Why Internet Security Is So Bad

I recently read two different essays that make the point that while Internet security is terrible, it really doesn't affect people enough to make it an issue.

This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.

Posted on January 14, 2019 at 11:13 AM • 32 Comments

Comments

Clive RobinsonJanuary 14, 2019 11:41 AM

@ Bruce,

while Internet security is terrible, it really doesn't affect people enough to make it an issue.

I think it does affect them in a far from trivial manner.

However we have failed to get the message across therefore the average user "does not know" how it affects them and why it's a very real issue.

It's an important difference that the old saw of,

    What you don't know can't harm you.

In effect keeps covered up. It works rather better than,

    If you have done nothing wrong, you have nothing to fear.

Which people are finally relising is a lie, thus are taking it on board but not in sufficient numbers.

andyinsdcaJanuary 14, 2019 11:47 AM

No skin in the game. Target gets hacked, a few million credit card numbers get stolen and what happens to them? Nothing. Do Mastercard, Visa, Wells Fargo, et al sue Target for causing all of the losses? No. Target issues a mea culpa, promises to do better and everyone moves on.

David RudlingJanuary 14, 2019 12:37 PM

I think one of the things that will change (for the good) in a world of "physically capable computers" is the legal view of product liability for rubbish software. Currently product liability laws largely do not apply to software driven systems but once the "death" part of life and death starts to be addressed in courts the law may well change. Once the bottom line of companies held liable starts to feel the effect, their attitude to security can be expected to change - and that is the essential change required. Pity so many will die or be maimed before that occurs.

Clive RobinsonJanuary 14, 2019 1:09 PM

@ Daniel Miessler,

Yes, this is exactly what I talked about here.

Your paper is the second Bruce links to in his first paragraph.

Atleast unlike the CSO Online paper yours is not behind a pay wall.

Oh the "Number of people killed..." is not non zero, it might be small but you can certainly find the easy ones like those killed by hospital equipment with bad UI's. There are military helicopters that due to software upgrades have ended up killing all on board. However there are others, thousands to hundreds of thousands who have been killed by poor entries in databases. Because this never gets logged or recorded.

Then there are "Industrial Control Systems" that cause "accidents" including significant releases of radioactive substances.

There others on embeded systems in vehicles and no doubt we will see the numbers killed by "autonomous vehicles" when they get out from controled environments like Amazon's store houses onto the open road.

Software definitely kills people, we just don't log it as the cause, we find something else to blaim, like the poor bl@@dy pilot, who gets the blaim because they can not defend themselves due to them being little chunks of meat wrapped around scenery etc...

The thing is blaiming software even when verifiable as such is an "idiots game" due to "liability". Often it's quite hard to point to jusy one part and go "J'Accuse...!" . Software companies also effectively rule out litigation by their Terms Of Use contract documents.

As my son points out to me from time to time "That's the way it be bro"... Because it's legaly easier under the "Deep pockets doctrine" to go after anyone but the software companies....

BearJanuary 14, 2019 1:31 PM

A lot of people don't realize (or refuse to believe) that computer security is in fact getting better, and has been getting better since the beginning.

As one of the oldest of Olde Pharts, I remember my first modem. This was before DOS was released. Every manufacturer had their own OS, and most of them were single-tasking systems that had no provision for a signal arriving at a time the OS hadn't known in advance. And if they arrived too fast, often as not they crashed the machine. "Too fast" wasn't even as fast as you can type.

Most systems at the time had printers instead of a CRT display, so EOL characters took way longer to process. EOL's on the line were normally followed by some number of NUL's to allow the system on the receiving end time to process them, and if you didn't give somebody as many NUL's as they needed you'd usually crash either the communication software they were using - leaving the caller often as not at the all-powerful command line - or crash the operating system itself.

