Internet security hasn't improved in 20 years
In other news, Windows is still a thing.
It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht* hacker collective famously testified before the US Senate that the internet was hopelessly insecure. Wysopal, now a successful entrepreneur and computer security luminary, recently went back to Capitol Hill, …
Anyone else have a wonderful sense of nostalgia about those 10-15 years from '85 to 1998, when everything was changing on a daily basis and computing was still so exciting? We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi (is that a word?).
Now it seems that the only new things are that some company releases a new website with a variation of an old idea, Trello pushed aside for Monday.com. Or in gaming, it's gone back to who can come up with the biggest market share of a new rip off of Unreal Tournament.
We can still hack at the grassroots level, there's still fun to be had but somehow it seems that reading about the great times we lived through, for me at any rate, the sparkle of something new in computing each day simply died somewhere back along the road in the late 2000's.
RE: Nostalgia - I remember reading a lot about L0pht in 99/2000. I may even remember the senate hearing. Was it in Computer Weekly? Certain names certainly popped out, Mudge, Space Rogue - those, and others, certainly came up time and time again.
Anyone else read, or used to read, Attrition.org? Still going.
Nostalgia: absolutely. I got hooked online in 94, after a decade of tinkering on what can only be called computers, and I remember L0phtCrack fondly. It helped me sell the idea of 2FA for VPN connections in the late nineties.
But if you feel that the “something new each day in computing simply died” you’re doing it wrong. I can still have loads of fun with a Raspberry Pi and my son.
Let’s face it, we were maybe “colossi”, but only because there were giants before us. Let us now be the giants on whose shoulders our offspring will stand.
Thus spoke AC, end of sermon (cue tolling bells)
> Anyone else have a wonderful sense of nostalgia
Nope... because a ton of shit didn't work.
I remember having to compute modelines to get X11 working for a particular monitor/graphics card combination, and if you got it wrong, you could damage your monitor.
And while I'm at it, I remember shitty fixed-sync monitors. And monochrome monitors. And burn-in. And focus/degaussing problems.
I remember the nightmare of getting RS-232 working between devices that weren't a computer and a modem, and playing "guess the pinout" and trying to figure just what parts of the "standard" each side supported.
I remember slow-as-shit networking. When it worked. I remember Winsock issues.
I remember if you wanted to play this cool game, you HAD to have THAT graphics card. And not just a particular brand, but a particular model.
I remember if you wanted something faster than 9600 baud, you had to buy the same brand of modem as the other end of the connection.
Fuck all that broken shit.
The seat of the US Congress, comprising the Senate and the House of Representatives, for anyone who has never seen an American movie.
And for those individuals, congrats on getting your education from a more reliable source*.
*Any other source is a more reliable source
We're not going to see any significant change in the law until cyber crime and/or cyber war start doing much more damage than they are now. I don't like to put out suggestions that might inspire bad actors, though I wouldn't actually be telling any big secrets. But, some day we're going to start hearing some really horrific things--much more terrifying than any of these mass shootings we're seeing. And, those selling us this technology that we're using are going to have to deal with a seriously angry consumer culture--especially when the wrongful-death lawsuits start flying.
@ GnuTzu
Except that you will most probably find that lawyers acting for, <insert named software/hardware corporation>, can clearly demonstrate beyond any meaningful doubt that any such matters, of which you foretell, are all comprehensively covered in the associated EULA(s).
You and I et al, as end users, will just have to soldier on and keep paying out for SaaS, together with so-called malware protection and monthly updates. I agree, such outcomes are likely to be very messy, but it won't be the peeps at the top who get shafted, it never is.
"BZZZTTT!! 1992 is *not* pre-internet"
did you try reading *the next goddamn sentence of the quote* or did you just skip immediately to the comment section with a big smile of anticipation at just how fucking clever you were about to prove yourself to be? That's pretty fking insufferable, you know. Jesus, just keep it in your pants and read the context.
