Haymarket Media, Inc.
SC Magazine
The SC Magazine Newsteam Blog

Back to the future past

Posted November 20, 2008 | Comments (0)

The web, you see, is connectionless at bottom. I’m not referring to protocols, for those of you technically bent.

What I mean, in a non-engineering way, is that in the old days (say about the time of Alexander Graham Bell), to have your device connect to another person’s, you had to physically hook wires to it, generally by way of young women sitting at a wall of jack fields. That, by the way, led to a prediction that eventually we would run out of people to sit in central offices and shove plugs into jacks.

That notion evolved – I’m skipping forward rapidly – to massive computers in central offices doing the plug shoving (at least virtually). That era was called the circuit-switched era (I just coined an era!).

Then, of course, we entered the era of packet switching (skipping even more). In this era, the destination device is connected (virtually) not by wires and plugs, but by way of little packets that contain destination addresses. All these little packets find their own way to their destination. They are trusted to get there safely and without modification.

Which leads to my latest theory (file this under Harebrained, Latest): Packet switching causes the security problems inherent with the internet.

I know, I know — nothing is that simple. But when you have a system that can be used to intercept, modify, or connive readily, you will find people who intercept, modify and connive. If you can anonymously change, or spoof, a few packets instead of running drugs, heisting banks, or doping horses, crime will pay.

When the internet first started to actually work, it worked because the people building it trusted one another. That is, when you sent your personal information, Social Security number, bank account numbers, and children’s ages, the guy at the other end just figured it was test data, or that you were terribly confused, or both. They typically did not use the info to open bogus credit cards, drain your bank account, or kidnap your kids.

How things change!

Maybe a circuit-switched network was no safer, and there may be no causal link between an open, trusted model of networking and cybercrime, but it would likely be safer to run transactions on the Graham Bell, “Watson, come here” model.

Of course, it would be inefficient, expensive, and very near impossible to maintain. And life would be dull without what the internet has evolved to.

But the idea of talking to someone and otherwise exchanging information without worrying about devastating financial loss lurking behind every link is blissful.

When that universe opens up, let me know.

Filed under: Opinion

Computer security legal parallels

Posted September 11, 2008 | Comments (0)

To believe the data, the trends, the analysts and the other interested observers, lawlessness is the status quo in computer security.

I’m just talking here. And as a colleague of mine used to grumble, I know nothing…

But what happened to the implied social contract of the internet?

In society, the theory goes, people go about living without fear because of protection afforded by the policing function of government. In fact, the need for effective protection arose from an inability of ordinary individuals to curb lawlessness.

And where does lawlessness stem from? Criminal minds, of course. That is the purview of criminologists, right? Criminology theoretically draws on the study of multiple disciplines from biology to anthropology. Crime relates to a multiplicity of conflicting and convergent influences, so any understanding of causality remains hard to pin down.

In general, however, security implies prevention – preventative measures and investigation of incidents after the fact (in theory to prevent future incidents and discourage wrongdoers). Most organizations are on their own in terms of prevention; and investigating is the last measure one would engage in if it involves outside help and notoriety.

Even if outside help were relied on, the nature of computer offenses is not something that lends itself to everyday recourses. In this country, there is a very disjointed system of governmental administration, including thousands of disparate municipal and county law-enforcement agencies and even more federal, state, and local agencies with specialized jurisdictions. 

Whether or not you agree that computer security is a law-enforcement problem, the enforcers cannot be expected to create order from whole cloth; we’re talking about a criminal behavior quite different from the usual street crime.

That is, though crimes are considered injurious to society, the onus of cybercrime is addressed mainly by commercial products aimed at prevention of overt acts in private organizations.

People engaged in business should be able to go about being productive without concern that assets they create and work with will be drained and sold in cyberspace. This freedom of action has to be protected, and it is now only through a strange amalgam of government and private efforts.

Where does one begin and the other end?

Filed under: Opinion

Bring the hacker here

Posted August 28, 2008 | Comments (0)

The news: Gary McKinnon, the alleged NASA hacker, has failed in his last-ditch appeal to the European Court of Human Rights to have his extradition to the United States quashed.