Communications programs were based on raw memory accesses and usually written by people who hadn't even considered what a lot of those OS's did when individual characters or character sequences that had been assigned meanings by hardware. Most computers did things based on the characters they read from their buffer before the program attempting to read them even got them. So if you wanted the operator's attention, you could transmit a series of BEL characters and make his computer beep, because that's what it did when it read a BEL. If you sent ESC EOT, often as not it would hang up the phone without terminating the communication program, and then you could call back and be connected without going through any login - which was often the "admin" mode of the host software and allowed you to do anything. If ESC EOT didn't work, a lot of systems did the same thing in response to an EOF character followed by the string "ATH" - the latter was a hardware command interpreted by the modem.

Otherwise, if you sent an EOF, often as not it would cause the host program to error out leaving you at the all-powerful command line. And so on.

This stuff happened all the time, just by accident. I wound up looking at other people's command lines - frequently CP/M filesystems - accidentally, many times, and I'd usually leave a text file with a short note explaining what bug they needed to fix in their "Ground" directory (CP/M's file system wasn't recursive. Directories had files but didn't contain other directories. "Ground" was the directory where you started). Being a "hacker" at the time just meant you made a game or intellectual challenge out of hunting down bugs in communications programs. But, for most of us, we just kept finding those bugs by accident.

That's the starting line, folks. Commercial BBS systems, let alone vast networks like FIDOnet and later ARPANET, could not possibly exist until computer security, at least in some small measure, began.

The way I see it, we're halfway through the course now. People lose track of the fact that we have in fact come a REALLY long way toward real security. And, by degrees, it's still getting better. People keep telling me real security is hopeless, but I think they're wrong. We'll get there eventually. One challenge at a time. It's just taking longer than we expected.

VRKJanuary 14, 2019 2:16 PM

Speaking of old saws

Signal evidently claims that it's

a fast, simple, and secure messaging experience
and yet everyone would also agree that it's completely useless against targeted endpoint attacks. THEN it receives our kind endorsements anyway.

People ARE absolutely blind. Ok, we know this now. Dang.

Folks, we have seen the problem logic reiterated a thousand times here. A certain vigilante road kill is contemplating talking to cell proximity sensors by sending joeblow infrared-remote airgap smokesignals, with pest control ultrasonics and incandescent Christmas lights to jam keystroke leakage. (Got the idea from Huey across the street). More dang. Or is the cigarette paper idea the only viable long distance solution in 2019. :p Keep firing your ideas into the air.

Or would someone with ACTUAL talent please hide away in a cage long enuf with a soldering gun, and a pipe to newark to fix this mess?

Hint: The robots apparently can't refill the 3D printer.

"God hides stuff at times; but kings like dragging it into the open."


Petre Peter January 14, 2019 3:39 PM

"The Internet has become physical infrastructure; now it's becoming physical.

Anon Y. MouseJanuary 14, 2019 4:45 PM

"This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data."

Prezackly.

Starting with self-driving cars, aka autonomous vehicles. It's like
extending the Internet Of Things to include 2000-pound, wheeled robots
set loose on public streets.

Proponents of self-driving cars claim that they will be able to "talk"
to each other to exchange information about road conditions, etc. Which
means they will be subject to denial of service attacks, virus infiltration,
etc.

If we have the means to do secure vehicle-to-vehicle communication, then
we could use those same means to secure the Internet. And if we can't
secure the Internet (and so far, we can't), then what makes anybody think
we can securer V2V communications in self-driving cars?

VinnyGJanuary 14, 2019 7:17 PM

@Bear re: security improvement - I think you will find that there are several readers here of the same approximate vintage. When I began, modern personal computers bore brands such as Altair and MIT. My first commercial system was an IBM Model/3 with input from 96 column punch cards (an IBM mid-range variation on Hollerith.) In absolute terms you are of course correct - there was approximately zero security. On the gripping hand, there was also approximately zero threat, and what really matters is the effectiveness of security vs threat. On that score, I am far from convinced that the situation has improved, or is improving...

Ron GJanuary 14, 2019 9:01 PM

"...while Internet security is terrible, it really doesn't affect people enough to make it an issue."

