Use your computer fearlessly.




[ Security | Consulting | Research ]




Security: FAQ

There a great many misconceptions on the subject of computer security. This FAQ will attempt to clear them up, and will explain the ethical computing philosophy that Intrepid Net Computing applies to security.
  1. What is computer security?
  2. What is the common jargon in computer security?
  3. What is equal opportunity computing?
  4. What is open source computing?
  5. Is open source computing free?
  6. What is ethical computing?
  7. What is Internet or 'net neutrality?
  8. What is freedom of information?
  9. What is security-aware IT?
  10. So how does computer security actually work? Who does most of it?
  11. My computer and phone work fine; why do you say they probably have exploits?
  12. I travel a lot. How should I deal with security?
  13. Why do I have to keep updating my computer and spending money on security?
  14. What is the one security product or approach that I should buy?
  15. What do I do if I have been hacked?
  16. So what if someone compromises my computer; they cannot hurt me.
  1. What is computer security?

    Computer security is a state of network and operating systems that allows deterministic execution of computer programs, rather than bug-free execution. This determinism is defined in the closed system of either the operating system or the client-server system, as appropriate.

    This definition allows for bugs in the execution of both the operating systems and network infrastructure. While it is true that some bugs can be exploited for intrusion with the attacker creating non-determinism, the bugs themselves are deterministic. There are very few source of non-determinism in computing, and hacking is one of those.

  2. What is the common jargon in computer security?

    exploit n. any computer code that subverts a computer operating system for the purposes of hacking

    malware n. (short for malicious software) a piece of executable code that has malicious intent (source: Wikipedia)

    trojan n. (short for trojan horse after Greek mythology) malware that masquerades as a useful or routine piece of code (source: Wikipedia)

    worm n. (short for computer worm) stand-alone malware that self-replicates over a computer network or using some hardware interface (source: Wikipedia)

    rootkit n. malware that hides in the core operating system by installing itself inside normal OS binaries; typically grants system-wide access to the attacker

    virus n. (short for computer virus) malware that self-replicates but that must be attached as a hidden part of an existing useful file or useful piece of the operating system (source: Wikipedia)

    zero-day exploit n.p. a novel exploit that has been released by the hacker, but for which there is not a patch or exploit scanner

  3. What is equal opportunity computing?

    Equal opportunity computing is equal access to secure computing. The goal is deterministic execution of computer programs (i.e. determinism in the closed system of either the operating system or the client-server system as appropriate), rather than bug-free execution.

    If you are a minority and your employer will not defend your work computer from hackers while defending your co-worker's computers, your employer is violating the equal protection clauses in United States employment law. Please consult an attorney if you are in this situation: Kronenberger Rosenfeld

  4. What is open source computing?

    Open source is a method of publishing software that allows users to access not only the executable code, but also the source code of the software. Source code is typically written in a high-level programming language that is readily readable by humans, while the executable code is in an assembly language that is difficult for humans to read while being easy for the processor to execute. The software is usually available for free and supports equal opportunity computing.

    BSD and various flavors of the Linux operating system have been developed as open source software. BSD got its start as an academic project at the University of California Berkeley. Linux is an open source implementation of the proprietary Unix operating system.

    Much of the computing infrastructure for the Internet runs on open source software. Even Mac OS X is rumored to be based on BSD. It is essential for security professionals to contribute to keeping the open source operating systems secure.

    As a result of open source operating systems, computer security is open source by necessity.

  5. Is open source computing free?

    Software costs money to create, to maintain, and to keep secure. Someone must pay the living expenses of the people who create and maintain open source software. Increasingly, the large computing companies are all contributing to open source software.

    Open source software is free only for the experts who contribute to helping maintain and write the software. In essence, expert computer scientists have their own club for sharing software. This is similar to other professions, such as law, health care, or the automotive industry, where experts help educate each other to keep up-to-date with their profession. Everyone else has to pay more for similar services, because of the education gap.