Here’s the background: In 2002, McKinnon, also known as Solo, left this message on a computer belonging to the U.S. Army:

“US foreign policy is akin to government-sponsored terrorism these days… It was not a mistake that there was a huge security stand-down on September 11 … I am SOLO. I will continue to disrupt at the highest levels.”

As a result of this action, and a few others, he was indicted in 2002 by a federal grand jury on seven counts of computer fraud and related activity, and faces on each count a maximum sentence of 10 years of prison and a $250,000 fine.

The indictment says that in one instance he obtained administrator privileges to a military computer, deleted approximately 1,300 user accounts, deleted critical system files, copied a file containing usernames and encrypted passwords for the computer, and installed tools for obtaining unauthorized access to networked peers. What’s more, he did the same thing to Army, Navy, Air Force and NASA computers from Groton, CT to Pearl Harbor.

Specifically, the indictment charged that McKinnon scanned a large number of computers in the .mil network and was able to obtain administrative privileges to many of them. Once he was able to access the computers, McKinnon installed a number of hacker tools (one of which was “Remotely/Anywhere”), copied password files, then deleted a number of user accounts and critical system files. Eventually, he was able to scan more than 73,000 computers.

At the Naval Weapons Station Earle, on one of the computers used for monitoring the identity, location, physical condition, staffing and battle readiness of Navy ships, he deleted files that rendered the base’s entire network of over 300 computers inoperable. This was at a critical time: immediately following September 11.

The indictment goes on to say that once inside a network, McKinnon would use the hacked computers to find additional military and NASA hosts. In one attack, McKinnon caused a network in the Washington D.C. area to shut down, resulting in the total loss of internet access and email service to approximately 2,000 users for three days. The estimated loss for all of this has been put at approximately $900,000.

OK, then. Let me get this straight. Using his home computer, McKinnon, through the internet, identified networked government computers and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed Remotely/Anywhere, which enabled him to access and alter data at any time. Right…

It’s hard to feel too sorry for this guy, considering the nature of the charges against him. If he didn’t do this stuff, or if he can justify his actions in some way (he claims he was looking for UFO information), he should tell it to the judge.

Filed under: Opinion

Internet icon, he cons, they will have conned

Posted August 21, 2008 | Comments (1)

“So, I have this watch I’d like to sell you. You probably don’t need a watch, and you could likely live without this one, but the nice lady you’re with would surely be impressed if you were wearing some nice new shiny man-links on your wrist. Just look at the way she’s studying your face as you examine it!

“And the price! How can you go wrong? $20 dollars and it’s yours. You walk away a new man, your girl is bowled over, and at that price — well, you really put one over on me.”

“He’s right,” you think. “It’s flashy, I dig the design, she’s really acting as though she’s impressed. The guy looks like a good guy, and he’s talking a square deal … I think.

“What the heck? Call me a sucker, but what if this thing is legit? I may have just stepped into a bit of good luck. I’ll hand over this nice new twenty and put the glitz on…”

As you walk away, the seller disappears, the watch stops, and your girl can’t get over why in the world you would do such a thing. Her look of being impressed was really one of incredulous amazement at your stupidity.

To be human is to be weak; just read Hamlet or King Lear. And tragedy is not limited to storied interactions. It permeates all human activity, right? So it is in the modern corporation, peopled by potential tragedies sitting at every monitor and keyboard. Any user falling for a seemingly innocent ploy can bring down the whole company. Click that email attachment, download that fun game, and unknown — unseen even — a door opens to the Raiders of the Lost Bot.

The modern term of art is “social engineering,” but it may be the world’s third-oldest profession. Every generation produces people who are skilled at conning others, and a sucker is born every 60,000 milliseconds. It’s the final frontier for the current con artist, the guy who lurks around every corner of the internet stalking his next mark.

The only effective way to combat this menace, the experts agree, is end-user training, constant vigilance, and up-to-date patches. Train, watch, patch… Train, watch, patch…

Why am I reminded of a half strophe, “the day the music died” (from Don McLean’s American Pie)? The internet made the world different, but in a lot of ways the world is just the same. The criminal tragedy suffusing the internet parallels the demise of hope that the internet could be free of human malfeasance.

