[ISN] Reflections on Thompson's 'Reflections'

From: InfoSec News (isn@private)
Date: Fri Feb 06 2004 - 00:31:38 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.eweek.com/article2/0,4149,1517369,00.asp
    
    By Peter Coffee 
    February 5, 2004 
    
    Every few years, I find it worth my time to re-read Ken Thompson's 
    August 1984 article, "Reflections on Trusting Trust," based on his 
    1983 Turing Award lecture that described what he called "the cutest 
    program I ever wrote." The lecture does not merely describe the 
    anatomy of a clever hack: it demonstrates the need for important IT 
    systems to be treated as fundamentally untrustworthy, and to be 
    guarded by independent technical and procedural limits on what they 
    are able to do. 
    
    Thompson's lecture is still being cited, for example, in discussions 
    of computer-based voting systems in elections. His warnings also come 
    to mind after reading William Safire's column for the New York Times, 
    released this morning, about the West's deliberate sabotage of the 
    former Soviet Union's campaign of Cold War technology 
    theft--specifically, the Trojan Horse that was implanted in stolen 
    pipeline-control software to create "the most monumental non-nuclear 
    explosion and fire ever seen from space" (as described by Thomas Reed 
    in his forthcoming book, "At the Abyss: An Insider's History of the 
    Cold War"). If you don't want to wait for next month's publication of 
    Reed's book, you can find additional background on Safire's column in 
    an article by Gus Weiss, whom Safire calls the "mild-mannered 
    economist" who "engineered" the sabotage effort. 
    
    Thompson's device for concealing a "back door" superuser account was 
    discoverable only by someone with access to the entire chain of system 
    software, including the compiler that was used to compile the 
    compiler. It was not a theoretical exercise, but a convenient method 
    that he devised for ensuring access to the early Unix systems that he 
    was often asked to help fix. 
    
    And Thompson's lecture was followed, ten years later, by my April 1994 
    article, "Distributed Objects Form Info Highway Hazards": although no 
    longer online, so far as I can determine, that article was cited by 
    another writer later that year in a still-accessible Defcon II 
    conference paper on the nature of cyber-crime. My key point was that 
    compound documents, with their invisible invocations of the 
    applications that create their embedded objects, are constantly 
    re-linking the user's chain of trust through unknown participants: the 
    expected results, I argued, were both local breaches of security and 
    global surges of network activity. 
    
    Five years later, in April 1999, I suggested (in the wake of the 
    all-too-predictable Melissa worm) that ease-of-use features in the 
    then-forthcoming Office 2000 would further fuel the firestorm, with 
    deadly combinations of features such as the Outlook preview pane and 
    the incorporation of active content into HTML-formatted e-mail. 
    Harried SCO Web site staff can only wish that I'd been more successful 
    in persuading people that our network-intensive applications need 
    anti-lock brakes, so to speak, as well as automatic transmissions. 
    
    That ends this morning's history lesson, and I hope you'll pardon the 
    retrospective tone. It's hardly original to point out that most 
    successful IT attacks involve long-known vulnerabilities, but this 
    morning's headlines seemed to call for this review of both old 
    demonstrations and newly disclosed examples. 
    
    I welcome your own war stories, cold or hot, at 
    peter_coffee@private
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    