November 5th, 2007
Michael Barrett on Web 2.0: This stuff scares the hell out of me
When Michael Barrett (CISO, Paypal) heard the Eric Nolin was putting on Defrag, he called up and said “I’d like to come and talk because this stuff scares the hell out of me.” His key messages: (a) we’re doomed to repeat history if we ignore it and (b) security is hard. Not exactly earth shattering news–but one we’re inclined to ignore in our giddy rush to new uses for the Web.
Michael puts up a rogue’s gallery of protocols that have missed security: telnet, SNMP community strings, Kerberos, and WEP. He says of WEP: “What were they thinking?” WEP cost TJ Maxx somewhere in the $200 million dollar range. He adds OpenID to the list. When it’s used outside specific use cases, OpenID is open to phishing attacks.
The Web 1.0 standards are broken: You can’t write a safe Unicode webapp. Most Web sites are vulnerable to cross site scripting. It’s impossible to write software that fully validates it’s inputs and screens it’s outputs. DNS poisoning is a threat on any network–especially open ones. How can you build secure eCommerce when 30% of the endpoint PCs on the Internet are compromised?
What’s worse, nothing in Web 2.0 has done anything to fix the Web 1.0 issues–it’s simply given us more poorly executed protocols and standards to worry about. A couple of examples:
The problem is exacerbated the fact that even well-designed protocols get implemented poorly by programmers who don’t fully understand them.
Of course, there’s no silver bullet. A very reliable source recently told Michael that the take from electronic crime is now higher, worldwide, than that from illegal drugs! The bad guys are extremely well funded and the take is huge. As a result, the problem is likely to get worse–especially if we ignore it.
Phil Windley is an Associate Professor of Computer Science at Brigham Young University. See his full profile and disclosure of his industry affiliations.
