I had yet another journalist call me to ask if Vendor X’s security solution was the security product to solve all our security problems. The typical conversation goes something like this:
Journalist: “Hey, do you think Product A from Vendor X will solve all our security problems?”
Me: “No, I think security is only going to get worse and every proposed product is doomed to failure. I predict that within a few days the internet will collapse and online communication as we know it will cease to exist. On the positive side, we’ll all have a lot more time for our family soon.”
Journalist: [pause] “Huh?”
To be fair, a little more than half of them know I’m pulling their leg. Only a few formally ask if they can quote me.
It bothers me that a lot of journalists don’t really know security. Not that I’m an expert, but when a vendor’s press release starts out with the phrase, “We detect all threats known and unknown, without frequent updates,” I immediately discount that product.
Usually, I end up explaining to the journalist how none of the security products we use will ever be perfect because they are all point solutions ignoring the real problem: most hackers and malware spreaders never get caught. If hackers and malware writers knew we could catch them, we wouldn’t even need anti-virus software or firewalls, because our security threats would be almost gone.
This is analogous to speeding on the highway. Nearly everyone speeds because few speeders get caught. But if every speeder got a ticket every time, you’d see all drivers slow down.
The real computer security problem is a lack of persuasive authentication.
If the internet allowed default authentication and accountability for every packet and every program (from source to destination), hacking and malware would stop overnight.
In a better world, if someone sent me a malicious program, I could track it back, not only to whoever sent the program to me, but to whoever sent it to them, and so on ... back to the original creator, with nearly 100% certainty. Hacking would cease to exist.
It’s not as if this idea is unknown to the world. Many security solutions attempt to tackle authentication: PKI, S/MIME, PGP, ActiveX, smart cards, network access control solutions. But each of these is only a point solution, tackling a particular part of the problem but not every possible scenario.
Lots of people are trying to build a holistic solution, but persuasive authentication isn’t easy or fast to accomplish. The Trusted Computing Group’s open standards are a good place to start. They offer guidance to computer device manufacturers and software developers attempting to build in default trust and authentication.
The idea is that everything needs to be authenticated, including the hardware, operating system, application software, and anything the software creates or sends.
It all starts with trusted hardware components, to prevent software from manipulating and invalidating the trust routines situated in the hardware.
Currently, many hardware and CPU vendors are building TPM (Trusted Platform Module) chips onto the motherboard. Linux and Microsoft are already starting to use the chips; enterprise versions of Windows Vista will use the TPM chips to store encryption keys that lock up the hard drive prior to booting, to prevent boot-around attacks.
Once the hardware is secure, vendors can build trusted and authenticated operating systems that rely on the trusted hardware. Then application vendors can rely on the OS for trust and allow people to send trusted data back and forth.
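An added illustration of the chain described above, not code from the original article: it models the TPM extend operation, in which each stage is hashed into a register before it runs, so a change to any stage alters every later value. The stage names, byte strings and disk key are constructed, and `release_key` is a simplified stand-in for the check a TPM enforces in hardware.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def event_log(stages):
    """Register value after each stage, measured in boot order from all zeros."""
    pcr, log = bytes(PCR_SIZE), []
    for _name, blob in stages:
        pcr = extend(pcr, blob)
        log.append(pcr)
    return log

def first_untrusted(stages, reference_log):
    """Name of the first stage whose measurement diverges, or None."""
    for (name, _blob), got, want in zip(stages, event_log(stages), reference_log):
        if not hmac.compare_digest(got, want):
            return name
    return None

def release_key(current_pcr: bytes, sealed_pcr: bytes, key: bytes):
    """Simplified sealing model: release the key only to the state it was bound to."""
    return key if hmac.compare_digest(current_pcr, sealed_pcr) else None

# Constructed sample data (assumptions, not real images).
GOOD_BOOT = [
    ("firmware", b"constructed firmware image"),
    ("os_loader", b"constructed OS loader"),
    ("os_kernel", b"constructed OS kernel"),
    ("application", b"constructed application"),
]
TAMPERED_BOOT = [(n, b + b" + patch" if n == "os_loader" else b) for n, b in GOOD_BOOT]
DISK_KEY = b"constructed-disk-key"

if __name__ == "__main__":
    reference = event_log(GOOD_BOOT)
    for label, boot in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT)):
        final = event_log(boot)[-1]
        print(label, final.hex()[:16], first_untrusted(boot, reference),
              release_key(final, reference[-1], DISK_KEY))
```

Because the register can only be extended, never set, software that runs after a modified stage cannot restore the expected value.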
In the future, it is highly likely that the internet version 2.0 will require default authentication on all messages, from source to destination.