[ISN] How do you fix a leaky Net?

From: InfoSec News (isnat_private)
Date: Wed Aug 29 2001 - 22:40:11 PDT

  • Next message: InfoSec News: "Re: [ISN] CIO pushes network-centric warfare"

    By Damien Cave
    Aug. 29, 2001 
    Brian K. West simply wanted to see how his company's advertisement
    would look in the online edition of the Poteau Daily News & Sun, his
    local Oklahoma newspaper. But while trying to create a mockup, he
    discovered a security flaw that let him put the ad on the actual home
    page of the newspaper. No password or permission was required. In
    fact, anyone with Microsoft's FrontPage -- a Web site development
    program used to create the newspaper's Web pages -- could go in and
    redesign at will, wreaking havoc on the home page's structure, color
    and text.
    West, a 24-year-old sales and support employee of a nearby Internet
    service provider, didn't put his ad on the page or make any of these
    changes. He downloaded some files, apparently to verify the hole, then
    called the newspaper's editor in chief to let him know that his Web
    site wasn't secure -- that anyone could get in and "edit your
    But instead of thanking him, the suspicious editor contacted the
    police, setting in motion a chain of events that would lead to an
    18-month FBI investigation and an invitation to appear before a grand
    jury Sept. 5.
    In the community of hackers, the details outlined above could be
    expected to result in West's immediate treatment as a hero, a
    well-meaning altruist trapped by an undiscriminating justice system.
    Protests could have been scheduled, money raised. Like the recently
    indicted Russian programmer Dmitry Sklyarov, accused of illegally
    distributing code that unlocks electronic books, West might have
    become a poster child for reforms to laws that, according to critics,
    treat security research as a crime rather than a virtuous act of
    But even though charges have not yet been filed, West is not getting
    the hacker hero treatment. The reason? According to court documents
    West didn't just warn the Poteau Daily News about the hole; among the
    items he downloaded were files containing source code and passwords
    for the proprietary software that the newspaper's editors used to post
    stories from remote locations. It was only a beta version, and it's
    not clear whether West knew what he was downloading, but because the
    newspaper bought the software from an Internet service provider that
    was a competitor to West's company, the act itself did much to tarnish
    West's "good Samaritan" image.
    So, instead of becoming an icon, a victim and a martyr, he's instead a
    lightning rod for debate. Hundreds of people have written to the U.S.
    attorney in charge of the case since Aug. 17, when an abbreviated
    version of West's story appeared on the geek news site LinuxFreak.org.
    And while the prosecutor and West's lawyers exchange responses to the
    public outcry -- the latest volley appeared last Friday --
    heavyweights in the world of security don't know what to make of
    West's actions. Some, like Richard M. Smith, CTO of the Privacy
    Foundation, argue that West went too far, while others argue that West
    "is just a guy who found a flaw and tried to fix it," as cryptography
    expert Bruce Schneier puts it. Even if he poked around a bit, these
    defenders say, he shouldn't be treated like a criminal. "The
    punishment doesn't fit the crime," Schneier says.
    The debate itself is not new. It's been almost 20 years since hackers,
    geeks and lawmakers first started struggling with the question of how
    software vulnerabilities should be handled. Hackers -- as
    distinguished from crackers, who break and enter computer systems for
    purposes of profit or destruction -- have long argued that by pointing
    out security holes in software they are doing a public service. The
    companies who are the recipients of hacker explorations, and the
    vendors of software that is found to be vulnerable, often disagree,
    seeing hacker activity as illegal trespassing or worse. It's a tension
    that is at the core of hacker life; one could even argue that the
    "public service" theory is, at least in part, a rationalization aimed
    at justifying the results of hacker curiosity.
    But even though the debate is old, the stakes keep rising. The laws as
    currently written are unfriendly to "unauthorized access," regardless
    of what the intent is. The passage of the Digital Millennium Copyright
    Act (DMCA) in 1998, which, among other things, made it illegal to do
    so much as reveal how copyright controls can be circumvented, has also
    upped the ante for those who like tinkering with other people's
    software. But while high-profile cases such as Sklyarov's and the
    DeCSS lawsuit wend their way through the courts, few experts in the
    technology community have offered clear alternatives that can be
    applied in the real world.
    There's still not an accepted set of guidelines for how people like
    West should proceed -- and that's "a serious problem," says Jennifer
    Granick, a San Francisco attorney who regularly defends hackers. Until
    consensus is reached -- which won't be easy, she says -- West's
    mistakes are destined to be repeated. Every security researcher and
    every Net user who happens to find a security flaw is vulnerable. The
    witness stand could only be a mouse-click away.
    Today's discussion of Internet security can be traced at least as far
    back as Robert Tappan Morris. In 1988, the 23-year-old doctoral
    student at Cornell released a 99-line program that ate its way through
    the Internet, propagating uncontrollably and slowing data transmission
    across the network nearly to a halt. In response to the unexpected
    shock, DARPA, (the Defense Advanced Research Projects Agency), a
    federal agency that oversaw the Net, formed a group of experts who
    could coordinate responses to worms like Morris'.
