Mitchell Parker, Contributor

Rose-colored glasses and sepia-tinted memories

Opinion

Jun 20, 2018

Cyberattacks, Cybercrime, Data and Information Security

We view history through a rose-colored tint. People often leave out the historical context of events and why they occur. Understanding the evolution of systems and their context allows us to better comprehend past decisions and keep current because of them.

Over the past two years, I have seen a number of memes across the Internet decrying personal income tax and how the government worked just fine without taxes before 1913.  Memes like this are destructive because they only show a portion of the true story and tell a false narrative.  Much like the perception that historical legacy systems were more secure than they really were, memories are tinted like the sepia tones of old photographs and fade over time. 

Knowing the true story helps us realize that we have many of the same issues today that we had in 1828. While we as a society have undergone significant evolution, we have to understand the context in which past decisions were made before we go posting memes that are not true and give a distorted view of history. It is this distorted view that causes people to make irrational decisions and choices and incorrect assumptions about how the government and society at large operate.

The history of taxation

Before the early 20th century, the economy of the United States was mainly agrarian and piecework.  Employees were paid based on how many items they produced.  The Guild system, which provided oversight to crafts and trades performed, set the rates by which pieces were sold or services performed.  These originated in Europe in Medieval times and made their way to America.  Guilds held monopolies on the production of items, goods, or services.  They provided education and professional development from apprentice to master to grandmaster.  Many of these terms still exist today, specifically in the construction trades.  The logical descendants of these guilds are the Screen Actors Guild for actors, Bar Associations for lawyers, the American Medical Association and the International Brotherhood of Electrical Workers, amongst others.

Guilds fell out of favor as the Industrial Revolution progressed, and technological innovations such as the Cotton Gin reduced the amount of expertise needed to complete tasks. Frederick Taylor’s Scientific Management theory introduced the concepts of productivity management and quantitative performance measurement. Henry Ford’s use of the assembly line to build Model T cars, his high hourly wage, and the subsequent adoption of both by other manufacturers led to a significant consolidation of industry. The number of domestic auto manufacturers in the United States dropped from several hundred to the three we have today.

The implementation of these three innovations in particular led to a complete change in lifestyle. The use of technology lessened the need for experts and lowered the bar to entry. The Industrial Revolution caused a shift in industry from agriculture and piecework to assembly lines and hourly wages. This meant that there was a shift in the economy that needed to be accounted for, as fewer people owned property and the cost of goods dropped with innovation.

Before 1913, income was not taxed, but property, inventory and excise taxes on specific goods and services were.  There was high variety in how these taxes were processed from state to state.  Tariffs were imposed on imports.  The northern states wanted high tariffs to protect industry, and the southern states favored low tariffs to allow cheap imports.  The Tariff of 1828, which was a major contributor to the Civil War, set a 38% tax on 92% of all imported goods, and was enacted to protect Northern industry.  Southern states, which were still mostly agrarian and relied on strong reciprocal trade with Great Britain, resisted these taxes.  Up until 1860, excise taxes were the major source of federal revenue for the United States.

The Revenue Act of 1913 re-implemented the federal income tax, originally established to pay for the Civil War in 1861, after the Sixteenth Amendment was ratified.  It established the Income Tax to compensate for the loss of tariffs due to the downward shift in pricing because of technological innovations, the shift from an agrarian to industrial economy, the loss of the monopoly power of guilds, and some will say, the robber barons of the Gilded Age using arbitrage to make significant amounts of money tax-free.

The truth of the story is that as the economic drivers of the United States shifted, the country had to pivot to be able to continue operations and fund itself. Tariffs dropped significantly after the Revenue Act was implemented, facilitating international trade. If items were taxed today at the rates in force before the Act, the cost of consumer and manufactured goods would rise significantly, with a cascading ripple effect on the economy. The first steps toward true globalization happened here.

The epochal history of security

Information Security has had a similar sepia tint to the past.  One of the major complaints that we hear about legacy systems is that we now have to implement controls and methods that we didn’t have to in the past to protect them.  Much like the change in taxation so that the Federal government could fund itself and continue operations, we’ve had to undergo several epochal changes to protect the confidentiality, integrity and availability of systems. 

