Tuesday, January 24, 2012

Cyber construction

kw: observations, computers, computer security

I've been reading a book about computer hacking, the criminal kind. I find it remarkable just how easy it is. Most of the exploits we've read about have, as their underlying secret, a bit of social engineering. Someone got talked into revealing a password. In any operating system, there are a great many vulnerabilities, but it is typically easier to deceive someone to get access. Our human monitors need our support, because they are both the strongest and the weakest link.

There are problems in general with writing computer software. Computer code is remarkably fragile. A programmer (or programming team) has to think of literally everything that the program may be faced with, and write specific code to respond appropriately. A saying has been going around for years: "If we built houses the way we write computer programs, the first woodpecker that came along would destroy civilization."

I realized why this is so: the materials of construction do not have innate properties that help a program builder achieve his or her objective. If you build a house using stone or brick, the characteristics of the materials automatically assure a basically secure structure. You don't have to worry about (most) people blasting their way in through the wall, you just have to worry about making the doors and windows secure. Think of the three little pigs. The only weak point in the brick house was the chimney, and it was small enough to be defensible.

People have been learning how to build with stone, brick, wood and other materials for thousands of years. It was largely a matter of learning which material has what properties. Computer code has no intrinsic properties that can help you. We have been building software for only about seventy years (except for Ada Lovelace, who wrote software in the 1840s). We have no "stones", so we have to invent them. Software libraries provide building blocks that make programming easier, but there is still a problem. Most of those "building blocks" are still made of "jello". We haven't truly thought of everything yet.

This is because computer code is inherently bosonic, rather than fermionic. A digression into particle physics is needed:
  • Bosons obey Bose-Einstein physics and, in particular, can pass through one another; many can occupy the same space simultaneously.
  • Fermions obey Fermi-Dirac physics and, in particular, cannot pass through one another, but bounce off one another; two fermions cannot occupy the same location.
Light is made of bosons called photons. Matter is made of fermions such as protons, neutrons and electrons.

In cyberspace, everything is bosonic unless you specifically write fermionic properties for it. An environment such as Second Life has to be very carefully written, with a good "Physics package" to ensure that you don't walk through a wall. Otherwise, walking through walls is the norm. Buildings would not need doors. Our best security software is an attempt to produce a solid door. Sadly, even the best "firewall" software is a bit softer than the average piece of Balsa wood. If you can't prevent a break-in, you at least have to make the firewall "noisy" so it lets you know when it was broken through.

At my company, a double-layered firewall scheme is used, with plenty of very "noisy" alarms to log entry attempts (or entries), but the key to keeping our environment secure is a large contingent of people who spend all day, every day monitoring the noisemakers and snooping on the incoming traffic. Intrusions still occur, but it's a crack team; not much gets by them, and never for very long.

Thus, people are still the key to good security. Imagine if the front door to your house was made of rice paper (like the internal walls of Japanese houses). You'd need a hired team of bodyguards to keep strangers out. People are fermionic; things bounce off and stuff can't pass through unnoticed.

Until our software libraries include truly bullet-proof code, we'll continue to need human monitoring of everything. That's why you need to have strong passwords (ten or more characters, MiXed CasE and with numb3r5, at the very least), but you also need to monitor your accounts and keep good relations with the folks at the other end who are tasked to also monitor things. A skilled social engineer may get past a company monitor, but if those monitors know you are watching, they are less likely to give in to the blandishments of a fast-talking impersonator.

Jesus said, "When a strong man, fully armed, guards his own house, his possessions are safe, But when someone stronger attacks and overpowers him, he takes away the armor in which the man trusted and divides up his plunder." A hint: hackers are clever, but not strong. Guard your own stuff.

No comments: