A Hacker Horror Flick

The Net Still Has Too Many Holes, Experts Warn

July 5, 1995

By Scott Rosenberg

HONOLULU -- As horror movies go, it was oddly tame, you might even say minimalist: just fragments of white text unfolding in bursts across a black screen. But "Adrian Visits the Tropics," a six-minute documentary, mesmerized and horrified its audience nonetheless. Speakers at the Internet Society's annual meeting here last week joked afterwards about having wet their underwear.

The film reconstructed a computer-screen's view of a busy 1991 weekend in the life of a Dutch hacker, whose typing had been captured and preserved by American computer-security expert Tsutomu Shimomura.

As Shimomura -- celebrated for trapping the fugitive Kevin Mitnick six months ago -- provided line-by-line commentary, the crowd watched "Adrian's" screen, rapt, as the hacker broke into a computer system halfway around the world.

He quickly logged in using a generic ID, "readme." He found a security backdoor labeled ".junk." That gave him root access -- general system entree, the system's version of top-secret clearance.

None of this looked difficult. That's what made the film such a horror show: The computer under attack belonged to the Pacific Fleet Command in Hawaii, and the break-in took place during the Gulf War.

If you trust the panelists who commented after the film -- and they are almost certainly the best people to trust on the subject -- "Internet security" remains an oxymoron. Industry leaders are "in deep denial" about security problems. And, ironically, one of the chief obstacles to making the network safer is the U.S. government itself.

The Internet evolved chiefly because scholars and scientists wanted to share research, and its technologies have always emphasized open access. Today, as businesses seek to transform it into a network for commerce and individuals adapt it for their own ends, the Internet is struggling to balance its natural openness with a growing need for privacy. It's as if a public library suddenly found itself performing the services of bank and post office, too.

As Vinton Cerf, long-time Internet Society president and one of the Internet's chief architects, put it, "The Net has been a very collaborative place, where people share everything. But now we've grown up -- like a small town that wakes up to find that it's New York City."

Not that there's general agreement of any kind that the Internet is a less secure place than, say, your typical hotel lobby. IBM's John Patrick, a panel speaker, pointed out that Internet Society conference attendees who worried for their cyber-safety had handed their credit card numbers over to perfect strangers when they checked into their hotels. He predicted that in a few years, transactions would be more secure on the Net than in the physical world.

Today, though, the biggest problem, according to Shimomura, is that people think the Internet is far safer and more private than it really is. "There's a big difference between what the network actually does and what we want it to do," he said. "And too many people have the attitude, 'As long as nothing bad happens, it's okay.' "

Today's most popular security measure is the building of "firewalls," defensible borders around chunks of Internet territory. The panelists argued that firewalls are no panacea, and could quickly become dangerous anachronisms lulling people into a false sense of safety -- like cyberspace Maginot lines.

"We're building deeper moats and taller walls in an age of fighter-bombers," Shimomura said. In other words, firewalls may prove useless in the face of new, automated threats. Quoting from Sun Tzu's "The Art of War," Shimomura urged companies and organizations to confront intruders instead of relying on passive defenses: "Engage the opponent, rather than sitting there waiting to be beat up on."

The single most important step toward making the Internet a more secure place for private correspondence and business transactions, everyone at the conference seemed to agree, would be widespread adoption of a technology known as public-key encryption. This tool allows any two parties to exchange messages in coded form without sending secret information over the public network; it provides protection from prying eyes and confidence in a correspondent's identity.

Public-key encryption is widely and freely available now on the Net via a program called Pretty Good Privacy (PGP), developed by Philip Zimmermann. The trouble is, U.S. government export laws treat all powerful cryptography tools as "munitions," making it a crime to export them. Since international borders don't exist on the Internet, it's pretty much impossible to distribute software on the Net without "exporting" it.

A Federal grand jury has been investigating Zimmermann since last year. Until the law relaxes or changes, the commercial software publishers who might use versions of PGP to build security into their systems aren't going to run the same risk.

Why is the government so intent on controlling encryption? It can hardly be for reasons of international security, since any foreign power, would-be terrorist or hacker who wants the tools downloaded them long ago. But the F.B.I. knows that a program that protects your mail and files from Kevin Mitnick can also post a big "keep out" sign for Uncle Sam.

Federal officials accustomed to tapping telephones do not look kindly on technology that blocks similar access to electronic information. That's why the Clinton Administration backed the voluntary Clipper chip plan, which would have given the government a phone-tap-style back door to most locations in cyberspace. Experts argue that the Clipper plan is itself riddled with holes. If you have anything to hide, of course, you'll simply choose not to use the Clipper technology -- and even if the Clipper plan had been made mandatory, you'd ignore it.

According to most observers, the Clipper scheme was dead on arrival. PGP is available, but it hangs under a legal cloud. And Internet privacy remains a concept whose time has not yet come.

Will that retard the network's growth or smother fledgling Net-commerce experiments? Not according to the experts. As Shimomura said, "Since when has lack of safety ever stopped us? We've always used the Net for purposes it wasn't intended. That's the mark of a successful tool."

0 Back to 1995 Archive Index