We can divide these into multiple evolutionary epochs of security controls. Understanding the whole picture provides better insight into why we have the controls we do today and why they are necessary, much as the shift from a property-based, agrarian and piecework tax system to personal income tax was necessary to fund the government. The goal is to provide insight into the whole picture, as opposed to just one meme-able piece.

Epoch 0 – Technology and attacks are timeless

What we call Epoch 0 is the realization that technology can be used as a means of mass disruption, whether through the historical use of the Cotton Gin to revolutionize textile production, the use of exaggerated news stories to start a war, such as what happened in 1898 with the Spanish-American War, or the breaking of the Enigma codes and the use of encryption in World War II. This continues today with false or exaggerated news stories, false memes and the continued intrusions on networks across the world. Both past and present attacks have been and continue to be sponsored by individual groups, companies and nation-states.

Epoch 1 – Computer security before modems

Epoch 1 is the use of computer security before modems or consumer telecommunications became popular, starting in the 1960s and ending around 1980. Security controls at this time included mainframe security such as CA Top Secret or IBM RACF, user-based security such as that built into Multics or VAX, and physical security. The computer room was a heavily isolated and guarded place. However, that didn’t stop people from attempting attacks such as compromising the compilers used to build code, code injection attacks (such as SQL Injection) that make programs do something other than what they were designed to do based on bad inputs, or the first rudimentary remote compromises.

Epoch 2 – The start of remote access

Epoch 2 is when remote access via modems and terminals became popular, starting in 1980 and ending around 1988.  Default and simple usernames and passwords were used to compromise many networks, and the first remote attacks occurred.  Viruses also spread through contaminated floppies and downloads.  There were some terminal-based attacks as well.

Epoch 3 – The first remote exploits

Epoch 3 is when vulnerabilities started to be exploited remotely, starting in 1988 and ending in 1996. In 1988, the Morris worm used vulnerabilities in several Unix programs to spread across and cripple the nascent Internet, causing the formation of the first CERT. It was the first major attack to exploit a buffer overflow to do so. The first concerted effort to stop a “wiper” attack occurred in 1992 when the Michelangelo virus threatened to destroy the hard drives of many DOS-based computers. Many people who connected to the Internet in the early days before firewalls also fell victim to attacks such as WinNuke, terminal reset tools and other “script kiddie” attacks. This is the time when default passwords and configurations started being changed, the first personal firewalls started appearing, and anti-virus became popular. Phishing also started here.

Epoch 4 – Smashing the stack for fun, profit and lasting influence

Epoch 4 started with the release of Phrack 49 on November 8, 1996. It featured the article “Smashing the Stack for Fun and Profit” by Aleph One, which described in detail how to corrupt the execution stack of a running C program to get it to run code it was not intended to. This led to mass exploitation of the technique across a number of programs. While the Morris worm gets the credit for being the first known attack to use a buffer overflow, and Thomas Lopatic gets credit for publishing that vulnerability type on the Bugtraq list in 1995, the Phrack article brought it mainstream. Buffer, heap and stack overflows have been a mainstay of exploits ever since, and have led to major architectural redesigns of major operating systems and applications. If there is a single type of attack, outside of ransomware, that has influenced the security world, this is it.

Epoch 5 – Distributed Denial of Service Attacks and Web 2.0

Epoch 5 started with the first Distributed Denial of Service (DDoS) attacks in 2000. Mafiaboy proved in 2000 that you could take down major web sites very easily. This led to numerous additional protections for networks to ensure that one rogue actor could not take down entire sites, and is a contributing factor toward multiple approaches to system resiliency. DDoS attacks remain profitable, both for the attackers and for the service providers who sell DDoS protection. The Mirai botnet was an example of DDoS threatening the Internet itself, and we expect significantly larger attacks in the future. With DDoS came the cloud, Web 2.0, and the additional resiliency both brought to the table.

