CSAM Back to Basics: Networks

Software, and the computer hardware to run it, provides transformational capability on a stand-alone basis. For soldiers from World War II forward, artillery targeting calculations took minutes instead of days. As word processors replaced typewriters, it signaled the beginning of the end for both whiteout and for the secretarial pools that used it. In the mid-1980s, I used an early Macintosh to rack and stack Space Station payload manifests for NASA, only to discover that weight and volume limitations would necessitate 3 or 4 times as many space shuttle flights as originally anticipated.

Yes, computers are powerful, but connecting them across networks is what has made them ubiquitous. To be sure, networks developed virtually in parallel with the computers themselves. And as the well-known “network effect” or Metcalfe’s Law indicates, the power of a network grows exponentially with the number of users connected to it, now exceeding some 3 billion users and 15-20 billion devices on the Internet.

The magic is Internet Protocol (IP), that mixture of numbers and dots (Google, for example, uses among many others) that identifies an address on the internet. Later the World Wide Web added names and lookup tables so people would not have to remember all those numbers (like the contact list in your phone), and the familiar but ugly “http://” to find specific documents or other resources (the uniform resource locator, URL), but the underlying mechanics are unchanged. For several decades we have used version 4 (IPv4) of the Internet Protocol as the basis for the internet. Its 32-bit addresses provided for 2**32 or approximately 4 billion unique addresses. These have now all been allocated, and this 2015 event signifies the transition to the newer version, IPv6, and its 2**64 possible addresses.

There are other differences. When IPv4 was defined, the assumption was that users would be well-behaved and cooperative, so security was not necessarily a priority. And once again the layer upon layer of complexity has provided ample room for mischief.

The big issue with networks is knowing who is on the other end of a connection and whether anyone is trying to listen in along the way. For cybersecurity this has resulted in a very large array of attacks, defenses against those attacks and so forth, and also the highly-publicized questions about surveillance. If there were a fool-proof way to establish the identity of a remote, unseen, probably unknown counter-party to every transaction, and guarantee that only that person could see the transaction (whether e-mail or funds transfer) our cybersecurity worries would be greatly reduced.

Encryption is the current answer to the privacy question, and there is a strong effort under way to make sure that every transaction is encrypted and every web site uses the security layer known as “SSL” (Secure Sockets Layer, or https://) for transactions. The current “Cryptowars 2.0” debate about whether law enforcement can listen in, even with a warrant, seems to be heading in the direction of strong encryption for everybody on their consumer devices, with the pros and cons hotly contested.

Identity is another matter. We use security certificates to let third parties vouch for a computer’s identity, and two-factor authentication or personal information to validate people on the other side of those computer screens, since everybody knows that username/password is ineffective and hopefully on its way out. But as the professionals tell us, attribution for a cyberattack is extremely difficult and identity theft is not uncommon. IPv6 may help some, since it adds or updates many security features, including some of the methods used to hide the actual identity of perpetrators. One other interesting approach being discussed for personal identity is “block chaining”, the same technology underlying the e-currency Bitcoin. Its combination of private identity but public visibility of historical transactions represents an interesting and relevant combination of features.

So what can a user do? Make sure you know who you are connecting to. Best practice is to type the name of a website yourself rather than clicking on an email link. Check the names of places you visit (generally visible in your browser window) to make sure they appear legitimate. Try to use SSL or other types of encryption (VPN is another) where possible. Enthusiastically embrace two-factor authentication or similar security measures when available, since these are a positive step forward. If you operate a network, at home for example, make sure you know how to look and understand who is attached to your network.
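
For the last point, knowing who is attached to your own network, here is an added example (not part of the original article) that compares the devices a Linux machine has seen on the local network with a list of devices the owner recognises. It assumes the text format printed by `ip neigh show`; the sample output and the inventory below are constructed for illustration.

```python
# Added example: the sample data is constructed, not captured from a real network.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:52:82:10:aa:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 3C:52:82:77:0B:9E STALE
192.168.1.40 dev wlan0 lladdr da:a1:19:5f:22:c4 REACHABLE
192.168.1.57 dev wlan0 lladdr 00:1e:c0:4d:91:7a DELAY
192.168.1.99 dev wlan0  FAILED
fe80::3e52:82ff:fe10:aa01 dev wlan0 lladdr 3c:52:82:10:aa:01 router STALE
"""

# Hypothetical inventory of devices the owner recognises (MAC -> label).
KNOWN = {
    "3c:52:82:10:aa:01": "router",
    "3c:52:82:77:0b:9e": "laptop",
}

def parse_neighbors(text):
    """Return {mac: sorted list of IPs} for entries that resolved to a MAC."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no hardware address
        mac = fields[fields.index("lladdr") + 1].lower()
        seen.setdefault(mac, set()).add(fields[0])
    return {mac: sorted(ips) for mac, ips in seen.items()}

def is_randomized(mac):
    """True if the locally administered bit is set, as with MAC randomisation."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def unknown_devices(text, known):
    """List (mac, ips, randomized) for each attached device not in the inventory."""
    known = {m.lower() for m in known}
    return [(mac, ips, is_randomized(mac))
            for mac, ips in sorted(parse_neighbors(text).items())
            if mac not in known]

if __name__ == "__main__":
    for mac, ips, rnd in unknown_devices(SAMPLE_NEIGH, KNOWN):
        note = "randomised address, check the device itself" if rnd else "fixed vendor address"
        print(f"unrecognised: {mac} {', '.join(ips)} ({note})")
```

A device with a randomised address will show up as unrecognised each time its address changes, so an inventory kept by hardware address alone needs a second check such as the hostname shown in the router's device list.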

In this complex, complicated world of the internet, a lot of your personal security and our collective security depends on at least a basic familiarity with these technologies, and your diligence in knowing and applying best practices wherever possible.

