When the “black hats” - as orderlies of the wild forest of cyberspace - turn out to be particularly successful in their black work, the yellow media squeals with delight. As a result, the world is starting to look at cyber security more seriously. But unfortunately not immediately. Therefore, despite the ever-increasing number of catastrophic cyber incidents, the world is not yet ripe for active proactive measures. However, it is expected that in the near future, thanks to the “black hats,” the world will still begin to look at cyber security seriously. [7]

Just as serious as the fires ... Once the cities were very vulnerable to catastrophic fires. However, despite the potential danger, preemptive protective measures were not taken - even after a gigantic fire in Chicago, in 1871, which claimed hundreds of lives and deprived hundreds of thousands of people of their homes. Preemptive defensive measures were taken only after such a catastrophe repeated again three years later. The same with cyber security - the world will not solve this problem unless there are catastrophic incidents. But even if such incidents happen, the world will not solve this problem right away. [7] Therefore, even the saying: “As long as the bug does not burst, the peasant does not overpatch,” it does not work completely. Therefore, in 2018, we celebrated the 30th anniversary of rampant insecurity.

Put the Internet in 30 minutes

Back in 1988, the legendary hacker group L0pht, speaking in full force before a meeting of the most influential Western officials, said: “Your computerized equipment is vulnerable to cyber attacks from the Internet. And software, and hardware, and telecommunications. Their vendors do not care at all. Because modern legislation does not provide for any responsibility for the negligent approach to ensuring the cybersecurity of the software and hardware produced. Responsibility for potential failures (even spontaneous, even caused by the intervention of cybercriminals) lies solely with the user of the equipment. As for the federal government, it has neither the skills nor the desire to solve this problem. Therefore, if you are looking for cybersecurity, then the Internet is not the place to find it. Completely break the Internet, and accordingly take complete control over the equipment tied to it - can each of the seven people sitting in front of you. By oneself. 30 minutes of choreographic keystrokes - and it's done. " [7]

The officials nodded meaningfully, making it clear that they understood the seriousness of the situation, but didn’t do anything. Today, exactly 30 years after the legendary L0pht, the world is still “unrestrained” insecurity. Hacking computerized equipment tied to the Internet is so easy that the Internet, initially representing the realm of idealistic scientists and enthusiasts, gradually occupied the most pragmatic of professionals: fraudsters, scammers, spies, terrorists. They all exploit the vulnerabilities of computerized equipment — to gain financial or other benefits. [7]

Vendors neglect cybersecurity

Vendors sometimes of course try to fix some of the identified vulnerabilities, but they do it very reluctantly. Because the profits they bring are not protection from hackers, but new functionality that they provide to consumers. Being focused solely on short-term profits, vendors invest only in solving real problems, not hypothetical ones. Cybersecurity, in the eyes of many of them, is a hypothetical thing. [7]

Cybersecurity thing invisible, intangible. It becomes tangible only when problems arise with it. If they take good care of it (they spent a lot of money on its provision), and there are no problems with it, the final consumer will not want to overpay for it. In addition to increasing financial costs, the implementation of protective measures requires additional development time, requires limited equipment capabilities, leads to a decrease in its performance. [eight]

It is difficult to convince in the expediency of the listed costs even own marketing specialists, what to speak about end users. And since modern vendors are interested only in short-term profit from sales, they are absolutely not inclined to take responsibility for ensuring the cyber security of their creations. [1] On the other hand, more caring vendors, who nevertheless took care of the cybersecurity of their equipment, are faced with the fact that corporate consumers prefer - cheaper and easier to use alternatives. So Obviously, corporate consumers are less concerned with cyber security. [eight]

In light of the above, it is not surprising that vendors tend to disregard cybersecurity, and adhere to the following philosophy: “Keep building, keep selling and, if necessary, make patches. Has the system dropped? Was the information rubbed? Stolen database of credit card numbers? In the equipment identified unrecoverable vulnerabilities? It doesn't matter! ”In their turn, consumers have to follow the principle:“ Patch and Pray. ” [7]