But, alas, poor Yorick, fellow of infinite jest, we must progress: Train, watch, patch…

Filed under: Opinion

Arms in cyberspace

Posted August 14, 2008 | Comments (0)

It’s been a busy time on the cyber warfare front. First there were rumblings of attacks on Georgia governmental websites, then actual attacks, followed by gunfire. The usual suspects are being blamed: overzealous teenagers, Russian mafia hoodlums, nefarious spy rings.

Then speculation came in over the wire that the Air Force Cyber Command was doomed. The Navy was supposed to take over. A statement rushed out from the Pentagon countered by saying:

“The Air Force remains committed to providing full-spectrum cyber capabilities to include global command and control, electronic warfare and network defense. The Secretary and Chief of Staff of the Air Force have considered delaying currently planned actions on Air Force Cyber Command to allow ample time for a comprehensive assessment of all AFCYBER requirements and to synchronize the AFCYBER mission with other key Air Force initiatives. The new Air Force leaders continue to make a fresh assessment of all our efforts to provide our nation and the joint force the full spectrum of air, space, and cyberspace capabilities.”

So now what? One of the main tenets of modern warfare is that the first target of choice in any campaign is the enemy’s command and control capability. Destroy that, and you can get on with obliterating the civilian populace. Given that most command and control relies on IP networks everywhere, instead of wasting munitions on cabling plant and computer centers, all that is necessary is to overwhelm the enemy with a few dozen hackers in a well-connected bunker.

Nevertheless, a cyber arms race is raging. McAfee has claimed that approximately 120 countries have been developing ways to use the internet as a weapon. And the U.S. military, the most technological in the world, is not exactly unaware of its cyber strengths and vulnerabilities. For example, it has long implemented a classified, encrypted military internet that parallels the ordinary internet, called SIPRNet. SIPRNet is made up of interconnected computer networks to transmit secret information by packet switching over TCP/IP protocols. Sound familiar?

Given the general impression left in the wake of Black Hat and Defcon, this is a daunting revelation, since dozens of presenters seemed to prove once again that IP is doomed. SIPRNet is securely sealed off, but you get the impression from some researchers that, regardless, implementing military network security is like chasing a will o’ the wisp.

The point is that conflict in the future, if the Georgian conflict is any guide, will involve cyberspace in a big way, and reliance on internet communications should be considered tenuous even before the bullets fly. 

Filed under: Government

A conversation with Ian O. Angell

Posted August 8, 2008 | Comments (0)

After his presentation at the Black Hat conference in Las Vegas, keynoter Ian O. Angell, professor of Information Systems at the London School of Economics, sat down with reporters in the Black Hat press room (yes, the one that was hacked), and talked about his take on technology, security, and much of the rest of the universe, as fits his philosophical bent. In some quarters, he is known as a cheerful pessimist.


In a prologue in the Black Hat brochure, he is described as having “very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic information systems. He has gained notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.”

Here are some excerpts from what he had to say.

On security:

“The problem with security is that there are so many silos of specialty that do not interact with each other. The breakdown is because they don’t talk to one another; they can accidentally conspire against one another.

“What we are seeing is not there; that is, we are not seeing security as it is. There is a latency, a link that does not appear anywhere in what we see.”

“The art of the security professional is seeing the problem before the amateur does.”

On the futility of quick fixes:

“When you focus on any single thing, you leave many things unobserved. There is no way to fully observe anything. There is a paradox as a result – almost a butterfly effect of paradoxes, a paradox that is smirking. The only thing systems have in common is that they fail.”

“If the internet crashes, it will be an accident.”

On complexity:

“Any entrenched culture is self-referential. The self interests of disparate groups are not alike.”

On innovation:

“We need more innovation. Innovation is ideas following on ideas, following on ideas. Large organizations do not innovate; they only fund orthodoxy. Professors research yesterday’s failures.”

On privacy:

“Privacy is monitoring people. The collective thinks it owns the individual; the collective strives until it destroys itself.”

“The government cannot ever get inside your head. When you see control freaks recognize their impotence, it’s wonderful.”

“Regulation can be the ultimate destroyer of the internet.”

On warfare:

“Using the internet in attacking another country is just another example of the use of innovative weapons in the history of warfare.”