"This is pre-internet, 1992. If you were on the internet then you've [either] got a corporate or academic connection. I was working at Lotus at the time and I was dabbling with understanding the internet..."
BIX and Delphi both had some commercial Internet access in '92. I knew of several BBSes that offered shell accounts with full Internet access (such as it was) in late '84 or early '85 ... I ran one of 'em. It was coloed at the old CO on Bryant Street in Palo Alto, which allowed connection to both the NSFNet and the ARPANet via connection to the fledgling BARRNet. Over all of 6 USR HST modems, at a blistering 9,600. And trust me, I was neither corporate nor academic in that venture. My several dozen subscribers paid just barely enough to keep the lights blinkin'.
It wasn't strictly legal, but it wasn't strictly illegal either. The PTB knew what I was doing, and pretty much looked on me as an anomaly that they tolerated with some bemusement. My friends elsewhere with similar setups were seen pretty much the same way. Two of those friends were in Boston. The "brilliant" kids in the loft (I can't bring myself to type skiddie/haxor today, sorry) somehow managed to miss their local resources. Sad, that.
BIX and Delphi both had some commercial Internet access in '92.
True, and we could certainly quibble about whether 1992 was pre-commercial-Internet. I think most people who remember the historical details would be more likely to call 1991 the watershed year for commercial Internet; that's when CIX was formed and ANS CO+RE opened for business.
But 1992 was when ANS and CIX agreed to interconnect, and when the SAT Act changed the NSFNET usage terms to allow general commercial traffic. (There had been limited "experimental" use of NSFNET for some commercial traffic as early as '88.)
So while it's inaccurate to say that there were no commercial Internet users in 1992, most commercial users got connections after that year.
There is no consequence for writing insecure software. No vendor therefore gives a shit.
There is also no consequence for deploying that insecure software and not keeping it patched against whatever holes they found last month. The small amount they pay in fines when hacked is still cheaper than mitigating the risk, and customers have very short memories.
As I've said before:
All code is written by offshore idiots to the lowest price
This shitty code is in your medical devices, cars, industrial systems, phones, apps and most devices in your homes. It's present on every website you visit.
Insecure by negligence and stupidity, it's everywhere in your life.
But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1%, so fuck you.
All code is written by offshore idiots to the lowest price
Even just the "offshore" part of this is patently untrue, probably for any continent. I haven't verified that there's anyone writing code in Antarctica at the moment, but unless that's where you live, you're prima facie wrong.
Just as a software application has its exploitable bugs removed and is made secure, more features are added, which are buggy and exploitable. And by the time these newly introduced flaws are fixed, new features are added...
Humans can be manipulated into breaking secure software or passing on login credentials to strangers just as they always have been.
Ergo, I am not surprised Internet security has not improved.
I am not surprised Internet security has not improved.
There's probably no useful definition of "Internet security" that's acceptable to actual security experts, and claiming the security of any non-trivial system has or has not "improved" is a dubious proposition as well. But under any reasonable threat model, software security has improved significantly over the past few decades, in the senses of removing many prominent branches from the attack tree and increasing costs for attackers. It simply has a long way to go yet.
On Flag Day, January 1, 1983, TehIntraTubes (note: no "Web") switched from NCP to TCP/IP. It wasn't secure. We knew it wasn't secure. And we knew it couldn't be made secure. But that was the entire point ... it was designed to make it easy to share stuff globally, not to block the sharing of that stuff. To this day, it's still not secure, and still can't be made secure. Not without another Flag Day, when we change from TCP/IP to whatever comes next.
The first Flag Day went without a hitch. The next one will probably be globally traumatic. I'm not looking forward to it.
I was smoking some good weed back then and can remember 19k2 was as fast as you got back in 1993, what were you guys smoking ?
56k modems didn't come out till '98-2000.
Back in 95 we had a max 28k bulletin board connection to a small local ISP which had an ISDN line back to the local university. Log on daily, do an up/down load then logout.
