OS/2 eZine - http://www.os2ezine.com
February 16, 2002
Pete GrubbsPete Grubbs is a self-described OS/2 wonk, a former doctoral candidate in English literature at Indiana University of Pennsylvania, a former part-time faculty member at Penn State and is still mucking about with a copy editing/creation service, The Document Doctor, which tailors documents for small businesses. He has also been a professional musician for 20 years.

If you have a comment about the content of this article, please feel free to vent in the OS/2 eZine discussion forums.

There is also a Printer Friendly version of this page.

Previous Article
Next Article

Buy the CD 'This Space for Rent' by Pete Grubbs

How Secure Do You Want to Be?

For some of us, IT security isn't anything new or chic; it's been an issue for a long time, but it's received even more attention since the events of September 11 last year. I've devoted one or two editorials to the subject as it pertains to OS/2, but I think the combination of Bill Gates' vision of the 'home of tomorrow,' along with Microsoft's Passport and .Net initiatives coupled with their latest difficulties in creating a secure product make it appropriate to consider the issue again. We OS/2 users may not have a great deal of leverage in this situation, but we can have some impact, even if it's relatively small and local.

Let me tell you about Cows

I was raised on a working dairy in Western Pennsylvania, so I grew up with cows. In some ways, cows are a good binary example: They're either in the pasture or in the barn. When they're in the barn, there are walls which control their movements, keeping them out of places they shouldn't be (the feed box) and in the places they need to be (their stalls so they can be fed, milked, and so on). When they're in the pasture, there are electric fences (on our farm, at least) which perform the same function walls do in the barn. It was my job to build and maintain these fences. Armed with wooden posts, rolls of smooth wire, insulators, nails, hammer and post maul, I'd head out at semi-regular intervals to deal with the damage caused by deer, wind storms and fallen tree limbs. In theory, my outings should've occurred once a week, but that was more the exception than the rule. In theory, I should've found every weak post, cracked insulator and down line that was there to be found and, for the most part, I would. But there were times when I overlooked something that would short out the fence. It's not that I'm easily distracted, but I had other responsibilities on the farm, as you might imagine, and I had other things in life I wanted to do. Fence building isn't nearly as exciting as it appears on the surface and it's hard to meet hot chicks when you're in the middle of the woods, miles and miles from the nearest town.

Now, contrary to popular belief, cows are not stupid; they're abysmally stupid. As our vet once said, "Cows are the only animal that can stare at the same spot on a wall for six months and not go stir crazy." However, what cows lack in intellect they more than make up for in focus. For a cow, there are only three important things in life: Eating, reproducing, and sleeping, in that order. A hungry cow will go to great lengths to eat. She'll stretch to the end of her chain to reach one mouthful of ground feed, even though she's cutting off her own oxygen supply in the process. She'll kneel down and stretch under a hot fence wire to wrap her tongue around one tuft of grass at the risk of getting zapped.

She'll run the length of the pasture to be the first member of the herd to the barn when it's time for supper. Healthy cows are, in fact, obsessed with eating and it is this focus which makes them difficult to keep inside a fence. You see, cows are convinced that anywhere else MUST have better fodder than the pasture they're currently inhabiting. If you were to plant a pasture in the middle of the Sahara desert, water it constantly until it had grass two feet high, fence it off and put a herd of cattle on it, at least one tenth of them would look longingly over the fence at all that sand, certain that they'd be happier there.

And they'd do exactly what our cows did: They'd patrol that fence constantly, inspecting every millimeter of it, looking for a way through it. They'd spend every waking minute of their time searching for a way into the desert. I've actually watched cows look at a fence for hours, trying stare to a hole into it. Rest assured, when there's a flaw in a fence, at least one animal will find it, communicate the discovery to her mates and head through it, looking for something to eat.

