"a fish, a barrel, and a smoking gun"
Last week's "distributed denial of service" attack that disabled Yahoo, Amazon, eBay, E*Trade and other popular Web sites has already produced some solid results: helpless hand-wringing, pompous declarations and amusingly ineffectual government conferences. What it hasn't produced, as of this writing, is a perpetrator. Which just means that everybody's looking in the wrong place. The guilty party is obvious, and right under our noses.

Does anybody know where Kevin Mitnick is?

Only kidding. Mitnick, recently released from the Jenny Craig Federal Correctional Facility, is probably the one person in the country who can safely be ruled out, his parole agreement forbidding him to do anything more technologically sophisticated than banging two rocks together. But that leaves plenty of other people to point the finger at, and the population of the Net, never a group for quiet reflection when wild hysteria will do, has enjoyed a merry week of pointing it at just about everybody. Among the potential culprits: Microsoft, the Russians, Linux, the FBI, college students, Microsoft, the affected sites themselves, the disgruntled DeCSS crew, security experts, Microsoft, and Suck.com.

The actual perpetrator is more likely a surly thirteen-year-old kid, tired of knocking over neighbors' mailboxes. Or he's a railing anti-consumerist, hopped up on grade-B agitprop and ready to take down the Man. Or he's a Canadian (you just know they're involved somehow) amusing himself by testing what makes Americans panic. The specifics hardly matter.

He's armed himself with a Linux box, a few readily available
tools set up both. The technical-knowledge-to-media-impact ratio of this caper is laughably low. Just a few hours at the keyboard and wham! He's notorious. Or he will be if he fails to keep his mouth shut. If you're looking for sponsorships, Jacques, we'd like to make an offer.

But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down. And if such vandalism is inevitable, and it is, then the responsibility for preventing it falls to the targets, and the society that they make up. If politicians, business-owners and retailers agree that the scourge of spray paint is dangerous enough to keep locked away from anyone not old enough to be drafted, then we sure as hell should be doing something about IP.

IP, or "Internet Protocol," is the Net's lingua franca, and it was created decades ago. Its main goal was military, to route data around outages and ensure that email could still be delivered in the event that, say, the Soviets managed to wipe Chicago from the face of the earth. Security did not play a big part in the design of what everybody assumed was going to be a cooperative network.

When academics, programmers and some forward-thinking companies discovered that a resource existed for easily communicating among different, private networks, a task bordering on the impossible before the Internet, they all jumped on board. As the Net grew, the inherent value of the common protocol grew as well, until suggestions to change it caused people's bowels to loosen. Why bother? Things are working fine!

Then the Web hit. Today, billion-dollar companies, not to mention trillion-dollar economies, depend on IP for their future growth, if not their continued existence. Poor IP just isn't up to the job. You can fatten the pipes to shuffle more data around, you can slap cryptography around each packet to make sure that your credit card number arrives safely at hotlesbiansexxx.com, but you can't stop low-level hacks like smurfing, SYN floods and other denial-of-service attacks. IP is broken, bucko, and there's nothing you can do about it. solutions to the basic failures of the protocol, but all of them have gone almost exactly nowhere.

A while ago, amid fears that the Internet's "address space" was running out, there was a big push for an improvement called IPv6. IPv6 solves many of the problems of the current version, including preventing untraceable network attacks like last week's. But as concern about address space faded, so did the enthusiasm for the switch-over. The earliest date for an IPv6 Internet is a decade in the future. The vast majority of applications and operating systems don't even pretend to support it. As the foundation of the Internet has rotted away, the people capable of pushing for improvements have been too busy being fat and happy. Why bother? Things are working fine!

Of course, the improvements in IPv6 are not without detractors. The protocol, for instance, allows each and every packet to be traced back to its source. This feature raises a host of privacy issues, but all of them are fairly easy to solve, and most of the solutions are already implemented, in the form of anonymous remailers and anonymizers. Keeping the current, outdated version of IP on privacy grounds, because it can be easily hacked to hide your identity, is short-sighted and stupid.

Internet apologists make loud noises about how nobody was really hurt by last week's attacks, how no data was lost, how this is all a big to-do about nothing, foisted on us by the clueless media herd. They cite the "client side" as the real problem, the millions of badly administered computers just waiting to be exploited by crackers for their own ends. They note that brick-and-mortar stores are "down" for twelve hours every night. But each of these arguments misses some fundamental points.

1) This is the brave new world that we're talking about here. Glibly comparing the Web's limitations to the long-derided weaknesses of "meatspace" may be convenient, but it is a huge rhetorical step backwards.

2) Securing the client side (an enormous proposition, even before the widespread roll-out of DSL and cable modems) addresses the symptoms, not the cause. Excusing the inadequacies of IP by shifting the blame upward, to the operating system or the system administrator (especially if that "system administrator" is just a Windows user), does nothing to solve the actual problem.

3) Who says the next attack will be on such meaningless targets? Amazon may not be vital to your life, but these problems affect the very DNA of the network, the foundation of the entire Internet. Giggle into your sleeve at all the hapless suckers banging on the doors of E*Trade if you want, but everybody is walking around in a bull's-eye t-shirt.

The Internet is a technological marvel, regrettably built on a rapidly expanding swamp. All the laws and caveats and justifications in the world can't change that fact. Moving to a more robust, more secure protocol will be expensive, inconvenient and time-consuming. But until the major beneficiaries of the Net (the government, the dot-coms, Microsoft, the Linux crowd, everybody) manage to get off the collective crapper and do it, they've only got themselves to blame for what's happened and what's to come.

courtesy of Greg Knauss

pictures Terry Colon