Tell that to all of the tens of thousands (at least) of people who had to evacuate their buildings on December 13th, 2018.

Tell that to all of the officers and swat teams that had to be called out in response to the multitude of spam bomb threats across at least five countries.

Clive RobinsonJanuary 14, 2019 11:12 PM

@ Bear, VinnyG,

Re the security -v- threat time line.

Yes computer security did improve quite quickly untill we got to "firewalls and AV software" then it virtually ground to a halt other than "Patch, patch and yet more patching" of OS's and applications. None of which realy do much more than diddly squat against phishing or other social engineering attacks which predominate these days.

Even "black listing" has too large a window of opportunity for attackers and "White listing" only has limited use due to the fact you usually have no control over what a site you have white listed does about security.

Every so often I ask the question that could be seen as the ultimate white list,

    Why are so many work PC's inappropriately connected to the Internet or other networks?

The few answers that come back are realy handwaving or excuses... Simply cutting them off from such networks would make a major improvment in most work place security.

The other problem is the threats, basically Politicians fear the internet whilst other criminals see it as a new place to ply their trade but with much less risk.

Attackers come in two basic types those who target and those who are opportunistic in a target rich environment.

It's been said you can not stop a "targeted attack" actually that's not true. There are several layers of targets which are generaly based on the amount of resources an attacker is prepared to use against them. Most actually stop long short of either "infiltration" or "black bag jobs". Not being connected to the Internet or any other networks puts you in the position of being "targeted attack proof" unless you are of sufficient interest to attract the much greater level of resources. And prottecting against those sorts of attack need entitely diferent resources than those of the ICTsec domains.

As for the "Opportunists" if you are not connected to the Internet or other networks, they are not going to see you because you are not in their target rich hunting environment.

As for what goes on behind the political and SigInt edifices, I'll leave that alone for now as the post is long enough as it is.

CallMeLateForSupperJanuary 15, 2019 7:57 AM

@VinnyG
"correction: IBM System/3 (not "model")"

I almost corrected you. :-)

When I began, there was no such thing as "personal computer". The closest thing, size-wise, were mini computers from the likes of e.g. DEC, Data General, Hewlett Packard, but they usually bolted into 19"-wide "telephone" racks. Think microwave oven. And they were anything but mini from a cost and weight standpoint.


@Bear
I worked with CR, LF, and Bell. Ugh. Like you imply, today's "new line" - moving a cursor full left and to the next live - hadn't been invented yet. Because.. carriage.

The shrewd operator sent *two* CR, expecting that the first one would complete during the second one and before the linefeed.

Oh... and on those dear clatter-box Teletypes, sending Bell caused an actual bell to ding.

VinnyGJanuary 15, 2019 9:58 AM

@Clive Robinson re: state of security - As I read your reply, it occurred to me that perhaps we (wide scope) should be separating practical security measures into two domains: those measures that can largely be automated; those measures that intrinsically rely on knowledge on the part of the user or user's direct (human) proxy.

albertJanuary 15, 2019 10:19 AM

@Clive,
"...Why are so many work PC's inappropriately connected to the Internet or other networks?..."

Indeed.
And why are most work environments provided with wifi?
Why do they have easily accessible USB ports and optical drives?

In the good ole days, everyone used work computers for non-work-related activities, because they couldn't as yet afford home systems, especially Internet-connected ones.

We're way past that now.

Or are we?

. .. . .. --- ....

parabarbarianJanuary 15, 2019 10:39 AM

When I worked as an engineer in Aerospace, we had a saying: You can have Good. You can have Fast. You can have Cheap. Pick any two.

Now that I work in IT, my experience is that Fast is firmly in the drivers seat and Cheap rides shotgun. Good is allowed to sit in the backseat as long as he keeps his mouth shut. If Good does speak up he is immediately thrown under the next available bus. I suspect this why we do not have secure software. People want features and they want them at low cost. Manufacturers respond to the price signals that the customers are sending.