What happens when you have a situation like this? Cows get out. It's as simple as that. They may not get out every day; they may not get out every week, but they do get out and then you have to chase them down, return them to their pasture, repair the fence and get ready for the next time. The only way to keep cows from getting out of a pasture is to avoid having any cows in the pasture. Nothing else is 100% effective. Nothing.

Why should I care about Cows?

After years of dealing with cows and fences, I finally asked myself a simple yet crucial question: Why is it so difficult for me to keep cows in a fence? The answer I came up with was just as simple: Cows have nothing else to do but get out of fences. They don't file income tax forms; they don't write articles for magazines; they don't attend Broadway shows; they don't get distracted by life's minutiae. They live to get out of fences. So, I reasoned, if I want to build fences that cows can't get out of, I have to build fences with the same attitude cows have when they're trying to get out of them. Building the fence is the whole universe; nothing else matters; nothing else is important; nothing else exists.

Crackers, Cows, Security and You

What, you may reasonably ask, does any of this have to do with Microsoft and security issues?


You see, I know that the only completely secure information is information that's never been written on paper or saved to disk. If it's been committed to some media, it isn't secure. Period. It may be difficult to retrieve, particularly for someone who isn't supposed to get it, but there is always an irreducible chance that it will be retrieved by someone who isn't supposed to have it. The only way to make it truly secure is to avoid putting it on any media. Everything else represents just one of the many various levels of insecurity. So, when we consider that all saved data is inherently insecure, we need to know what prevents this data from being accessed by someone who isn't supposed to see it. It's a lot like the fences I used to maintain for my folks. There are firewalls, and passwords, and best practices, and so on, but it finally comes down to this: The fence will only keep the cows in (and the crackers out) if the people maintaining it are as obsessive with their job as the cows and crackers are in their attempts to breach a given system. A large chunk of the real issue becomes, finally, how devoted security people are to their jobs.

Now, I'm not here to cast aspersions upon anyone who does this for a living. I'm not suggesting that the vast majority of people working in security have any huge morale problem or conduct themselves less professionally than anyone else in IT. However, I am suggesting that, as a whole, they're probably not any more professional and committed than the rest of the IT world. In other words, they go to work every day for the same reason you do: They get paid for it. They have lives beyond their cubicles; they have interests which have nothing to do at all with computers, networks, security, crackers, code and caution. They're real people.

On top of all this, let's not forget how difficult some of the world's most popular software is to keep secure. I subscribe to e-mail news updates from ComputerWorld and e-Week and it's a rare week indeed when those publications aren't reporting a new flaw in a Microsoft product which can be exploited to launch a DDoS or other attack. Granted, the kind of intense scrutiny that Windows is subject to would stress damn near any product, but the continual race by Redmond's Richest to release code that was developed with an attitude that stressed features and ease-of-use over security certainly hasn't helped matters. So, take ubiquitous IT products that require lots of time to maintain with regards to security, add IT staff that may very well have other jobs to do besides security plus lives beyond their desks, and you get the current situation we now face: secure it ain't.

Crackers, on the other hand, are more than a little obsessive when it comes to cracking. They sit down to their machines and hack for a variety of reasons, but few, if any, do it because they're paid to. To swipe a phrase from the U.S. Department of the Navy, for them, "It's not just a job; it's an adventure." I'm betting that crackers do what they do for the same reason that I'll sit at my machine for 6 or 10 or 12 hours at a time when I'm really hooked on a game. I'm not getting paid to ruin my posture and my eyesight; I'm doing it because I want to solve the problem, to beat the game. I want bragging rights when I beat Diablo before either of my sons do or get an all-time score in Civilization III that's twice as high as my buddy's best game. I don't get paid a dime for it, but I've done it before and I'll probably do it again as soon as I find a game I like well enough. Like me at a game or cows on patrol, a cracker isn't concerned with the clock or a paycheck, office politics or work schedules. He's concerned with winning the game and, if he's as obsessive as I am, he'll stay with it until he gets into a system. The fact is, anyone who is willing to commit sufficient time and effort to breach a system can and will.


