There were two anniversaries last week. The first was the 15th Birthday of INEX – the Internet Exchange Point in Dublin. To celebrate this, they organised a rather good event at Dublin’s history-steeped Mansion House (the first Dáil sat there in 1919) complete with distinguished speakers such as Dan Kaminsky and Geoff Huston, and a rather good dinner from the adjoining Fire Restaurant.
It was also Arthur’s Day, another excuse to drink copious quantities of the black stuff. Coincidence? You decide…
Dan spoke for over an hour, including Q&A, with no slides, no sheaf of notes, just this interesting stream of consciousness that made you want to sit up and listen.
Some things that Dan said got me thinking, not least the comment that “The world’s social life is being run from Silicon Valley”, and more to the point by a bunch of nerds (Facebook, G+ and the like), maybe some of the most anthropophobic people you might find! This linked up with some other stuff I’d been reading.
So I thought I’d try and make sense of what was going through my mind.
Disclosure: One of the issues relating to disclosure is that people who suffer security breaches don’t have an incentive to report them because of what often happens afterward: they are publicly ridiculed and hectored (in the press, for instance) for being the victim of a security incident, while the “bad guys” get away uninvestigated, unpunished, and occasionally lauded.
Compare this to other non-Internet aspects of life, where a victim receives treatment for their injuries, support from the authorities, and the Police go after the bad guys. No-one says, “Oh, it’s your fault for wearing those clothes/going into that neighbourhood/driving that car.”
Victims of security breaches need more confidence that there is benefit in disclosure, or the “don’t ask, don’t tell” attitude won’t change.
“Security as Standard”: Why do things ship with exploitable holes left in them? Why do people declare a security concern “out of scope”? Or ignore it and hope it might not be discovered (at least on their watch)? Usually because they are scared of how much security will cost them in terms of time and/or money.
Security needs to be normal. Something you just do. It shouldn’t be an optional extra. Who would buy a car with no alarm and only the most rudimentary of locks on the doors? Yet we deploy systems onto the Internet with less than stellar security.
Dan argued it needs to reach a point where it is easier and cheaper to be secure than not. Trying to ask people to pay extra for security in a depressed economy isn’t a good state of affairs.
Social Norms: The same week as the INEX event, there was this article about the UK Riots on BBC News. It questioned not why there was rioting in the first place, but why there isn’t more rioting.
It came to the conclusion that there isn’t more rioting in places like the UK because people, for the most part, choose to live by the rules, voluntarily, out of their own free will – a social norm of a co-operative society, and doing the right thing.
But does this exist on the Internet? Might poor security have redefined these social norms? Internet-related security incidents seem to fall into two broad categories: anarchistic, such as defacements, redirections, and opportunistic theft of things such as user data from large corporations; and criminal, using security holes to make money, such as phishing attacks, 419-type scams, spamming, and the like – for instance, the Rustock botnet.
The first is doing it “for the lulz”. If the motivation of the UK rioters is anything to go by, it’s the Internet version of a riot; their way of striking back at authority. The second is professional criminals and scammers moving their business, like the rest of the world, onto the Internet.
Both of them benefit from the fact that, as we’ve already said, the support infrastructure for the exploited is poor, and it’s difficult to go after the bad guys, certainly when compared to being robbed in the street, for instance.
Back to our geeks with their Facebook friends in Silicon Valley. Bet you they watch Star Trek. The society that the crew of the Enterprise lives in is an egalitarian ideal; the United Federation of Planets is a co-operative society, doing (for the most part) the right thing. Sure, they have their bad guys, but they are more often than not found out and rarely get away with it.
When the Internet was built, the assumption made was that it would be other academics and like-minded, Star Trek-watching, folk that would connect to it. Those who share the same social norms.
That assumption no longer holds true, but unlike those in a Roddenberryian utopia, we’re still playing catch-up with our bad guys, who don’t share the social norms of the original Internet users.
If you’ve made it this far, thanks for sticking with it, maybe you’re still wondering what the second anniversary was?
Someone at the Dublin meeting said they almost didn’t recognise me, but in a good way; I wasn’t pale with dark circles under my eyes anymore. More than one person who I hadn’t seen in a while commented how well I looked.
It’s been an interesting, and different, year. It’s been eye-opening in some ways, relaxing at times, and challenging at others. I stayed in touch with the industry like I promised myself (and others!) I would, at times no mean feat without an expense account behind you, but I have also been able to catch up with things, and people, I’d long neglected. I even managed to indulge myself in a fulfilling hobby that also brings smiles to lots of faces.
I’ve had the break I promised to give myself, dipped my toe back in earlier this Summer, and am now gearing up to take on the new challenges that might come my way. Whatever I do next, I’m looking forward to it.