Forwarded from: William Knowles <wk@private> http://www.eweek.com/article2/0,4149,1517369,00.asp By Peter Coffee February 5, 2004 Every few years, I find it worth my time to re-read Ken Thompson's August 1984 article, "Reflections on Trusting Trust," based on his 1983 Turing Award lecture that described what he called "the cutest program I ever wrote." The lecture does not merely describe the anatomy of a clever hack: it demonstrates the need for important IT systems to be treated as fundamentally untrustworthy, and to be guarded by independent technical and procedural limits on what they are able to do. Thompson's lecture is still being cited, for example, in discussions of computer-based voting systems in elections. His warnings also come to mind after reading William Safire's column for the New York Times, released this morning, about the West's deliberate sabotage of the former Soviet Union's campaign of Cold War technology theft--specifically, the Trojan Horse that was implanted in stolen pipeline-control software to create "the most monumental non-nuclear explosion and fire ever seen from space" (as described by Thomas Reed in his forthcoming book, "At the Abyss: An Insider's History of the Cold War.") If you don't want to wait for next month's publication of Reed's book, you can find additional background on Safire's column in an article by Gus Weiss, whom Safire calls the "mild-mannered economist" who "engineered" the sabotage effort. Thompson's device for concealing a "back door" superuser account was discoverable only by someone with access to the entire chain of system software, including the compiler that was used to compile the compiler. It was not a theoretical exercise, but a convenient method that he devised for ensuring access to the early Unix systems that he was often asked to help fix. And Thompson's lecture was followed, ten years later, by my April 1994 article, "Distributed Objects Form Info Highway Hazards": although no longer online, so far as I can determine, that article was cited by another writer later that year in a still-accessible Defcon II conference paper on the nature of cyber-crime. My key point was that compound documents, with their invisible invocations of the applications that create their embedded objects, are constantly re-linking the user's chain of trust through unknown participants: the expected results, I argued, were both local breaches of security and global surges of network activity. Five years later, in April 1999, I suggested (in the wake of the all-too-predictable Melissa worm) that ease-of-use features in the then-forthcoming Office 2000 would further fuel the firestorm, with deadly combinations of features such as the Outlook preview pane and the incorporation of active content into HTML-formatted e-mail. Harried SCO Web site staff can only wish that I'd been more successful in persuading people that our network-intensive applications need anti-lock brakes, so to speak, as well as automatic transmissions. That ends this morning's history lesson, and I hope you'll pardon the retrospective tone. It's hardly original to point out that most successful IT attacks involve long-known vulnerabilities, but this morning's headlines seemed to call for this review of both old demonstrations and newly disclosed examples. I welcome your own war stories, cold or hot, at peter_coffee@private *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org ================================================================ Help C4I.org with a donation: http://www.c4i.org/contribute.html *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Feb 06 2004 - 02:45:07 PST