May 30, 2024

Classic Security Paper, with New Commentary

If you’re interested in computer security, check out the new paper by Paul Karger and Roger Schell. Thirty years ago, Karger and Schell wrote a classic paper reviewing the security of the Multics operating system, which was then the state of the art in secure OS design. Their new paper looks back on the original and reflects on what has happened since.

Wireless LANs, Security, and Intrusions

News.com has an article about drive-by spam. The idea is that a spammer will find a building with a wireless LAN. The spammer will then connect to that LAN, without permission, from outside the building, and use the building’s email server to send a big load of spam email.

This is abusive behavior. The spammer is exploiting the wireless network owner, who ends up paying for the email, and who might get blamed for spamming. (The network owner can prevent this by tightening up the security of their email system, but this is not cost-free, and it doesn’t excuse the drive-by spammer’s actions.)

The problem here is that wireless nets do not respect property lines, walls, or other physical boundaries. If you’re running a wireless network, it is almost certainly open to people outside your site. This is a security risk for you – drive-by spamming is only one of the ways an outsider could exploit the availability of your network. (And even if you turn on the “secure mode” of your wireless network, you’re probably not safe against a sophisitcated adversary.)

It seems reasonable to adopt the ethical principle that you should not use somebody else’s wireless net without permission. (And if you do use it, you should use it only to access the greater Internet, and not to use their internal servers.)

Now suppose you’re in a public place. You pop your wireless card into your laptop, and it finds a connection. What should you do? How do you know whether you have permission?

The answer is that you don’t know. Maybe the wireless net is open because of an oversight, or because its owner wasn’t able to close it. But maybe it’s open on purpose. Some sites use their wireless nets to provide complimentary service to their customers or to the public. Sharing your network feed is a neighborly thing to do, so an open wireless net might be an invitation rather than a mistake.

How can you tell the difference? Unfortunately, the technology doesn’t help. You just shove your network card into your laptop, and it either does or doesn’t find a connection. There’s nothing in the technology that helps you figure out whether the network’s owner objects to your using it. There might not even be an easy way to find out who the network owner is.

What we need is some kind of social norm to help us out. If “everybody knows” that a network configured one way is meant to be open to the public, and one configured otherwise is not, then the boundaries will be clear. Until then, we’ll just have to do our best to behave reasonably and treat others’ wireless nets with the same respect we should normally afford to others’ property.

Situations like this often invite legislation and legal line-drawing. That seems like a mistake here, as any new law would likely be farther from the “right” answer than the eventual social norm will be. So far I haven’t seen any proposed legislation regulating use of others’ wireless nets, but I wouldn’t be surprised to see some.

Homeland Insecurity

Nice article by Charles Mann in the September 2002 issue of the The Atlantic, about Bruce Schneier and his opinions on homeland security. Bruce thinks insightfully about security, and is a great communicator as well. If you’re interested in computer security, Bruce’s CryptoGram newsletter is a must-read.

Bruce says that much of the money and effort being spent on improving homeland security is wasted, going to high-tech systems that fail often and sometimes catastrophically, and to new procedures that have little connection to any real threat. He argues that we should match our defenses carefully to the threat, and that we should rely more on human judgment and less on gee-whiz machines. All of this makes sense.

The article is properly skeptical about biometric identification technologies like fingerprint readers and iris scanning, explaining how many of them can be defeated by low-tech methods. Skepticism is the right response to any new security technology, but for some reason biometrics and the like often get a free pass. Many people know that new technologies are unreliable; yet they seem strangely predisposed to assume that big-brotherish ones will work.

Washington Post: Break-Ins to Military Computers

Interesting article today in the Washington Post about some freelance consultants who apparently rummaged through a bunch of Department of Defense computers without authorization. What they found was pretty appalling. But what they did seems pretty appalling too – although the article takes pains not to mention this. Here is the beginning of the article:

Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

[…]

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers’ online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm – and relative newcomers to the security field – the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access.

What is amazing to me is that the writer seems to be working hard to avoid pointing out that what these guys did looks to have been unethical and probably illegal. The rule is pretty simple – honest discussion of security vulnerabilities: good; actually breaking into other people’s computers: bad.

True, careful readers of the article might still connect the dots between the description of what the ForensicTec guys did, and the mention fifteen paragraphs later of laws against unauthorized intrusion. But isn’t it the writer’s job to point out such basic connections?

It’s hard to believe the writer and his editor would have missed this obvious point. Yet I can’t understand why they would have chosen to ignore it. Any suggestions?

UPDATE: Within hours of appearance of the above-mentioned Washington Post article, the FBI raided the offices of ForensicTec.

Princeton Accused of "Hacking" Yale

[This is slightly off-topic, but as a Princeton person I have gotten lots of questions about this incident.]

Somebody in Princeton’s admissions office, probably an associate dean of admissions, apparently accessed without authorization a Web site that Yale set up for people who had applied for admission to Yale. Yale says that 11 students’ records were accessed, on 18 occasions. Princeton admits that the accesses occurred, and has suspended the associate dean in question pending an investigation. The FBI is sniffing around.

I don’t have any direct knowledge of the relevant facts, so I’ll just assume for now that the press reports are accurate.

Three comments are in order. First, Yale was pretty irresponsible to put applicants’ private information on the Web with only the applicant’s social security number and birthdate as “passwords.” It’s no secret that it is easy to learn anybody’s SSN and birthdate, so Yale’s scheme left the applicants’ information open to almost any unscrupulous person. According to today’s Washington Post, the Yale site was designed and built by a Yale junior. I wonder how much adult supervision he had. (Of course, none of this can excuse the improper accesses that Princeton people, or anybody else, might have made to the site.)

Second, the Princeton admissions person who apparently made the accesses told the press that he was just trying to verify the insecurity of the Yale system. Whether the facts (e.g. the pattern of accesses) are consistent with this excuse remains to be seen. In any case, it’s an utterly lame excuse, as one could have verified the insecurity of the site without breaching it. This excuse was Slate’s Whopper of the Week.

Finally, this case illustrates one of the differences between computer intrusions and tinkering. An intrusion like this is wrong not because somebody disapproves of it, and not because somebody gains an advantage by doing it, but because it involves an unauthorized access to a system that belongs to somebody else. People often apply the same kind of rhetoric (i.e. “hacking”) to cases of tinkering, where the purported crime is to “break in” to one’s own property.