    The group soon called itself CERT -- for Computer Emergency Response
    Team -- and the plan it came up with seemed simple. People were
    supposed to send information on vulnerabilities to the group; CERT
    would then verify that the hole existed and alert the vendor.
    Publishing only occurred once the vendor plugged the hole.
    CERT still maintains the procedure, but after a few years, people
    started to rebel. "There were three main complaints," writes Schneier
    in an essay on the issue of publicizing vulnerabilities. "First, CERT
    got a lot of vulnerabilities reported to it, and there were complaints
    about CERT being slow in verifying them. Second, the vendors were slow
    about fixing the vulnerabilities once CERT told them. And third, CERT
    was slow about publishing reports even after the fixes were
    Hackers who spotted vulnerabilities weren't the only ones unhappy with
    CERT's lack of speed. The larger community of computer scientists and,
    in particular, systems administrators and security specialists
    entrusted with the responsibility of keeping networks safe and
    reliable, also chafed at the ponderous pace. By the time a vendor
    plugged a hole in its software, a great deal of mischief could already
    have occurred.
    Frustration with CERT led to what's now called "the full-disclosure
    movement" -- based on the hacker-friendly philosophy that more
    information is always better. Scott Chasin led the way, creating a
    mailing list in 1993 called Bugtraq that promised to publish
    vulnerabilities regardless of vendor response. Bugtraq's policies led
    to friction with vendors of software. Not only do software companies
    detest the bad publicity that is associated with news reports
    announcing serious problems with the software, but they are also wont
    to argue that publicizing a breach before a fix is available is
    tantamount to inviting a horde of juvenile delinquents to rummage
    through your unlocked home.
    But "the environment at that time was such that vendors weren't making
    any patches," says Elias Levy, an early Bugtraq subscriber who has
    moderated the list since 1996. "So the focus was on how to fix
    software that companies weren't fixing."
    Only a few hundred people signed up at first. In 1996, only 2,000
    people subscribed.
    But the messy dangers of security research hit home while Bugtraq was
    just getting started. In 1993, Randal Schwartz, an independent
    contractor working for Intel, decided to run a program that tested the
    vulnerability of passwords on the company's network. The program
    (called Crack) found 48 "weak" passwords (words that would be easy to
    guess) but Schwartz was hardly rewarded for his vigilance. Instead, he
    became the target of a criminal investigation, at the direct request
    of his own employer. An indictment came down in 1994 and in 1995, an
    Oregon judge sentenced him to 480 hours of community service, five
    years of probation, 90 days in jail and $68,471.45 in restitution. The
    Oregon Court of Appeals eventually suspended the jail time and
    reversed the restitution order, but upheld all the convictions.
    "I'm now a triple felon for merely wanting to help my main client of
    five years, by running a simple tool to gather evidence that another
    group within the company was not providing the minimum
    company-mandated standard level of protection," Schwartz says. "This
    is crazy. All I wanted to do was help."
    Then, Internet mania struck. With millions coming online, dot-coms
    appearing out of thin air and Web-based services like Hotmail growing
    exponentially, the security environment radically changed. More holes
    appeared and more people found them. Today, Bugtraq counts 46,000
    subscribers, many of them journalists who spread news of
    vulnerabilities to millions.
    The expanded attention at Bugtraq and other places on the Net has
    fueled the already heated debate. The discussion that had once taken
    place in the equivalent of a small theater has now moved into a
    cacophonous coliseum. Some maintain that those who exploit a
    vulnerability in order to prove that it exists are violating property
    rights. Others follow CERT's moderate stance, arguing that testing a
    hole was fine as long as the tester told the vendor about the hole and
    kept the vulnerability private.
    At the other end of the spectrum sit those who take a more libertarian
    line. They argue that ferreting out vulnerabilities -- by any means
    possible -- is the best way to keep them from forming in the future.
    Some diehards even declare that high-profile crackers like Kevin
    Mitnick -- the notorious computer expert who spent five years in jail
    for illegally accessing corporate networks -- should be lauded as
    heroes, cyber-investigators who showed the world how fragile networks
    could be.
    "These problems are complex and ambiguous," says Smith of the Privacy
    "It's an extremely difficult issue," adds Schneier, echoing the
    sentiments of other security experts. "The more I look at it, the
    harder it seems to get."
    West's case sidesteps a few of these difficulties. He didn't attempt
    to publish the vulnerability at the Poteau Daily News, and, according
    to his lawyer, didn't intentionally copy valuable security software as
    Mitnick did.
    But his case is powerfully relevant. Experts say that his actions at
    the Poteau site -- from finding the hole to downloading a competitor's
    publishing software and a file which had the passwords and log-ins
    that offered access to that software -- reignite many of the difficult
    questions that the technology community and courts are still trying to
    Does everyone have a right to look under the hood of every product
    they buy, of every Web site they can access? Once someone finds a
    possible vulnerability, must he or she inform whatever company might
    be affected by it? If someone exploits a vulnerability in order to
    verify that it exists, should the access be considered criminal, or
    does it depend on what is gained through the act of exploitation? Or,
    even more subjectively, does it depend on the intent of the hacker?
