Mapping the real world to the Internet (Was Re: [Techtalk] 216 ssh login attempts, what to do?)

Devdas Bhagat devdas at dvb.homelinux.org
Thu Oct 14 00:03:52 EST 2004


On 13/10/04 07:40 -0700, Raquel Rice wrote:
<snip>
> I agree with you on that!  We lock the doors of our homes and expect
> that is enough to keep people out, even though in reality it's not. 
> Yet, most people don't try.  Most of those who do are prosecuted. 
> Why isn't my computer considered the same?

Since Carla hasn't yet declared the ranting season open, I will sneak a
little rant in.

A doorlock is a clear visible symbol that access is prohibited.
Computers do not give such visible signs. Imagine a country of the
blind, where the only way to find an open door is to actually try to
open it. In such a case, putting up a fence around the house is a good
way to keep unwanted people for knocking on your door (think firewall).

The great advantage of computers is that they make repetitive things
easy. The disadvantage of this is that repetitive things are easy for
the bad guys as well. Bruce Schenier illustrates this point quite well
in his book: Secrets and Lies (ref discussion on bank ATM security, and
the example of siphoning off the fractional pennies on interest).

The other big feature on the Internet is anonymity. In real life, I can
see who you are if you knock on my door. I might have a security camera
photographing you as well. On the Internet, I am cloaked behind an IP
address. I could just as easily claim that I have not written this mail,
and someone else spoofed my email. Or if they actually managed to prove
that it was sent from my computer, they still have to prove that my
computer was used only by me at that time. Compromising digital evidence
is trivial. This tends to make people behave in ways that they would not
in the real world, particularly when they cannot be proven guilty
without effort that would be far more expensive than what it is worth.

The third point is that the Internet is truly global. The implications
of this are /not/ understood by most people. Your laws do not apply to
me, and mine do not apply to yours. Now consider a person breaking into
US based computers to relay spam to a user in the UK advertising sites 
hosted in China with the DNS in Brazil and the registrar in Europe through 
a compromised system based in Korea.
You need all these countries to cooperate to catch your favorite local
spammer.

It isn't that doorlocks make your house secure. They just provide an
indicator that this area is restricted and offlimits. This is enforced
by social conditioning which teaches us that breaking locks is wrong.
This social conditioning is not widespread around the Internet.

Also, from the law enforcement point of view, the costs of enforcing
such security are too high for them to bear. They have much higher value
targets to catch, and as usual, the low hanging fruit gets eaten first.
>From another point of view, proving the costs of physical damage is far
easier than proving the damage done by breaking into an electronic
system which is not as fully integrated into the lives of the general
populace as physical things are. This goes hand in hand with the lowered
expectations of reliability and security provided by a computer. 
We /require/ that cars be held to a certain standard of manufacture.
Software is not held to such standards because general purpose software
cannot be held to such standards. And if there are no easily provable
standards, and valuations of data, then estimating realistic numbers for
damage is not possible.

Much as we try to maintain the illusion of civilization, the human race
is not really civilized to the point where any random stranger can be
trusted to be polite and helpful. The Internet has been implemented as a
commons, and the benefits come with costs. Responsible behaviour online
needs to be encouraged and costs imposed on reprehensible behavior.
However, it is extremely hard for most people to agree on the costs to
be imposed and to be willing to pay the price for imposing such social
costs. The Internet is still a wild west, and the only sheriffs are
people responsible for securing a limited portion of the network.

Securing a computer is easy. Securing a computer and leaving it fully
usable is slightly harder. Taking a fully Turing compliant system and
expecting it to be as easy to use and hard to break as a car is wrong.
If it was possible to have a Turing compliant system which was as easy
to use and hard to break as a car, I think that the designer would have
a killer system on his/her hands. 

To answer your question, your computer is considered the same in the
eyes of the law as your home. Enforcing that concept across the Internet
is not easy, and things simply do not work the way we expect them to.
If it were that easy, we would have achieved world peace by now.

Devdas Bhagat


More information about the Techtalk mailing list