Wire Pirates
Someday the Internet may become an information superhighway, but right now it is more
like a 19th-century railroad that passes through the badlands of the Old West. As waves
of new settlers flock to cyberspace in search of free information or commercial
opportunity, they make easy marks for sharpers who play a keyboard as deftly as Billy the
Kid ever drew a six-gun.
It is difficult even for those who ply it every day to appreciate how much the Internet
depends on collegial trust and mutual forbearance. The 30,000 interconnected computer
networks and 2.5 million or more attached computers that make up the system swap
gigabytes of information based on nothing more than a digital handshake with a stranger.
Electronic impersonators can commit slander or solicit criminal acts in someone else's
name; they can even masquerade as a trusted colleague to convince someone to reveal
sensitive personal or business information.
"It's like the Wild West," says Donn B. Parker of SRI. "No laws, rapid growth and
enterprise - it's shoot first or be killed."
To understand how the Internet, on which so many base their hopes for education, profit
and international competitiveness, came to this pass, it can be instructive to look at the
security record of other parts of the international communications infrastructure.
The first and biggest error that designers seem to repeat is adopting the "security through
obscurity" strategy. Time and again, attempts to keep a system safe by keeping its
vulnerabilities secret have failed.
Consider, for example, the running war between AT&T and the phone phreaks. When
hostilities began in the 1960s, phreaks could manipulate with relative ease the long-
distance network in order to make unpaid telephone calls by playing certain tones into the
receiver. One phreak, John Draper, was known as "Captain Crunch" for his discovery that
a modified cereal-box whistle could make the 2,600-hertz tone required to unlock a trunk
line.
The next generation of security was the telephone credit card. When the cards were
first introduced, a card number consisted of a sequence of digits (usually area code, number
and billing office code) followed by a "check digit" that depended on the other digits.
Operators could easily perform the math to determine whether a particular credit-card
number was valid. But phreaks could just as easily figure out how to generate the proper
check digit for any given telephone number.
So in 1982 AT&T finally put in place a more robust method. The corporation assigned
each card four check digits (the "PIN", or personal identification number) that could not
easily be computed from the other 10. A nationwide on-line database made the
numbers available to operators so that they could determine whether a card was valid.
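
The difference between the two card schemes, as an added Python example that is not part of the original article. The article does not give AT&T's check-digit formula, so the Luhn mod-10 digit stands in for it here; the sample telephone number is constructed.

```python
import hmac
import secrets


def check_digit(number: str) -> str:
    """Luhn mod-10 digit: a stand-in, the article does not give AT&T's formula."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def valid_by_formula(card: str) -> bool:
    """Early scheme: validity is a public function of the number itself."""
    return card.isdigit() and len(card) > 1 and check_digit(card[:-1]) == card[-1]


class PinDatabase:
    """1982 scheme: four random digits per card, known only to the issuer's database."""

    def __init__(self):
        self._pins = {}

    def issue(self, number: str) -> str:
        self._pins[number] = f"{secrets.randbelow(10_000):04d}"
        return number + self._pins[number]

    def valid(self, card: str) -> bool:
        stored = self._pins.get(card[:-4])
        return stored is not None and hmac.compare_digest(stored, card[-4:])


def accepted_guesses(db: PinDatabase, number: str) -> int:
    """How many of the 10,000 possible PINs the database accepts for a number."""
    return sum(db.valid(f"{number}{pin:04d}") for pin in range(10_000))


if __name__ == "__main__":
    number = "2125550100"                      # constructed sample number
    print(valid_by_formula(number + check_digit(number)))   # derived without any secret
    db = PinDatabase()
    db.issue(number)
    print(accepted_guesses(db, number))        # one PIN in 10,000 is accepted
```

The database check stops a card from being computed, not from being observed, which is the weakness the shoulder surfers exploit.
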
Since then, so-called "shoulder surfers" have haunted train stations, hotel lobbies, airline
terminals and other likely places for the theft of telephone credit-card numbers. When
they see a victim punching in a credit card number, they transmit it to confederates for
widespread use. Kluepfel, the inventor of this system, noted ruefully that his own card
was compromised one day in 1993 and used to originate more than 600 international calls
in the two minutes before network-security specialists detected and canceled it.
The U.S. Secret Service estimates that stolen calling cards cost long distance carriers and
their customers on the order of 2.5 billion dollars a year.
During the same years that telephone companies were fighting the phone phreaks,
computer scientists were laying the foundations of the Internet. The very nature of
Internet transmissions is based on a very collegial attitude. Data packets are forwarded
along network links from one computer to another until they reach their destination. A
packet may take a dozen hops or more, and any of the intermediary machines can read its
contents. Only a gentleman's agreement assures the sender that the recipient and no one
else will read the message.
As the Internet grew, however, the character of its population began changing, and many
of the newcomers had little idea of the complex social contract. Since then, the Internet's
vulnerabilities have only gotten worse. Anyone who can scrounge up a computer, a
modem and $20 a month in connection fees can have a direct link to the Internet and be
subject to break-ins - or launch attacks on others.
The internal network of a high-technology company may look much like the young Internet
- dozens or even hundreds of users, all sharing information freely, making use of data
stored on a few file servers, not even caring which workstation they use to access their
files. As long as such an idyllic little pocket of cyberspace remains isolated, carefree
security systems may be defensible. System administrators can even set up their network
file system to export widely used file directories to "world" - allowing everyone to read
them - because after all, the world ends at their corporate boundaries.
It does not take much imagination to see what can happen when such a trusting
environment opens its digital doors to the Internet. Suddenly, "world" really means the entire
globe, and "any computer on the network" means every computer on any network. Files
meant to be accessible to colleagues down the hall or in another department can now be
reached from Finland or Fiji. What was once a private line is now a highway open to as
much traffic as it can bear.
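
One way to find such "world" exports before a network is connected to the Internet, as an added Python example that is not part of the original article. It assumes the Linux exports(5) file syntax, which postdates the systems the article describes; the host names and paths in the sample are constructed, and a path with no client list is treated as unrestricted.

```python
import re

# Client fields that place no restriction on who may mount the directory.
WORLD_CLIENTS = {"", "*", "0.0.0.0/0", "::/0"}
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")   # client, then optional (options)

# Constructed sample in Linux exports(5) syntax.
SAMPLE = """\
/usr/share   *(ro)
/home        build.corp.example(rw)
/srv/proj    10.1.0.0/16(rw,root_squash)
/pub         (ro,all_squash)
/data        files.corp.example (rw)   # stray space: "(rw)" becomes a world entry
"""


def world_exports(exports_text):
    """Return (path, client, options) for every entry that any host can mount."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in exports_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        if not entries:              # assumption: no client list means unrestricted
            entries = [""]
        for entry in entries:
            match = ENTRY.match(entry)
            if match is None:
                continue             # malformed field, not a client entry
            client, options = match.group(1), match.group(2) or ""
            if client in WORLD_CLIENTS:
                findings.append((path, client or "<any>", options))
    return findings


if __name__ == "__main__":
    for path, client, options in world_exports(SAMPLE):
        print(f"world export: {path} client={client} options={options or '-'}")
```
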
If the Internet, storehouse of wonders, is also a no-computer's land of invisible perils,
how should newcomers to cyberspace protect themselves? Security experts agree that the
first layer of defense is educating users and system administrators to avoid the particularly
stupid mistakes such as using no passwords at all.
The next level of defense is the so-called fire wall, a computer that protects an internal
network from intrusion. To build a fire wall you need two dedicated computers: one
connected to the Internet and the other one connected to the corporation's network. The
external machine examines all incoming traffic and forwards only the "safe" packets to
its internal counterpart. The internal gateway, meanwhile, accepts incoming traffic only
from the external one, so that if unauthorized packets do somehow find their way to it,
they cannot pass.
But other people foresee an Internet made up mostly of private enclaves behind fire walls.
A government spokesperson notes, "There are those who say that fire walls are evil, that
they are balkanizing the Internet, but brotherly love falls on its face when millions of
dollars are involved."
In the meantime, the network grows, and people and businesses entrust to it their
knowledge, their money and their good names.