[comp.misc] Computer Abuse / Product Liability / Criminal Statutes / ECPA

blackcat@neuro.usc.edu (01/19/90)

In article <4613@helios.ee.lbl.gov> Jef Poskanzer <jef@well.sf.ca.us> writes:
>In the referenced message, burch@quik07.enet.dec.com (Ben Burch) wrote:
>}I think here we have the beginnings of a war over the definition of the
>}term hacker! ... personal definition of hacker appears here ...
>This is your definition.  It is even the original definition.  It is *NOT*
>the only definition.  Please do not chase off the telecom hackers.  You
>clearly have a lot to learn from them.  
Whether one likes change or not, the definition of specific words tends to
change with common usage over time.  There can be little doubt that public
opinion subsequent to the release of the movie "War Games" would tend to
support the use of the term "hacker" to refer to people who try to obtain
unauthorized access to computer systems or communication networks.  I fail
to see the point of beating this dead horse any further into oblivion.

Now, on to more serious matters.  Whatever preconceived notions you hold
about people who seek unauthorized access to computer systems, I ask that
you suspend judgement for a few moments and consider the following points:

    o  Not every hacker attempts to gain access to systems with freely
       published passwords (as in the case of DEC's VAX fiasco wherein
       the os installation manuals contained the default passwords for
       the field service and system testing accounts), easily guessed
       passwords (exploiting the lax security practices of authorized
       users), spoofing authorized users to give their account/password
       in response to a bogus login message, rummaging through dp center
       trash, or by entering lengthy random trial and error sequences.
       Tiny children often exploit these vulnerabilities.

    o  Some hackers gain access by discovering little known defects in
       system software (e.g. side effects of operating system calls);
       scavenging communication devices or buffers for the plain text
       account/password combinations; rewriting microcode for public 
       access communication devices; running code under temporarily
       suspended privileged accounts while charging resources used to
       currently active nonprivileged accounts; passively monitoring 
       rf emissions from computer terminals, phone lines, microwave
       towers, and satellite links to secure plain text identification,
       communication access points, and operating procedures; or by a
       wide variety of other means requiring some minimal amount of
       technical expertise.  Teenagers exploit such vulnerabilities.

    o  A very small number of hackers acquire red (crypto secure) data
       communications, break the codes, and steal national defense and
       commercial business secrets.  College kids, some West Germans,
       and not a few government sponsored and freelance intelligence
       agents fall into this category.       

    o  One sorry bugger to date has introduced a virus that managed to
       utilize a little known defect in DEC and SUN system software ...
       and the rest of his case is currently on trial & making history.
       I would note that his effort (the INTERNET virus) meets each of
       the criteria discussed so far in this group for being a "hack"
       of the highest level ... one requiring a considerable degree of
       expertise ... and one (from personal examination of virus code)
       which was not readily understood by an experienced hacker.

    o  Personally, I believe the current attempts to write most computer
       crime/abuse/antihacker statutes are misdirected.  They proscribe
       behaviours that are commonly performed by system managers, site
       security personnel, vendor maintenance personnel, and many others.
       These statutes may give the public a false feeling of security and
       provide prosecutors with an additional tool to selectively harass
       someone they don't like.  But none of these statutes address the
       fundamental weaknesses in existing data processing systems.  The
       primitive security techniques these statutes attempt to support
       (plain text challenge and response with account names/passwords)
       were developed in the 1960's with little thought about persistent
       attack.  Such statutes will accomplish little more than the ECPA
       (electronic communications privacy act) which forbids listening
       to cellular telephone communications.  Such calls are broadcast
       at 30 KHz intervals in the band from 870-890 MHz.  A quick scan
       of this broadcast band will indicate that few if any callers are
       aware that their voice can be received anywhere within the range
       of the repeater servicing their call.  Simple plain text challenge
       and response offer little more security for computer systems.

    o  I believe the law should be changed to match the anti-gun statutes
       ... "USE A COMPUTER IN THE COMMISSION OF A FELONY: GO TO JAIL" ...
       crimes require criminal intent ... the government should be forced
       to prove that intent ... if unintended damage is caused, some civil
       action to recover the cleanup costs may be appropriate ... and, if
       the government can prove intent, as in the case of a spy with full
       documentation of a continuing pattern of abuses, then find a tall
       tree and hang 'em high ... but never sidestep the issue of intent
       ... it may not be easy to prove ... but our entire criminal legal
       system is built on a foundation of intent ... throw that away and
       no citizen (however blameless) will be safe from persecution.

    o  In any case, I believe the new generation hackers (intruders) may
       be better served by being invited by the old generation hackers
       (obscure code craftsmen) to participate in this discussion group
       and attempt to become interested in more productive activities --
       (e.g. fixing public domain INGRES to run on current generation
       unix systems, updating the old X10 server for the ibm/pc to work
       with X11R4, etc).  I would offer them lists of anonymous ftp/xfer
       systems containing millions of lines of code from small programs
       to large systems that would meet their need to explore (without 
       the very time consuming and wasteful process of breaking uninvited 
       into personal, commercial, and government systems), be challenged,
       and perhaps even contribute to the wealth of good hacks available
       to the public.

    o  No one should be insulted ... or otherwise baited or goaded into
       breaking into systems as a sign of rebellion against established
       authorities like the people who browbeat the bored and restless
       children who have written into this group in an attempt to make
       contact with something more stimulating than an assignment to
       write a "C" program to solve an arbitrary combinatorics problem.
Obligatory hacking report: I am trying to fix a generic security problem
involving the triggering of data terminal answerback buffers by whatever
program elects to send a ^W in the course of displaying a message.  The
specific problem I have encountered is a public access computer terminal
room where one of our students entered "^Y@dra0:[name]x.bat" into the
answerback buffer, waited for a privileged user to access that terminal,
sent email containing a ^W to that privileged user, the privileged user
read the email, triggered the answerback buffer, and promptly changed
the protection on the user authorization file and the user authorization
program to rwed access for all users on the system.  The student user ran
the user authorization program, reset the password on a dormant privileged
account, logged out, logged back in as the dormant privileged user, reset
the protection on the user authorization file and the user authorization
program, read and copied mail between numerous high level administrative
users, introduced numerous trapdoors to allow reentry to our system, and
logged out with nary a trace (some details of the audit trails that were
successfully used to secure a full confession have been left out) of her
presence.  This is a perplexing problem ... why do manufacturers still
put an answerback buffer in computer terminals ... such buffers should
have disappeared with the Model 35 TTY.  Currently, short of periodically
sending ^W to all of our inactive terminals (and gobbling up the response),
there is no evident way to prevent such abuse.  Suggestions anyone?

FINAL COMMENT:  The INTERNET virus should be treated as a product liability
question.  In my opinion, DEC and SUN should pay the cost of the cleanup
effort.  If it were not for latent defects in the products distributed by
these two manufacturers (which have been subsequently repaired by emergency
hacks and official patches), the relatively innocuous INTERNET virus could
not have spread so far so rapidly.  The show trial of some poor student who
happened to test for the presence of this defect and found he had created a
an extremely large chain reaction of systems passing this virus from one to
another ... is only detracting from the central fact -- today's vendors are
incapable of producing computer products without significant security (and
for that matter day to day operational) defects.  These defects regularly
result in unintended system crashes, destruction of data, communications
outages, denial of service, etc.  If we are not going to put a very large
number of unwitting vendor software development people, system managers, 
users, and maintenance people in jail for unintentionally triggering such
disruptions ... then we are going to have to find a better way to secure
systems ... some way that is better than the Morris show trial.
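The answerback-buffer attack in the "obligatory hacking report" above, modelled in Python with the one mitigation that does not depend on the terminal vendor: strip control characters and escape sequences from untrusted text (here, mail) before a privileged user's session writes it to the terminal. This is an added example, not code from the original post. The ^W trigger is taken from the post; ENQ (^E) is added because DEC VT-series terminals transmit their answerback on ENQ. The planted answerback string reuses the post's "^Y@dra0:[name]x.bat" with a trailing carriage return added as an assumption so that the injected command line is submitted; the mail body is constructed.

```python
"""Answerback injection: a terminal 'types' its answerback buffer when a
trigger byte is displayed, so whatever is planted in that buffer runs as
the user currently logged in on the terminal.  Added example; the trigger
bytes, planted string and mail body are assumptions/constructed inputs."""

import re

# Bytes that make the terminal transmit its answerback buffer as keyboard
# input: ^W (the terminals in the post) and ENQ / ^E (DEC VT-series default).
ANSWERBACK_TRIGGERS = {0x17, 0x05}

# The only C0 controls a mail reader needs to pass through when displaying.
SAFE_CONTROLS = {0x09, 0x0A, 0x0D}  # TAB, LF, CR

# ESC-led sequences (CSI, OSC, and 2-byte Fe escapes) can also query or
# reprogram a terminal, so the display filter removes them as well.
_ESC_SEQ = re.compile(
    rb"\x1b(?:\[[0-?]*[ -/]*[@-~]"      # CSI: ESC [ params intermediates final
    rb"|\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... BEL or ESC \
    rb"|[@-_])"                         # 2-byte Fe escapes (ESC @ .. ESC _)
)

# The post's planted answerback: ^Y interrupts the current command, then
# "@file" runs a DCL command procedure.  Trailing CR is an assumption.
PLANTED = b"\x19@dra0:[name]x.bat\r"


class Terminal:
    """Minimal terminal model: bytes go to the screen, except that a
    trigger byte causes the answerback buffer to be sent as if typed."""

    def __init__(self, answerback: bytes = b""):
        self.answerback = answerback
        self.screen = bytearray()
        self.typed = bytearray()  # what the host reads back from the keyboard line

    def display(self, data: bytes) -> bytes:
        for b in data:
            if b in ANSWERBACK_TRIGGERS:
                self.typed += self.answerback
            else:
                self.screen.append(b)
        return bytes(self.typed)


def sanitize_for_terminal(data: bytes) -> bytes:
    """Remove escape sequences, DEL and all C0 controls except TAB/LF/CR
    from untrusted text before it is written to a terminal."""
    data = _ESC_SEQ.sub(b"", data)
    return bytes(b for b in data if (0x20 <= b != 0x7F) or b in SAFE_CONTROLS)


def demo_attack(mail_body: bytes, planted: bytes, filtered: bool) -> bytes:
    """Display a mail body on a terminal whose answerback was planted by
    the attacker; return whatever the terminal 'typed' as a result."""
    term = Terminal(answerback=planted)
    shown = sanitize_for_terminal(mail_body) if filtered else mail_body
    return term.display(shown)


if __name__ == "__main__":
    mail = b"Please look at the budget figures\x17 when you get a chance.\n"
    print("unfiltered:", demo_attack(mail, PLANTED, filtered=False))
    print("filtered:  ", demo_attack(mail, PLANTED, filtered=True))
```

The model makes the failure mode explicit: the privileged user never typed anything, the mail reader simply wrote an attacker-controlled byte to the terminal. Filtering the output stream closes the mail vector; it does nothing for other paths that write untrusted bytes to a logged-in terminal (write/talk, file listings, login banners), so the same filter belongs in front of each of them.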