I’m weary. Very weary. There is just so much to keep up with in the way of patches and fixes for security vulnerabilities across so many applications and in nearly every OS that I no longer even bother trying to stay on top of it all. My main concern, of course, is Windows/Microsoft and the applications that run on that platform. But I do have to keep up with some Unix/Linux and legacy apps.
We’re losing the race, you know. The bad guys are winning and if we don’t make some major changes to our Fundamentally Vulnerable Structure, computing as we know it is doomed. Let me defer to my favorite tech guru, Steve Gibson, again:
…the architecture, the fundamental design of our machines are not secure. I mean, the fundamental architecture, the design, evolved from a time when there was absolutely no, and I mean no, concern about security…. But there was, once upon a time, no concern for security. It just wasn’t…on the map at all. And it began, of course, in the mainframe era, where you started to have multi-user systems where they said, okay, well, we need some sort of authentication…. So that sort of, that notion of some concern for security began to happen.
And then of course the Internet sort of grew organically from an experiment in, gee, could this notion of autonomous packet routing work on, be a scalable solution so that we’re able to connect things? And I remember when I first began hearing about this notion of a global network. It’s like, okay, well, that’s ridiculous. You’re not going to have that. Well, whoops. We do.
But no one foresaw what’s happening now–or if they did, they didn’t prepare for it. It all just kind of happened. Hell, I remember when I first got on BBSs back in the ’80s using a terminal that printed out the “session” on thermal paper. Years later, the “internet” was just starting and I had to dial up to some long distance phone number in New York City just to download a few messages–which took a long time at the incredible speed of 2400 bps. And you know what? I can still dial up an ISP with a modem and access the Internet.
In those “good ole days,” I wasn’t connected to the global network every time I turned on my computer; I had to specifically request a connection. And that connection was terminated as soon as I did my business. The rest of my work was done off-line. I read my email, composed my replies as necessary, then uploaded them as a batch to be sent by the mail server. Simple. Pretty secure, too. I never got a virus from a pure text file.
Sure, we had viruses back then; they spread by floppy disk. Most of them were nothing more than practical jokes and did little damage, so no one paid much attention. We should have. In 1995, I was hit with a boot sector virus that destroyed the data on my hard drive. That incident completely wiped out the only electronic copy of a how-to book I was selling. I had a hard copy, but it took me a month to reenter all the text.
A week later, my boss’s son was hit by the same virus and almost lost all of his thesis for graduate school. Fortunately for him, I had found a way to remove the infection and restore the master boot record so he lost nothing. That was my very first success as a security professional and one that I’ll never forget. But I didn’t foresee how bad it would get; I just kept fixing the problems as they occurred.
Just like everyone else did.
And now we have the cat-and-mouse game of security as it exists today.
It’s time to hit the “reset” button on all of this and completely rethink our computing model.