On a Highway to …
Welcome

Dear Reader,
The Internet is a vast and beautiful thing – our ancestors would be amazed. I probably wouldn't have my job without the Internet, and if you work with Linux, the chances are your job, either directly or indirectly, depends on the Internet as well.
People in high tech like to talk about the Internet in glowing and heroic terms. The popular view is that the Internet is not just an information highway but is actually a highway on which we are all journeying to the future.
Part of the story is that the Internet is "good business," but the recent Equifax debacle illustrates how difficult it is to determine how much the Internet actually costs. A hack on the massive consumer credit reporting company compromised 143 million identities. The problem, according to several sources, was that the company failed to install routine security updates for the Apache Struts web application framework. A vulnerability in the platform was fixed back in March, but reports indicate that Equifax didn't get around to installing the update and therefore fell prey to the attack.
So now is the time when we all collectively say "What a bunch of slackers." Everybody knows you're supposed to keep current on security patches, and on Internet-facing servers, keeping up to date is an extremely critical and solemn responsibility. Internally, the company probably has its own "What a bunch of slackers" dialog going on. Some people have probably already been fired – or they will be soon.
Firing a few Equifax employees certainly seems appropriate, but it is a little too easy. We humans have a way of focusing blame on other humans, rather than on systems. When something goes wrong, we assign the blame to a person, and then when we punish that person, we all get the feeling that we're acting decisively to address the issue. Deeper down, though, the questions are a little more complicated – and thus more scary. For instance:
- Why was this vulnerability present in the first place and how did it go undetected until March of this year?
- What other vulnerabilities are still out there now that could be the cause of future events as bad as or worse than the Equifax debacle?
I don't really know the solution to the insecurity problems that face the Internet. In fact, I'm not sure I really believe an obvious solution actually exists – certainly not something that could happen within the next 5 to 10 years – but I think we would be in a better place if we would start understanding the real cost of operating the Internet and investing resources to address that cost.
The rosy picture we paint about Internet efficiency and convenience creates an imaginary world where a company can hide, making business decisions based on the illusion of security rather than on gritting out the labor-intensive reality of life in a jungle.
At Apache Struts, more code reviews, more testers, and bigger bounties would have helped find vulnerabilities sooner, but who is going to pay for it? Equifax probably could have used more training and a bigger, more qualified web admin staff, but who's going to pay for it? The way a company pays for overhead is to pass the costs back to the consumer, so they would have to raise their prices and would then lose business to competitors who are willing to live dangerously and do without enhanced security measures. (Pricing on the Internet is always a race to the bottom.)
Could the government step in and mandate security inspections or timely security patching for all companies, so failure to comply wouldn't just get you fired but would get you a fine or a jail term? Certainly not the US government, which is obsessed with reducing the regulatory burden on businesses to let them be "more efficient." The system encourages businesses to stay lean and unsafe, and the cost and inconvenience of all-too-frequent failures are passed to intrusion victims.
The effects of hidden costs are weird and difficult to trace; they are off the balance sheets used by traditional accounting, but they always show up somewhere. One of the possible effects of the Equifax intrusion, which compromised names and social security numbers, is that someone could theoretically hijack your income tax return. The remedy suggested by several experts is to file your taxes early. In other words, because you do business with a company that does business with a company that underfunded its security needs, instead of filing your taxes in April (which is your right under US law), you now have to file them in January or else someone you never met will steal your tax refund.
Isn't the Internet a marvelous thing?
Joe Casad, Editor in Chief