Filed under: Groundbreakers and newsmakers

Bad news underground

Posted July 31, 2008 | Comments (0)

News item:

The Neosploit team is leaving the IT underground.

Citing a negative return on investment, the Neosploit developers are walking away from their support for their web exploitation malware suite. There will be no new exploit sets available.

News item:

Phishing kits found to be compromised.

Kits available for sale on the internet to steal information from phishing victims have been set up with backdoors. When they are used, information stolen by the phishers is sent back to the kits’ creators.

Hi, I am Iggior. I just purchased a nice new suite of malware from my dealer. I am so proud. I spent at least half the money I have been saving for my wedding, but it will surely be worth it. I can make money by the fistful. And I can keep making money, all I want, in huge quantities! And all I have to do is push a few buttons!

And guess what else? If I don’t make money, all I have to do is tell my malware dealer, and he will return my wedding money. Wow!

And if you can’t trust your malware dealer, who can you trust? Yeah!

What’s that? The phishing software I bought has a backdoor? What? My dealer can’t get in touch with Neosploit?

Hmmmm. Oh, man — I was almost rich…

But I know the woman will understand…after all, it’s not like she hasn’t seen this before. She calls me Ralph Kramden. I prefer Homer Simpson…

Filed under: Lawbreakers

Who was that masked cybercrime specialist?

Posted July 24, 2008 | Comments (0)

Maybe it’s just me, but it seems that some small inroads are being made by law enforcement in fighting cybercrime. For example, in recent weeks signs of progress have come to light, according to headlines such as:

New York Man Who Participated in Online Piracy Ring is Sentenced

Chinese National Sentenced for Committing Economic Espionage to Benefit China Navy Research Center

Botmaster Robert Matthew Bentley AKA LSDigital Sentenced

Largo Man Sentenced in Certegy Data Theft

Woman Gets Two Years for Aiding Nigerian Internet Check Scam

Romanian Pleads Guilty Over Phishing Scam

DBA Gets Jail Time for Data Thefts

AOL Spammer Gets 30 Months in Prison

Chinese Man Jailed for Hacking Red Cross Quake Site

Hacker Sentenced for Stalking Internet Celebrity

Seattle Spam King Dark Mailer Faces 47-Month Sentence

As Churchill might ask: Though this may not be the end, or even the beginning of the end, does it signal the end of the beginning? Not by a long shot.

The underworld market is just too lucrative, the ease of execution too great, the number of willing victims too high.

I am not a criminologist, and I’m not so sure there have been exhaustive studies into the mind of a cybercriminal, but I think the main thing on any criminal’s mind is: “I do not want to get caught!” So why risk pulling a gun on someone, when you can get much more money with far less danger and do it from thousands of miles away?

In any case, though it’s been difficult to catch them, and it is not likely to get much easier, at least some of those apprehended will get time to think about repeating another pushbutton crime.

Filed under: Lawbreakers

The SC World Congress

Posted July 3, 2008 | Comments (1)

In an era of shameless self-promotion, it’s time to be shameless. SC Magazine is planning a conference, called the SC World Congress, that will bring to the New York area a roster of security luminaries who will, it is hoped, enhance the conversation on ways and means to address security threats.

I cannot add or detract from what the marketing folks have done here. It is for me, rather, to be dedicated here to the unfinished work of getting the word out in an informal way, adding to the effort thus far so nobly advanced.

Oops, sorry to have injected the Gettysburg Address into this discussion, but keep the date in December open.

Among the speakers we have scheduled are:

Rich Baich, principal for security and privacy, Deloitte and Touche. Rich has led multi-national teams designing, implementing, measuring and advising organizations to effectively and efficiently balance risk, technology and data management decisions with data protection risks, regulatory compliance issues, privacy and security controls. Baich is former CISO at ChoicePoint where he held enterprise-wide responsibility for information and technology security. Previously, he held leadership positions within NSA, McAfee and the FBI. In 2005, Baich authored “Winning as a CISO,” a security executive leadership guidebook.

Steve Collins, director, Text 100 Public Relations. Steve Collins is a director at Text 100 Public Relations, a global PR consultancy. Steve manages the Text 100 North American Security Sector Team. Security clients represented by Steve and his team include Cisco, Corillian, the PCI Security Standards Council, IBM Tivoli, Bit9, Raytheon, and Websense. The team has more than 30 years of combined security experience in facets of security technology ranging from aviation security, biometrics, email filtering, encryption, homeland security, ID theft prevention, PKI, network security, spyware protection, virus control and Web filtering technology.