    Furthermore, as criminals increasingly use computers to commit crimes, this drives up the cost of computing for everyone. The public needs to pay for safe computing by supporting the law enforcement efforts to catch computer criminals.

    Please contribute to open source software by paying for the computing services that you use and by paying to keep computing safe.

  6. What is ethical computing?

    Intrepid Net Computing practices ethical computing which means that our security methods are defense-only. The best way to learn to defend against hackers is to defend, not to hack. Very few vulnerabilities are actually fixed with patches, and knowing how to hack tells you very little about defending. We strive to provide simple and cost-effective defense by employing consumer electronics and consumer software in innovative ways to directly block exploits.

    Intrepid Net Computing can consult on vulnerabilities and detect exploits. However, we will not do penetration testing which uses known exploits to test for known vulnerabilities. We call our approach ethical computing. We believe that life and work provide plenty of exposure to exploits without the need for professionals to hack.

    Intrepid Net Computing policy on ethical computing. We endeavor to employ people who are ethical and do not access computers without authorization. Any employee caught hacking will be fired. Our founder, Dr. Kirkpatrick, is an ethical computer scientist.

  7. What is Internet or 'net neutrality?

    Many computer scientists believe that the Internet should be politically and economically neutral. This means that the Internet infrastructure is available equally to all users, regardless of their national origin, their political persuasions, or their social economic status. This is a concept in ethical computing that supports the ethical use of the Internet.

    The 'net is neutral when your web page, regardless of content, can be served just as efficiently from any server in the world and when your other networking activity is routed without regard to content. It is a an idealistic concept, since bandwidth, infrastructure, computing platforms, and Internet law vary around the world. Many computer scientists think that the laws of some countries violate 'net neutrality. For example, China is known to practice Internet censorship.

  8. What is freedom of information?

    Freedom of information is the right to freely access public information. When taken too far, the idea becomes hacker-speak for the right to steal private data and trade secrets. Freedom of information can result in a lack of privacy, in cases where the two ideas are at odds.

    'Net neutrality preserves the rights of users to decide what they want to share. In particular, the notion of open source has developed as a respectful way for programmers to share code, and the programmer decides if they want their source code to be open. Typically, code that has been developed by academics as part of a government grant is released either open source or free for academic use (with commercial users paying).

  9. What is security-aware IT?

    Security-aware IT is the professional practice of providing information technology services while being cognizant of security issues. It can and has been argued that all IT professionals should be security-aware. However, it is becoming evident that most IT professionals do not have the training to consider and adapt to a constantly changing security environment. In particularly as the Internet of things grows and computers become ubiquitous, it is necessary for security professionals to trouble-shoot complex electronic environments.

    First and foremost, security-awareness requires and understanding that users are the first line of defense and that people can often detect novel intrusions during their so-called zero-day period. The zero-day period for an exploit is the time between when the hacker writes the exploit and a patch or scanner becomes available. This means that responding to user security complaints is the first line of defense, and just so happens to also be an ethical business practice.

    Second, ethical security requires an understanding of the complicated dynamics of how all the computing communities work together. What is shared freely, what do people profit from, who talks with whom, and who pays for what. These communities in the US involve: academics, open source programmers, for profit companies, non-profit companies, government, NSA, and military. After that, security professionals need a strong understanding of international dynamics, since different countries have different computing legislation.

    We believe that security-aware IT professionals should have a strong grounding in undergraduate computer science, excellent interpersonal skills, and a good grasp of the economics of computing. Background in algorithms and the theory of computing is required, because secure computing is deterministic and difficult to detect. Interpersonal skills are necessary to work effectively with users who have fewer technical skills and translate their observations into technically relevant language. Effectively addressing vulnerabilities and complicated environments requires that security professionals understand who to talk to about which problems and with whom to share information.

