
The internet as existential threat - zephyrfalcon
https://www.raphkoster.com/2017/06/27/the-internet-as-existential-threat/
======
Animats
I'm getting worried. I've been harping on the Maersk downtime lately. The
ports of the largest shipping company in the world have been shut down for two
days by a cyber attack. Trucks can't unload or load at many of the world's
ports, including the main container ports of LA, NYC, and Rotterdam. They're
going to be down tomorrow, too. Maybe partial operation by Friday.[1] Maersk
even lost phone and email systems. One of the few good sources of info has
been somebody at the Port Authority of New York and New Jersey who sends out
alerts to truckers.

It's a distributed outage. The usual forms of disaster preparation involve
geographic dispersal. That doesn't work against this threat. Few companies are
as physically dispersed as Maersk, which has major facilities in 61 countries.
It didn't help.

What happens when someone figures out how to take over Windows Update or the
Intel Management Engine or Ubuntu Update?

[1]
[http://btt.paalerts.com/recentmessages.aspx](http://btt.paalerts.com/recentmessages.aspx)

~~~
xenadu02
The first step would be to stop using C (and any other memory-unsafe
language). The vast majority of these problems come about by memory corruption
tricking the computer into executing attacker-delivered code (or ROP gadgets).

Yes there will be other security flaws like missing access checks, etc. But
none are so pervasive nor so devastating as out-of-bounds read/write. If C
arrays were bounds-checked by default then the majority (literally) of
exploits would be rendered void immediately. The Rust borrow checker, Swift
ARC, or GCs would eliminate use-after-free. Combined that would drastically
reduce all available attack surface.

The second step is to assign a separate identity to every piece of code,
rather than running everything as the current user. Unless it has been
initiated by a user action there is no reason for malware to even have write
access to your files (or system files for that matter). The idea that any ol'
random bit of code that manages to execute should be just as trusted as the
user is crazytown. IMHO macOS SIP is a good step in that direction, enforcing
read-only access to /System and most of /usr.

The third step is to have pervasive copy-on-write, including in all
filesystems by default. If your system does get pwned it should be a trivial
matter of booting to a read-only recovery mode and rolling back to a known-good
state.

The fourth step is to have more interlocks enforced by the system that cannot
be overridden. For example there might be a legitimate reason to truncate
shadow copies but why should anyone with admin rights be allowed to do so from
a normal login session? That's just stupid. (For those unaware, malware now
routinely disables Windows' volume shadow copy and nukes the existing copies
to stop you from rolling your files back). Stuff like that should require
rebooting into single-user mode or recovery mode.

There's always a lot of resistance to the idea of dropping C. Before you go
replying with a counter-argument I urge you to stop and think seriously. We've
been pushing secure coding standards as an industry for many years now.
Everyone is well aware of the risks. We have tools like Address Sanitizer and
Undefined Behavior Sanitizer. We have lots of static analysis tools. We have
tools like valgrind. And yet... the exploits keep on coming. Despite the
thousands upon thousands of years of effort poured into fixing it, we still
routinely have new out-of-bounds and use-after-free exploits in critical C
code. Even experienced developers get bitten by signed integer overflow and
other forms of undefined behavior... and most C code is not being written by
experienced careful developers. Embedded code is even worse. If you read the
source behind your car's ECU you'd probably never drive again.

It is time to admit the truth: programming languages should be memory-safe by
default. Period. Whatever the cost it is worth paying.
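To make the first step above concrete, here is an added example (not code from the thread) of a C buffer that carries its own capacity and validates every access, so an attacker-controlled length is rejected instead of overwriting adjacent memory. The `canary` field is a constructed sentinel standing in for whatever sits next to the array, not a real mitigation.

```c
/* Added example: a minimal bounds-checked buffer in C, illustrating the
 * "arrays checked by default" argument. Not code from the original post. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_CAP 16

/* A fixed-capacity buffer that knows its own length and capacity, so every
 * access can be validated. The canary models "adjacent memory" that an
 * unchecked out-of-bounds write would silently clobber. */
typedef struct {
    uint8_t data[BUF_CAP];
    size_t len;
    uint32_t canary;          /* constructed sentinel, not a real mitigation */
} checked_buf;

enum { CB_OK = 0, CB_OOB = -1 };

void cb_init(checked_buf *b) {
    memset(b->data, 0, sizeof b->data);
    b->len = 0;
    b->canary = 0xA5A5A5A5u;
}

/* Write one byte at idx; refuses rather than corrupting adjacent memory. */
int cb_set(checked_buf *b, size_t idx, uint8_t v) {
    if (idx >= BUF_CAP) return CB_OOB;
    b->data[idx] = v;
    if (idx >= b->len) b->len = idx + 1;
    return CB_OK;
}

/* Read one byte; the value goes through *out so the error is unambiguous. */
int cb_get(const checked_buf *b, size_t idx, uint8_t *out) {
    if (idx >= b->len) return CB_OOB;
    *out = b->data[idx];
    return CB_OK;
}

/* Copy an untrusted record (e.g. a length field read from the network) into
 * the buffer. The attacker-controlled n is validated before any byte moves;
 * this is exactly the check a raw memcpy into a fixed array does not have. */
int cb_copy_in(checked_buf *b, const uint8_t *src, size_t n) {
    if (n > BUF_CAP) return CB_OOB;
    memcpy(b->data, src, n);
    b->len = n;
    return CB_OK;
}

/* Returns 1 if the sentinel next to the array was never touched. */
int cb_canary_intact(const checked_buf *b) { return b->canary == 0xA5A5A5A5u; }

int main(void) {
    checked_buf b;
    uint8_t big[64];                    /* constructed oversized input */
    cb_init(&b);
    memset(big, 0x41, sizeof big);
    printf("copy 64 bytes into 16: %s\n",
           cb_copy_in(&b, big, sizeof big) == CB_OK ? "ok" : "rejected");
    printf("canary intact: %d\n", cb_canary_intact(&b));
    return 0;
}
```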

~~~
userbinator
_Before you go replying with a counter-argument I urge you to stop and think
seriously._

I have thought about these things for a _long_ time, and arrived at the exact
opposite conclusion: had such levels of security been there since the
beginning of computing, there would be no jailbreaks, rooting, homebrew, or
any real freedom. Everything would be so locked down and unbreakable that
there would be no "possibility to disobey", and that is a far more terrifying
alternative.

A world in which there is no crime is one where everyone has already been
strongly coerced into submission and every aspect of their lives closely
monitored and controlled. Ultimately, humans are imperfect and that's where
all of these exploits and vulnerabilities come from. If we attempt to
eradicate them, by essentially removing imperfection, we will literally be
taking the humanity out of life. Is that really the (cyber-)world you want to
live in, or move towards?

_Whatever the cost it is worth paying._

I see this continuing insecurity as consolation that we still have some
freedom left, but positions like yours --- increasingly popular, it seems ---
are strongly reminiscent of the "war on terrorism" and its associated
repugnance, because it is really the "war on cyberterrorism".

As the classic saying goes, "Those who give up freedom for security deserve
neither."

~~~
golemotron
I agree. The real danger is software monoculture. We need many diverse systems
with very different attack surfaces. Less standardization. That's the way
nature survives. We just need to learn the lesson.

~~~
bmurphy1976
Nature also has things like immune systems, but you get into very sketchy
legal territory there. Our legal system has not caught up with this new
interconnected reality.

Oh, and nature very frequently suffers all kinds of systemic collapse. Nature
isn't immune to this.

~~~
golemotron
Still kicking after 3 billion years.

------
LeifCarrotson
> The Internet ... started out by only connecting computer networks. But today
> it connects networks of vastly different sorts: computers, yes, but also
> financial networks, distribution networks, road networks, water networks,
> power networks, communication networks, social networks.

Those are all computer networks. It just happens that some of them involve
computers running financial software, or computers running electrical control
software, or computers running social software. Or computers running phone
software, or light-bulb software, or toaster software.

Perhaps we don't need networked toasters, but I don't want to go back to a
world where financial transactions are conducted based on hand-scratched notes
and shouting on trading floors.

Computers are just too powerful to ignore. The problem is not that they are
computers, but that some are locked down for user control of networking, but
simultaneously designed insecurely as, say, "smart web cams" without the
necessary incentives to keep them secure.

~~~
jff
> I don't want to go back to a world where financial transactions are
> conducted based on hand-scratched notes and shouting on trading floors.

Seemed to work pretty well for a long time.

~~~
jpttsn
Our expectations have since increased. I wouldn't want to go back to the GDP I
thought was fine ten years ago.

~~~
jimktrains2
Adjusted for inflation, has it changed that much in 10 years? Ditto for median
wages.

~~~
Tuna-Fish
Absolutely yes for both. The past decade was one of the most successful ones,
if not _the_ most successful one, in global wage increases and poverty
reduction. Literally billions of people have been raised to standards of
living they didn't dare to dream of a decade ago.

Of course, these increases have been concentrated among the poorest people in
the world, so you don't see them in the US.

~~~
dredmorbius
Almost all of that in two countries: China and India. And much of that in
China. Which had a hell of a lot more to do with raising the floor than
lifting the ceiling.

Some of our international globalisation tools assisted in that -- shipping
(Maersk included), finance, and realtime shelf-to-factory inventory control.
But a lot of it didn't.

As Gibson's noted, the future's already here, it's just not evenly
distributed. You might also want to ask, from time to time, just which trends
truly represent "the future".

~~~
observation
I'm glad to see you're still here dredmorbius.

The facts and statistics in history and economics appear to be 'politically
incorrect' for every type of political belief system. Liberal, Left,
Libertarian, Conservative, doesn't matter, there's some factor out there that
hasn't been incorporated. I think the Google people say something like "unless
you're God, bring data".

~~~
dredmorbius
Thanks.

Yes, epistemology and ideology seem rather opposed.

------
nostrademons
The analogy with electricity is pretty good. When the electricity goes out,
most people are pretty screwed: it powers our lighting, air conditioning,
household appliances, refrigeration, gasoline pumps, Internet access,
point-of-sale systems, and in many places, cooking and running water too.

However, when the electricity goes out, it usually comes back on within a day
or so, because a power outage is viewed as a top priority to fix, simply
because so many aspects of modern life depend on it. And really critical
businesses (supermarkets, hospitals, etc.) invest in generators so that they
can run independently of the power grid.

The Internet will likely follow that path. It'll become indispensable to
modern life, which means that when there's a threat against it, a lot of
experts will be mobilized to put it back in service. And really critical
businesses will invest in making sure their systems work even when offline.

~~~
rocqua
The scary case isn't the internet going down. The scary thing is the internet
becoming too hostile a place.

When I can't reach the internet, all it takes is a new cable. When anything I
connect to the internet is going to be infected and DDoSed to oblivion, the
fix is a lot harder.

The other scare is that some critical infrastructure is exposed but not widely
known. This allows the infrastructure to develop resilience to unintended
failures, but not malicious failures. When this finally gets found, carnage
may happen. An interesting example of this is BGP.

~~~
nostrademons
The same concerns were expressed about electricity [1] when it was first
invented. The usage of the electric chair for executions was sponsored by
Edison Electric [2] (now GE) as a way to link rival alternating current (and
specifically Westinghouse; Thomas Edison made sure that the first executions
were conducted with Westinghouse machines) with death in the public's mind.

The solution wasn't to give up on electricity, it was to adopt basic safety
precautions like step-down transformers to household voltage, elevated power
lines, and insulated couplings.

[1]
[https://en.wikipedia.org/wiki/War_of_Currents#Safety_concern...](https://en.wikipedia.org/wiki/War_of_Currents#Safety_concerns)

[2] [https://en.wikipedia.org/wiki/Electric_chair#The_Medico-Lega...](https://en.wikipedia.org/wiki/Electric_chair#The_Medico-Legal_commission)

~~~
Nomentatus
The three-letter agencies haven't changed their minds. They still think that
every computer being insecure makes us all more secure, and they will and they
have acted to create this situation. That's the difference between now and a
century ago. The govt back then didn't feel it was in their interest for
electricity to be fundamentally unsafe for consumers. Until the agencies
genuinely reverse course, inventions to promote safety can't move forward.
We'd have basic safety now, as you describe, had room been made for it. But
instead, they played past the edge - way past the edge, and have no profound
regrets about that that I've heard.

------
elicash
> I’ve often wanted to sit down with Mark Zuckerberg and argue with him about
> Facebook. It is premised on the notion that "connecting everyone" is an
> unmitigated good.

This isn't the author's _major_ point. But worth noting Zuckerberg changed
FB's mission recently to "Give people the power to build community and bring
the world closer together."

Said Mark: "Connecting friends and family has been pretty positive, but I
think there is just this collective feeling that we have a responsibility to
do more than that and also help build communities and help people get exposed
to new perspectives and meet new people -- not just give people a voice, but
also help build common ground so people can actually move forward together."

~~~
davidivadavid
Wow, that's really interesting. Hadn't noticed the change in the mission
statement. For reference, it used to be: "Give people the power to share and
make the world more open and connected."

They changed from making the world more "open" to making it "closer", which
are antonyms in a certain way. They changed from the idea of having Facebook
be this sort of universal community of people getting together to searching
for more intimacy, getting people closer, etc. but they keep talking about
"the world."

I've always thought there was room for an "anti-Facebook" that would be the
opposite of their original vision statement. Its goal is not to "share
things", i.e. to make things public, but to create more private communities
that are tighter; not to make the world "more connected" (everyone having 5000
friends) but better connected (i.e. the value of relationships is higher).

It seems like FB may be trying to go in that direction after all, but who
knows what they really meant.

~~~
tsunamifury
It seems to be Facebook acknowledging that close-ties networks are of
significantly more long term transactional value than the loose-ties network
whose value is almost entirely advertorial.

~~~
davidivadavid
Yeah. But what does that mean for their business model?

~~~
dasil003
Not much. If they can still be the place where all the small communities
gather then they still have all the data. It's clearly in Facebook's best
interest to provide maximum value to their users; whether that is small or
large groups doesn't matter to them.

------
rsync
"But today it connects networks of vastly different sorts: computers, yes, but
also financial networks, distribution networks, road networks, water networks,
power networks, communication networks, social networks."

This is, I hope, incorrect.

Power, water, road, etc. should not be Internet connected and in many cases
should not be networked at all.

Homeowners doing cute things with arduino and their lawn sprinklers (and
learning good lessons about simplicity and fragility) are one thing. It's
quite another to bear the responsibility for critical infrastructure.

I hope the adults in the room have the wisdom and experience to eschew these
kind of "improvements".

~~~
rocqua
Sensor networks are great boons to any infrastructure. It allows for much
quicker reactions and much better tuning. However, this network doesn't need
to be public.

I can see how you'd pick the internet as a base-layer for this network, which
would be a bad idea. The alternative is building an entire separate network,
which seems almost undoable.

~~~
ldp01
For some industries it makes sense. Rail and power networks use their own
physical infrastructure as they have specific latency and reliability
requirements for protection and signalling systems and it's convenient to just
build their own comms networks alongside their other infrastructure.

~~~
rocqua
Rail and power also already have physical infrastructure and property along
which they can setup networks.

------
marsrover
I don't think this is a revelation to anyone in tech circles. For this reason,
I usually choose products that aren't internet enabled.

~~~
mark_edward
The article's point is more than about consumer devices being internet
enabled, it's about how many things are internet _dependent_. Everything from
critical infrastructure to production and distribution networks are now
Internet dependent in terms of actual delivery.

~~~
digi_owl
In large part because of company and government cost savings via off the shelf
parts and BYOD.

------
empath75
I'm starting to believe we need some kind of Geneva convention among
intelligence services.

It's one thing for them all to be spying on dissidents and terrorists or
however they want to bother their internal populations, because they'll be
limited in how much damage they want to do to their own economies.

Once you have intelligence services engaged in all out warfare with each
other, there's really no limit to how much damage they can do. Up to and
including deaths.

We need to get to some kind of gentleman's agreement between the CIA and the
FSB really quickly before the world economy collapses.

------
gavinpc
It is kind of ironic, since the internet was designed as exactly the opposite:
a damage-tolerant coast-to-coast communications system, i.e. one without a
single point of failure.

~~~
crpatino
Double-plus-so. The Internet continues to be damage tolerant. The problem is
that we have collectively expended the last 20 years building single points of
failure, and hooking them up all through the Internet.

------
Filligree
Site got ycombinator'd, so here's a google cache:
[https://webcache.googleusercontent.com/search?q=cache:AyxA4F...](https://webcache.googleusercontent.com/search?q=cache:AyxA4FAqnfcJ:https://www.raphkoster.com/2017/06/27/the-internet-as-existential-threat/+&cd=1&hl=en&ct=clnk&gl=ie)

~~~
amyjess
Unfortunately, the Google Cache is still trying to load data from
raphkoster.com

Do you have a pastebin dump?

~~~
xaedes
Webarchive works for me:

[http://web.archive.org/web/20170628133305/https://www.raphko...](http://web.archive.org/web/20170628133305/https://www.raphkoster.com/2017/06/27/the-internet-as-existential-threat/)

~~~
amyjess
Thanks!

------
gaius
Tainter postulates that societies collapse when they reach their limit of
complexity.

[https://en.wikipedia.org/wiki/Joseph_Tainter#Social_complexi...](https://en.wikipedia.org/wiki/Joseph_Tainter#Social_complexity)

------
Unbeliever69
When Raph speaks my ears always perk up.

------
akoster
Site not loading for me. Internet archive mirror:
[http://web.archive.org/web/20170629000253/https://www.raphko...](http://web.archive.org/web/20170629000253/https://www.raphkoster.com/2017/06/27/the-internet-as-existential-threat/)
(Also I realize I share a surname with the author but am of no relation that I
know of.)

------
pascalxus
Thanks for reminding me to back up my gmail and gdocs.

I think she makes a good point about not getting one's paycheck - that could
definitely have a devastating ripple effect on the economy. But, is it really
possible, that the entire internet go down?

~~~
scottLobster
That's the thing, he seems to be ignorant of just how redundant and reliable
the system is. He uses the example of a worldwide economic collapse if Google
went down for a month. Which is probably true. Thing is, that's about as
likely as a worldwide economic collapse from the US being nuked off the face
of the planet and everyone else left untouched.

The beauty of software is that it can be replaced/repaired quickly. If a power
plant gets utterly destroyed, it could take a minimum of months to build a new
one. If a piece of software gets corrupted, you load from backups or buy a new
copy. Downtime is incredibly minimized for even the worst designed system.

That's not to say disasters can't happen, but they will be limited in time and
scope so long as there's enough money to throw at the problem, and if the
amount of money-throwing ever becomes too much to swallow then we might
finally see some widespread solid security practices.

Honestly simply keeping systems updated would mitigate most of the potential
"devastating" attacks, the reason the recent ransomware attacks got as far as
they did is lack of funding/will, because it's largely cheaper for
organizations to let themselves get pwned than it is for them to protect
themselves.

~~~
__jal
Part of the issue is not redundancy, but heterogeny. It is like monoculture
crops - doesn't matter if you're growing 4x what you need if something comes
along that kills all of them.

> If a piece of software gets corrupted, you load from backups or buy a new
> copy

Software is cheap, as you say. Data isn't. The piece's author indicated that
the influenza-of-the-month was launched via tax software, which generally
isn't interoperable. If there is no reasonable replacement, what do you do?

Heterogeneous systems are more expensive to operate, require more expertise,
and cause more compatibility problems than monocultures. But they also don't
all die at once due to the same bug.

~~~
scottLobster
The same thing you do if physical tax/medical/financial records get lost in a
fire, or any other data for that matter. It's a major loss, maybe even an
economic crisis for some, but not an unrecoverable one. Worst case scenario
you move forward with less data and insurance does what it can. Create
countermeasures so it doesn't happen again. Said data should also be backed up
for this very reason.

Also, just because devices are on the same network does not mean they're
homogeneous. A Windows vulnerability won't take out a Linux server or an IoT
webcam. For everything to truly "die at once due to the same bug" you'd need a
network layer attack. Compromising the internet protocol itself, even if
possible would cut off the attacker as well, so that leaves us with denial of
service attacks, which are common. But services like Cloudflare already
effectively defend against such attacks, and even compromising an entire major
cloud platform (as in the author's AWS hypothetical) will simply result in the
cloud provider as well as other interested parties pouring all possible effort
into fixing the problem as quickly as possible.

Imagine that your monoculture crop could develop immunity to a new disease
within hours, days or weeks, with immunity developing faster for more serious
diseases. Then all you need is a big enough field to absorb any potential
losses.

~~~
__jal
> Worst case scenario you move forward with less data and insurance does what
> it can

Well, yes. Just like, after a house fire, you rebuild and try to carry on. It
is still catastrophic.

> Also, just because devices are on the same network does not mean they're
> homogeneous.

Of course not. The point is that there are many pressures towards running
homogeneous systems - easier to hire for, easier to manage, fewer support
systems to run, fewer interop problems, bigger vendor discounts, etc. etc.

These pressures are hard to resist, but we have to do better at running
heterogeneous systems, because without them, your entire farm can burn down
before you notice.

Nothing you say is wrong, but just because "it's just software" doesn't mean
these aren't catastrophes.

~~~
scottLobster
Not saying they're not, but the author specifically mentions "existential
threat", "paralyzed economies", and worlds where people without technical
skills are instantly hacked upon connecting to the internet. He uses the
example of water supply so completely poisoned that no one can drink from it.

The author seems to be making an assumption that we could enter a world where
insecure technology could be taken offline all at once by some random
hacker(s) and remain in such a state long enough to completely destroy
economies and institutions. Frankly the system just isn't that brittle, if it
was it would have failed long ago.

It's like looking at Hurricane Katrina, which while catastrophic was never an
existential threat to the US, and saying, "now imagine if Hurricane Katrina
happened everywhere, every day!" without considering if such a thing were
possible or likely in the first place.

As for heterogeneous systems, what do you think the cloud is? Sure it may be
homogeneous for users, but that's all abstraction for what is a VERY
heterogeneous system under the hood. Sure having independent/redundant
subsystems is ideal for reliability, but at the end of the day I don't see the
need for all the frightful abstractions. The farm isn't going to burn down
without anyone noticing, there are simply too many powerful interested parties
and too much built-in resiliency.

I'm all for building in more resiliency/redundancy to prevent catastrophes as
you mention, but the author takes a couple of major security incidents and
spins them into apocalyptic techno-panic.

------
partycoder
If anything, the Internet was created with resilience in mind. In fact there's
no "the Internet" but rather a network of networks that is by design very hard
to shut down.

You could argue that there's DNS and that's more centralized. Sure, point
granted. But in theory you can use any DNS server you want... and there are
projects which make it less centralized.

Now, a different topic is how devices can be taken over... and that's
something where we are largely to blame. The EFF, and the old-school Open
source folks like Stallman have been warning for years that we are giving away
our freedoms by trusting in closed source. And they were right. Now we are in
the endgame where every single computer has one of these "management engines"
that cannot be turned off and have total control over a computer, and where
your source of entropy is RDRAND.

