Now, contrary to popular belief, cows are not stupid; they're abysmally stupid. As our vet once said, "Cows are the only animal that can stare at the same spot on a wall for six months and not go stir crazy." However, what cows lack in intellect they more than make up for in focus. For a cow, there are only three important things in life: Eating, reproducing, and sleeping, in that order. A hungry cow will go to great lengths to eat. She'll stretch to the end of her chain to reach one mouthful of ground feed, even though she's cutting off her own oxygen supply in the process. She'll kneel down and stretch under a hot fence wire to wrap her tongue around one tuft of grass at the risk of getting zapped.
She'll run the length of the pasture to be the first member of the herd to the barn when it's time for supper. Healthy cows are, in fact, obsessed with eating and it is this focus which makes them difficult to keep inside a fence. You see, cows are convinced that anywhere else MUST have better fodder than the pasture they're currently inhabiting. If you were to plant a pasture in the middle of the Sahara desert, water it constantly until it had grass two feet high, fence it off and put a herd of cattle on it, at least one tenth of them would look longingly over the fence at all that sand, certain that they'd be happier there.
And they'd do exactly what our cows did: They'd patrol that fence constantly, inspecting every millimeter of it, looking for a way through it. They'd spend every waking minute of their time searching for a way into the desert. I've actually watched cows look at a fence for hours, trying to stare a hole into it. Rest assured, when there's a flaw in a fence, at least one animal will find it, communicate the discovery to her mates and head through it, looking for something to eat.
What happens when you have a situation like this? Cows get out. It's as simple as that. They may not get out every day; they may not get out every week, but they do get out and then you have to chase them down, return them to their pasture, repair the fence and get ready for the next time. The only way to keep cows from getting out of a pasture is to avoid having any cows in the pasture. Nothing else is 100% effective. Nothing.
Everything.
You see, I know that the only completely secure information is information that's never been written on paper or saved to disk. If it's been committed to some media, it isn't secure. Period. It may be difficult to retrieve, particularly for someone who isn't supposed to get it, but there is always an irreducible chance that it will be retrieved by someone who isn't supposed to have it. The only way to make it truly secure is to avoid putting it on any media. Everything else represents just one of the many various levels of insecurity. So, when we consider that all saved data is inherently insecure, we need to know what prevents this data from being accessed by someone who isn't supposed to see it. It's a lot like the fences I used to maintain for my folks. There are firewalls, and passwords, and best practices, and so on, but it finally comes down to this: The fence will only keep the cows in (and the crackers out) if the people maintaining it are as obsessive with their job as the cows and crackers are in their attempts to breach a given system. A large chunk of the real issue becomes, finally, how devoted security people are to their jobs.
Now, I'm not here to cast aspersions upon anyone who does this for a living. I'm not suggesting that the vast majority of people working in security have any huge morale problem or conduct themselves less professionally than anyone else in IT. However, I am suggesting that, as a whole, they're probably not any more professional and committed than the rest of the IT world. In other words, they go to work every day for the same reason you do: They get paid for it. They have lives beyond their cubicles; they have interests which have nothing to do at all with computers, networks, security, crackers, code and caution. They're real people.
On top of all this, let's not forget how difficult some of the world's most popular software is to keep secure. I subscribe to e-mail news updates from ComputerWorld and e-Week and it's a rare week indeed when those publications aren't reporting a new flaw in a Microsoft product which can be exploited to launch a DDoS or other attack. Granted, the kind of intense scrutiny that Windows is subject to would stress damn near any product, but the continual race by Redmond's Richest to release code that was developed with an attitude that stressed features and ease-of-use over security certainly hasn't helped matters. So, take ubiquitous IT products that require lots of time to maintain with regard to security, add IT staff that may very well have other jobs to do besides security plus lives beyond their desks, and you get the current situation we now face: secure it ain't.
Crackers, on the other hand, are more than a little obsessive when it comes to cracking. They sit down to their machines and hack for a variety of reasons, but few, if any, do it because they're paid to. To swipe a phrase from the U.S. Department of the Navy, for them, "It's not just a job; it's an adventure." I'm betting that crackers do what they do for the same reason that I'll sit at my machine for 6 or 10 or 12 hours at a time when I'm really hooked on a game. I'm not getting paid to ruin my posture and my eyesight; I'm doing it because I want to solve the problem, to beat the game. I want bragging rights when I beat Diablo before either of my sons does or get an all-time score in Civilization III that's twice as high as my buddy's best game. I don't get paid a dime for it, but I've done it before and I'll probably do it again as soon as I find a game I like well enough. Like me at a game or cows on patrol, a cracker isn't concerned with the clock or a paycheck, office politics or work schedules. He's concerned with winning the game and, if he's as obsessive as I am, he'll stay with it until he gets into a system. The fact is, anyone who is willing to commit sufficient time and effort to breach a system can and will.
The economic inertia Windows has now will continue to keep it on desktops and servers for years to come, regardless of litigation and Microsoft's version of innovation. It is hard to imagine (hard for me, at least) what economic forces could break the company's grip on the IT world. And, for all the blather that Microsoft has tossed around through the years about being responsive to users' needs and wants, it's always been pretty apparent that those issues aren't really driving the company's agenda. If they were, it wouldn't have taken them nearly a decade and a half to make security a top priority. (After all, the billions of dollars that have been lost to crackers, worms and viruses didn't come out of Microsoft's bank account; they came from the pockets of those customers who relied on Microsoft products. I can't think of a single CFO who would welcome that sort of unnecessary expense. Conversely, there must be hundreds of executives who would've gladly lost the animated paper clip that made Office so unique and efficient in exchange for better protection against Word macro viruses.)
The eCS-OS/2 situation is quite a different story. eCS users have a direct impact on the day-to-day decisions made by Serenity Systems. We may not be able to realize our slightest whims or fancies, but we can have genuine, meaningful dialog with Bob St. John and Kim Cheung and we can affect the choices and decisions that eCS vendors make. Personally, there are a number of capabilities I'd like to see in future versions of eCS, but I can live without any of them if they compromise its security (or stability, for that matter). With that said, here's my agenda for eCS:
In a culture which seems to be hurtling recklessly towards coerced collaboration and a default standard that severely limits personal privacy, I want software that allows me to decide which information is private and which is public and gives me control of that information. I want tools that enable me to do my work efficiently without forcing me to surrender my privacy (by requiring me to provide information about myself that I don't want to make public) or my ethics (by lying about said information). I want to be able to choose something that definitely differs from the norm, the de facto standard. I want it to run every day without fail. I want it to put me in control of the data I entrust to it, not the other way around. I want to spend the majority of my time working with it, not maintaining it. I want it to enhance my productivity, not detract from it. I want to control what happens on my computer; I don't want anyone else, crackers, friends, enemies or software vendors, to control my computer. In short, I don't want the Windows paradigm.
Give me a product like that, keep it reliable and secure, and I'll stick with it until the cows come home.
This article is courtesy of www.os2ezine.com. You can view it online at http://www.os2ezine.com/20020216/page_3.html.