April 07, 2009
At the Computer Emergency Response Team Coordination Center’s 20th Anniversary Technical Symposium, Harvard Law School Professor Jonathan Zittrain ’95 discussed why the Internet’s once-celebrated openness has led to the now regularly occurring security threats, and sketched solutions to deal with these threats.
“There was a playfulness at the founding of the Internet,” Zittrain said. The Internet was built based on a rough consensus, by early pioneers whose approach was “we’re not trying to run the show, we’re just showing up, exchanging some ideas and trying to see what will work.”
This simple approach, however, did not always anticipate the things that can go wrong. This ultimately misplaced trust was embodied in the belief that “people would never want to lie about their email addresses.”
Today, relatively simple techniques can cause major problems, such as the internet service provider in Pakistan that, under orders from the Pakistani government to block access to YouTube, used a technique that caused a worldwide outage of the popular video streaming site within minutes. The site was restored in a few hours thanks in part to the work of volunteers in the North American Network Operators Group (NANOG), who diagnosed the problem and suggested solutions.
Zittrain suggested a few alternative futures for this increasingly untenable situation. One is ever-more-powerful protection software for PCs, though he doubts this solution’s viability. In an interview with Leslie Stahl of CBS News’s 60 Minutes, Zittrain discussed why anti-virus software is not able to deal with vulnerabilities such as the Conficker Worm, for example.
Zittrain predicts that we will see an increasing move toward more controlled appliances and services, such as the Apple iPhone, the Amazon Kindle, and the Facebook Applications platform, which only allow their own, or approved, applications and content to run. Also, the companies behind these platforms—or the government—can control them, blocking content, deactivating applications, or even, in the case of an OnStar-like system in automobiles, allowing the FBI to eavesdrop on conversations.
Zittrain proposes another alternative: to build technical architectures to let people take more responsibility. For example, we could allow machines to install a small amount of code to relay machines’ vital signs back to the community. This would enable us to ask questions about whether a new piece of code is really new or has already been used by many others. Other examples include an online clearinghouse of bad sites where content resides that could damage a visitor’s computer, such as the Google/StopBadware project and the Berkman Center’s recently launched website BadwareBusters.org.
The two-day event, which was sponsored by Carnegie Mellon’s Software Engineering Institute, brought together influential leaders from industry, government, and academia who are looking at the challenges of cybersecurity.
Zittrain, who returned to the HLS faculty full-time last fall, is a co-founder of the Berkman Center for Internet and Society. He recently launched a new project called Herdict that aims to report and map website inaccessibility around the world.