On June 2, the SANS (System Administration, Networking and Security) Institute published "How to Eliminate the Ten Most Critical Internet Security Threats." This list of common security holes received quite a bit of attention around the computing community, bringing to light several problems of which non-security computer professionals might not have been aware. The list highlighted specific software packages such as BIND, a piece of software that translates domain names into IP addresses, the numeric addresses that underlie all computers on the Internet. BIND provides name service for an estimated 50% of all computers connected to the Internet, making it a quite attractive target. This list, while informative and quite accurate, unfortunately fails to address the most important and least glamorous issues in computer security today: education and maintenance.
The education not only of end users, but of developers and administrators, is, quite frankly, extremely boring to the average computer security professional. Like most technically oriented people, they would rather be ramping up on the latest software and techniques than teaching principles that seem blatantly obvious to someone who works in the field. Nevertheless, the education of users of all sorts is necessary. The most secure authorization package in the world is useless if the user keeps a copy of his private keys on a floppy in his desk with his cat's name as the password. Insecure software installed on a home or work computer often contains backdoors that can report sensitive information to an attacker, right down to keystrokes and screenshots. Education does not apply only to the end user, either. Developers and administrators need sufficient knowledge to realize that much of what is sold as "secure" is little more than proprietary snake oil, lulling the less informed into a false sense of security.
The other primary issue, which is a bit more obvious from the report, is that of maintenance. Most software companies are fairly good at issuing a "patch" or "fix" for software with security issues. The heart of the problem is that administrators often don't have the time to track software releases and follow the various security groups that report these holes. The list consisted primarily of "holes" that have been well known for quite some time, but unfortunately still exist on many systems connected to the Internet 24 hours a day.
The image that most of the computing world has of a "hacker" (a word originally meaning someone who uses technology in new and unexpected ways) is that of the precocious or disgruntled genius toiling away. The reality is far more ordinary. The most common "hacker" (or "cracker," the more widely accepted term in the computer underground) is most often not tremendously technically astute. They use pre-packaged "exploits" to attack well-known vulnerabilities in software that has not been properly maintained.
The maintenance issue does not rest solely on the head of the administrator, though. Often managers are not willing to spend the time or money on preventative maintenance, relying instead on a policy of closing the gate after the proverbial livestock have escaped.
Soon, as the current wisdom tells us, everything will be hooked into the Internet. Already available are lighting controls, microwave ovens, and washing machines. Education and maintenance may never achieve the status of "The Next Big Thing," but perhaps after a few burritos have been remotely burnt to a crisp by bored college students, they will be taken a bit more seriously.