[comp.protocols.tcp-ip] Toward Better Security

swatt@rt1.eng.yale.edu (11/23/88)

From: Alan S. Watt <swatt@rt1.eng.yale.edu>

     To: The Internet
   From: Alan S. Watt
   Date: 10-November-88
Amended: 22-November-88
Subject: Towards Better Computer Security

The recent discussions on the internet virus were interesting and
informative, but I do not see any convergence on what to do about The
Bigger Problem of foiling future viruses.  One camp favors the "... take
him out and shoot him as a deterrent" approach; the other camp has the
"... we should be grateful he dramatized these long-latent weaknesses"
view.  While there is some justification in both views, neither really
provides any direction to take which will give us any improved
security.

There are also some who regret that all the publicity is going to
result in more restrictions, I suppose taking the view that we are all
consenting adults and we "should have known" the whole network is
insecure.  I must register a strong rebuttal to complacency in computer
security; computer and computer-controlled systems are coming to
dominate more and more operations which make up our daily lives.  The
foundations of our commercial and social services are increasingly
computer-mediated, if not outright computer-controlled.

No Big Deal?
------------
Computers keep my bank account, transfer money from Yale's bank to
mine, control stock and bond trading, keep track of planes in flight,
land the space shuttle, time the fuel injection in my car, control
brakes in some new cars, etc., etc.  The list is very long and becoming
longer every day.  It is at the point where people sufficiently expert
in compromising these computer systems could steal billions of dollars,
disrupt national air traffic (perhaps even cause crashes), and so on.
My point here is that when the potential gain, either in stolen money,
or political effects, of computer-assisted crime gets large enough, you
can be sure someone will work very hard to find a way.

We should all be concerned with computer security, and in a much wider
sense than just keeping someone from breaking into "our" system.  The
social consequences of a deliberate, organized, and large-scale assault
on our computer systems of today are hard enough to enumerate; the
effects after 5 or 10 more years of computerization probably cannot be
imagined.  Think of the mafia gaining control of promising young
computer professionals through bribery and intimidation and ask
yourself where that leads.  What happens when white collar computer
crime gets "organized"?

The Political Response
----------------------
All of this reminds me of the hysteria some months back over the
dangers to air safety posed by so-called "plastic guns".  The news
media, ever in need of sensational stories, totally ignored repeated
authoritative statements (from the FAA, from the manufacturers of
airport X-ray equipment) that the particular gun in question (Glock-17)
was easily detectable on current equipment which was properly adjusted
and maintained and staffed by properly alert operators.

The Congress, ever in need of appearing to "do something", promptly
readied legislation to "cure" this problem by outlawing "plastic
guns".  Never mind audits by the FAA and GAO which showed lax airport
personnel and procedures were the most prevalent and easiest ways to
sneak weapons or explosives on board; the "plastic gun" scare got
everybody's attention and Congress would remove the threat by making
them illegal.  Lost in the predictable pro- vs. anti-gun debate which
ensued was the original goal to improve airport security.

I suspect we will face this same mindless approach to computer security
sometime soon.  The press will do their usual sloppy (or outright
distorted) job of reporting some incident, and the Congress will enact
some ill-considered and possibly damaging legislation just to appear
busy.  I have really been surprised by the extent (but not the
quality!) of media coverage given to this incident.  Given the
visibility, it can't be too long before legislation results.

The Ethics Response
-------------------
There have also been proposals that we should require computer science
people to pass ethics courses, or perhaps just one-day seminars on
being a good network citizen.  While probably less damaging than letting
Congress into the act, this approach also ignores the problem.  It is
indicative of an attitude that we're all good members of "the club",
and social pressures will make us conform through fear of censure.

I believe strongly in ethics, but I believe even more strongly in a
society which is robust despite the lack of ethics in some members.
Running a bank on the honor system where depositors kept their own
balances is a prescription for bankruptcy; running a national network
assuming everyone who has access will be "ethical" is equally doomed to
failure.

The rule I use for predicting behavior of states, institutions, groups,
and individuals is simply this:

	When the interests get strong enough, the scruples get
	correspondingly weak.

You can keep most people honest enough to pass up $10; it gets
real hard to expect honesty at the level $1,000,000.

Concentrating on the Real Problem
---------------------------------
The goal should be to make computer systems more secure.  Every
proposal should be judged by this criterion.

I think people who like to tinker with breaking computer security do so
because of a special set of attitudes.  People who like to do software
testing have similar attitudes: they like to break things which other
people have said "can't" be broken.  A good software development
organization appreciates such people and rewards them when they succeed
in finding a fault.  A society truly concerned with computer security
would similarly appreciate those with the bent and persistence to prove
security defects.  The question is: how to harness the natural
tendencies of such people in a socially acceptable and technically
useful way?

Security "Privateers"
---------------------
When the airport security debate was going on, I thought the proper
approach was to issue licenses to people who wanted to try to defeat
airport security (let's call them "crackers").  Licensed "crackers"
would then be free to try to prove that security at some particular
airport could be evaded.  If they succeeded by smuggling in approved
facsimile weapons, the FAA would impose a fine on the airport and the
cracker would get a percentage of it.

The point is, you create a financial incentive for people to go into
the business of proving airports are insecure.  If the fines are big
enough, all the easy ways to get weapons on planes will be quickly
foreclosed.  In effect, the government would issue modern-day "letters
of marque" and create airport security privateers.

The other point is that NO security system is any good unless it is
tested frequently.  If nothing else, constant cracker attempts might
make people manning those security checkpoints a lot more alert.

I believe a similar approach would have a prompt and positive effect on
computer security.  It may not solve any of the genuinely hard
technical problems, but at least it will cause all the well-known and
obvious holes to be closed.  The real question is what agency would
have authority to levy fines, and against whom?  Unlike the FAA, there
is no agency which has regulatory authority over computer vendors.
However, the federal government buys a LOT of equipment, and it could
certainly use that power to make all its suppliers fix demonstrated
security problems.

The Feds might require, for instance, that any vendor of computer or
network gear to the government maintain a sample configuration accessible
on the internet, and publicise its name and location.  Licensed crackers
would then be free to attempt computer break-ins.  If successful, the
Feds would in some manner collect money from the vendors and pay a
portion of it to the crackers.

Similarly, any government installation which has computers publicly
accessible on phone lines or the internet would be required to publish
the name of one of them as the "sitting duck".  If a cracker could
break into it due to laxness of the installation administrators, the
government would impose the fine and pay the cracker.

It Won't Always Be a Prank
--------------------------
Whatever the merits of this particular proposal, we must remember that
very soon we will be faced with not just misguided pranksters, but
professional criminals.  The problem will not go away; we must face it
squarely and expend effort toward making our computer systems much,
much, much more secure.

	- Alan S. Watt
	  High Speed Networking, Science and Engineering Computing Facility
	  Dunham 232; (203) 432-4243,4007
	  watt-alan@cs.yale.edu