  10. So how does computer security actually work? Who does most of it?

    Security is a very complicated process involving many people, including: users, systems administrators, open source programmers, software companies, academics, government, law enforcement, and military. Security professionals must be aware of all these players and how they work together to solve complex problems. Good security professionals will work for the equal access computing for all users and will work to put themselves out of a job by stopping all hackers.

    Open source programmers come from every part of the computing industry. Some proprietary companies support their programmers contributing to open source. Some open source programmers are college students. Some are systems administrators. Some are currently out of a job. They come from any country in the world, and have any gender. These people know the guts of the open source operating systems.

    Academia has produced much of the software engineering and code that is used to run our existing computing infrastructure. Academic work is funded by universities and by government granting agencies. Because of this, much of the academic software is freely available. Academic computer scientists also work to keep that software secure by fixing vulnerabilities. Academic computer scientists often work closely with the open source community or contribute directly to open source projects.

    Software companies often develop proprietary software, and they are responsible for almost all of their security issues after users report them. However, the governments around the world have become increasingly interested in security, and they often aid companies in fixing vulnerabilities. This aid is similar to the US bail-out of the financial industry and has an undisclosed dollar value for the computing industry.

    Systems administrators and users are together responsible for the maintenance and use of the computing infrastructure that they operate. Both parties are responsible for correctly and quickly reporting intrusions, helping identify vulnerabilities, and updating systems with patches.

    The government funds scientific computing through the granting agencies: NSF, NIH, DOE, and DHS. Science policy is set by law-makers in conjunction with the AAAS in Washington, DC. Scientists help decide which projects get funded, after the broad policy goals are set by law-makers. This is how academic operating systems research gets funded, and this is how the fledgling Internet was funded.

    Law-makers have also outlawed various forms of hacking using the Computer Fraud and Abuse Act which was passed in 1986 and amended many times. However, hacking is difficult to define and various forms have been allowed to continue even to the present day. Law-enforcement including police, FBI, and Secret Service are involved in investigating putative violations of Internet law. These agencies often work with their own experts and academic experts to do forensics and track down the perpetrators. These agencies are also key players in helping communicate vulnerabilities, so that the computing communities can create patches.

    Militaries around the world have become increasing interested in the military applications of hacking. Exploits have been used in conjunction with traditional methods of war. These same militaries are interested in protecting their citizens from just such an attack by an other nation. Ethical security people condemn the use of exploits for war.

    Security professionals should be trained in computer science and should have a strong understanding of how the various players work together to make security happen. This allows security professionals to properly advise their customers on the quickest and safest routes to improving security.

  11. My computer and phone work fine; why do you say they probably have exploits?

    Most consumer computers have exploits on them. For example, your computer may have picked up a virus from an email, a trojan from a USB stick, or a worm from the Internet. These exploits live in your operating system until you get rid of them. They allow hackers to cannibalize your operating system, steal your data, and use your computer to attack organizations.

    Here's a thought experiment. If your computer or phone is used by someone else to attack an organization and steal trade secrets, who is responsible? You bought the computer, provide it power, and network access. You might not be responsible for the exploit or the hacker's action, but you are responsible for responding as soon as you know there is a problem. This means reporting violations of privacy and attempting to secure your computer, phone, and data. Your ignorance of a hackers activities may not protect you from the legal ramifications of them using our device(s).

    Business, government organizations, and academic institutions are required by US law to report privacy violations whenever personal data under their control is hacked.

  12. I travel a lot. How should I deal with security?

    Travel exposes your laptop to the most vulnerabilities, since the security of the networks you access is unknown to you. Also, foreign countries have a variety of computer and Internet laws that may influence your computing activities. For example, some countries do not allow encryption, and some countries do not allow political discussions online.

    We recommend that you get a travel check-up for your laptop, just as you have travel health checkups for yourself, when traveling internationally. Check-ups are also recommended when visiting some domestic locations: California, Florida, and New York.

    Many IT organizations do travel checkups on laptops. To see the Canadian government's travel recommendations, please refer to: cybersecurity while traveling, and Get Cyber Safe.