Some (many?) people find low security not just tolerable but actually desirable. If you are ever in a trolling mood, just bring up securing the authentication, authorization and accounting (AAA) on voting and watch the excuses fly.

Patrik chartrandJanuary 15, 2019 10:54 AM

More and more as I encounter negative impacting events on the job - (As IoT Design Engineer and Full Stack) - I realize that widespread eduction is the first form of protection.

Perhaps an initiation to Cyber Security should be taught in middle school.
More and more we see programming being taught to early age kids, In my opinion this does raises the overall risk level.

Ok I am calling my congressman...

FrankJanuary 15, 2019 11:17 AM

Shouldn't we see it coming already? Automated cars ... already hackable and ever will be. The more we will have on the street, the more interesting it will become for hackers. By chance, accident or intention... there will be blood!!! :-(

HJohnJanuary 15, 2019 11:34 AM

One problem with technology is so much of the use and decision making is being performed by people whose VCRs have been flashing "12:00" for two decades.

Clive RobinsonJanuary 15, 2019 11:46 AM

@ VinnyG,

it occurred to me that perhaps we (wide scope) should be separating practical security measures into two domains

It would be a sensible starting point.

@ Albert,

Or are we?

I remember a time when the D in BYOD, stood for either "Drink" or "Drunkard", depending on who was inviting who and to what social event.

But insanity now says it's "Device" and it's not social but work... So the Boss and his boys get to put their iPlodephones or Handroid directly onto the core systems the company are reliant upon. Then act surprised when it all goes wrong.

Maybe DIY should now be "Do in yourself" or "Dumbass Incharge Yipes"...

Clive RobinsonJanuary 15, 2019 12:39 PM

@ Frank,

Shouldn't we see it coming already? Automated cars

The bottom line is nobody sees the car that runs them over as a threat untill it's way to late to do anything to stop it...

Nearly all automobile accidents happen due to people not paying attention. Most usually the person being least observant is the one causing the accident, who is also the person who can most easily stop it progressing towards being an accident.

Clive RobinsonJanuary 15, 2019 12:44 PM

@ HJohn,

One problem with technology is so much of the use and decision making is being performed by people whose VCRs have been flashing "12:00" for two decades.

That's because they work silky hours have no social life don't have a partner, thus no kids to set the VCR for them...

Speaking of Children how are your "youngsters" I should think they must be getting on for their teens?

MikeAJanuary 15, 2019 12:45 PM

The argument in the (second) paper seems to be based on "so far, so good" and "mostly harmless", but I still see more than I'd like of "frog boiling" and "first they came for ... and there was nobody left to speak out for me".
By the time the Lizard People (or however you imaging powerful sociopaths) have gotten so cheeky that even self-described "normal people" (non-tech, 90+ percentile, or imagine themselves as such) notice, the boot will be millimeters from their own faces.

HJohnJanuary 15, 2019 2:25 PM

@Clive Robinson: Speaking of Children how are your "youngsters" I should think they must be getting on for their teens?
__________

Great memory, Clive! My identical twin daughters will be 10 in June.

Hope life is going well for you!

Clive RobinsonJanuary 15, 2019 3:45 PM

@ HJohn,

Hope life is going well for you!

Well the medical proffession as normal have decided I'm a contrary person... The latest is I now have AF with an ECG pulse rate of around 150-60 when sitting normally. It then goes up to around 180 when just slow walking. There is a little formular that says max heart rate equals 210 minus your age in years. As I'm older than our host who is 55 today you can see I have a "hit the end stop" problem... But there is the contrary side as well, which is occasionaly my heart was beating about once every five seconds... Which might acount for me nose diving into pavements and carpets if lucky, or furniture which generally was unluky for it. So they have fitted a pace maker to stop it dropping below one beat a second, which is fine by me. However it's pushed the resting pulse rate up a little bit with the result I've been hitting 220 BPM when doing house work with a duster... This causes me to start blacking out because the blood is not actually getting pumped when the heart runs that fast...

