The Cost of Security

"Security problems" are the latest wave of Net panic. Hardly a week has gone by in recent months without an announcement of yet another security hole in a popular Net-related software product. The concept of computer security is a little fuzzy for most people; we're used to thinking of security in material terms. If I'm safe from physical harm or have a big retirement account, I'm secure. If my computer is in my house and my house is locked, my computer is secure.

This changes when you get online, when you link your computer to others. When you do that, you open up a connection to the outside world that has no regard for locked doors or local ordinances. In the case of Web browsing, this connection has generally been a one-way mirror: you see stuff, but nobody sees you. Not a lot of security issues. At least that's how it used to be.

A number of factors are changing this situation. Ironically, most of them have been market-driven. That is, many users have chosen to trade security and isolation for convenience and exposure. A Web browser that merely displays content (words, pictures, sounds) created by other people is more secure, but less interesting, than a browser that will also run software that manipulates that content in useful ways. To go beyond the model of the printed page, Web sites need better ways to ask you questions, process information, and display changing graphics. This entails creating little software programs to do those things, programs called "applets."

Whereas new software was formerly something you explicitly chose to install on your computer (either by inserting a disk or by explicitly downloading a file from the Net), applets are more transparent.

That is, the applets are designed to do their jobs without requiring extra work from you. They become just another element of the Web page, like an image or a sound. For example, a Web site with a complicated bit of animation on its home page may deliver that animation as an applet.
Your browser downloads and runs the applet automatically; all you see is the animation.

It's probably obvious by now how this makes things less secure — how are you to know that such an applet isn't being naughty? Perhaps while it draws the pretty animated picture it's copying all your financial records from your hard drive and sending them over the Net to a computer criminal's basement in the Ukraine?

Fortunately, this is not likely if the applet is written in the Java language, which most are at this point. The Java system keeps applets in a little security sandbox, and they can't go outside. No applet gets access to your files, so no rogue deletion or copying can take place. Setting up technical walls like this is the essence of computer security. And holes in these walls are the essence of computer security problems. On several occasions in the last two years, enterprising programmers have discovered ways to cheat the Java system and escape the sandbox. So far, most of these cheats have not been exploited maliciously, and the response to such reports of vulnerability is always fast. However, it's increasingly clear that there may never be a stage at which Java is perfectly secure.

Similarly, Microsoft is receiving some criticism for security risks inherent in its ActiveX system, which places no sandbox-type restrictions on applets. Java fans say ActiveX is dangerous; ActiveX partisans say Java is useless.

The average user is unlikely to be victimized by someone exploiting applet security defects. Most will just wait for a new version of their browser when the current one is found to be insecure, and not think too much more about it. But as we move more of our lives (finances, for example) onto our computers, and wire our computers more tightly to the global Net, more vigilance will be needed and criteria for online trust will become more stringent.
If this becomes too restrictive — if we decide we have traded too much, that convenience isn't worth creating personal police states within our machines — I hope we have the sense to backtrack.

***

Sites in my Sights

To learn more about the nitty-gritty of security concerns and Web browsers, see Microsoft's frequently updated pages (www.microsoft.com/ie/security/update.htm) or Sun Microsystems' Java security info (java.sun.com/sfaq/).

Don't Just Sit There, Sit There and Do Something

When the Defense Department gets interested in computer security, they give it a different name: Infowar. How much of this is legitimate threat and how much is desperate post-Cold-War budgetary padding? A brash essay at this popular infowar site may help you decide (www.infowar.com/CIVIL_DE/civil_f.html-ssi).

Feeling insecure? Send a letter in care of this publication or drop a line via e-mail to pb@well.com. The Cyberia Website is at http://www.well.com/user/pb/cyb/
