Take Away the Sandbox and You Take Away Cyber Risks

Kenneth Tingey
Dec 25, 2020

Written with Miroslaw Manicki

The sandbox itself is the problem.

I have three stories to tell. They have to do with the security breaches perpetrated by bad actors — from the ones that are surfacing now to those that have vexed society since at least the advent of networked systems after the growth of Internet applications.

Before this, it is important to note that in cyber terms, I am ancient. In college, I learned to shuffle punched cards, which you would submit on a tray to white-coated mystery men who would run them through the massive mainframes that would generate large format reports that would display the pros and cons of your programmed argument. Apple II, yes, CP/M, yes, Osborne “sewing machine”, yes. Pre-IBM PCs, including the Victor, yes. I learned of spreadsheets in a Boston think tank using VisiCalc before it was a commercial product. From the original MS-DOS through the Macintosh Wall Street Journal deal — you show up with a credit card that they would not run and they would give you a Macintosh overnight, yes, I did that all-nighter and kept the machine, which I soon upgraded with 2 MB of RAM and ultimately a monarchical 10 MB hard drive. I lugged a Macintosh to China in 1989 in the overhead to make a presentation.

I lived through all of that as a user and a VC investor. Then came the enterprise. I became a developer and was a witness to and participant in the database war, which the bad guys won. I fought in the trenches of the Open Systems movement, which the good guys won. I learned of the Internet in the footnote of a Businessweek article when that was a thing. I got dialup accounts to the main services and downloaded Mosaic from Marc Andreessen & Co. when he was still in school. I became an enterprise system developer, with visions of sugarplums as to what could be done. I built a solid system with some gifted partners, in conjunction with their employer and others.

If you are a typical tech maven, you have no idea what I am talking about. To you, the world began with Google. In large part, the world of IT ended with Google. That is when the purloining started in earnest. Look them up — Ken Thompson, for example, the father of UNIX. Therein lie solutions to the various and many resolved issues that flew out the window with desktop metaphors and shared networked data. Does anyone even know who George Sorter is any more? Of course, they don’t. Tim Howes — father of LDAP, the federally-funded project for secure access to resources in a network? Now, that would be fine, wouldn’t it, but it predates history — coming from a 1993 federal project and thus irrelevant to the social media information highway. Nobody I know in tech even knows what LDAP is.

The Year 2000 Problem separated the men from the boys. The men marketed unfathomable complexity and dazzle. The boys marketed security and functionality. That was even before social media companies came to the bowling alley and knocked down all of the pins. Forget all of those carefully-scribed protections and context-saving barriers, all was to be taken over by a bazaar of consumer surveillance. People were to be invited in for free while vendors behind the curtain engaged in a wild bargain to purloin their new customers’ privacy and quiet enjoyment.

Ah, the sandbox. This was new. This was the thing. Inside the sandbox you could function with impunity — all things were plastic and whoever was let in could have the run of the place. The concept for this hearkened back to when Steve Jobs purloined the ideas for the desktop metaphor from the Xerox PARC Labs, which Bill Gates then purloined from him. Jobs had the audacity to sue. The Microsoft retort was a cogent one, apparently — “We are all criminals here”. The idea was to make the computer interface seem like a literal desktop, where data was stored in folders that looked like folders and most work took place within a new construct called a “word processor,” which took a great deal of time to make sense to the masses. One comment I recall — “Is it something like a food processor?” Alas, yes.

This leads to the first story. In 2000, I got a job at a research institute in conjunction with graduate studies. They had agreed to use some of my software in a project. That software was designed so that all sessions were secure, protected with strong encryption. They said that we had to do away with that because the internal system would not support it. I knew this was trouble. That system forced our system to break open the context of what it was about in order to be reassigned temporary IP addresses — nothing to do with the Internet ones — and then function in the sandbox that was that organization’s environment. Once you got through their own security — which amounted to the traditional login and password — you were IN. You inherited the rights of whatever user whose password you purloined.

This was state-of-the-art stuff. I was screaming inside, and to some degree, outside. This did not make friends of my colleagues, who had the good graces of their military and security communities to fall back on. No, they weren’t interested in highly-encrypted, high-context, process-based sessions if they compromised their sandbox. They weren’t interested in multiple, staged, and logical means of accessing processes to parcel out data based on knowledge-based processes (not AI, but processes laid out by human experts) and enterprise rules. They had no problem with their winner-take-all token system. You just had to have passwords that were so long and convoluted and arcane that no human could remember them — necessitating the little booklets or raggedy laminated sheets with every password ever thought of since the first grade. Imagine what would happen if the “Russians” ever got hold of those.

Precisely. Hackers are described as genius obfuscators and highly-skilled, brilliant people. OK. I’ve read the stories. At some point, somebody left out a password, granting access to the sandbox. Ta da, brilliant. This is like the best castle in the sand. It is still a castle in the sand.

Here is my second story. I was talking to a good friend, a system administrator. He told me that no system is secure. I asked, how about if you hardened the machine by encrypting the data, set up strong access encryption, and closed off all of the ports but a secure web port (443) and a secure login port (22), and ran all of the services through the secure web port? His response? “Sure, but what is the fun in that?” I don’t know, I kind of think that speaks for itself.

Here is my third story. It is more of a commentary. Why on Earth did the NSA allow access to the crown jewels of American security to a snot-nosed twenty-something-year-old punk? This is a dirty little secret. Contemporary systems have the back door wide open for business for similar kids who took no virtue tests to get their jobs. This has to do with the desktop metaphor in the first place. Why is anything laid out bare in documents — and don’t get me started on emails. Institutional communications should never be held hostage to the prerogatives of individuals. It should be manifestly impossible to communicate in an institutional context outside of the institutional infrastructure. Take the Hillary Clinton problem. She should have been issued her means of communicating by the government and that was the end of it. You want the job, you use the system.

There should be a layered approach to systems where technicians are responsible for function and security in their layer and that layer only and given tools that have been developed that are fit for the job. These exist. Some predate the Google world — in fact, most do. They need to be dusted off.

Functionality needs to be put in the hands of people based on either their knowledge or their administrative responsibilities. Legitimacy of organizations is now dependent on the legitimacy of their systems. Thus, they must take control of them. This involves what we call fluidity. Elements of this existed back to the 1970s and 1980s. We work on it now. Many are not interested. What would be the fun in that? Spy vs spy, that’s the thing.
