Port 80

In Neuromancer, William Gibson wrote about “black ice” - offensive computer security systems. ZDNet is running an article suggesting that this concept is one step closer to becoming reality.

Although the article is filled with misgivings about the system, I think that it’s a concept whose time is rapidly coming. The problem with the Internet as present is that is an anarchistic system, but is not recognized by most of its users as such. As a result, there is a large amount of outright negligence among those Internet users with regards to security. Countless help desk technicians and sysadmins have tried to spread the message over the last few years that security is everyone’s responsibility, but this message has been getting lost. Perhaps it’s time to apply some consequences for running an insecure system which is then hijacked and used for DDoS attacks, spamming, or hosting of illegal content.

The article makes much of precisely these hijacked users as a reason who this system is a bad idea, painting a picture of havoc unleashed upon hapless bystanders: “You may be taking out grandma’s computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up.” However, if Grandma has let her system go unpatched and un-firewalled for the last few months, opened unsolicited attachments, and generally been lax in security, the fact of the matter is that Grandma has been grossly negligent with her system’s security.

The best analogy is one of a car: If Grandma has left her Oldsmobile unlocked on the street with the keys in the ignition for the last three months, and it is taken for a joyride down Main street by a pair of teenagers, Grandma doesn’t have much of a right to complain if the police dent the car in the process of stopping it. By failing to apply basic due diligence, Grandma has left herself open to the risk of incurring damage if others hijack what she has failed to secure.

This particular issue — the ethics of negligence in computer security — is one that I have been mulling over for a few days. I hope to write a longer post, or perhaps a paper, on the subject next week in an attempt to do it justice. As more and more critical infrastructure is connected to the Internet, and as the Internet becomes more and more critical to financial transactions, it’s time to take a long, hard look about the consequences of irresponsibility on the Internet.

There is one major difference between Gibson’s “black ice” and the computer security issues we are faced with today - “black ice” was a lethal defensive system. We haven’t yet seen the first fatality from a computer virus. However, this may just be a matter of time.