Security or privacy? No easy answers

It is often said that life is a series of compromises. Nowhere was this more apparent than in the recent distributed DoS attacks against the Internet.

It is becoming more and more apparent that when major companies were building their Internet presences, they made the choice of quick instead of secure. However, this quick-and-dirty mindset is starting to permeate all of computing. Often, performance is enhanced at the cost of stability; scalability is reduced to ease management; and, more often than not, security is compromised for the sake of convenience.

Which brings to mind another colloquialism: You can't get something for nothing. Although every pundit has had some explanation for these denial-of-service attacks, no one has addressed how to effectively stop them. Why? Because there is no way to effectively prevent a DoS attack. I said as much in my Nov. 1, 1999, column, and I'll go one step further now: The current Internet cannot securely and reliably support high-volume e-commerce.

The Internet will only work as long as everyone plays by the rules. The minute one person deviates, all hell breaks loose. But I don't think the Internet will be the weak link in the e-commerce phenomenon. Without a doubt, people will be the weak link, and the only remedy will be a willingness to forsake convenience and speed for the sake of security and stability.

We've already seen some of this in the shift of many companies toward Linux from Windows NT. Although I'm not ready to debate the stability of either platform, I can say that NT is more convenient than Linux. But for many, this convenience isn't worth all of NT's other problems; hence the move to the less convenient Linux.

Passels Of Passwords
Does anyone besides me remember the days of RACF security, when passwords had to be changed every two weeks, and you couldn't use a dictionary word? Now I have Microsoft's Internet Explorer 5.0 asking if I want it to remember my passwords. Exacerbate this problem with a different password for every single site that I visit, and it is easy to see why people always choose their dog's name as a password.

This proliferating password problem could be solved by a national public-key infrastructure, possibly administered by a federal agency such as the U.S. Postal Service. In the same way you apply for a Social Security number, you would apply for an X.509 certificate.

Unfortunately, this remedy could have chilling effects on privacy by offering another unattractive choice: security or privacy. The simple fact is that there is no anonymity in a secure world. A cornerstone of e-commerce and IP Security is nonrepudiation. An online merchant must be able to confirm the identity of a person who has ordered goods from it.

Security issues aside, scaling the Internet will be a pain in and of itself. Companies will have to install multiple single-processor boxes instead of a single multiprocessor box. This means they must replicate content, synchronize it and manage it. Then they have to globally distribute it.

All this will cause management head aches. And sites will need an out-of-band network to manage all of this. Just one more in a series of compromises.

West Coast Technical Director Pankaj Chowdhry can be reached at pankaj_chowdhry@zd.com.