Panel: Accept the Net is vulnerable to attack

Companies and home Internet users need to accept that the global computer network is inherently vulnerable to attacks, worms, trojans and anything else miscreants want to unleash on it, and then accept that securing the system is everyone's responsibility, a panel of security experts said Monday at the Comdex trade show.

Security can't be accomplished through applying patches to vulnerable software, panelists agreed, though they varied in how best to make the Internet more secure and disagreed sharply in some areas, with Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc., serving as the naysayer -- a role he seemed to relish.

"As a scientist, I can tell you that we have no clue how to write secure code," Schneier said, prompting agreement from John Weinschenk, vice president of the Enterprise Services Group at VeriSign Inc., who said the best that can be done is to protect corporate computer systems and Web sites so that if there is an attack they aren't taken out for a long, costly period.

"I think every software vendor here can do a better job of providing more secure software," Gene Hodges, president of Network Associates Inc., chimed in. As the discussion went on, though, it was that idea that led Schneier into one of his favorite topics -- liability.

The panelists were led by moderator Andrew Briney, editor-in-chief of Information Security Magazine, into chatting broadly about their views on whether there should be more government regulation related to securing cyberspace. As the other panelists talked, Schneier went from grinning to smirking to shaking his head. Briney commented that Schneier seemed to be disagreeing and asked him which comments he found fault with, to which Schneier replied: "Which part should I respond to -- I don't even know."

Then things got lively.

"The reason the software you buy isn't secure is that companies don't care," Schneier said. Software vendors care about profits and without a sufficient push from concerned users willing to pay more for security features, companies just are not going to slow the production cycle to add those features. Security is not a priority.

Microsoft Corp. with its ballyhooed Trustworthy Computing initiative drew particular invective. "Microsoft is producing software that is completely insecure," Schneier said, prompting scattered applause from the audience. "The reason is there is no liability for producing a shoddy product." If car makers produced vehicles that did not operate properly, they would be held liable and sued, but the same doesn't happen with software makers, Schneier said.

"Microsoft produces software that has three systemic flaws a week and nothing happens to them," he said, adding that the company simply releases patches and that's that. The Boeing Co., which makes airplanes, "won't use Windows at all," he said, because the company is "playing in the real world" where problematic software matters.

When Schneier was called to task for singling out Microsoft, he was quick to note that Microsoft isn't the only offender, just an easy one to cite.

The security vendors represented on the panel, in fact, could all be doing a better job of making more secure software, Hodges had said before Schneier ranted on Microsoft. Part of the problem is that the security software industry is reactive. First, criminals exploited vulnerabilities in floppy disks and so antivirus software was created that prevented disks from spreading viruses. Then, the Internet flourished and criminals figured out ways to exploit holes in that system and the companies responded, creating products and patches dealing with specific malicious code. Then, criminals started sending nasty code by e-mail and the companies responded by creating products and patches for that.

Wireless networks present the next major challenge. Companies need to set up VPNs (virtual private networks) and other technology and products including firewalls and also establish policies that forbid employees from bringing their own wireless equipment into offices and using it on corporate LANs, several panelists said. There was some back and forth on that point, though, because one sentiment is that employees won't heed those policies, so companies are better off to assume employees will violate the rules and to figure out ways to keep networks safe in any event.

One thing corporate users can't do is rely on wireless security standards. "The people who designed wireless protocols did a horrible job with security," Schneier said, referring to WEP (Wired Equivalent Privacy) and IEEE 802.11, which has been notoriously problematic from a security standpoint.

"It's something that's not just insecurity, it's robustly insecure," he said.

Securing wireless LANs requires putting "enforcement technologies on your network so you can tell when those (rogue devices not approved by the IS department) are plugged in," said Dan McDonald, vice president of Nokia Corp. Internet Communications.

In the view of some panelists, steps are already under way to focus on security nationally with the initiative of President George W. Bush, whose administration released a series of recommendations aimed at educating Internet users and leading to cooperation between private industry and the public sector.

Some have criticized the effort as lame because it doesn't go far enough, but Tom Noonan, president and chief executive officer of Internet Security Systems Inc., who is a member of the National Infrastructure Protection Board, which is spearheading the initiative, defended it as focusing on prevention through education, creating a mechanism to respond to attacks and cluing the public in to how the computer infrastructure works and how to protect it.

"The problem is pretty vast, it's pervasive and the problem is significant as far as how we're going to approach it," he said.

Businesses want to deal with system security without government interference because "the last thing you want to do is to fully expose everything you're doing to protect yourself because this is a cat-and-mouse game," he said. Some have called for government to force businesses to reveal what they are doing to keep their networks secure.

Further complicating the issue of creating new laws and regulations is that system administrators are already burdened and "can't get to patches from last year," let alone figuring out how to comply with additional federal requirements, Noonan said.

Asked by Briney to comment on the one thing that they either believe is a myth about security or that they would like to see change, most panelists said they want everyone to take responsibility for security -- which is part of the administration push -- including home users who need to insist that the software they buy have security features.

Schneier had a different take, saying he wishes government and companies would focus on "actual criminals and not hackers ... I think we focus too much on the kids, on the spraypainting and not on the actual crime," including those who break into systems and steal information or otherwise cause havoc.


Nancy Weil

PC World