[Clips] Department of Computer Security? It's a Joke

R. A. Hettinga rah at shipwright.com
Fri Jan 20 13:05:39 PST 2006


--- begin forwarded text


  Delivered-To: clips at philodox.com
  Date: Fri, 20 Jan 2006 15:59:27 -0500
  To: "Philodox Clips List" <clips at philodox.com>
  From: "R. A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] Department of Computer Security? It's a Joke
  Reply-To: rah at philodox.com
  Sender: clips-bounces at philodox.com


  --- begin forwarded text


  From: "Mises Daily Article" <article at mises.org>
  To: <article at mises.biglist.com>
  Subject: Department of Computer Security? It's a Joke
  Date: Fri, 20 Jan 2006 10:20:02 -0500
  Organization: Mises Institute
  Mailing-List: contact article-help at mises.biglist.com




  Department of Computer Security? It's a Joke

  by Jeffrey Tucker

  <http://www.mises.org/story/2017>[Posted on Friday, January 20, 2006]


  If you want to make a geek laugh derisively, suggest that responsibility
  for computer security be turned over to the government. This reaction is
  guaranteed, regardless of ideology. Everyone knows that this is not
  possible, but rarely are the implications for political economy noted.

  Now, keep in mind that geeks know that producing fabulous looking and
  acting things for the web is only part of the job. These are people who
  spend a fantastic amount of time dealing with security issues, which change
  every season, day, hour, and even minute.

  People know about viruses. Spyware and adware, meanwhile, are an incredible
  threat to people's home computers. A new computer can be slowed to a crawl
  in a few days of quick browsing without good security against hijackings.
  And a huge industry has sprung up promising solutions, some good and some
  almost as dangerous as the thing they allegedly stop. Some of these are
  free, and some quite expensive, and the typical geek must work to discover
  what's what.

  Other threats are less well known, such as the possibility that your own
  computer can be hijacked and controlled by other people who want to use it
  to store files or scan for other hijackable ports. This is mainly a threat
  faced by servers running large websites -- huge magnets for hijackings and
  hacks -- but it even affects home computers.

  For example: I was recently talking to a technical administrator of a
  prestigious host of thousands of servers. He was amazed by the number of
  root-level compromises that had been taking place in recent months. The
  possible holes in people's systems are without limit. Software must be
  constantly upgraded. Even one small mistake can lead to data loss and
  disaster.

  He tried a little experiment. He installed a new operating system on a new
  laptop, and disabled the firewall. He then hooked it up to a non-secure
  wireless network in an urban area. The first attack came in 6 minutes. In
  12 minutes, the computer had already been hacked and was under the control
  of somebody or something else. All data on the computer was rendered
  vulnerable, available for looting or selling. In a few minutes more, it
  would have become a work station for more port scanning, denial-of-service
  attacks, or some other menacing behavior, and been added to the empire of
  servers being controlled by some of the world's smartest criminal minds.

  Not that a good firewall and secure connection are infallible solutions.
  There is always a way in for someone with high-level skills and the will to
  take the risk. To keep threats away involves the technical equivalent of
  street fights between hackers and security professionals.

  The fighters have similar skills; it's just that one group wears the black
  hats and one wears white hats. Some are criminals, some are saviors. The
  battle never stops. And yes, some of them change hats depending on their
  career prospects. The fight involves deploying skills that are far beyond
  what most any normal person could conceive of possessing. They can run
  circles around most computer science professors and even run-of-the-mill
  webmasters.

  Some will rant and rave against the security holes in proprietary products
  such as those offered by Microsoft. And users of Internet Explorer would be
  likely to agree. The thing hasn't been properly updated in many years. It
  has not kept pace with the times, and so attracts web-based evil like a
  landfill attracts flies. Other products, however, are different.
  Server-level software is constantly monitored for holes, with updates sent
  out automatically and often (though not always as often as the people might
  like).

  Still, open-source advocates say that this proprietary stuff is expensive
  and dangerous. The companies don't respond soon enough to threats, and no
  one but company employees can view the underlying code. That means that
  improvements come more slowly. With open source, the world community of
  programmers have access and work constantly to improve the product. To be
  sure, hackers too have access to the same code. So here too you have a
  battle between good and evil.

