The following represents my own personal opinion and in no way reflects the views of James Madison University or the Commonwealth of Virginia...only that of someone who wonders where all this is going to lead.

February 28, 2000 Gary Flynn

Once upon a time, the phone company highly restricted the types of devices allowed to connect to its network. Some cynics may argue that this was a monopolistic practice solely for the purpose of making money. Given today's experiences with open networks, I'd have to argue their explanation about assuring the security and availability of their network certainly had some value.

At the time, they mainly had to worry about electrical characteristics...frequencies, signal strength, modulation, etc...that assured proper signaling and transfer of simple audio content. In other words, hardware. They also didn't have to worry too much about any complex, harmful effects on the phones at either end. On the Internet, we have software to worry about. Something that is almost infinitely variable. The electrical characteristics of the pulses that make up packets have very little to do with the disruption that may be caused by the digital content of the packets. And the effects on the phones, i.e. our desktops and servers, are extremely variable and of immense importance.

Although software engineering practices and computer science have continually made possible larger and larger software projects, the correctness of high level design, algorithms, business logic, and low level programming methods continues to be lacking which results in making software bugs the commonplace occurrence that every computer user nowadays accepts and expects.

The devices we attach to today's network are highly complex and highly functional. Much more so than most computer users realize or are able to cope with. Yesterday's companies had professional system administrators to take care of complex, network connected systems. Today's desktops, that present services to the world, can generate traffic at wire-speed, and often automatically download and execute code from anywhere including email and web sites, are administrated by the person who just unboxed it from the local department store and plugged it in expecting instant world-wide access and functionality limited only by the programmer's imagination. Technical training for these programmable, network connected boxes often consists only of how to click the browser icon. Anything more than plug-n-play is viewed user unfriendly and to be avoided at all costs. "Computers should be easy to use ". Just keep adding code. Even professional administrators today cry foul when software is difficult to configure, complex, and/or inconvenient.

Whereas viruses that attach themselves to other programs have some commonality that may let heuristics in anti-virus tools detect new ones, destructive standalone programs may not have readily detected commonalties except for their capabilities to open a network socket. The only solution to avoid such programs is careful desktop administration (which has thus far proved untenable for typical "personal" computer users),   restricted program usage, and/or the proper installation and configuration of local network access controls such as personal firewalls (which are also not a guarantee and depend upon the user's administration capabilities).

The industry has had problems with viruses, system break-ins, and various types of denial of service attacks for years. The evolution of such attacks into higher forms is inevitable given the fertile breeding ground of exploding Internet connectivity, the aforementioned bugs and complexities, and the rapid integration of network functionality into mainstream and rapidly changing end user applications. The recent tools used in distributed denial of service attacks, automated vulnerability mapping and exploitation software, the cross-site scripting issue, and the widely circulating remote control trojan programs are just four recent examples. As motivational factors to subvert security grow with e-business, Donn Parker's "automated crime" is just a short step away.

While merchants and credit card companies are responsible today for the bulk of any loss caused by online fraud or compromise this may not always be the case. The vulnerabilities associated with unsafe operation due to complexity, insufficient administration, and imperfect software cannot be tolerated when the desktop is going to be used for online banking, tax filing, voting, legally binding digital signatures, legal notifications, or storage of sensitive records.

While yesterday an organization concerned about security would communicate over dedicated, leased lines, today's organization, if it uses anything at all, uses VPNs and firewalls...still over the same shared network, still with some amount of universal accessibility. Indeed, an organization wishing to be accessible to the general public has no choice but to connect to the public Internet.

In summary, the basic technology model in today's Internet includes programmable, highly complex, unadministered machines indiscriminately connected to a shared, mostly unrestricted network of like devices. Its been wonderful. I love it. But I regretfully suspect that one of the two will need to change to provide for any semblance of order and security.

In a free society, people are allowed to travel and interact with others basically at will. Antisocial behavior is discouraged by things like social mores, the desire to fit in and be constructive, and the fear of punishment. In the Internet, computer communications are allowed to travel and interact with others basically at will. However, the factors discouraging anti-social behavior are much less effective. Near instantaneous and remote communications make trouble making easy and nearly anonymous. Social mores vary in the world community. Hackers may believe in what they do just as terrorists believe in their causes. Those same factors, combined with the struggles of politicians, lawmaking bodies, the courts, and law enforcement to deal with highly complex, rapidly changing, and interwoven technical, multinational, and philosophical issues make fear of getting caught or punishment questionable.

The situation is unfortunate. Its another example of how uncooperative members of a free society force extra burdens of regulations and restrictions on cooperative members. Perhaps everyone that wants to save the Internet as a free network should turn in a cracker/vandal every day. On the other hand, if all the "pleasure criminals" are gone, nobody would tell us how vulnerable our infrastructure is except the professional thieves and terrorists taking advantage of it.

The commercial world is taking over the Internet. Money and politics are becoming major factors. When such things as commerce, stock trades, banking,  political campaigns, and tax filings become dependent upon the network, it is just a matter of time before the network becomes designated a "national strategic resource". (OTOH, a paranoid person may suspect big government or big business of originating the recent attacks to accelerate the loss of free and open communications. Or perhaps the perpetrators are Luddites. Who knows.)

Perhaps its time to look at how the wild west can be settled.

• Perhaps two networks will evolve. One will be similar to today's Internet. Sort of like Citizen's Band radio. A "regulated" free for all. The other will use the restrictions outlined below and be the one that everyone uses for E-business, online stock trading, online banking, etc. Or, for that matter, any type of content or transaction where confidentiality, integrity, and availability are a concern.
• To solve the maintenance and vulnerability problems with today's desktop, only certified devices of a very different nature will be allowed to connect to the "secure" network. These will be hardware only devices that provide no programmability. Maybe only crippled web browser functionality. More like a telephone with highly defined functionality than a general purpose device like today's PC. In a few years, they could be wearable, contain a fair amount of local storage, and provide biometric authentication of identity.
• To ensure that subversive techniques that may evolve even with these restricted devices are not able to indiscriminately cause problems, the devices will have embedded IPSEC combined with higher level PKI content tied to licensed certifying authorities that will label packets with the source's nonrepudiable social identity. Of course, this brings up enormous privacy issues.
• ISP connections will constantly test connected end devices for compliance with the aforementioned rules. Perhaps the devices will have embedded 16,384 bit keys tied to their license in some way to prevent unlicensed devices from working.
• Something similar to an FCC license (and its testing) will be required to become a network provider of any type on the "secure" network whether it be a web server, email server, or game server. Licensees must demonstrate the skills needed to supply safe, secure, trustworthy, and cooperative services similar to public transportation or a public communications station. Its only a short leap from there to requiring that they provide "community service". Unsafe servers or those operated outside the terms of their license are removed from the network just as are unsafe vehicles or noncomplying communications stations. Repeated offenses result in loss of license.