Saturday, June 4, 2011

Why the bad guys are winning

On June 1st, Computerworld blogger Michael Horowitz published an article titled "Why the bad guys are winning." He listed thirty-four reasons, the last of which I hope to help him with:
  34. Judging by the stats I get, virtually no one reads this blog.
To my thousands of readers, I strongly endorse Mr. Horowitz's blog (you can link to his work by clicking on his name in the Computerworld article).

My goal today is to do a Venn Diagram showing where our two efforts intersect. Namely, Michael's first two points are the crux of my own efforts in diving into The Morgan Doctrine. His list starts as follows:
  1. The game is rigged in favor of the bad guys: To avoid breaches, the good guys have to succeed 100% of the time. The bad guys only have to succeed once. 
  2. TCP/IP, the underpinning of the Internet was never designed with security in mind. Ditto Ethernet, the underpinning of almost all local area networks. You may recall that on the Internet, no one knows you're a dog.
I've harped on these two points again and again. 

1.  The deck is indeed stacked against the good guys.

As I wrote yesterday, our cybercrime laws make it impossible for us to really identify the bad guys. Which is why Microsoft looks like a bunch of idiots. They can't even identify the author profiting from the Rustock botnet. Of course, it doesn't help that they gave the Chinese access to Windows source code. It is my opinion that licensed and bonded cyber privateers (guys with a get-out-of-jail-free card) who are bound by my Cyber Privateer Code of Conduct are the only truly workable solution. 

Paraphrasing Vin Diesel in the movie XXX, "Ya gotta treat this like a Playstation. Let's blow up some stuff!" And yes, I've given similar advice to Sony on multiple occasions (do a search in the box to the left). 

2.  TCP/IP was never designed with security in mind.

In my memorial tribute to the great Tom West, made famous by Tracy Kidder's Pulitzer-winning book The Soul of a New Machine, I pointed out that TCP/IP is just an outgrowth of DECnet and was originally designed to help academic institutions keep in touch. If we'd told TCP/IP designers that sane people would actually be using this technology to do online financial transactions, and that a whole industry called "The Cloud" would depend upon it for on-demand business communication, I'm sure their response would have been profanely incredulous.

The good news here is that "the bad guys" are constrained by the same architectural weakness as "the good guys." Which means we can turn the tables on them with the same technology they use. We can do this, that is, if U.S. law is modified to allow us to turn those tables. And my twenty-two principles for The Perfect Virus are the technological road map. 

And if we do not change U.S. law?

Not to worry, Grasshopper. It will take just one sovereign entity (e.g., Australia, Israel, Switzerland) to take a public stand and implement cyber privateering as a solution to Internet security. The first-mover advantage could net them trillions of dollars.

Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?