On a Highway to …
Welcome
Dear Reader,
The Internet is a vast and beautiful thing – our ancestors would be amazed. I probably wouldn't have my job without the Internet, and if you work with Linux, the chances are your job, either directly or indirectly, depends on the Internet as well.
People in high tech like to talk about the Internet in glowing and heroic terms. The popular view is that the Internet is not just an information highway but is actually a highway on which we are all journeying to the future.
Part of the story is that the Internet is "good business," but the recent Equifax debacle illustrates how difficult it is to determine how much the Internet actually costs. A hack on the massive consumer credit reporting company compromised 143 million identities. The problem, according to several sources, was that the company failed to install routine security updates for the Apache Struts web application framework. A vulnerability in the platform was fixed back in March, but reports indicate that Equifax didn't get around to installing the update and therefore fell prey to the attack.
So now is the time when we all collectively say "What a bunch of slackers." Everybody knows you're supposed to keep current on security patches, and on Internet-facing servers, keeping up to date is an extremely critical and solemn responsibility. Internally, the company probably has its own "What a bunch of slackers" dialog going on. Some people have probably already been fired – or they will be soon.
Firing a few Equifax employees certainly seems appropriate, but it is a little too easy. We humans have a way of focusing blame on other humans, rather than on systems. When something goes wrong, we assign the blame to a person, and then when we punish that person, we all get the feeling that we're acting decisively to address the issue. Deeper down, though, the questions are a little more complicated – and thus more scary. For instance:
- Why was this vulnerability present in the first place and how did it go undetected until March of this year?
- What other vulnerabilities are still out there now that could be the cause of future events as bad as or worse than the Equifax debacle?
I don't really know the solution to the insecurity problems that face the Internet. In fact, I'm not sure I really believe an obvious solution actually exists – certainly not something that could happen within the next 5 to 10 years – but I think we would be in a better place if we would start understanding the real cost of operating the Internet and investing resources to address that cost.
The rosy picture we paint about Internet efficiency and convenience creates an imaginary world where a company can hide, making business decisions based on the illusion of security rather than on gritting out the labor-intensive reality of life in a jungle.
At Apache Struts, more code reviews, more testers, and bigger bounties would have helped find vulnerabilities sooner, but who is going to pay for it? Equifax probably could have used more training and a bigger, more qualified web admin staff, but who's going to pay for it? The way a company pays for overhead is to pass the costs back to the consumer, so they would have to raise their prices and would then lose business to competitors who are willing to live dangerously and do without enhanced security measures. (Pricing on the Internet is always a race to the bottom.)
Could the government step in and mandate security inspections or timely security patching for all companies, so failure to comply wouldn't just get you fired but would get you a fine or a jail term? Certainly not the US government, which is obsessed with reducing the regulatory burden on businesses to let them be "more efficient." The system encourages businesses to stay lean and unsafe, and the cost and inconvenience of all-too-frequent failures are passed to intrusion victims.
The effects of hidden costs are weird and difficult to trace; they are off the balance sheets used by traditional accounting, but they always show up somewhere. One of the possible effects of the Equifax intrusion, which compromised names and social security numbers, is that someone could theoretically hijack your income tax return. The remedy suggested by several experts is to file your taxes early. In other words, because you do business with a company that does business with a company that underfunded its security needs, instead of filing your taxes in April (which is your right under US law), you now have to file them in January or else someone you never met will steal your tax refund.
Isn't the Internet a marvelous thing?
Joe Casad, Editor in Chief