How it happens: examples from the wild

A vivid example of neglecting cybersecurity in the development is the corporate motivational program of Microsoft: “Out of deadline, you are fine. I did not have time to submit the release of my innovation on time - it will not be implemented. It will not be implemented - you will not receive shares of the company (a piece of cake from Microsoft profits). ” Since 1993, Microsoft has begun to actively tie up its products on the Internet. As this initiative operated along the same motivation program, the functionality was expanded faster than the defense could keep up with them. To the delight of pragmatic vulnerability hunters ... [7]

Another example is the situation with computers and laptops: they do not come with a pre-installed antivirus; and the pre-installation of strong passwords is also not provided. The implication is that the end user will install the antivirus and set the security configuration settings. [one]

One more, more extreme example: the situation with cybersecurity of commercial equipment (cash registers, PoS-terminals for shopping centers, etc.). It so happened that vendors of commercial equipment sell only what is sold, and not what is safe. [2] If vendors of commercial equipment take care of something in terms of cyber security, it’s about the fact that in the event of a controversial incident, the responsibility falls on others. [3]

A case in point is this: the popularization of the EMV standard for bank cards, which, thanks to the competent work of bank marketers, looks in the eyes of the inexperienced technical knowledge of the public, as a safer alternative for “outdated” magnetic cards. At the same time, the main motivation of the banking industry, which was responsible for the development of the EMV standard, was to shift the responsibility for fraudulent incidents (caused by carders) - from stores to customers. Whereas previously (when payments were made with magnetic cards) for discrepancies in debit / credit financial responsibility lay on the stores. [3] banks processing payments put the responsibility either on merchants (who use their remote banking systems), or on banks issuing payment cards; the latter two in turn shift the responsibility on the cardholder. [2]

Vendors hinder cybersecurity

As the surface of digital attacks expands inexorably, thanks to the explosive growth of devices connected to the Internet, it becomes harder to keep track of what is connected to the corporate network. In this case, concerns about the safety of all equipment connected to the Internet, vendors shift to the end user [1]: “Saving the drowning is the work of the drowning”.

Not only do vendors not care about the cybersecurity of their creations, but in some cases they also hinder its provision. For example, when in 2009 the Conficker network worm leaked to the Beth Israel Medical Center and infected some medical equipment there, the technical director of this medical center in order to prevent similar incidents in the future, decided to disable the support function on the affected worm. with the network. However, he was faced with the fact that "the equipment cannot be updated due to regulatory restrictions." It took considerable effort to coordinate with the vendor disabling network functions. [four]

The fundamental cyber-non-security of the Internet

David Clark, the legendary professor of MIT, who has earned the nickname “Albus Dumbledore” with his ingenious insight, remembers the day when the dark side of the Internet opened up to the world. Clark presided over a telecommunications conference in November 1988 when news broke that the first computer worm in history had slipped across network wires. Clark remembered this moment because the speaker who was present at his conference (an employee of one of the leading telecommunications companies) was held accountable for the spread of this worm. In the heat of emotion, this speaker inadvertently let slip: “Those are on! I kind of closed this vulnerability, ”he paid for those words. [five]

However, it later emerged that the vulnerability through which the aforementioned worm spread was not the merit of an individual. And this, strictly speaking, was not even a vulnerability, but a fundamental feature of the Internet: the founders of the Internet in developing their offspring focused exclusively on data transfer speed and fault tolerance. They did not set themselves the task of ensuring cyber security. [five]

Today, decades after the founding of the Internet, when hundreds of billions of dollars have already been spent on futile attempts to ensure cybersecurity, the Internet has not become less vulnerable. The problems with its cyber security are only getting worse every year. However, do we have the right to condemn the founders of the Internet for this? After all, for example, no one will condemn the builders of freeways for the fact that accidents happen on “their roads”; and no one will condemn the urban planners for the fact that robberies are occurring in “their cities”. [five]

How the hacker subculture was born

The hacker subculture was born in the early 1960s, in the "Railway Technical Modeling Club" (operating within the walls of the Massachusetts Institute of Technology). Enthusiasts of the club designed and assembled a model of the railway, so huge that it filled the whole room. The club members spontaneously divided into two groups: peacekeepers and system analysts. [6]

The first worked with the elevated part of the model, the second - from the underground. The first collected and decorated models of trains and cities: modeled the whole world in miniature. The second worked on the technical support of all this peacekeeping: the intricacies of wires, relays and coordinate switches located in the underground part of the model, all that controlled the “above ground” part and powered it with energy. [6]