So walking a tight rope still, even if it's a different on, but... With the chance that with careful excercise managment I can atleast start getting some of my fitness back :-D

As for your twins, I wish them well and hope they do well at school thus have choices in life. Contrary to the old saying the more you know generally the better you can get a grip on the madness we call modern living.

tiger_spotsJanuary 16, 2019 1:01 AM

I think that readers of this blog probably have only the vaguest notion of how security illiterate many internet users are, and even very computer savvy people may not know how much even their deliberately publicised info can affect security.

As a freelancer, I've occasionally taken temp jobs. One of these revealed that the company intranet for the call centre of a major international brand looked much like a "worst web design faux pas of the dialup era" just two years ago, flashing gifs and all. I can't imagine what the security was like in this third party call center, with multiple well known brands using their call centre and logistics services. Add to this some shockingly poor to non existent integrations of various parts of the website / order system, and the fact that the call centre agents had minimal training, minimum wage (with no enhancements for late hours, national holidays, or overtime), and average churn rates of staff lasting less than a week.

What it did do is serve as a stark reminder that we really don't know where our data is or who has access to it. Everything ran via Citrix over the same infrastructure that bad design staff member was in charge of.

As for the effects of general poor internet security, many many people will still happily plug bank and PayPal details in to Internet Explorer long after their computer is an infected popup laden mess. Just because you don't know anyone personally like that doesn't mean there aren't plenty out there. Companies are hardly going to bend over backwards to be secure when many users have no idea about protecting themselves or what good security looks like.

Even my bank has replaced an easily remembered word and number combination username with an impossible to remember so must keep it safely stored. Well done bank.

wowowJanuary 16, 2019 3:11 AM

“Deepfake porn,” which involves using artificial intelligence software to swap faces in pornographic videos, is quickly emerging as a troubling new method of sexual exploitation. Motherboard has reported extensively on the growth of this worrying phenomenon, by which celebrities, exes, or classmates can be made to look like they’ve participated in porn.

Notice severe hash collision: "EXEs"

still workin' on support

bonus: linguistics and phonemics of those without teeth (or any other biological part).
bonus: linguistics of those who mistranslate or misunderstand the words "literally" and "literal" and "liter" and "litter"

"homologues/homologs/homonyms/homogenous/etcetera"

This is still a severe issue in my opinion.
Spelling and grammar analysis functions and pragmatics are not easy.
The English/Ingles/Spanglish/Espanol/Spanish language set is too problematic

Also, words that end in common affixes/suffixes/etc are an accidental vulnerability much of the time.

Also tragic is ".bis modem or router speeds" "biss" and the word "new" just do NOT combine safely.

The words "NEW" and "fresh" are pretty much off limits for those of us trying to prevent hash collision disasters which affect much much more than data.

Safety and security and hope without built-in prisons and "walls"

sincerely,
wowow

Trung DoanJanuary 16, 2019 5:28 AM

Might part of a solution be "Name & shame"? Say, an online list of makes and models with known problems. Before buying, buyers consult it.

TRXJanuary 16, 2019 10:36 AM

> And why are most work environments provided with wifi?

And why do even cheap USB inkjet printers have wifi enabled by default, and "strongly suggest" you let them upload every print job or scan to someone's "cloud"? And why do they need a built-in web server that can't be turned off?

Lots of people worry about malware and routers and hackers, but other than cursing at the price of cartridges, printers are never on their radar...

madmikeJanuary 16, 2019 6:30 PM

@Anon Y. Mouse

"If we have the means to do secure vehicle-to-vehicle communication, then
we could use those same means to secure the Internet. And if we can't
secure the Internet (and so far, we can't), then what makes anybody think
we can securer V2V communications in self-driving cars?"

I think networked self driving cars are a safety and liability nightmare just waiting to happen but we'll rush full steam ahead for the sake of convenience.

Sounds like an assassination vector. Just hack some dignitary's car and run it off a cliff.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Security.