    If you wish, Intrepid Net Computing can help train your IT staff in travel security. Dr. Kirkpatrick has many years experience in academic teaching, and can teach extremely technical content to lay people.

  13. Why do I have to keep updating my computer and spending money on security?

    Computer science theoreticians believe that there is no such thing as guaranteed computer security. The reason that we believe this is that we suspect the security problem is reducible to program verification and the halting problem. These are two problems for which there exist no algorithms to solve them. Alan Turing used mathematical logic to prove this fact. But, notice the use of the word suspect. As far as Dr. Kirkpatrick knows, this suspicion has not been proven.

    Barring revolutionary developments in algorithmic theory, we suspect that computer security is inherently an arms-race. This means that clever hackers will be able to invent new exploits, and security people will need to remove those exploits from computers and address the vulnerabilities.

  14. What is the one security product or approach that I should buy?

    In many cases, it is sufficient to keep your operating system updated and occasionally scan your computer for viruses. However, in extreme situations, additional security measures will be required. These measures include: off-site data backups, off-site operating system backups, cleaning of compromised network infrastructure, cleaning of compromised computers, reporting intrusions to law-enforcement, and cooperating with law-enforcement and/or military.

    The fact that you must continue investing in computer security and computer software is not a desperate scheme on the part of technology companies to make money. Rather the constant investment seems to be required by the limits of computing and computational theory.

  15. What do I do if I have been hacked?

    Report the intrusion to your employer, the responsible network administrator(s), your computer administrator, and the police. The most extreme cases may involve the FBI, forensics experts, and security experts. The forensics experts would attempt to attribute the attack(s) to the perpetrators. The FBI is the law-enforcement body in the US that is responsible for criminal proceedings. The security experts would help you recover your computers to a secure working condition.

    Any data breach involving financial information must be reported to the effected individuals. Any data breach involving the health data must be reported to the Department of Health and Human Services for full compliance with HIPAA.

    Your employer is morally obligated to report the intrusion to any user who may be influenced by theft of personal data or by compromised systems. Reports to law enforcement depend on jurisdiction. Since criminal proceedings and forensics can take quite some time, ethical organizations will report intrusions as soon as they are detected, even before the exploit code is discovered and the perpetrator found. Early reporting is essential so that the extent of the intrusion can be accurately detected. Is it one employee that is affected, your whole business, or is everyone in your city/state/nation affected? Knowing the extent of intrusion helps us to discover the vulnerability, to triage which vulnerabilities to patch, and to get the patches released.

    Consider hiring a consultant to walk your through the process of cleaning up the mess. Typical IT professionals are not specialized enough in their experience to know all the critical aspects of the situation. A specialized consultant can help you quickly identify the high risk areas and ethical actions to take.

  16. So what if someone compromises my computer; they cannot hurt me.

    Congratulations on feeling invincible.

    Dr. Kirkpatrick disagrees with this assessment of invincibility due to personal experience of health decline while having been hacked consistently for 2 years and performing essential job functions using targeted systems. If your livelihood depends on computing technologies, then being targeted by hackers can cause anxiety, sleep loss, irritability, depression, autoimmune problems, and declining job performance. These days, everyone's health relies partially on computing technologies and this opens victims to misdiagnoses and mistreatment.

    We emphasize that hacking is a near-anonymous way for bigots to practice overt discrimination with impunity. Since the forensics requires expert computer scientists, many perpetrators get away with their crimes. Hacking, meaning unauthorized access to computer systems, has arguably been illegal in the United States only since 2008. Many hackers still think they can attack with impunity in the cyber-Wild-West, and some systems administrators employ vigilante justice by hacking the hackers.

    Legislation, law enforcement, and politics are slowly catching up with Internet and computer crime. This makes it especially critical for computing professionals and Internet-using organizations to have ethical standards that exceed the legal standards.




bbkirk@intrepidnetcomputing.com




© 2015, 2016, 2017 Intrepid Net Computing. All rights reserved.