Professor Hannu H. Kari of the Helsinki University of Technology is a smart guy, but most people thought he was just being provocative when he predicted, back in 2001, that the Internet would shut down by 2006. "The reason for this will be that proper users' dissatisfaction will have reached such heights by then that some other system will be needed," Kari said, "unless the Internet is improved and made reliable."
Ed Amoroso, CISO of AT&T, says that among the 2.8 million e-mails sent to his company every day, 2.1 million, or 75 percent, are junk. The increasing clutter of online junk is driving people off the Internet. In a survey by the Pew Internet and American Life Project, 29 percent of respondents reported reducing their use of e-mail because of spam, and more than three-quarters, 77 percent, labeled the act of being online "unpleasant and annoying."
Kari may have overstepped by naming a specific date for the Internet's demise, but fundamentally, he's right. The trend is clear. Amoroso of AT&T believes that the fundamental security problem is that during the past decade, and quite unintentionally, the network's intelligence has migrated to the edge. "We're all sys admins," he says. And millions of end users holding sway over their security settings translates to millions of potential dumb configurations, boneheaded double-clicks and unintentional security lapses. Accidents happen, and bad guys take advantage of the fact that not all end users are created equal in terms of security. After all, Amoroso argues, do you control power distribution around your house, or do you just plug stuff in?
He thinks AT&T can make a ton of money off this idea: Return control to the network providers (like his own company's phone system in the 1970s, he says, a time when Ma Bell controlled everything, including the technology's interface), and let the providers charge you for doing all of the filtering, traffic analytics, worm detection and incident response. "That's my solution," Amoroso says. "Create a service. Make money."
Mary Ann Davidson, CSO of Oracle and champion of the quality coding movement, says she's tired of coders arguing that their jobs are too creative to eliminate errors such as buffer overflows—that coding's an art, not a science. She applauds ethical hacking, where developers attempt to break software before selling it. Davidson says some schools now divide developer classes in two, a green team for writing code and a red team for breaking it. The application's relative security becomes part of its final grade. "Why isn't that standard development process?" she asks.
Part of the problem of securing business online is that the risk is often invisible. In the physical world, visual clues exist to help us discern who's a legitimate merchant and who's a crook. We know which neighborhoods to go to and which ones to avoid. Several people suggest using XML and meta-data to tag websites with safety, reputation, past performance and other security ratings to act as signposts for dangerous cyberneighborhoods. A virtual Better Business Bureau could manage the data so that when users visit a website, their computers pull down the XML meta-data about that site. The data might tell the browser to go ahead and load the page because this really is a bank's website, their reputation is good, and they use strong encryption and have appropriate privacy policies. At bad sites, the browser would simply deny the page load, thereby preventing a phishing scam or some spyware from being installed on the user's system.
Setting up that independent managing body to not only create the meta-data criteria but to manage it, too, would be a huge job. But it would protect us from our blindness to online warning signs in profound ways.