Originally published in May 2005
I am interested in computer security. I have been since I worked at what was Coopers & Lybrand in their Computer Audit Assistance Group in the 1980s. There have been a lot of changes since then, but I think there are a few areas where we have not made much progress.
We have virus checkers and spam checkers. Microsoft has improved security so much that popular humor columnist Dave Barry wrote that, with their security features enabled, it was impossible to either send or receive email. Security for the “corporate” environment has improved (well, at least the entire mail system is not being shut down these days by script viruses), but no one is looking out for the needs of the small business and home user.
I have the ability to send digitally signed and encrypted email. I have had it for years. Every year, I test it to make sure I still know how to use it. I thought, maybe, if I used a secure method to identify myself, people might not be afraid to open my emails. But hardly anyone uses digital signatures or encryption. When we check our email, we are told that we must only open mail from entities that we trust. We trust what we see—despite the fact that we are told how easy it is to generate fake emails.
The protections against Identity Theft and fraud are a joke. Last month, two Boston Globe reporters wrote about how easy it was to forge one another’s identity and get hold of fraudulent credit cards. They did it in a few days.
There are computer security and identity mechanisms which can be used to help protect us. I wish people would start using them.
There are quite a few firms that offer help in this area. Unfortunately, I think most of them are more interested in exploiting computer security for profit than in making computers more secure. The same goes for identity theft. Until we get financial institutions more interested in protecting our identities than in how many new cards they can issue, or how many more special protection add-on packages they can sell, we are in big trouble.
Widespread adoption of computer security and identity management is required and that is not going to happen unless there are some major changes. There are a few organizations that are trying to promote a more “trusted computing” environment. There is the free thawte web of trust at http://www.thawte.com/wot/ for acquiring personal email certificates.
There is a more expansive effort by the folks at CAcert.org. They offer free digital certificates for a variety of purposes. I was certified by a member of their board of directors. I am a Notary Public in Massachusetts. In my opinion, CAcert’s free certification process was just as valid as that afforded by the Commonwealth of Massachusetts to notaries.
I have looked into getting certificates from other sources, but when they tell me it costs $400.00 (or $600) per year, I don’t pursue it. But their certification and approval process is basically the same. And I am pretty sure the person who would approve me is sort of like me, but with a few more restrictions on what he could do. So the person doing the certifying might be instructed to only provide certificates to those whose payment clears and then, maybe they check to see that there are no outstanding felony warrants for the applicant in the local police jurisdiction. That person would get a certificate—so what if he also wants to take flight lessons (but just for taking off, landing is not necessary), that’s not his problem.
Quite honestly, given the shafting the public has gotten from such corporate stalwarts as Enron and Worldcom, I am more inclined to trust the little guys.
When I worked at Coopers and Lybrand (PriceWaterhouseCoopers in its current incarnation), I worked on a little project evaluating a manufacturing software package for its security features. As it turned out, my assessment got me into hot water. Another Coopers office called the partner in charge of my unit and said: “What is this guy trying to do? We want to do business with these folks and we can’t have one of our staff members saying that one of the primary security concerns for this package is that it be properly installed and administered.” I should say, for the most part, that I saw a lot of good work done at Coopers; however, there were instances where I thought they could be investigated under the Racketeer Influenced and Corrupt Organizations (RICO) Act.
There are legitimate concerns about the security mechanisms I am alluding to. But way too often, I think we are just nitpicking.
I remember reading an article “Hello World Gets Mixed Greetings” that illustrates my point in the ACM’s February 2002. A teacher puts forward an example of a first programming assignment, and generates a lot of controversy. The example program took around 10 lines of code; the comments explaining its deficiencies filled up pages. It’s a first assignment, not OOP in a nutshell. We often find a lot of negative things to say, and not much positive.
I think the computer security world should shift its focus from trying to get it perfect, to getting people to start using existing technologies and to committing to be responsive to needed changes.
The benefits of using the existing technologies outweigh the potential cost of their being exploited. There are billions of dollars being lost in fraudulent transactions every year using existing safeguards. If we believe we can totally prevent fraud, we are sadly mistaken. If we believe we will find a one-size-fits-everything solution, we are sadly mistaken. No matter what, some people will still manage to shoot themselves in the foot, despite the safety.
So what to do? Doing it now imperfectly versus waiting until later to get it perfect is a theme expressed in “Speed is Life: Street Smart Lessons from The Front Lines of Business” from Lycos founder Bob Davis. If doctors waited until perfect cures were found, many more of us would be dead. You can’t wait for perfect, but you can get something pretty good today—why not use it?
I hope the folks at http://www.CAcert.org are successful. I hope that someone stops the folks who have sent me hundreds of emails offering penis enlargement. I hope we come to our senses and realize that we can’t trust the FROM field in our emails and that all of our lives would be easier if all computer code was signed and that we could have assurance that the developer’s identity could be verified.