  Among the good guys, there is a debate: should software holes be announced
  publicly (full disclosure) in the hope that the firms that work on open
  source will fix it before the hackers find out? But between the
  announcement and the fix, there is a gap that hackers can exploit. Perhaps
  then the hole should only be revealed to the firm or individuals who manage
  the open-source product (limited disclosure). The downside here is that the
  people responsible will lack the frantic sense of urgency that generates a
  quick hot-fix. Geeks thrive in emergencies, while non-emergencies fail to
  inspire.

  So the debate over security rages furiously: open source or proprietary
  code, public security announcements or quiet revelations, development or
  risk? At any one time, all solutions are being used, with bulletin boards
  filling up thousands and thousands of pages of debate based on experience.
  Ideology can play a part here but, in the end, it comes down to what works
  best. And all the while, the war continues, pushed onward by the relentless
  pace of development and progress towards better living standards.

  We haven't even touched on the war between the virus makers and the virus
  killers. The competition here is also intense. When a new virus is
  unleashed, the first firm to produce the fix wins new levels of consumer
  devotion and attention. A nothing company can become the next big thing by
  producing a fix for two or three viruses in a row, and doing it before the
  established firms get there. An established firm can lose its market edge
  in a month by failing to update its virus definitions in time. The
  difference between winners and losers in this struggle comes down to
  minutes, not days or weeks.

  In this never ending struggle, there are always tradeoffs between the pace
  of development and its security risks. No software is perfect. They all
  have bugs. But people demand development. The market never rests. We must
  all take some risk. How much is acceptable?

  Competition prevails here too. A bad choice in favor of security over
  development can leave a company eating other companies' dust. A bad choice
  in favor of development over security can lead to bankruptcy in the face of
  a high-stakes security compromise. Geek personalities reflect this
  trade-off: some develop on live servers and deploy every beta the hour it
  appears, while others test and test and prefer only the tried and true.

  All these fascinating details aside, keep in mind that the terrain on which
  these wars rage is wholly market based. The idea that any public
  bureaucracy could oversee the process is unthinkable. So let us ask the
  question again, so that the reader may join in the derisive laughter: in a
  world populated by black hats, should the government be the sole wearer
  of the white hat?

  Actually, is there any point at all in giving a white hat to the state? It
  has no incentive to join the struggle. It lacks the calculational means to
  assess the trade-off between security and development. It lacks the
  entrepreneurial drive to produce either. The nature of the bureaucratic
  organization is to stay put, protect itself, and only move when kicked good
  and hard by political bosses.

  As for the power to do good, how can anyone guarantee that it won't quickly
  become the power to do evil? If experience is our guide, the government in
  a position of authority is more likely to be creating viruses and spyware
  rather than stopping them. As for the impact of the law, I vaguely seem to
  recall some legislation passed a few years ago that made spam illegal.

  Government can't produce software that can outsmart every hacker. Not now,
  not ever. But the government can violate liberty and waste vast resources
  in the attempt.

  As important as computers have become, there are interesting implications
  here. On a day-by-day basis the security of these machines is a far bigger
  matter than the threat of terrorism. Whether we like it or not, and
  regardless of ideology, we all depend on market competition to bring us not
  only innovation but also to protect us in our dealings with information
  technology. It is not a perfect solution. It can be messy and fallible. But
  the market is the strongest and best hope for security, and the alternative is
  unthinkable.

  How interesting that we have been told for, oh, some 400 years, that
  government is the agency we need to give us the security that markets
  cannot give us. There are a thousand rationales why intellectuals have
  believed this, but none of them seem very robust by comparison with the
  experience of our times.



  Jeffrey Tucker is editor of Mises.org.
  <mailto:tucker at mises.org>tucker at mises.org. Special thanks to some white
  hats who commented on this piece. You can comment on
  the <http://blog.mises.org/archives/004584.asp>blog.



  --- end forwarded text


  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text