    Even before West discovered the Poteau Daily News flaw, he had some
    experience with such queries. A few months prior, he noticed that his
    bank's online services included his account number in the URL, so by
    plugging in other numbers, he could (and allegedly did) access other
    peoples' accounts. He never changed these accounts, and told the bank
    about the flaw. They fixed it, without calling the cops.
    West could have been prosecuted for his bank discovery too, just as
    was Randal Schwartz. The courts haven't given any clear answers to the
    burning questions surrounding computer access, says lawyer Granick.
    Although other people have found holes and been prosecuted for
    accessing private files, and in some cases for extortion -- charges
    that arise when people demand money for information on how to patch a
    given hole -- few of these cases went to trial. Most were settled
    without a judge's decision. There are exceptions, such as the DeCSS
    case, in which the publisher of the magazine 2600 was enjoined from
    distributing code that decrypts DVDs. But for the most part, the
    courts haven't clarified the laws surrounding security, so enforcement
    tends to be subjective.
    "The whole concept of 'unauthorized access' is in question," Granick
    says. "There isn't enough case law to go on."
    So, in the absence of legal authority, can the ambiguities be
    eliminated, or at least diminished? Granick, Smith, Levy and other
    security experts suggest that a formal, accepted set of guidelines --
    voted on and supported by the security industry -- would improve the
    Granick argues that the resulting code should treat the Internet as an
    entity unto itself, rather than some kind of electronic home.
    "The problem lies with the notion of 'went in,'" she says. "There's a
    barrier to going into a house or store that doesn't make sense in a
    computer context. If you type something in and see something you're
    not supposed to see, it's not the same as walking into someone's
    house. It's more like walking by a window without the shades being
    Schwartz holds to a similar line. "There must be safe harbor for the
    people trying to help," he says, because otherwise holes will
    proliferate. When the law doesn't allow researchers the freedom to
    find and plug holes, bugs will go unreported; fear will keep the
    helpful away, leaving room for the intentionally malicious. "Everyone
    loses," he says. "And as the law currently stands, it's the
    whistleblowers (like me) that stand to lose the most."
    But others disagree with Granick's logic. Tony Morgan, co-owner of
    Cyberlink, the ISP that wrote the software West copied, argues that
    West didn't just see the vulnerability. "He exploited it," Morgan
    says. "Finding the hole wasn't wrong; I back the hackers and crackers
    on that. The illegal part is when someone takes or destroys something.
    We feel that [in West's case] the line was crossed."
    And Morgan -- who claims the software West downloaded could be sold
    for about $5,000 -- isn't the only one arguing that computers should
    be treated like offline property.
    "If you screw with a service [as opposed to a product], you're
    screwing with someone's property," says Levy of Bugtraq. "Most people
    who have been doing security research for a while wouldn't have done
    what Brian did. Most people would know that the first thing you should
    do is get a waiver to verify the vulnerability."
    On the other hand, the DMCA is also problematic precisely because it
    treats digital content as its own unique animal. While traditional
    copyright law allows people to, say, copy a book for a school project,
    the DMCA makes no room for such fair uses of digital content. Simply
    showing people how to unlock an electronic book, as Sklyarov is now
    discovering, becomes cause for imprisonment.
    People already think the Internet and other new technologies are more
    unique than they actually are, says Schneier. And because the general
    public errs on the side of fear rather than respect, he says "the law
    needs to be technologically neutral."
    David Touretzky, a computer science professor at Carnegie Mellon who
    testified at the DeCSS trial, believes that new technologies should be
    treated like your local bank.
    "It's a place of business, open to the public," he says. "But not
    every inch is open to the public. Suppose I go wandering down the hall
    and walk into some guy's private office and walk over to the desk and
    take a look at the papers lying out in plain view. Am I guilty of
    breaking and entering? No. Am I trespassing? Well, yeah, but the
    building was open the public."
    At this point, because he would be somewhere he wasn't supposed to be,
    "the bank would be right to ask me to leave, maybe even tell me never
    to come back again," he says. "But having me arrested for wandering
    into an office? Nah. That would be overkill."
    Still, with so many ideas swirling about, can a coherent set of
    guidelines ever form? At least one security expert -- Chris Wysopal,
    head of research and development at the security firm @Stake -- is
    making the attempt. But Wysopal, a former hacker who's known online as
    "Weld Pond," has just begun gathering industry input. Even though the
    Net would be better off "with a set of moral codes," says Schneier,
    the community probably won't come up with anything useful anytime
    "The only way to do it is through case law," he says. "That's how we
    did it with phones and wiretaps, and that's how it will happen here."
    West should not be punished harshly for his mistakes, he says, but
    regardless, the case may actually improve the present security
    environment. The only problem, he adds, is that the law moves slowly.
    "It will take years to figure this out," Schneier says. "When the
    legal system hits Internet time, the results are a mess."
    Brian West probably agrees.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 00:19:01 PDT