, we have a far better idea now, though, than we had nine days ago. The attacks in New York and Washington, and the attack that was apparently aborted in the skies over Pennsylvania by people who we can only hope we would emulate in such a situation, were in many respects the biggest and most terrible event ever to occur on these shores; certainly the biggest in many decades. Yet it was not unexpected in some respects -- at CBS 15 years ago we discussed the likelihood of a terrorist attack on the World Trade Center. John McPhee discussed it 12 years earlier than that. We never dreamt of the manner of the attack, though, and certainly didn't think we'd see it on live television. I suspect that the shock of it, the sheer starkness of it all, will not wear off anytime soon. I know people, good, strong people, who even now burst into tears at the sound of the National Anthem. A friend, a television reporter who has seen some pretty horrible stuff, completely lost it upon making eye contact with a New York City fireman, who, too, soon had tears on his cheeks. We are still stunned, and that makes it more difficult to do what must be done.

But we do all have work to do. We need to secure our systems. We need to plan for the further unhappy events that are certain to come. We need to be especially vigilant, and especially as to the machines we oversee. We must be serious and purposeful in doing our jobs. Because even if we are not directly involved in protecting civilization, we are directly involved in making sure there is a civilization to protect.

Copyright Jupitermedia Corp. All Rights Reserved.