Why Cybersecurity Isn’t Secure
Enabling international foes by not enforcing legitimate questions, one at a time
Imagine a banking system that puts the goods on the front stoop and then just hopes for the best. The action might be popular for a time, but it wouldn’t amount to much in the long term.
While recently reading the excellent book by Malcolm Nance, “The Plot to Hack America”, I was struck by the pathos of our times with regard to cybersecurity. It seems that the geniuses that created the Internet and all of its wonders do not have the capacity to protect it. That is the message at least; that is what people assume.
The breeches Nance describes are not high-tech wonders, nor are they the result of sophisticated algorithms or programs designed to penetrate otherwise ironclad systems. It is dumbell stuff — phishing, using template passwords, digging through materials to find passwords that were disclosed carelessly or by accident. We are not talking here about the ‘best of the best,’ but the ‘worst of the worst.’ Part of the problem is in commandeering desktops in this way so that all of the keys to the kingdom are laid in front of the hackers in plain graphic wonder.
This brings fear in the communities thus compromised, to be sure. There are fears coincident with participation in the system and its wonders. There are also costs and fears of not participating, particularly as any and all public interfaces and many private connections are digitized and by association are compromised.
It also invests the hackers with undeserved confidence, especially those with geopolitical aspirations. Not only do they get to do harm, they can make fun of their victims at the same time.
There is no such thing as a secure system. At least, that is what everyone says.
A friend of mine, a educational system administrator, once gave me this piece of received wisdom.
I responded to him, “What if you close off all of the ports except the secure browser port [443 typically]. Encrypt the drive with strong encryption using a strong root password and perhaps multiple biometric forms of identification and physical tokens. Support both media and logic via that port. Eliminate any sandbox behind the administrative login, where administrators or users can wander around and wreak havoc. Eliminate documents from the system entirely, only allowing access to available data via questionnaires and independent validation steps as to identification and context. Only allow for encrypted, authenticated email, with no possible means of executing any kind of email attachment within the computer. Make sure that all key aspects of the various software packages and layers are fully-tested and vetted within open source software communities. Wouldn’t that do it?”
He said, “Yes, but what would be the fun in that?”
Fun, indeed.
Fun entered into computing somewhere in the time of the late introduction of the Internet, leading to global introspection in the throes of the Year 2000 Problem, which was used as leverage to embrace fancy, new, unproven systems that happened to be breathtakingly expensive.
We are talking about the late 1990s and the early 2000s. Up to that point, computing had been interesting to be sure, challenging and sometime enthralling, but seldom if ever fun or even popular. The one exception may have been the interminable text-based Dungeons and Dragons that administrators played among themselves in clandestine secrecy.
I had a software company through the ‘nineties’. I witnessed a significant changing of the guard in that field during that time, one that occured at different technical and administrative levels and that jettisoned much good work that had gone before. Long-held goals of functionality and security and new, fancy graphical displays passed each other as ‘ships in the night’. What resulted was pretty to the eye, but also pretty scary — as in wild, unruly, and less secure than their predecessors.
Armed with knowledge and experience dating to the 1940s, designers and academicians prior to that time had answered many questions regarding functionality, flexibility, and safety of computer use. In 1970, magic happened at Bell Laboratories, where a key group of aforementioned geniuses led by Ken Thompson created an operating system called Unix that was the do-all and be-all of interconnected, highly-functional computing.
In the late ’60s and ’70s and ’80s, there was a great deal of interest in making better use of computers, particularly within organizations. Some of these efforts were highly successful. Likely the most effective was the Open Systems effort of the 1980s, which resulted in device standardization and hardware interchangeability. This led to norms that continue to this day within devices and in their connection. Software supporting this is also common, with mostly good implications.
Linux, too, came to be as an open source version of Unix, inheriting its many salient features, notwithstanding many of them dealing with security were seldom deployed. Just ask a young software engineer about Lightweight Directory Access Protocol (LDAP) and you are guaranteed to get a blank stare.
With the introduction of the Internet, there was a massive abandonment of standards. Actually, it is not accurate that there was an abandonment, it was more like the changing of the guard — a ‘ships in the night’ phenomenon as stated earlier. The old regime was washed away with the herculean Year 2000 effort, which made use of the old technologies for a time, but which was eventually used as rationale to bring in tools and ideas that had in no way been vetted, nor submitted to tests and serviceability requirements.
There had been things introduced earlier that had carved away at the mystique of the old mainframe computing model. Personal computers embodied only some of the important features of computer usage. That is what opened the door to entrepreneurial efforts of Apple and Microsoft in particular. Pointing and clicking opened up conceptual avenues for computerization by the masses. This was further leveraged with graphical displays and intuitive metaphors. Key among those was the desktop metaphor, an example of which can be seen below.
