[IWAR] DATASEC "We're not prepared"

From: Mark Hedges (hedgesat_private)
Date: Sun Jul 05 1998 - 17:32:38 PDT

    Date: Fri, 3 Jul 1998 15:23:08 -0400
    To: cypherpunksat_private, cryptographyat_private
    From: Robert Hettinga <rahat_private>
    Subject: We're Not Prepared
    
    --- begin forwarded text
    
    Date: Fri, 03 Jul 1998 14:43:14 GMT
    To: "DaveNet World" <davenet-worldat_private>
    From: dwinerat_private (DaveNet email)
    Subject: We're Not Prepared
    
    -------------------------------------
    From Scripting News... It's DaveNet!
    Released on 7/3/98; 7:43:14 AM PST
    -------------------------------------
    
      Yesterday was the highest-flow day ever on scripting.com, and
      rightly so. We had the most detailed information on the $DATA
      security hole in IIS and other Windows-based web server software. It
      was a breaking story, I believe a bigger story than the Intel Pentium
      public relations fiasco over two years ago.
    
      Microsoft's response was excellent, but the industry press
      response was frightening. This morning there's barely a mention of
      the story on the sites I check on a regular basis. I'm tempted to say
      that this was not the catastrophe that I'm concerned about, but it
      *was* the catastrophe, and there are certainly a lot of system
      operators that still aren't aware that they have a major security
      hole, and given the coverage given by the press, it seems they aren't
      likely to find out.
    
      Even though dozens of reporters are on DaveNet, only one inquiry came
      in from a press person, and that inquiry was about the trust issue I
      mentioned in the postscript, which is a long-term issue largely of
      interest to web server developers, and shouldn't concern system
      managers and users much.
    
      Why weren't the reporters interested in this story? Is there any
      lesson I can learn from this? Maybe I'm not trusted? Maybe the press
      people don't get it? How can I do better to deserve their trust or to
      educate them about how precarious our security is, now that web
      servers manage sensitive information like customer credit card
      info, medical records, and nuclear secrets?
    
      ***An open airline database
    
      My moment of greatest fear yesterday came when I got a link into a major
      airline's frequent flier database, and presumably I could have
      altered my records in their database (I'm a customer).
    
      As an experiment I tried calling their main number to see if they could
      receive a security alert over the phone, and found that they had a
      company policy to not give out phone numbers. I could make a
      reservation, but I couldn't speak with their computer operations
      people. I said it was an emergency. I asked to speak to their
      president, but the request was refused.
    
      How frightening for them! Airline safety is a big deal. Sure, a hacker
      probably can't impact airline safety through a frequent flier mileage
      database, but we don't know that that's the only hole that was opened
      yesterday.
    
      And I saw the password they chose for their database and was even more
      shocked! Oh man. Passwords 101. Change that password right now,
      folks. Even without the IIS hole, a hacker could easily guess the
      passwords that many people are using.
    
      ***Remember Murphy
    
      Further, since the hole has been there since IIS shipped, we have no
      idea what other data was compromised due to the hole that was revealed
      yesterday.
    
      Remembering Murphy's Law, anything that can go wrong will go wrong.
      It seems prudent to assume that your passwords are compromised, and
      go from there.
    
      ***Are we prepared?
    
      We have an emergency response system for other kinds of
      catastrophes, earthquakes, fires, power outages, etc., but the
      response system for computer security holes is totally inadequate.
      It may take a meltdown to bring this home to the public, something that
      people can relate to, an event that costs everyone money or jobs, or
      kills people, or breaks a system that people depend on.
    
      Then the press will be outraged, and the anger will likely be directed
      at the computer industry, but it would be misplaced. This time the
      industry acted responsibly, but the press didn't pick up the story.
      There's still time, and something important that still needs to be
      done. The press is a crucial link in the communication system. People
      have a right and need to know about this stuff.
    
      Microsoft shipped a fix for the problem yesterday. Now, system
      operators have to install the fix. The press can help by spreading the
      word, and perhaps for once tell the story of an industry that's doing
      its job in an honorable and open way.
    
      The bottom line: security holes happen. I don't believe people who
      say Unix or Mac systems aren't subject to holes. No one knows.
      Programmers are human; we make mistakes, software has bugs, and
      servers have holes. The measure of our quality is how open we are about
      our mistakes. When we take the high road and let people know, even if it
      makes us look human, we're doing the right thing. I hope the press
      tunes in to this.
    
      Dave Winer
    
    -------------------------------------------
    Scripting news: <http://www.scripting.com/>
    
    --- end forwarded text
    