Epoch 6 – Custom malware and the theoretical becomes real

Epoch 6 started with Stuxnet in 2010. For the first time, nation-state-developed targeted malware, designed to work both on and off networks and aimed at specific hardware devices, was found in the wild. While there had been transportable malware for years, this took it to a whole new level with the targeted sabotage of the Iranian nuclear program by other nation-states. Many of the attacks once written about in books or given in presentations at conferences started appearing in the wild.

Epoch 7 – The rise of ransomware

Epoch 7 started with ransomware in 2013, which exploded in use in 2015. While there had been extortionware for years before, several factors converged to make this stick. Vulnerabilities in readers and players for document formats such as Flash or PDF had been discovered that allowed full system access. The Snowden revelations led many sites to start using encrypted traffic, which confounded many security scanners that were not designed to inspect it. There was an explosion in vulnerabilities in content management software and associated plugins across the Internet. The use of Bitcoin made it easy to pay anonymously. The use of Tor and darknets to mask the command and control servers also helped. Uncooperative foreign jurisdictions and their refusal to prosecute their own citizens for these attacks led to a significant increase. However, the largest factor has been that this is a low-cost, high-benefit attack: the cost of paying versus the cost of replacement, as evidenced by the attack on the City of Atlanta, has caused many people to just pay the ransom.

Further attacks such as WannaCry, Petya, NotPetya and wiperware all build on the basics that ransomware established in 2013. Combined with the blowback from the Snowden revelations, which caused a significant increase in encrypted traffic, this has made it harder than ever to detect and prevent ransomware, and the exploits for many common sites have made it easier to deploy.

Ransomware and its targeted variants have grabbed significant headline space due to the major companies that have fallen victim. This has caused many companies who never thought they were vulnerable to realize how much work they needed to do to protect themselves. If there is any single type of attack that has proven the need for defense in depth, and the need to increase protection, it’s this one.

Epoch 8 – Cryptomining, pervasive cloud and resource re-appropriation

Epoch 8, where we are now, started in 2018 and is the age of resource re-appropriation. The popularity of crypto-mining and cryptocurrency has led to mass hijacks of computers using fileless malware and scripts on web pages to “mine” cryptocurrency on behalf of others. It’s about getting something for nothing using someone else’s resources. While PCs and the cloud have been hijacked before to run mail servers, DNS servers, and complete infrastructures on someone else’s resources, this is something new. We live in a fully distributed infrastructure, and securing resources across business partners is more important now than it has ever been. Blockchain is no exception.

Where are we at now?

Where we are now is that we continue to implement new technologies, such as blockchain, without an eye to the past or an understanding of the history that brought us to this current point in security. We make many of the same mistakes that we have made in the past. We make many assumptions based on viewing the past through rose-colored glasses, or on incorrect conclusions drawn from a few data points from the past that have little or no relevance to our current situation.

We need to understand our past and the context in which decisions were made and why.  Through rose-colored glasses, people see the past as a utopia where everything worked well, which clearly was not the case.  Making memes saying otherwise without knowing how the past really was is making false statements.

What do we need to do in security?  What are our takeaways?

Security is the same way. We need to understand the changes at each epoch and the full story to be mindful of how we move forward, protect our data and build for the future, rather than sending the wrong message. We also need to be aware of which epochs our systems were developed in, as this has a direct effect on their ability to be configured to address security issues. It’s very hard to retrofit a system developed in the past to be modernized. Currency is important because as the number of epochs between initial implementation and the present increases, the degree to which a system can be protected is significantly limited. We need to look at the world through modern eyes, not sepia-toned memories, and realize that we need to keep as current as possible. The past is the past, and staying there doesn’t help reduce risk. Making false assumptions about it doesn’t either.

Mitchell Parker, CISSP, is the Executive Director, Information Security and Compliance, at Indiana University Health in Indianapolis. Mitch is currently working on redeveloping the Information Security program at IU Health, and regularly works with multiple non-technology stakeholders to improve it. He also speaks regularly at multiple conferences and workshops, including HIMSS, IEEE TechIgnite, and Internet of Medical Things.

Mitch has a Bachelor's degree in Computer Science from Bloomsburg University, a MS in Information Technology Leadership from LaSalle University, and his MBA from Temple University.

The opinions expressed in this blog are those of Mitchell Parker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.