swatt@rt1.eng.yale.edu (11/23/88)
From: Alan S. Watt <swatt@rt1.eng.yale.edu>
To: The Internet
Date: 10-November-88
Amended: 22-November-88
Subject: Towards Better Computer Security

The recent discussions on the internet virus were interesting and informative, but I do not see any convergence on what to do about The Bigger Problem of foiling future virii. One camp favors the "... take him out and shoot him as a deterrent" approach; the other camp has the "... we should be grateful he dramatized these long-latent weaknesses" view. While there is some justification in both views, neither really provides any direction to take which will give us any improved security.

There are also some who regret that all the publicity is going to result in more restrictions, I suppose taking the view that we are all consenting adults and we "should have known" the whole network is insecure. I must register a strong rebuttal to complacency in computer security; computer and computer-controlled systems are coming to dominate more and more of the operations which make up our daily lives. The foundations of our commercial and social services are increasingly computer-mediated, if not outright computer-controlled.

No Big Deal?
------------

Computers keep my bank account, transfer money from Yale's bank to mine, control stock and bond trading, keep track of planes in flight, land the space shuttle, time the fuel injection in my car, control brakes in some new cars, etc., etc. The list is very long and becoming longer every day. It is at the point where people sufficiently expert in compromising these computer systems could steal billions of dollars, disrupt national air traffic (perhaps even cause crashes), and so on. My point here is that when the potential gain, either in stolen money or in political effects, of computer-assisted crime gets large enough, you can be sure someone will work very hard to find a way.

We should all be concerned with computer security, and in a much wider sense than just keeping someone from breaking into "our" system. The social consequences of a deliberate, organized, and large-scale assault on our computer systems of today are hard enough to enumerate; the effects after 5 or 10 more years of computerization probably cannot be imagined. Think of the mafia gaining control of promising young computer professionals through bribery and intimidation and ask yourself where that leads. What happens when white collar computer crime gets "organized"?

The Political Response
----------------------

All of this reminds me of the hysteria some months back over the dangers to air safety posed by so-called "plastic guns". The news media, ever in need of sensational stories, totally ignored repeated authoritative statements (from the FAA, from the manufacturers of airport X-ray equipment) that the particular gun in question (Glock-17) was easily detectable on current equipment which was properly adjusted and maintained and staffed by properly alert operators. The Congress, ever in need of appearing to "do something", promptly readied legislation to "cure" this problem by outlawing "plastic guns". Never mind audits by the FAA and GAO which showed that lax airport personnel and procedures were the most prevalent and easiest ways to sneak weapons or explosives on board; the "plastic gun" scare got everybody's attention, and Congress would remove the threat by making them illegal. Lost in the predictable pro- vs. anti-gun debate which ensued was the original goal of improving airport security.

I suspect we will face this same mindless approach to computer security sometime soon. The press will do their usual sloppy (or outright distorted) job of reporting some incident, and the Congress will enact some ill-considered and possibly damaging legislation just to appear busy. I have really been surprised by the extent (but not the quality!) of media coverage given to this incident. Given the visibility, it can't be too long before legislation results.

The Ethics Response
-------------------

There have also been proposals that we should require computer science people to pass ethics courses, or perhaps just one-day seminars on being a good network citizen. While probably less damaging than letting Congress into the act, this approach also ignores the problem. It is indicative of an attitude that we're all good members of "the club", and social pressures will make us conform through fear of censure. I believe strongly in ethics, but I believe even more strongly in a society which is robust despite the lack of ethics in some members. Running a bank on the honor system, where depositors kept their own balances, is a prescription for bankruptcy; running a national network assuming everyone who has access will be "ethical" is equally doomed to failure.

The rule I use for predicting the behavior of states, institutions, groups, and individuals is simply this: when the interests get strong enough, the scruples get correspondingly weak. You can keep most people honest enough to pass up $10; it gets real hard to expect honesty at the level of $1,000,000.

Concentrating on the Real Problem
---------------------------------

The goal should be to make computer systems more secure. Every proposal should be judged by this criterion. I think people who like to tinker with breaking computer security do so because of a special set of attitudes. People who like to do software testing have similar attitudes: they like to break things which other people have said "can't" be broken. A good software development organization appreciates such people and rewards them when they succeed in finding a fault. A society truly concerned with computer security would similarly appreciate those with the bent and persistence to prove security defects. The question is: how to harness the natural tendencies of such people in a socially acceptable and technically useful way?

Security "Privateers"
---------------------

When the airport security debate was going on, I thought the proper approach was to issue licenses to people who wanted to try to defeat airport security (let's call them "crackers"). Licensed "crackers" would then be free to try to prove that security at some particular airport could be evaded. If they succeeded by smuggling in approved facsimile weapons, the FAA would impose a fine on the airport and the cracker would get a percentage of it. The point is, you create a financial incentive for people to go into the business of proving airports are insecure. If the fines are big enough, all the easy ways to get weapons on planes will be quickly foreclosed. In effect, the government would issue modern-day "letters of marque" and create airport security privateers. The other point is that NO security system is any good unless it is tested frequently. If nothing else, constant cracker attempts might make the people manning those security checkpoints a lot more alert.

I believe a similar approach would have a prompt and positive effect on computer security. It may not solve any of the genuinely hard technical problems, but at least it will cause all the well-known and obvious holes to be closed. The real question is what agency would have authority to levy fines, and against whom? Unlike the FAA, there is no agency which has regulatory authority over computer vendors. However, the federal government buys a LOT of equipment, and it could certainly use that power to make all its suppliers fix demonstrated security problems. The Feds might require, for instance, that any vendor of computer or network gear to the government maintain a sample configuration accessible on the internet, and publicise its name and location. Licensed crackers would then be free to attempt computer break-ins. If successful, the Feds would in some manner collect money from the vendors and pay a portion of it to the crackers. Similarly, any government installation which has computers publicly accessible on phone lines or the internet would be required to publish the name of one of them as the "sitting duck". If a cracker could break into it due to laxness of the installation administrators, the government would impose the fine and pay the cracker.

It Won't Always Be a Prank
--------------------------

Whatever the merits of this particular proposal, we must remember that very soon we will be faced with not just misguided pranksters, but professional criminals. The problem will not go away; we must face it squarely and expend effort toward making our computer systems much, much, much more secure.

- Alan S. Watt
High Speed Networking, Science and Engineering Computing Facility
Dunham 232; (203) 432-4243,4007
watt-alan@cs.yale.edu