ITS 4050 - Internet and Web Security


Chapter 1, From Mainframe to Client/Server to World Wide Web

This lesson presents some background material from chapter 1. Objectives important to this lesson:

  1. Shifts in technology
  2. WWW so far
  3. E-commerce concerns
  4. IoT concerns
  5. Securing communications
Concepts:
Chapter 1

Our text begins with a very basic start, reminding us that data is raw, unprocessed facts and that it needs to be processed to become information. Processing may take place on a computer, or in the mind of an analyst, but it is still processing. In order for a computer to help us with anything, a human had to figure out what needed to be done, either by the human or by the device. The text offers us some history about the invention of calculating devices. Many of you will not have heard of John Napier, Wilhelm Schickard, or Blaise Pascal. They made some wonderful progress in the first half of the 17th century in making devices that aided in calculation. Follow this link to the Computer History Museum and browse some of the devices in their discussion of the subject.

The object shown on the left is a realization of Schickard's machine, made from his surviving plans. The object in the image on the right is a pascaline, one of the actual devices that Pascal created, invented for his father who was a tax collector.

A more "recent" contribution to computing was the invention of the Jacquard loom, a weaver's device that could produce identical pieces by using patterns saved on punched cards. The cards, essentially, held programs for the loom. The loom was invented in 1801 by Mr. Jacquard, but he did not create it all by himself. The book barely mentions it, but this video by James Burke, a part of his TV series called Connections, gives you more information as well as some quick references to other precursor technologies that Burke talked about in his program, technologies that Jacquard and his predecessors used to build their creations.


Almost two hundred years after Pascal (1820s and 30s), several attempts were made to design a general purpose machine by Charles Babbage. (Click the image below to watch a video about Babbage and his inventions.) Babbage's attempts might be seen as an evolution in technology that was not implemented when it was invented, because it was too complicated and too expensive to build.

In 1889, the US Census changed forever due to the work of Herman Hollerith, who had worked on the 1880 census, found it to be in dire need of an information engineer, and subsequently created a punched card system for tabulating the census data. His system was used by many other countries for their censuses. He started a company to market his services. It eventually merged with others and became IBM.

The rate of growth in computing power accelerated with the application of electricity and, later, electronics, which really started in World War II and the Cold War. Computers were an invention that needed electronics to become what we consider them today. The text presents a list of significant events on pages 6 and 7, taking us from 1941 to 2002.

On the next several pages, the text reviews the progression from mainframes (centralized computing) to personal computers (distributed computing), which led to networking computers to share resources, primarily through client/server networks. Mainframe computing put all processing on one device, the mainframe. Workstations were only terminals in those systems. Networking provides services and resources on servers (centralization), while allowing processing to take place on each client (distribution).

The world changed again when the Internet became generally accessible, and commerce became common on it. It may seem odd to you, but there was a time when there was a lot of debate and doubt about the wisdom of allowing commercial entities (businesses) to have a presence on the Internet, much less allowing them to conduct the majority of their business on it. Security was not an essential part of the Internet when it was designed. It was not planned to be a system that everyone in the world would be able to access. Pay attention to the four features on page 11 that provide confidence in electronic commerce. They are a little different from usual CIA components:

  • integrity - part of CIA, the confidence that electronic transmissions are sent, processed, and stored as intended
  • nonrepudiation - the state in which there is proof of what each party in a transaction has agreed to do, and who those parties are
  • authentication - confidence that an online user or provider is who they appear to be
  • privacy - the CIA element called confidentiality, the trust that private information is and will remain private
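To see how these four features are achieved in practice, here is an added example (not from the textbook or the course) that walks a constructed order through a toy textbook RSA key pair: a hash gives integrity, a private-key signature gives nonrepudiation, checking that signature against the customer's known public key gives authentication, and encrypting to the merchant's public key gives privacy. The small primes, the missing padding and the per-byte encryption are simplifications for illustration only.

```python
import hashlib

def make_key(p, q, e=17):
    """Toy textbook RSA key pair from two small primes. Illustration only:
    real systems use a vetted library, padding and 2048-bit or larger keys."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return (n, e), (n, d)                   # (public key, private key)

# Constructed keys for the two parties in a purchase.
CUSTOMER_PUB, CUSTOMER_PRIV = make_key(61, 53)
MERCHANT_PUB, MERCHANT_PRIV = make_key(47, 59)

def digest(order: bytes, n: int) -> int:
    """Integrity: any change to the order changes this value."""
    return int.from_bytes(hashlib.sha256(order).digest(), "big") % n

def sign(order: bytes, private_key) -> int:
    """Nonrepudiation: only the holder of the private key can produce this,
    so a valid signature is proof of who agreed to the order."""
    n, d = private_key
    return pow(digest(order, n), d, n)

def verify(order: bytes, signature: int, public_key) -> bool:
    """Authentication plus integrity: the merchant checks the signature against
    the customer's known public key; a tampered order or another signer fails."""
    n, e = public_key
    return pow(signature, e, n) == digest(order, n)

def encrypt(order: bytes, public_key) -> list:
    """Privacy: encrypted to the receiver's public key, so only the matching
    private key can read it. Each byte is below n, so it is one block."""
    n, e = public_key
    return [pow(b, e, n) for b in order]

def decrypt(blocks: list, private_key) -> bytes:
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)

# Constructed sample order and a tampered copy of it.
ORDER = b"order=1234;item=widget;qty=2;total=19.98"
SIGNATURE = sign(ORDER, CUSTOMER_PRIV)
TAMPERED = ORDER.replace(b"qty=2", b"qty=20")
```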

These four areas of concern are important to this text, and to any information security professional. The text presents four common features of an e-commerce site that we should keep in mind as areas to secure and areas that will be attacked:

  • catalog - This is the area of a commercial web site that discusses/presents the products and services of a business. (It might be compromised by failing to present anything, or by presenting incorrect information.)
  • shopping cart - The feature that tracks what a customer is about to buy, or is considering buying. (This provides tracking information about product interest, even if a purchase is not made.)
  • transaction and payment processing - This is arguably the most complex part of the system. It calculates costs to the customer, and collects payment information that is of extreme interest to attackers.
  • fulfillment system - Warehouse instructions, shipping instructions, updates to the customer, and confirmation of the transfer of goods and services happen here.

The text continues with some history about messaging and email, as well as some material about early search engines, Gopher, Archie, and Veronica. There is also a brief mention of a shared calendar as an example of groupware, software that allows users to collaborate on a single document or a project. This is not critical to the topic of the chapter, so we will move on.

The Internet that most people know is only a portion of it, but it is the most popular portion: the World Wide Web, invented by Tim Berners-Lee. Berners-Lee and Robert Cailliau invented the web, as well as Hypertext Transfer Protocol, Hypertext Markup Language, and the first web browser. You really needed all of those things together to make the web possible and practical. The text discusses three phases of the development of the World Wide Web:

  • Web 1.0 - The creation of web servers and documents happened here. Users followed links to read files that were stored on web servers. Searching on the web allowed searches in the text of documents, not just in their titles, which was an improvement over Gopher. Web portals began to appear to present menus or collections of links to users.
  • Web 2.0 - The text tells us that this version is characterized by blogging and social networking. Interactive websites were created, such as Wikipedia, which allows users to post and correct already posted information. Text file sharing evolved to include audio, photo, and video file sharing. The ability to create a web site was made available to everyone with an ISP account. Web applications like games, productivity software, and commercial streaming became common.
  • Web 3.0 - The text quotes Tim Berners-Lee as referring to Web 3.0 as a single, connected, searchable database. Most users would assume we are already there. The difference is more a matter of what goes on behind the curtain, and what will be available, storable, and sortable.

The Internet of Things (IoT) refers to all the devices that can be connected to the Internet, and that can be queried, controlled, and used through those connections. For instance, a consumer grade printer may be attached to a home LAN, and the device's owner may take a photo with a web enabled smart device which can then be printed immediately on that printer from almost anywhere. The "almost" is important: the devices must be on live Internet connections for this to work. The text offers three areas in which this concept might be applied:

  • manufacturing - The text mentions that connected manufacturing devices might report not only their use and productivity, but their needs for maintenance and resupply. Self diagnostics may be used to warn that a failure is becoming likely before such a failure occurs. Information leaking to competitors could be a problem.
  • healthcare - IoT sensors can report a patient's condition to a doctor (or a monitoring AI) to watch a condition, to monitor the result of a treatment, or provide statistical data that would be unavailable without real time monitoring. Privacy violations are a major concern.
  • transportation - The text points out that companies like OnStar monitor the condition and performance of vehicles, and that shipping companies monitor the progress of their vehicles and individual packages for clients. It does not mention the smart device applications that allow information sharing about current traffic and weather conditions along an intended route, which can be most helpful to travelers and to emergency services staff trying to resolve problems.

The text lists some issues about information from IoT devices: privacy of data, necessary encryption that may not have been considered, authorization and authentication for users, and software updates that may need to be delivered. This is more challenging than it sounds. Enabling secure services on a computer can be done, but how do we do it on a door lock or any other common item that may be a very limited device?


Assignments

  1. Begin the reading assignments for the course.
  2. Download the handouts file for this module.
  3. Complete the assignment and class discussion made in this module.
  4. We will have a discussion about the planned exams in our first class.