Security Strategy

Devil's Advocate: Why computer security's so primitive

We've only been working on it for a few years

Tags: security, software patch, microsoft

By Martin Brampton

Published: 11 May 2004 09:25 BST

In real life, you can instantly identify people you know. But not so online. Until we can improve this capability, says Martin Brampton, your best defence against malicious users is paranoia.

It is no wonder computer networks are vulnerable to attack. It took millions of years for human beings to evolve the abilities they use in ordinary encounters. Now, in a few years, we are attempting to emulate them for electronic encounters.

Take, for instance, this fact: The average person can accurately identify a friend, seen from a distance at an awkward angle and in a poor light. This is a remarkable ability, and is pretty reliable, despite the billions of people in the world. Seemingly effortless recognition of faces is a skill that has resulted from generation after generation of evolution. It is not understood in detail, and certainly involves some amazing information processing.

Even voices are often distinctive. How many people do you instantly recognise as soon as you hear them speaking on the phone? And when you transact with unfamiliar people, you often rely on familiar features of the material world, such as a company's livery decorating a shop or office. Again, most of us are quite sensitive to small cues that confirm what is going on and are expensive for imposters to reproduce.

Turn to the internet, and it is all different. How do you know who you are talking to? There are plenty of cases to demonstrate how easily we can be fooled. And the solutions proffered remain unconvincing, despite government enthusiasm. Part of the problem is that large sections of the IT industry seem to view these issues through rose-tinted spectacles.

Take the question of patches for software vulnerabilities. It has always seemed a weak solution to deploy software widely, then attempt to fix problems by applying patches. Few organisations have robust systems for distributing software automatically, let alone patching it automatically. The result is much insecure software that remains insecure even though a fix is available.

But the thinking on this subject views the problem as purely technical. Microsoft is telling businesses that they should buy into automatic systems for the installation of updates. There are at least two reasons why this is, at best, a limited solution.

The first problem is that patches commonly introduce fresh problems. It is dangerous to install them without testing. At the same time, patches are used by hackers to find the very weaknesses the patches are intended to fix. The hackers keep getting quicker, so that a patch can provoke a new attack that is launched before cautious organisations have had time to test it.

Even if that could be overcome, it is precisely global information distribution that has enabled the various ills of viruses, worms and so on. How could we be sure that a wholly automated distribution system for patches would not play straight into the hands of the hackers? If such systems became widespread, we would not need to wait long before the first malicious patch appeared.

Of course, not everyone would fall for it, but how confident can we be that the damage would not still be considerable? After all, we have not really solved the question of how to recognise who we are dealing with in our electronic transactions. So far, just about every technique that has gained mainstream acceptance has been shown to have serious weaknesses.

Perhaps we will have to adopt the revolutionary approach of designing software to be closer to the ideal of being robust and secure when first released, which brings us back to the issue of how to test software effectively. Until then, what can we do? Be paranoid.

Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a longtime contributor to silicon.com and his blog can be found on his website.
