
Why It's IT's Job to Rescue the Internet

Written by Rick Cook
10/26/2012 43 comments

The Internet has enormous resiliency against damage. Unfortunately, it has very little against malice -- and that's becoming an ever-larger issue for IT managers.

While it's not true that the Internet was designed to withstand damage from a nuclear war, it can handle external threats with its decentralized, packet-based architecture.

However, the people who designed the network trusted each other, and by extension, all the other people who would use the system. They were worried about communication, not security, and they didn't think in terms of intrusion from within. As a result, the Internet is frighteningly vulnerable to malicious disruption from the inside.

Map of the Arpanet, a precursor to the Internet, c. 1974.  
(Source: Wikimedia)

As the Internet has moved from being a tool for a few academics to a central part of our culture, we have been correcting this, but not nearly fast enough. There are still far too many vulnerabilities to attacks by bad guys -- attacks that can do anything from making a Website unavailable to bringing the whole Net to its knees.

The process of fixing this is painfully slow, partly because it's hard to change something as big and sprawling as the Internet has become, and partly because the vast majority of IT managers and administrators are blissfully unaware of just how vulnerable the whole jury-rigged contraption really is.

At this point, change isn't so much a technical problem. We know what we need to change, and in most cases we have several different schemes of change to choose from. The real problem is generating enough awareness to force the change. In large part, this is going to be a job for IT management.

Indeed, if IT managers and other people using the Internet do not wake up and demand change, some bad guy is going to collapse the whole thing, causing chaos.

One of the contributing problems is that many of these vulnerabilities involve Internet minutiae that most IT managers, never mind ordinary users, aren't familiar with. The problems take a lot of explaining, no matter how dangerous they are.

Take, for example, the Internet's creaky routing system, and most specifically the Border Gateway Protocol (BGP). BGP is the glue that holds together the sub-networks that make up the Internet. Its job is to keep correct routing data so packets of information from inside an area are correctly routed outside the area. Since the Internet has no central directory for all routing, this is obviously a vital service. Unfortunately, it is also a vulnerable one. Or, as one Internet engineer put it: "The dirty little secret is that the Internet is still a handshake deal."

Theoretical diagram of the Border Gateway Protocol (BGP).  
(Source: Wikimedia)

BGP is also responsible for updating routing information sent to connecting ISPs. If by accident or malice the ISP shares incorrect information, the routing system can blithely propagate it to all the other ISPs it is connected to. They blindly forward it on, and very bad things happen very quickly.

This isn't theoretical. We have already seen instances where by design or sheer dumbness the routing protocols have failed spectacularly.

In one notable example, a good part of the world was cut off from access to YouTube in 2008 because the authorities in Pakistan ordered their national ISPs to block access to some "anti-Islamic" video on YouTube. The ISPs took the easy way out and changed the BGP routing to dump all YouTube requests generated in Pakistan.

The short form is the ISPs made a mistake and transmitted the incorrect routing information to a regional center in Hong Kong as well as Pakistan. From Hong Kong, the new -- and incorrect -- routing information propagated to routers all over the world, and pretty soon everyone was trying to use the wrong directions to get to YouTube. The protocols accepted the changes as entered and knocked out access.

Now one can argue that cutting off access to YouTube might even be a public service, but the danger is that this can be done to any Internet address anywhere in the world. In fact, it could be done to hundreds or even thousands of them. The result would be ugly in the extreme.

Like most Internet vulnerabilities, this isn't a technical problem. There are a number of active proposals for modifying the BGP to make it significantly more secure, and most of them would work. (You can find a more complete discussion of the problem and proposed fixes here.)
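
As an added illustration (not part of the original article, and not one of the specific proposals it alludes to), the sketch below shows the kind of check that a router accepting changes "as entered" does not make: comparing each announced prefix and origin AS against a table of authorized origins, in the style of RPKI route origin validation. The prefixes, AS numbers, table and function names are constructed for the example, and it assumes routers forward along the longest matching prefix, which is why an unverified more-specific announcement pulls traffic away from the legitimate origin.

```python
import ipaddress

# Constructed ROA-style table: (prefix, max prefix length, authorized origin AS).
# Documentation prefixes and documentation AS numbers; none come from the article.
ROAS = [("198.51.100.0/24", 24, 64500)]

# Constructed announcements as a router might receive them: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # legitimate origin
    ("198.51.100.128/25", 64511),  # more-specific route from an unauthorized AS
    ("192.0.2.0/24", 64502),       # prefix with no authorization record
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # some record speaks for this address space
            if origin_as == roa_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def best_origin(dest, announcements):
    """Longest-prefix match: the origin AS that traffic to dest would follow."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in announcements
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def drop_invalid(announcements, roas=ROAS):
    """Keep 'valid' and 'not-found' routes; discard only 'invalid' ones."""
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "invalid"]

if __name__ == "__main__":
    for p, asn in ANNOUNCEMENTS:
        print(p, asn, validate_origin(p, asn))
    print("accept everything:", best_origin("198.51.100.200", ANNOUNCEMENTS))
    print("after filtering:  ",
          best_origin("198.51.100.200", drop_invalid(ANNOUNCEMENTS)))
```

Routes with no authorization record are kept rather than dropped, so a check like this only protects address space whose holder has published a record.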

Fundamentally, the problem is getting the momentum to actually implement the solution Internet-wide.

This and similar security holes aren't going to get fixed until IT managers everywhere demand it. It will take a broad effort to fix these problems and that will require broad and deep support from IT professionals of all stripes.


— Rick Cook is a prolific technology writer and author of the Wizardry series of fantasy novels.

pcharles
IQ Crew
Monday November 19, 2012 6:18:20 PM

I guess that's why Republicans & Democrats argue about the role and size of government in our society.

There has to be some middle ground that provides balance.

Kim Davis
Thinkernetter
Friday November 2, 2012 4:33:56 PM

I think you're right, pcharles. We need to see organized, systematic cooperation between the various standards bodies, and bodies responsible for the Internet's infrastructure, but there would be significant downsides to placing control of the Internet in the hands of one, solitary organization (even if it could be done, which I doubt).

nasimson
Thinkernetter
Friday November 2, 2012 3:43:50 AM
After reading this article, the first and last thought that has popped into my mind is that after cyber crimes like hacking, cyber bullying, stalking etc., internet now has to face a problem which, up till now, seems undecipherable except to the IT specialists.
Moreover, if this problem remains unsolved and IT managers will not succeed in surmounting this harmful activity, the internet world & thus the physical world will remain vulnerable.

pcharles
IQ Crew
Wednesday October 31, 2012 11:57:25 PM

I have stated this previously that there are 'standards' organizations but who is really checking them??? I think it needs to be an ecosystem of standards rather than a single body making rules that are tough to enforce.

KMT568
IQ Crew
Wednesday October 31, 2012 7:45:30 PM
That is an interesting idea, but I think it would be very hard to make the Internet a data less place. I do think that with all the emphasis placed on the Internet, better measures need to be taken to protect the storehouses of data.
nathanwosnack
IQ Crew
Wednesday October 31, 2012 3:04:11 AM

I think that the argument of the article is that IT people understand the technology, and should use their inherent techie bully pulpit to influence management and other decision makers to implement better security. For in the end, everyone looks towards the engineers and other techies to solve these problems as we see with BGP.

Also; "Now one can argue that cutting off access to YouTube might even be a public service, but the danger is that this can be done to any Internet address anywhere in the world."

- Hehe. Hilarious. :)

robjvargas
IQ Crew
Tuesday October 30, 2012 11:04:23 PM

I think part of the problem is that the standards bodies (using the term rather loosely) have different objectives.  I seem to recall that OSPF was intended as a Cisco-proprietary protocol that enabled a level of performance that other switch and router manufacturers would have trouble emulating.

Also, there are some functions that may work better inside a private LAN one way, that should operate somewhat differently for Internet.  One rather rough example is that I still see devices with serial management ports, although that kind of communications over the Internet is very much the minority.

Paul Whyte
Researcher
Tuesday October 30, 2012 3:50:09 PM

So that makes it hard to effect the needed changes Rick is talking about in this blog. But these organizations are supposed to collaborate when it comes to important decisions that affect the future of the internet.

robjvargas
IQ Crew
Tuesday October 30, 2012 2:52:05 PM

There isn't one body, Paul.

IETF, IEEE, even national and regional bodies.  Isn't OSPF a Cisco creation, not a real standard?  So manufacturers have a role as well.

nimantha.de
IQ Crew
Tuesday October 30, 2012 11:19:07 AM

I don't think it's only IT's job. It's everyone's duty. Basically non IT guys are the most users of internet and they are the people who find strange but useful research stuff via IT.