Paul DeGraaff, chief security officer, American International Group. Paul DeGraaff is globally responsible for AIG’s Information Security Program. Paul has received several security awards, such as an award from The Secure Software Foundation at the 2005 RSA Show for leadership in secure software development, from Archer Technology for technology innovation in 2005 and Vanguard Integrity Professionals at their 2002 conference for contributions to the security community.

John Iannarelli, supervisory special agent, FBI. Supervisory Special Agent (SSA) John G. Iannarelli entered on duty with the Bureau in April of 1995. In recognition of his investigative work, SSA Iannarelli has received the FBI Director’s Distinguished Service Award. He is now at the Phoenix Division, where he currently serves as the supervisor of the Cyber squad, overseeing all Cyber investigations for the state of Arizona. Iannarelli is also an attorney admitted to the practice of law in California, Maryland and the District of Columbia.

Dan Lohrmann, chief security officer, State of Michigan. With the help of a mere 29 employees, Dan Lohrmann is responsible for safeguarding 19 state agencies, which equates to some 55,000 employees and their desktops, as well as the public at large. He has spent some 13 and a half years in the intelligence community, working much of that time with the National Security Agency (NSA). He graduated from Valparaiso University with a Bachelor of Science in Computer Science.

Winn Schwartau, founder, SCIPP International. Winn Schwartau thinks asymmetrically; some would say “Out of the Box”. If it’s originality in thought, writing, presentations or training, call Winn. He balances his time between writing, lecturing, teaching and building corporate and national security-awareness programs and consulting on cyber-conflict and Infowar to multinational organizations and governments worldwide. In addition to being called, “The Civilian Architect of Information Warfare,” he is one of the country’s most sought leading experts on information security, infrastructure protection and electronic privacy.

Neil Warner, chief information security officer, Go Daddy. Neil is responsible for Go Daddy’s IT Security, Business Continuity, SSL Registration Authority, Spam/Abuse, IT Audit, Product Quality Assurance and IT Operation organizations. Before joining Go Daddy, Neil served as Director of Technology/Security for NDC Health, a health care information provider. Prior to that, Neil supervised computer operations and administration at Motorola Computer Group. Neil is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.

Plan to attend and say hello.

Filed under: SC Magazine

In defense of offense

Posted June 26, 2008 | Comments (0)

Human nature can rarely change, and when it does, it is mostly a reaction to environmental variation. This is Darwinism, and was famously reflected in Lincoln’s observation about human nature: “…repeal all compromises — repeal the declaration of independence — repeal all past history, you still can not repeal human nature.”

Thus it is with security in the interconnected world. When we think of security at all, it is from a defensive standpoint. Our forebears built fences, walls, castles, forts, and each of those defensive measures waned in turn. In the great conflagrations of the 20th Century, only when strategy turned from defensive posturing to offensive maneuvering did the winning side prevail.

Could our current plight in the face of a constantly evolving threat state only be rectified with a transformation of human nature? Should we abandon all further hope of creating the decisive defensive weapon and simply go after the attackers?

It’s hard to imagine such a radical shift. The environmental variation has not sunk in – most of the industrial world seems only vaguely aware that a problem of security exists.

Thus, repealing human nature seems unlikely. The answer may be that threats must be preempted. And the only way to see that happen peacefully is through governmental cooperation, on a level that requires more than just police action.

Therein lies the rub. Governments are made up of humans, and Darwin, Lincoln, and your local DHS office are not going to repeal the defensive mood.

What am I driving at? Until everyone senses some kind of a worldwide criminal breakdown — chaos, anarchy, disorder, and monetary collapse — our defensive mentality is unlikely to change. The industry is safe for venture capitalists.

But if doomsday approaches, then survival may depend on a more proactive approach to the bad guys who thrive in the current setting. The pressure on governments, however reluctant, to cooperate in finding and eliminating cybercriminals behind their lines may push the cretins out of the picture.

But I’m not holding my breath.

Filed under: Opinion
