Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

It’s common knowledge that using something you don’t
understand means incurring a certain degree of risk. Since computer users can’t
possibly know everything about the software they use—and most users have no
hope of writing it themselves—they must accept some degree of risk when using
the Internet.

But security risks are cumulative, and I believe we’ve
reached a point where it’s no longer possible to hide the fact that there’s a
horrible problem with core Internet security—from the architecture of TCP/IP to
the applications used on PCs worldwide.

However, keep in mind that how we arrived at our current
Internet security problems is rooted in the past. Does that mean we’re too late
to redeploy core Internet security? Let’s look at how we got here.

Ancient history

More than a decade ago, after recovering from multiple
security incidents with Sendmail and the Washington University-modified FTP
daemon, I decided to write my own implementation of some of the core Internet
application programs. Of course, as with most programming tasks, I didn’t
finish what I set out to do.

I had the skills, but the job just required considerably
more effort than I was willing to commit. In addition, I was writing my own
code, and none of my coworkers were proficient in C or C++ at the time—meaning
I was completely on my own.

I did manage to write a specialized POP3 daemon, which, at
the time, operated in a considerably more secure manner because it didn’t
require root-level privileges to operate. Unfortunately, I failed to recognize
that POP3 servers are generally not interesting targets for would-be intruders.

So, while I partially accomplished what I set out to do, it
didn’t have any significant impact on Internet security where I worked. I fixed
a security problem that didn’t yet exist, and the time it took to implement the
security outweighed the benefits it offered.

Then again, this was 1991, and the vast majority of people
had no knowledge or use for the Internet on a daily basis anyway. While
security incidents did occur, they didn’t target general Internet users—there simply
weren’t enough of them to make it worth the effort.

The more recent past

Of course, we’re all aware of how things have changed. With
the millions and millions of users now surfing the Web—many of whom couldn’t
care less about security—incidents take on a whole new importance.

In my opinion, the companies that dominate the Internet,
particularly the incumbents such as Cisco and Microsoft, have been asleep at
the wheel for a long time. For example, Microsoft ignored the Internet until it
became clear that it posed a threat to the software giant’s operating system
dominance.

When Microsoft finally did respond by producing its own
Internet applications, it focused on developing competitive products rather than secure ones. And this behavior has continued. Rather than embracing
the goal of security by design and attempting to redeploy Internet core
applications and protocols, these companies have simply maintained the status
quo.

But Cisco and Microsoft aren’t the only companies to blame.
There are hundreds of companies producing Internet products that are more
concerned with sales than developing a product that’s superior in both function
and security. And there are more than enough users willing to accept that
someone else is looking out for their security.

The tumultuous present

All of this has led us to the current state of problems with
the Internet. On a daily basis, users face the perils of viruses, spam,
spyware, phishing, pharming—and the list continues to grow. I recently read
that a single e-mail worm (a Sober variant) may be responsible for more than 75
percent of all virus activity and more than 5
percent of all e-mail, and the news was far from surprising.

If a company such as Microsoft or Cisco had researched and
implemented an open standard to replace SMTP, I’ll bet this e-mail worm wouldn’t
even exist. But even so, it’s a good bet that something else out there would be
causing problems on the Internet.

What next?

When it comes to computing and technology, we’ve established
a “culture of convenience” that emphasizes usability and enjoyment
over everything else. We have produced software and deployed technology using
the Internet without paying any regard to fostering an understanding of its use
by consumers or its impact on security.

And I believe this will be the downfall of the Internet as a
whole. While I don’t think the Internet itself will cease to function, I
predict that, for a lot of people, the costs of Internet security will eventually
outweigh its usefulness.

In my opinion, we’re close to reaching the point where we
have only two choices. The first option is to change the culture of the
Internet, which is probably impossible. The second choice is to completely
redeploy core Internet security—from top to bottom. While this option may also
appear impossible, I believe it’s the only viable long-term solution.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.