When a traffic problem arose and someone invented a new ingenious solution to fix it, this solution was called a "hack." For club members, the search for new hacks has turned into a self-valuable meaning of life. That is why they began to call themselves "hackers." [6]

The first generation of hackers realized the skills acquired in the “Railway Simulation Club” when writing computer programs on punch cards. Then, when, by 1969, ARPANET (the forerunner of the Internet) had arrived at the campus, hackers had become its most active and qualified users. [6]

Now, decades later, the modern Internet resembles that very “underground” part of the railroad model. Because his ancestors were these same hackers, students of the Railway Modeling Club. Only hackers now instead of simulated miniatures are operating with real cities. [6]

How did BGP routing come about?

By the end of the 80s, as a result of an avalanche-like increase in the number of devices connected to the Internet, the Internet approached the tough mathematical constraint embedded in one of the basic Internet protocols. Therefore, any conversation of the then engineers, eventually, turned into a discussion of this problem. Two friends were not an exception: Jacob Rechter (an IBM engineer) and Kirk Lockheed (the founder of Cisco). Having met by chance at the dinner table, they began to discuss measures to preserve the efficiency of the Internet. The buddies wrote about ideas that came to hand, a napkin soiled with ketchup. Then the second. Then the third. “Three napkins protocol”, as the inventors called it jokingly - known in official circles as BGP (Border Gateway Protocol; Border Routing Protocol) - soon revolutionized the Internet. [eight]

For Rechter and Lockheed, BGP was just a casual hack, designed in the spirit of the Railroad Modeling Club mentioned above, a temporary solution that should be replaced soon. The buddies developed the BGP in 1989. However, today, already 30 years later, the prevailing part of Internet traffic is still routed by the “protocol on three napkins” - despite more and more alarming bells about critical problems with its cybersecurity. The temporary hack has become one of the basic Internet protocols, and its developers have learned from their own experience that "there is nothing more permanent than temporary solutions." [eight]

Networks worldwide switched to BGP. Influential vendors, wealthy customers, and telecommunications companies — very quickly fell in love with BGP and got used to it. Therefore, even in spite of more and more alarming bells about the insecurity of this protocol, the IT public does not show enthusiasm for switching to a new, more secure, equipment. [eight]

BGP Routing Cyber ​​Non-Security

What is so good about BGP routing and why is the IT public not in a hurry to refuse it? BGP helps routers make decisions about where to send giant data streams sent across a huge network of intersecting communication lines. BGP helps routers choose the right paths, despite the fact that the network is constantly changing and traffic jams are often formed on popular routes. The problem is that there is no global routing map on the Internet. Routers using BGP make decisions about choosing one path or another - based on information received from their cyberspace neighbors, who in turn collect information from their neighbors, etc. However, this information is easily falsified, which means BGP routing is very vulnerable to MiTM attacks. [eight]

Therefore, there are regular questions like the following: “Why did the traffic between two computers in Denver make a giant hook through Iceland?”, “Why did the Pentagon secret data once be transited through Beijing?”. Such questions have technical answers, but they all boil down to the fact that the work of the BGP protocol is based on trust: on trust in the recommendations received from neighboring routers. Due to the trusting nature of the BGP protocol, mysterious masters of traffic can, if they wish, lure other people's data streams into their possession. [eight]

A living example is China's BGP attack on the American Pentagon. In April 2010, the state-owned telecommunications giant, China Telecom, sent tens of thousands of routers around the world, including 16,000 from the United States, a BGP message about the availability of the best routes. In the absence of a system that could verify the authenticity of BGP messages from China Telecom, routers around the world began to send data in transit through Beijing. Including traffic of the Pentagon and other sites of the US Department of Defense. The ease with which traffic was redirected, and the lack of effective protection against such attacks, is another bell of insecure BGP routing. [eight]

BGP is theoretically vulnerable to even more dangerous cyber attacks. In the event that international conflicts unfold in cyberspace in full force, China Telecom, or some other telecommunications giant, could try to declare areas of the Internet that do not really belong to it. Such a move would confuse routers that would have to rush between competing requests for the same blocks of Internet addresses. Not being able to distinguish a valid bid from a fake, routers would begin to act erratically. As a result, we would be faced with the Internet equivalent of nuclear war — an open, large-scale manifestation of hostility. This development of events in times of relative peace seems unrealistic, but technically it is quite feasible. [eight]

