The Internet’s Fort Knox Problem

June 3rd, 2010  |  by jz  |  Published in Future of the Internet  |  10 Comments

A few weeks ago Internet security firm McAfee released an update to its Windows PC customers designed to protect them against a newly detected virus threat.  Instead, for some, the update destroyed a legitimate, and crucial, system file.  Uncountable numbers of PCs – likely hundreds of thousands, even millions – were rendered unusable.  The University of Michigan medical school lost the use of 8,000 of 25,000 PCs.  State troopers in Kentucky abandoned their cruisers’ mobile PCs and resorted to writing reports by hand.  Some hospitals in Rhode Island turned away non-trauma patients from their ERs.

The issue is larger than one firm’s unfortunate misstep.  It echoes across the entire Internet.  Call it the Fort Knox problem.

Fort Knox represents the ideal of security through centralization: gunships, tanks, and 30,000 soldiers surround a vault containing over $700 billion in American government gold.  It’s not a crazy idea for a nation’s bullion; after all, the sole goal is to convincingly hoard it.  But Fort Knox is an awful model for Internet security.

Our IT environment has traditionally been immune from many Fort Knox issues, because its architecture has encouraged decentralization.  One PC might be compromised, or a Web site might fall, but others stand.  Bad guys on one side of the spectrum, and well-intentioned regulators on the other, each had to sweat to have an impact on Internet activities.

But the bad guys were clever and industrious.  Their digital robots came to costlessly crawl the Web looking for computers and sites to compromise, leveraging their reach.  Operators of well-financed Web sites have dealt with rising anxieties about security by spending enormous amounts of money on digital bunkers and backups for their data, while littler ones have hunkered down and simply hoped they wouldn’t be hit.

The public sector has been confused about how to help.  Governments know how to maintain and defend their roads and waterways, but have been stymied in cyberspace: so much of it is rightly privatized that there’s no obvious place to station a guard and no way to fill a digital pothole.  Worse, since identifying those behind intentional attacks online is exquisitely difficult, the traditional state tools of deterrence and punishment are ineffective.

That’s why we now see centralization under a few major corporate umbrellas under which disparate activities can be gathered.  The lures of security, interoperability and economies of scale have propelled much of the Web from a vibrant ecosystem of different, and differently managed, PCs and sites to one where a handful of private Fort Knoxes take responsibility for security.

But we can’t simply put our precious data into a single well-protected vault and peek in every few years.  We need to guard our PCs and data, but we also need them to be part of a worldwide network.  When we’re not masking our digital trail, we’re eagerly sharing it.  If we try to centralize its protection, it’s not a one-time transaction: rather, we need a constant gatekeeper who signs our data in and out every time we want to make use of it.  That’s a thread that runs from the McAfee debacle, where millions of people and firms turned the keys to their computers over to a third party to handle, through to cloud-based platforms like Facebook, where the company’s assent is increasingly needed to run unrelated applications on its platform or to log in to unaffiliated Web sites that no longer care to maintain their own digital borders.

If McAfee makes a mistake, many people pay at once.  If Facebook’s computers go down or are compromised, thousands of otherwise-independent applications and sites suddenly go down with it.  It’s not just our own data and transactions at risk, but our collective memory: the flip side of a centralized defense against bad guys is vulnerability to well-meaning good guys.  For example, if the generally laudable Google Books project is a spectacular success, we’ll see libraries give up their moldering, isolated archives of regular books in exchange for PC terminals where patrons can peer at an ephemeral digital copy drawn from Google’s central archive.  It makes sense – and no doubt Google has near-impregnable backups – but it’s also an opportunity for a government to intervene in worrisome ways.

For example, if one book in the system contains copyright infringing, or defamatory, or obscene material, those aggrieved can get a court order requiring the infringing pages of the book to be deleted from the central server.  This vulnerability affects every book that is distributed and maintained through a centralized platform.  Anyone who does not own a physical copy of the book – and a means to search it to verify its integrity – will now lack access to that material.  By centralizing (and to be sure, making more efficient) the storage of content, we are building a world in which, as a practical matter, all copies of once-censored books like Candide, The Call of the Wild, and Ulysses could have been permanently destroyed at the time of the censoring, and could not be studied or enjoyed even after subsequent decision-makers lifted the ban.

So what do we do?  We have two things going for us that the real Fort Knox doesn’t: we can make copies of our digital gold, and there are lots of us, each with our own stake in security and autonomy.

First, so long as there aren’t undue barriers to extracting our own data from cloud platforms or our own PCs, backups can become more seamless, and made in a variety of ways, making a McAfee misstep or anything like it less costly.  Then we have our cake and eat it too.  The same principle applies to projects like Google Books, where participating libraries can arrange to securely maintain their own gold copies of Google’s precious trove – kept to compare against others’ copies, so omissions and changes can be detected and appropriately challenged, not leaving Google with the sole burden of holding off government speech regulation.
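The paragraph above proposes that participating libraries keep their own gold copies and compare them against one another so omissions and changes can be detected. The following Python script is an added illustration of that comparison, not code from the original post or from Google Books: each holder's copy is fingerprinted page by page with SHA-256, the digests are compared across holders, and any copy that is missing a page or carries a page whose content differs from the majority is reported. The holder names, page identifiers and page texts are constructed sample data.

```python
import hashlib
from collections import Counter

# Constructed sample data: three independent holders of the same "book".
# In the central copy, page p2 has been removed and page p3 has been altered;
# the two library copies are intact.
SAMPLE_COPIES = {
    "google_central": {
        "p1": "Chapter 1. It was the best of times.",
        "p3": "Chapter 3. [passage removed by order]",
    },
    "library_a": {
        "p1": "Chapter 1. It was the best of times.",
        "p2": "Chapter 2. It was the worst of times.",
        "p3": "Chapter 3. It was the age of wisdom.",
    },
    "library_b": {
        "p1": "Chapter 1. It was the best of times.",
        "p2": "Chapter 2. It was the worst of times.",
        "p3": "Chapter 3. It was the age of wisdom.",
    },
}


def page_digest(text: str) -> str:
    """SHA-256 of a page's text; a change of one character changes the digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def fingerprint(copy: dict) -> dict:
    """Map every page id in one holder's copy to its digest."""
    return {page_id: page_digest(text) for page_id, text in copy.items()}


def compare_copies(copies: dict) -> dict:
    """Return {holder: [findings]}; a holder with an empty list agrees with the majority.

    For every page known to any holder, the digest held by most holders that
    still have the page is taken as the consensus. A holder is reported when
    the page is absent from its copy (an omission) or when its digest differs
    from the consensus (an alteration). No single holder, including the
    central one, is treated as authoritative.
    """
    prints = {holder: fingerprint(copy) for holder, copy in copies.items()}
    all_pages = set().union(*(fp.keys() for fp in prints.values()))
    findings = {holder: [] for holder in copies}
    for page_id in sorted(all_pages):
        present = {h: fp[page_id] for h, fp in prints.items() if page_id in fp}
        consensus, votes = Counter(present.values()).most_common(1)[0]
        for holder in copies:
            if holder not in present:
                findings[holder].append(f"{page_id}: missing")
            elif present[holder] != consensus:
                findings[holder].append(
                    f"{page_id}: content differs from {votes} other copies"
                )
    return findings


def holders_to_challenge(copies: dict) -> list:
    """Holders whose copy deviates from the majority and so warrants a challenge."""
    return sorted(h for h, f in compare_copies(copies).items() if f)


if __name__ == "__main__":
    for holder, found in compare_copies(SAMPLE_COPIES).items():
        print(holder, found or "consistent with majority")
    print("challenge:", holders_to_challenge(SAMPLE_COPIES))
```

The design point is that detection needs more than one independent copy: with only the central archive there is nothing to compare against, and with exactly two copies a disagreement shows that something changed but not where. Three or more holders let the majority stand in for the original, which is exactly the role the post assigns to the libraries' gold copies.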

Second, we need to reinvigorate the Internet’s principle of open, distributed architecture that has sparked so much growth and innovation.  Our choices for security aren’t simply among government soldiers, corporate mercenaries, or our own personal barricades – though each has a valuable role to play.  Rather, we can reinforce open, shared early warning systems to enumerate and deal with security threats, whether against PCs, Web sites, or Internet connectivity.  With a few technical tweaks, we can all further help relay data from Web sites that are under attack, stabilizing their presence.  Security shouldn’t have to be purchased like a personal bodyguard.  Far more flexible than Fort Knox are people, each with their own pocketed gold and machinery, empowered to look out for one another.

A version of this appeared in the Financial Times on June 3rd, 2010.

Responses
  1. Ben Mathes says:

    June 3rd, 2010 at 4:07 pm (#)

    In the last paragraph, Professor Zittrain, you mention reinvigorating the Internet’s principle of open, distributed architecture. However, there are no provided examples. I believe I discovered the Web of Trust addon for Firefox (and now Chrome) through one of the posts here, and it would serve as a decent enough example of how to use open, distributed processes _for_ security.

    -Ben

  2. Andrew Martin says:

    June 3rd, 2010 at 4:44 pm (#)

    Hi Jonathan. It’s easy to agree that anti-virus is a broken model, for all kinds of reasons. And we certainly need to think creatively about what the right model may be. I rather suspect that it will involve ‘whitelisting’ rather than blacklisting. Most of the current whitelists arise as vendor control in app stores and similar places – but there’s no reason why we shouldn’t have a much more generative approach to this.

    “Rather, we can reinforce open, shared early warning systems to enumerate and deal with security threats, whether against PCs, Web sites, or Internet connectivity. With a few technical tweaks, we can all further help relay data from Web sites that are under attack, stabilizing their presence.”

    My fear is that such a solution would create more problems than it solves. Adding complexity to a security problem usually gives the attacker additional points to hit: it very seldom (in the long run) gives a net improvement. Or am I missing something?

  3. Chris says:

    June 3rd, 2010 at 5:04 pm (#)

    Ahn-tie-virus?

    I use Linux and Mac OS X, I don’t know what you are talking about :)
    But seriously, why do my tax dollars go towards Windows and McAfee licenses when there are perfectly acceptable free alternatives? I’d rather they put that money to good use in something important like hospital *equipment* for example.

    That is the problem with the cloud: what you get back from the cloud is not necessarily what you put in to the cloud; you are at the mercy of the hosting company. The best way around it must be distributed cloud services such as torrents. I can get the .torrent file from any number of sites, so censorship is practically non-existent (just find the torrent somewhere else), and multiple trackers and seeds make the system pretty robust.

  4. Nancy Sims says:

    June 3rd, 2010 at 6:42 pm (#)

    Just to be clear, since the article doesn’t mention it, the academic libraries participating in the Google Book project _are_ maintaining independent backups. Among other projects, the Hathi Trust stands out as a large, well-supported (technically and infrastructurally) independent digital library. It contains mostly things scanned for Google, but also independently-scanned stuff. http://www.hathitrust.org
    And some of the participating libraries are also independently keeping copies.
    (I’m a librarian at one of the Hathi Trust partners, but not speaking on behalf of anyone but myself.)

  5. The Internet's Fort Knox Problem :: The Future of the Internet … :PC & Internet Lifestyle says:

    June 3rd, 2010 at 7:23 pm (#)

    [...] Read this article: The Internet's Fort Knox Problem :: The Future of the Internet … [...]

  6. Jonathan Zittrain says:

    June 3rd, 2010 at 8:27 pm (#)

    Simple is good — and I’m not sure a distributed solution need be more complex than something centralized.

  7. Conor says:

    June 4th, 2010 at 4:45 pm (#)

    It seems to me that centralization and decentralization are two poles, and most of the examples listed are somewhere in between them. Take the Fort Knox example: the government doesn’t hold the only stock of gold, and we therefore don’t lose all of our nation’s wealth if its security is compromised.

    I’m not perfectly well versed in security technology, but I imagine the same is true with respect to McAfee. It’s true that as more of our lives are tethered to data and internet connected devices, we’re going to take a few risk-neutral, or even risk-seeking, security shortcuts for the sake of sanity. We’re going to concentrate our security expertise so the benefits of a few brilliant techies can be spread across a wider array of clients for cheaper. That means well-meaning good guys have our lives in their hands. The same might be said to represent the pitfalls of our current financial problems. Everyone placed their retirement funds in the hands of a few seemingly trustworthy mortgage brokers who were connected to financial technologists who were actually way over their heads.

    I think we also need to be careful about giving up the cost-saving measures of centralization. From your perspective, it seems we need to stand athwart history screaming “non-proprietary protocols and standards!” =) I remember the poignant imagery on the cover of The Future of the Internet: railroad tracks going off a cliff. There is a reason, though that this shift is happening. Small and medium sized businesses are outsourcing their IT in order to achieve better cost controls for consumers and shareholders. Profit margins are a powerful force to be curbing, of course. So perhaps capitalist interests can protect themselves. Still, it’s worth keeping in mind that Joe and Jane Taxpayer might actually be on the other side of this debate when times are tough, (perhaps even if their government’s computers go down and they need to cart their loved ones to the hospital down the street in an emergency).

    As always, this was a great, thought-provoking post. Looking forward to the next one!

  8. Seth Finkelstein says:

    June 4th, 2010 at 6:37 pm (#)

    Me too, regarding having problems with:

    “Rather, we can reinforce open, shared early warning systems to enumerate and deal with security threats, whether against PCs, Web sites, or Internet connectivity. With a few technical tweaks, we can all further help relay data from Web sites that are under attack, stabilizing their presence. Security shouldn’t have to be purchased like a personal bodyguard. Far more flexible than Fort Knox are people, each with their own pocketed gold and machinery, empowered to look out for one another.”

    This isn’t an unexamined problem! In fact, as you know, a big problem is that most people *don’t* even know how to look out for themselves, much less each other.

  9. Eric Karstens – How Internet structure affects content pluralism says:

    June 6th, 2010 at 6:57 am (#)

    [...] see also Christian Sandvig, The Television Cannot be Revolutionized (multicast) and Jonathan Zittrain, The Internet’s Fort Knox Problem (The Future of the Internet and How to Stop [...]

  10. Natanael L says:

    June 6th, 2010 at 9:12 am (#)

    Here’s another comment about this paragraph:

    “Rather, we can reinforce open, shared early warning systems to enumerate and deal with security threats, whether against PCs, Web sites, or Internet connectivity. With a few technical tweaks, we can all further help relay data from Web sites that are under attack, stabilizing their presence. Security shouldn’t have to be purchased like a personal bodyguard. Far more flexible than Fort Knox are people, each with their own pocketed gold and machinery, empowered to look out for one another.”

    The first thing there looks like reputation based antimalware software. If one person reports “malfunction” or there are reasons to believe something is wrong, anything that’s not normal is checked. Everything is reported too. The more negative reports about a certain file, the more likely it is that it’s bad.
    It can be used in many other ways too. That WOT thing mentioned above is similar.

    The second thing you mentioned reminds me of Freenet, a distributed and anonymous data store system. There are also lots of other ways to decentralize data storage (and downloading of it).

    Now when there’s talk about implementing “resource packages” (http://limi.net/articles/resource-packages-spec-ready-for-prototyping), we could go so far as using torrents (with DHT) and all to distribute all images, videos and other embedded data.
    The issue here is then this: How do we decentralize the downloading of the index.html file? We can’t really do that in a sane way with dynamic sites.
    We need some kind of browser plugin that creates a bittorrent-like network parallel with the normal http-based internet connections to servers. It would simply share the cache with others for various sites, and when those sites are down, a custom static version of the index.html file (predefined by the server) would be shared too.

    I think that can work.
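The comment above describes reputation-based reporting: many users report on files, and the more negative reports a file attracts, the more likely it is bad. The Python script below is an added example of how such reports can be aggregated on the defending side; it is not code from the original post, from WOT, or from any product. It assumes a reporter reputation table and a list of (reporter, file identifier, verdict) reports, all constructed sample data, and shows two safeguards a practitioner would want: duplicate reports from one reporter count once, and a file is only flagged once enough distinct reporters have weighed in, so one noisy or malicious reporter cannot condemn a file on its own.

```python
from collections import defaultdict

# Constructed sample data. Reputation is a weight in (0, 1]; unknown reporters
# get a neutral default. "mallory" is a low-reputation reporter.
REPUTATION = {"alice": 1.0, "bob": 1.0, "carol": 0.8, "mallory": 0.1}

# (reporter, file identifier, verdict). The identifiers are placeholders
# standing in for content hashes; "mallory" floods file-B with repeats.
SAMPLE_REPORTS = [
    ("alice", "file-A", "bad"),
    ("bob", "file-A", "bad"),
    ("carol", "file-A", "ok"),
    ("mallory", "file-B", "bad"),
    ("mallory", "file-B", "bad"),
    ("mallory", "file-B", "bad"),
    ("mallory", "file-B", "bad"),
    ("mallory", "file-B", "bad"),
    ("alice", "file-C", "ok"),
    ("bob", "file-C", "ok"),
    ("mallory", "file-C", "bad"),
]


def score_files(reports, reputation, min_reporters=2, threshold=0.6):
    """Aggregate reports into a per-file verdict.

    Returns {file_id: {"reporters": n, "bad_ratio": r, "suspicious": bool}}.
    bad_ratio is the reputation-weighted share of reporters saying "bad";
    a file is suspicious only when at least min_reporters distinct reporters
    have reported on it and bad_ratio reaches threshold.
    """
    by_file = defaultdict(dict)
    for reporter, file_id, verdict in reports:
        # one vote per reporter per file; repeated reports overwrite, not add
        by_file[file_id][reporter] = verdict

    result = {}
    for file_id, votes in by_file.items():
        total = sum(reputation.get(r, 0.5) for r in votes)
        bad = sum(reputation.get(r, 0.5) for r, v in votes.items() if v == "bad")
        ratio = bad / total if total else 0.0
        result[file_id] = {
            "reporters": len(votes),
            "bad_ratio": round(ratio, 3),
            "suspicious": len(votes) >= min_reporters and ratio >= threshold,
        }
    return result


def suspicious_files(reports, reputation, **kw):
    """Sorted list of file identifiers that cross the reporting threshold."""
    scores = score_files(reports, reputation, **kw)
    return sorted(f for f, s in scores.items() if s["suspicious"])


if __name__ == "__main__":
    for file_id, s in score_files(SAMPLE_REPORTS, REPUTATION).items():
        print(file_id, s)
    print("flagged:", suspicious_files(SAMPLE_REPORTS, REPUTATION))
```

With the sample data, file-A is flagged (two trusted reporters against one), file-B is not flagged despite five reports because they all come from one reporter, and file-C is not flagged because the lone "bad" vote carries little weight. The thresholds are tunable; the point is that a reporting network needs these rate and diversity controls before its verdicts are acted on automatically.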