ISDN terminal adapters run at 56K (probably 57600 to match the serial port speed, to be pedantic), an ISDN routed connection runs at 64K per channel. That may account for the memory. Towards the end of dialup this caused problems, because some TAPI profile creators forgot terminal adapter mode existed.
V.90 was late 90s, yes, because it needed an ISDN endpoint. Plenty of places were still using standard phone lines.
No patience required, it was text only. How fast can you read, anyway?
And of course, binaries were batched for overnight transfer ... Not a lot of cute cats & pr0n in the days of Procomm & Qmodem[0]. Odd that they were still a good percentage of the traffic, though ...
[0] tip or cu, if you were more enlightened.
the days of Procomm & Qmodem
Telebit Trailblazers were my drink of choice, before I had a 56K leased line. SLIP over those for interactive stuff, then drop the SLIP connection and use the modems' uucp g-mode spoofing for bulk transfer. Worked fine for editing code with vim and the like.
It's easy to pin this on the Big Bad Companies more than willing to take your money peddling sub-par unfinished wares left and right - and they totally do deserve everything they get blamed for and more; but the truth is* all their cost-cutting and greed contributes to the problem of insecure software only peripherally - it does not create it.
Simply put, I don't think there's any field of human endeavour where piled-up complexity is comparable even within orders of magnitude with what is happening inside computers today; and it has long ago reached and far exceeded the limit of what we - or the tools we were able to create - can cope with.
Once it was feasible to write a piece of code on a Spectrum that did all you wanted done and exactly that, without any bugs. It was incredibly hard, but it could be done. It still can be done with a microcontroller with a few kilobytes of RAM and ROM. But not with any OS-driven PC or smartphone, with its gigantic spider-web of layers upon layers of libraries and frameworks and services all full of unforeseen edge cases and imperfect joints.
And that's only the parts that - against all our efforts such as they are - end up too rickety to support their own weight; we have yet to account for the myriad of other places where the bracing is more or less reasonably sound, but not armour-plated: all the code that manages to not collapse on its own but remains vulnerable to deliberate malicious interference. How much time does it take to create the best, most solid code we can possibly create, such as that governing spaceships and aeroplanes and weapons...? Years and years - and even so that code doesn't typically need to withstand getting picked apart and abused by adversaries, since most of it remains inaccessible to tampering.
Bottom line, since this rant is getting too long anyway: we would need to stop releasing ANY new software for a whole decade. Everything frozen in time. NO new features whatsoever - none. The world's entire IT industry, only hunting and fixing bugs and vulnerabilities. And you know what? After ten years, having gotten rid of everything we could find, there would still be countless bugs and countless vulnerabilities still remaining in all that code, only now a number of "Y" instead of "X". Not "some". Not "few". Not even necessarily "fewer".
I don't know what the solution is - what I do know it's definitely not "focus harder", nor "patch harder". Neither of those will ever get us anywhere NEAR "no-bugs" or "no-vulns" nirvana. Not soon - EVER. We need something completely different if we are to ever get there, assuming it is even possible at all...
* Needless to say, all of the above is "IMHO".
"We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi"
Albeit like slightly pedantic, gauche and "on the spectrum" deities ... The hubris in the above is palpable.
More on topic, security has improved vastly, but the world has moved on even quicker. Relatively we are still behind, but we are still massively ahead collectively of where we were in the year 2000.
Looking at the nostalgia over speeds like 56k, 28k and even 9,600, I have my own nostalgic moment remembering back to the early 80's when I bought my first modem for my Commodore 64 to connect to the South African version of Prestel called BelTel which was barely more than text with colours.
A mini version of the Internet. We did our banking over that and sent electronic messages all over the place as well as connecting to various BBS - I was even a Sysop on one for a while.
The speed of my modem? Split-speed 75/300! I could type faster than the uplink.
As mentioned, we did all our personal and business banking over that, with never a thought of security, and never any reports of any miscreants stealing data or funds either.
*Sigh* the good old days!