Unsafe at any speed

How likely is it that a handful of juvenile delinquents could shut down the entire internet? Not very. But how likely is it that a bunch of kids could wreak millions of dollars' worth of havoc? That would be almost routine.

The US Federal Bureau of Investigation announced last month that in December, it broke up an international ring of teenagers who had bragged that their goal was to "take down the internet" on New Year’s Eve.

Four kids were arrested in Israel, and others in California, Michigan and Washington state had their PCs confiscated and are still under investigation.

Yeah, right, you’re thinking — how likely is it that a handful of juvenile delinquents could really shut down the entire internet? Not very. But how likely is it that a bunch of kids could wreak millions of dollars’ worth of havoc? That would be almost routine.

Until a dozen years ago, nobody even thought that taking down the internet was possible. In November 1988, it took a bona fide Unix expert — Cornell University graduate student Robert Morris Jr — to create a self-replicating worm program that brought the internet to its knees.

Now, 16-year-olds try it to impress their friends.

What happened? You’d think that after 10 years of working to make the internet secure and safe for business, we’d be looking at a solid, stable platform instead of staring into the face of Armageddon with acne.

Sure, part of the problem is that over the past decade, the tools for attacking the internet have gotten infinitely more sophisticated and easier to use. These days, any script kiddie with an internet account and a few garden-variety hacking tools taken off the web can crank out worms, macroviruses and Trojan horses by the yard.

But it’s also true that the internet has grown more fragile over the past 10 years. Fragile? Sure. Today the internet is piled high with undermaintained servers full of security holes. Their owners — dot-coms and ISPs and even some corporate IT shops — are more worried about shaving the costs of running them than about staving off security risks.

Those are the systems that script kiddies target with their mutating email viruses and domain-name redirection scripts and distributed denial-of-service attacks. They can barely keep running under the best of conditions, much less withstand a clever cracker’s exploit.

And when those systems crack, they make the internet a dangerous neighbourhood for everyone else.

Oh yeah, and there’s one other thing that’s created this let’s-bring-down-the-net attitude: us. Face it, just by being there, corporate websites present a challenge to any kid with a political agenda or bad attitude or just too much time on his hands.

Once, that challenge would have required dedication for a would-be cracker to just figure out how to make contact with our systems. Now, thanks to the internet, he can collect the details of our servers in seconds.

And we’re stuck. There’s not much we can do about hacker tools and script kiddies. And there’s no way to retreat to our old corporate networks. We need the internet so our salespeople can get to customers and our inventory systems can contact our supply chains — so our users can get their jobs done. Being giant targets is our only option.

But at least we can be giant moving targets. So keep reading the security alerts and applying the patches and tuning the firewalls and haranguing the users to kill suspicious email instead of opening it.

And if the CEO grumbles about the security budget, remind him that there’s nothing as dangerous as a 16-year-old who thinks he knows everything — including how to shut you down.

And take heart: International conspiracy of teens or no, you’ll probably never have to worry about hackers taking down the whole internet.

Just your little corner of it.

Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.