. . . . . . This just in: Bill Gates, Chief Software Architect to God and the ENTIRE UNIVERSE has just announced that "Security is Important." Millions of IT professionals around the world stood in awe of this colossal insight as pundits and their editors slobbered in ecstasy. Yes, a scant 14 years and billions of dollars after the first self-propagating worm was released on the Web, Mr. Gates has devoted his company's energy and focus to creating secure software. Experts expect results any minute, as soon as Microsoft's entire corporate culture, history and product line can be rewritten. We now return you to our regularly scheduled rant, already in progress . . . . . .


An Island of eCS in a sea of Windows

As the world is coming to know, Bill Gates has a plan for everyone who sallies forth on the Web. He's going to make it easy for those users to buy, sell and move around the cyberverse by providing a cental location for all of their personal and (pertinent) financial information. He also has a plan for the PC networked home of the future: Every device in the house will communicate through the home's wiring with a central server that's linked to the Internet. Your refrigerator will talk to the server to let you know that you're out of milk or eggs; your heating system will keep track of energy usage in every room, adjusting itself for optimum performance and efficiency; your voicemail will follow you around, ringing your cell phone or PDA to get priority messages through, and so on. Of course, all of these units will depend upon Microsoft software and a Windows operating system to function. When you consider the multiple layers of complexity that each networked device will bring to the system as a whole and Microsoft's track record on security, it's a pretty good bet that someday we'll read headlines about a cracker who used a networked toaster oven to access servers at the Pentagon. And when that happens, I hope people like you and me still have eCS or another version/offspring of OS/2 around to work with, but the final decision on that issue comes down to us.

The economic inertia Windows has now will continue to keep it on desktops and servers for years to come, regardless of litigation and Microsoft's version of innovation. It is hard to imagine (hard for me, at least) what economic forces could break the company's grip on the IT world. And, for all the blather that Microsoft has tossed around through the years about being responsive to users' needs and wants, it's always been pretty apparent that those issues aren't really driving the company's agenda. If they were, it wouldn't have taken them nearly a decade and a half to make security a top priority. (After all, the billions of dollars that have been lost to crackers, worms and viruses didn't come out of Microsoft's bank account; they came from the pockets of those customers who relied on Microsoft products. I can't think of a single CFO who would welcome that sort of unnecessary expense. Conversely, there must be hundreds of executives who would've gladly lost the animated paper clip that made Office so unique and efficient in exchange for better protection against Word macro viruses.)

The eCS-OS/2 situation is quite a different story. eCS users have a direct impact on the day-to-day decisions made by Serenity Systems. We may not be able to realize our slightest whims or fancies, but we can have genuine, meaningful dialog with Bob St. John and Kim Cheung and we can affect the choices and decisions that eCS vendors make. Personally, there are a number of capabilities I'd like to see in future versions of eCS, but I can live without any of them if they compromise its security (or stability, for that matter). With that said, here's my agenda for eCS:

In a culture which seems to be hurtling recklessly towards coerced collaboration and a default standard that severely limits personal privacy, I want software that allows me to decide which information is private and which is public and gives me control of that information. I want tools that enable me to do my work efficiently without forcing me to surrender my privacy (by requiring me to provide information about myself that I don't want to make public) or my ethics (by lying about said information). I want to be able to choose something that definitely differs from the norm, the de facto standard. I want it to run every day without fail. I want it to put me in control of the data I entrust to it, not the other way around. I want to spend the majority of my time working with it, not maintaining it. I want it to enhance my productivity, not detract from it. I want to control what happens on my computer; I don't want anyone else, crackers, friends, enemies or software vendors, to control my computer. In short, I don't want the Windows paradigm.

Give me a product like that, keep it reliable and secure, and I'll stick with it until the cows come home.

Previous Article
Next Article

Copyright (C) 2002. All Rights Reserved.