A futile attempt to move from BGP to BGPSEC

When developing BGP, cyber security was not taken into account, because at that time hacks were rare and the damage from them was insignificant. The developers of the BGP protocol, since they worked in telecommunications companies and were interested in selling their network equipment, had a more pressing task: to avoid spontaneous Internet breakdowns. Because interruptions in the work of the Internet could alienate users, and thereby reduce sales of network equipment. [eight]

After the incident with the transfer of US military traffic through Beijing in April 2010 - the pace of work to ensure the cybersecurity of BGP routing certainly accelerated. However, telecommunications vendors do not show much enthusiasm to bear the costs associated with the transition to a new secure routing protocol BGPSEC, proposed as a replacement for insecure BGP. Vendors still consider BGP to be perfectly acceptable, despite countless traffic interception incidents. [eight]

Radia Perlman, who was dubbed the “mother of the Internet” for the invention in 1988 (a year before the advent of BGP) of another important network protocol, was defended at MIT by her doctoral thesis, which had become prophetic. Perlman predicted that a routing protocol that depends on the integrity of neighbors in cyberspace is fundamentally insecure. Perlman advocated the use of cryptography, which would help limit the possibility of fraud. However, the introduction of BGP was already in full swing, the influential IT community was used to it, and did not want to change anything. Therefore, after well-reasoned warnings from Perlman, Clark and some other prominent world experts, the relative share of cryptographically protected BGP routing did not increase at all, and still amounts to 0%. [eight]

BGP routing is far from the only “hack”

And after all, BGP routing is not the only hack that confirms the idea that "there is nothing more permanent than temporary solutions." Sometimes the Internet, plunging us into fantastic worlds, seems as elegant as a racing car. However, in reality, because of the hacks piled on each other, the Internet is more like Frankenstein than Ferrari. Because these hacks (which are more officially called patches) are not replaced by reliable technologies. The consequences of such an approach are deplorable: daily and hourly cybercriminals hack vulnerable systems, expanding the scope of cybercrime to previously unthinkable scales. [eight]

Many flaws exploited by cybercriminals have been known a long time ago, and have been preserved solely due to the tendency of the IT public to solve emerging problems - temporary hacks / patches. Sometimes, because of this, outdated technologies have been piled up for a long time one on another, making life difficult for people and putting them at risk. What would you think if you knew that your bank builds its vault on a foundation of straw and dirt? Would you trust him to keep your savings? [eight]

Linus Torvalds carefree attitude

Years passed before the Internet reached its first hundred computers. Today, it connects to 100 new computers and other devices - every second. With the avalanche-like growth of Internet-connected devices, the relevance of cybersecurity issues is growing. However, the person who could have the greatest impact in solving these problems is to neglect cybersecurity. This person is called a genius, a ruffian, a spiritual leader and a benevolent dictator. Linus Torvalds. The vast majority of devices connected to the Internet are running its operating system, Linux. Fast, flexible, free, - Linux over time is becoming increasingly popular. At the same time behaves very stable. And can work without rebooting for many years. That is why Linux is honored to be the dominant operating system. Virtually all of the computerized hardware available to us today is running Linux: servers, medical equipment, on-board computers, tiny drones, warplanes, and more. [9]

Linux succeeds mainly because Torvalds focuses on performance and fault tolerance. However, he does this emphasis - to the detriment of cyber security. Even when cyberspace and the real physical world are intertwined, and cybersecurity has become a global issue, Torvalds continues to oppose the introduction of secure innovations into his operating system. [9]

Therefore, even among the many fans of Linux there is growing concern about the vulnerabilities of this operating system. Especially the most intimate part of Linux, its kernel, which Torvalds works on personally. Linux fans see Torvalds not taking cybersecurity issues seriously. Moreover, Torvalds surrounded himself with developers who share this carelessness. If someone from the nearest circle of Torvalds starts talking about introducing safe innovations, he is immediately anathematized. One group of such innovators Torvalds fired, calling them "masturbating monkeys." , : « . ». , . [9] , :

« – . : , . , – . , -. . - . , . , , , . , , , . . ». [9]