Security and Commerce

Security, stability, and ease are a holy grail to current e-commerce vendors. The usual disclaimers and arguments prevail about the scope of the supposed problems. These are all very technically interesting, but from the point of view of the end user, all very irrelevant. The original demographics that drove the interest in e-commerce are simple.

Remember back to some of the original surveys of Internet denizens in 1993/94, especially some of the "average Web user" results. Most of these surveys showed that the average Web surfer was highly educated, upper middle class income, with rather large discretionary spending habits. And at that time that was mostly true because outside of the University settings, only the somewhat technocratic elite even had an inkling of the Web thingie.

Show those demographics to a marketing manager and he or she practically starts panting and drooling. Thus the Internet Gold Rush was born. As with the real gold rushes of the past few centuries, most of the real, hard cash was made by providing the miners with supplies. ISPs, Web site creators, network and computing hardware vendors, and related infrastructure providers grew and prospered.

The last thing on the suppliers' minds in most cases was security. Next to last was long-term planning. While the early Internet had security problems, the stresses were moderate and fairly convoluted in use. Breaches tended to be few in number but complex and convoluted in execution due to the preponderance of large time-shared systems with accounting structures.

Security was a subject that was researched and catalogued, a la CERT, CERIAS, and similar organizations. There were alerts and processes for patching and mitigating the breaches. The process was almost leisurely in contrast even to the long-term development of the protocols. The actual connection density of the Internet was only beginning to expand. And as with the superhighway system, the greater connection density and mobility of the Internet would fracture the security model and force a whole new structure.

As with the automobile and the telephone, the emergence of the Internet started over a period of time with fractional parties fighting to promote their service and vision. With standardization and eventually serious commercial reasons, a la the Web, the use of the product surged. The masses had arrived. What goes around comes around, especially when considering a redefining technological invention.

Consider that before the advent of direct dial you would have a difficult time making a crank call. Noting that direct dial was the direct result of a perceived commercial problem, you can easily see the parallels to the Internet of the early 1990s. Once the masses were ensconced, the rules of the game changed.

Consider today the reference to the "Slashdot Effect," usually encoded as "/. effect". This effect refers to what happens when you are mentioned on a widely read Internet news source and suddenly millions of people are trying to reach your Web site. Many sites have crashed or at least slowed to a crawl due to the massive surge in volume. Indeed, there is at least one instance where a suspicion exists that the site was purposely promoted to an Internet news site in order to slam the referenced site into the ground.

Such actions are only the tip of the iceberg. Just as crank calling evolved into phreaking and other attacks using the telephone systems, so too with the security structures of the Internet. As with most phenomena it was predictable yet unknown. The supposed power brokers tried to pass it off as rogue adolescence that would fade as new, more powerful and well-designed computers and operating systems were released onto the market. So here we are with all of these more powerful operating systems and computers fighting a battle for control against the dark side.

What exactly is being fought? Is it a ruthless, intellectual elite bent on wreaking world havoc? A global conspiracy to silence the oh so wonderfully innovative companies whose dazzling products are the salvation of computing kind? Or just a bunch of inquisitive people? Sadly, the answer lies more toward the last group.

As with the commercial interest that produced the automatic dialing systems, most computing products, especially operating systems, are designed for the benefit of the manufacturer. Security is a cost center, just as Information Technology is a cost center. To paraphrase the IBM commercial, realizing that your business is based on your Web site: that is an epiphany. And that epiphany has not yet taken hold.

Rather than promote security to a profit center by blending it into the design and development of a product, it is easier to blame the evil forces that surround each and every one of us. And as with the computer virus problem, why design to remove the problem when you can make a profit tending it instead? Just think of the financial losses that would be incurred if any of the secure computing structures designed several decades ago were to be enforced. Most of the anti-virus, firewall, and security consulting firms would crash and burn.

No, those structures are not hard to use. Just ask anyone who has a higher level security clearance who has been a user on a trusted computer system. The vast majority of the time you do not notice that the system prevents you from doing harm. It is only if you try to do something that is not permitted for your level that you see the results of the security structure. Now the old draconian lockstep argument arises. We would all be slaves to the machines is the battle cry.

The point is that if you consider the vast majority of supposedly horrific attacks, especially in terms of costs, on the Internet in the last half of the 1990s, over 85% of them would not have occurred with just a modicum of security structures within the computing platforms and networks in use. Some of the simple steps are being taken but often are both seen and advertised as amazing and difficult work.

In such an environment, can you imagine the carnage of the implementation of IPSec or IPv6? It's bad enough that in many cases IPv4 is still not implemented correctly. And consider too the current status of Policy Routing.

From this perspective the current statements about e-commerce and security are inherently ludicrous. For every single credit card number stolen on the Internet in 2000, dozens or hundreds of people were misled by telesales, swindles, and other direct interface security breaches. That pendulum is starting to swing. The necessary technical systems and structures do exist to prevent that swing. But it remains to be seen whether the commercial incentive will be seen in time.

And that brings up the other problem of the Internet Gold Rush: long-term planning. The security problems faced on the Internet are much the same in concept as the security problems of the telephone and the automobile. You can break into a site and make your getaway with the goods. You can impersonate or internally compromise a site. And you can coerce others into giving you the goods in good faith.

Today if you were to start a physically located business, say in a strip mall, you would leave the doors unlocked at all times. Especially when you were not there. And you would not bother using a cash register that locks or even closes the cash drawer. And most assuredly you would not know what you had in stock at any given point in time because you were only interested in this minute right now.

Ok, you can tone down the laughter. All of these steps are essentially what you would obtain today with the vast majority of Internet commerce proposals. And this includes just being a participant, let alone the proprietor. This is largely due to a lack of foresight, also called long-range planning.

If you go into a bank, or to the Venture Capitalists, or other sources of business funding today for your strip mall store, you will find that what they really want to see is whether you have planned out the long-term and short-range goals. This is often referred to as a business plan. If in the details of your business plan you have not allowed for some basic security structures, you will be denied immediately. Unfortunately, that is only now starting to be implemented for Internet commerce.

The long-term planning of most e-commerce sites even now consists of: Grow big by losing money, IPO and sell out. Usually the entire sequence is considered to be complete within two years. The long-term planning that is starting to be seen, especially in the details, is more along the lines of: Protect the assets, and nurture the position into recurring revenue. And you can bet that those details now contain the locks, keys, and provisions for counting the merchandise before and after the sale.

So the security, stability, and ease factors are starting to return. Ease was first and often at the complete detriment of stability and security. Now a balance is being found as the hollow tones of "you cannot have your cake and eat it too" are being shown as simple lack of foresight coupled with a sales incentive to care less about the actual consumer. The security and stability of systems are ever increasing with the same ease still present. And this is mainly due to the leap of the competing interests and proprietary systems into the acceptance and implementation of standards.

As with the early telephone systems standards and the issuance of rules of the road, the standards of the Internet are evolving to promote cooperation and foster a secure, stable, and easy path to interconnection. Progress can be seen in the mere acceptance of many of the system design security standards laid down in the seminal 1975 article of Jerome Saltzer and Michael Schroeder from Proceedings of the IEEE 63(9) pp 1278-1308. As time marches on in the Internet, the standards change. Perhaps the best point about the change structure of the Internet is that it is not driven by any one or any group of corporate interests. Thus the eventual apogee will provide security, stability, and ease of use for all.

Policy Routing Using Linux
ISBN: B000C4SRVI
EAN: N/A
Year: 2000
Pages: 105