This opened the door to wide scale computer use, but it was poorly vetted for use in organizations in the long term. As a person sitting within a facility can commandeer the artifacts of a working desk environment with little outside risk, a digital, virtual desktop provides outsiders with untoward capacities once they break in. This is the famous computer sandbox. It is the environment described by Malcolm Nance that is commonly compromised by hackers. The share the desktop with all that that implies.
Phishing is a malady that is similarly lame.
The goofy implementation of email that was ultimately promoted and that people use the world over is truly the equivalent to bankers leaving their money in cash on the stoop.
As in other things political, craziness of this kind enjoys at least tacit confirmation in the thought that nothing better can be done. Based on such an assumption, computers are thought of similar to Swiss cheese, full of holes — an existential fact.
Is this true? Is it impossible to define and protect — to refine — context, one step-at-a-time? If it is, we are indeed in trouble. We can’t then live with computers in every sense even though we now know we cannot live without them.
The question boils down to one factor:
Can a decision, once made, be reflected in a state or set of conditions that in no way conflict with that decision?
By this, we are referring to not just an initial question or condition posed in the session, but all of them. With each question, you narrow down the options to be presented to only those that apply. Can this be done with confidence along the way in computer-based activity?
This has to do with a lot more than security, but it is a condition on which effective security depends. Typically, the question is, are you who you say you are — or does the system even force them to declare who they are? If you don’t even ask the question (via system and network checks if not through direct validation) you are certain to be disappointed eventually, just like the bankers with their dwindling cash.
Filling out a questionnaire is a good example of the contrary condition. We are all only too familiar with the irritation of answering one question at the beginning of a questionnaire and then dealing with the rest of the document even though that first question rendered the rest of the questionnaire irrelevant. For example, the first question might be to find out if you are male, but then all of the rest are questions that only could be answered by a female. Consider your heightened irritation if you do not consider yourself as either one. And, yet, you have to go through the whole thing because there is no guarantee that something along the line may apply to you.
The problem is twofold. What do they do with your half-baked series of non-answers on the other end? There are more fudge factors in such an interaction than there is useful information. This kind of problem exists in all sectors, public and private. There is little targeting either going into or coming out of computer sessions these days.
Similarly, in many cases online, you will be given a choice and then the program goes right along, obviously not catering to that choice. In some cases in the chaos of social media, you know that the designers are playing with you, trying to either get you to give up on your quest, say, to cancel an expensive service, or to buy more of whatever they are offering. Touch-tone systems for phones are horrible at this — obviously sending you through loops, in part by not ever giving you that choice you are looking for.
Does the proposition seem impossible? Indeed it might be based on your experience, but the question was not couched to fit your experience, nor mine, nor that of others. If we cannot answer that question with some finality, we had better give up resolving other issues, including that of security.
Does nature do this, does it treat conditions with finality in this way? It seems as though there are a lot of continuums and fudge factors built into the weather, into human and animal behavior, and into the many cycles of life that we are witness to. Conclusive situations do happen, though. Think of a fork in a river — perhaps where there is an island. The water that goes down one channel does not then go down another — although in such a case, they might later join together.
Even though it is clear that nature demonstrates a good deal of give-and-take, there are times when everything changes due to a new condition — what James Miller calls a “decider event” in a living system. Conception of a new organism occurs or it doesn’t. Rain falls or it doesn’t. Lightning strikes or it doesn’t. Items reach freezing and melting points and they freeze and melt. Cell walls are penetrated or they are not.
I have an answer to management of processes with finality of this kind from a technical standpoint, but answering that question it is not the purpose of this essay. That answer has much to do with reasserting technologies and concepts from the ’70s and ’80s, before systems became more entertaining than informative and useful. Earlier, I considered some issues of how to keep unwanted people and actions out of a system. What I mean here has to do with what you ultimately want the system to do for you, how the one question and all of its subsequent questions and issues can be handled. If you want resolve that issue, please let me know via a comment or otherwise.
The point here is that this is what we need to be asking for: Conclusivity with regard to the systems we use. Under such conditions, you will never have your time wasted once you have declared your desires, preferences, and needs. This will resolve the question of security, to be sure, but also the question of functionality. Computers should not constrain our activities, but they should liberate us from the spongy and sticky parts of life that do not let us arrive at the answers and outcomes we seek.
Finally, it is important to note that many that say that there is no such thing as a secure system are right in a way: There cannot be a secure system given the ways they set them up and use them. They leave way too many unresolved questions in their wake that can easily be taken up by others.