SCN: Security

[Steve]

x-no-archive: yes

=============================


Every security researcher and every Net user who happens to find a 
security flaw is vulnerable. The witness stand could only be a 
mouse-click away.  


(Damien Cave, Salon)---Brian K. West simply wanted to see how his 
company's advertisement would look in the online edition of the 
Poteau Daily News & Sun, his local Oklahoma newspaper. But while 
trying to create a mockup, he discovered a security flaw that let him 
put the ad on the actual home page of the newspaper. No password 
or permission was required. In fact, anyone with Microsoft's 
FrontPage -- a Web site development program used to create the 
newspaper's Web pages -- could go in and redesign at will, 
wreaking havoc on the home page's structure, color and text.  

West, a 24-year-old sales and support employee of a nearby 
Internet service provider, didn't put his ad on the page or make any 
of these changes. He downloaded some files, apparently to verify 
the hole, then called the newspaper's editor in chief to let him know 
that his Web site wasn't secure -- that anyone could get in and "edit 
your stories."  

But instead of thanking him, the suspicious editor contacted the 
police, setting in motion a chain of events that would lead to an 18-
month FBI investigation and an invitation to appear before a grand 
jury Sept. 5.  

In the community of hackers, the details outlined above could be 
expected to result in West's immediate treatment as a hero, a well-
meaning altruist trapped by an undiscriminating justice system. 
Protests could have been scheduled, money raised. Like the 
recently indicted Russian programmer Dmitry Sklyarov, accused of 
illegally distributing code that unlocks electronic books, West might 
have become a poster child for reforms to laws that, according to 
critics, treat security research as a crime rather than a virtuous act 
of science.  

But even though charges have not yet been filed, West is not getting 
the hacker hero treatment. The reason? According to court 
documents West didn't just warn the Poteau Daily News about the 
hole; among the items he downloaded were files containing source 
code and passwords for the proprietary software that the 
newspaper's editors used to post stories from remote locations. It 
was only a beta version, and it's not clear whether West knew what 
he was downloading, but because the newspaper bought the 
software from an Internet service provider that was a competitor to 
West's company, the act itself did much to tarnish West's "good 
Samaritan" image.  

So, instead of becoming an icon, a victim and a martyr, he's instead 
a lightning rod for debate. Hundreds of people have written to the 
U.S. attorney in charge of the case since Aug. 17, when an 
abbreviated version of West's story appeared on the geek news site 
LinuxFreak.org. And while the prosecutor and West's lawyers 
exchange responses to the public outcry -- the latest volley 
appeared last Friday -- heavyweights in the world of security don't 
know what to make of West's actions. Some, like Richard M. Smith, 
CTO of the Privacy Foundation, argue that West went too far, while 
others argue that West "is just a guy who found a flaw and tried to 
fix it," as cryptography expert Bruce Schneier puts it. Even if he 
poked around a bit, these defenders say, he shouldn't be treated 
like a criminal. "The punishment doesn't fit the crime," Schneier 
says.  

The debate itself is not new. It's been almost 20 years since 
hackers, geeks and lawmakers first started struggling with the 
question of how software vulnerabilities should be handled. Hackers 
-- as distinguished from crackers, who break and enter computer 
systems for purposes of profit or destruction -- have long argued 
that by pointing out security holes in software they are doing a 
public service. The companies who are the recipients of hacker 
explorations, and the vendors of software that is found to be 
vulnerable, often disagree, seeing hacker activity as illegal 
trespassing or worse. It's a tension that is at the core of hacker life; 
one could even argue that the "public service" theory is, at least in 
part, a rationalization aimed at justifying the results of hacker 
curiosity.  

But even though the debate is old, the stakes keep rising. The laws 
as currently written are unfriendly to "unauthorized access," 
regardless of what the intent is. The passage of the Digital 
Millennium Copyright Act (DMCA) in 1998, which, among other 
things, made it illegal to do so much as reveal how copyright 
controls can be circumvented, has also upped the ante for those 
who like tinkering with other people's software. But while high-profile 
cases such as Sklyarov's and the DeCSS lawsuit wend their way 
through the courts, few experts in the technology community have 
offered clear alternatives that can be applied in the real world.  

There's still not an accepted set of guidelines for how people like 
West should proceed -- and that's "a serious problem," says 
Jennifer Granick, a San Francisco attorney who regularly defends 
hackers. Until consensus is reached -- which won't be easy, she 
says -- West's mistakes are destined to be repeated. Every security 
researcher and every Net user who happens to find a security flaw 
is vulnerable. The witness stand could only be a mouse-click away.  

Today's discussion of Internet security can be traced at least as far 
back as Robert Tappan Morris. In 1988, the 23-year-old doctoral 
student at Cornell released a 99-line program that ate its way 
through the Internet, propagating uncontrollably and slowing data 
transmission across the network nearly to a halt. In response to the 
unexpected shock, DARPA, (the Defense Advanced Research 
Projects Agency), a federal agency that oversaw the Net, formed a 
group of experts who could coordinate responses to worms like 
Morris'.  

The group soon called itself CERT -- for Computer Emergency 
Response Team -- and the plan it came up with seemed simple. 
People were supposed to send information on vulnerabilities to the 
group; CERT would then verify that the hole existed and alert the 
vendor. Publishing only occurred once the vendor plugged the hole.  

CERT still maintains the procedure, but after a few years, people 
started to rebel. "There were three main complaints," writes 
Schneier in an essay on the issue of publicizing vulnerabilities. 
"First, CERT got a lot of vulnerabilities reported to it, and there were 
complaints about CERT being slow in verifying them. Second, the 
vendors were slow about fixing the vulnerabilities once CERT told 
them. And third, CERT was slow about publishing reports even after 
the fixes were implemented."  

Hackers who spotted vulnerabilities weren't the only ones unhappy 
with CERT's lack of speed. The larger community of computer 
scientists and, in particular, systems administrators and security 
specialists entrusted with the responsibility of keeping networks 
safe and reliable, also chafed at the ponderous pace. By the time a 
vendor plugged a hole in its software, a great deal of mischief could 
already have occurred.  

Frustration with CERT led to what's now called "the full-disclosure 
movement" -- based on the hacker-friendly philosophy that more 
information is always better. Scott Chasin led the way, creating a 
mailing list in 1993 called Bugtraq that promised to publish 
vulnerabilities regardless of vendor response. Bugtraq's policies 
led to friction with vendors of software. Not only do software 
companies detest the bad publicity that is associated with news 
reports announcing serious problems with the software, but they are 
also wont to argue that publicizing a breach before a fix is available 
is tantamount to inviting a horde of juvenile delinquents to rummage 
through your unlocked home.  

But "the environment at that time was such that vendors weren't 
making any patches," says Elias Levy, an early Bugtraq subscriber 
who has moderated the list since 1996. "So the focus was on how to 
fix software that companies weren't fixing."  

Only a few hundred people signed up at first. In 1996, only 2,000 
people subscribed.  

But the messy dangers of security research hit home while Bugtraq 
was just getting started. In 1993, Randal Schwartz, an independent 
contractor working for Intel, decided to run a program that tested the 
vulnerability of passwords on the company's network. The program 
(called Crack) found 48 "weak" passwords (words that would be easy 
to guess) but Schwartz was hardly rewarded for his vigilance. 
Instead, he became the target of a criminal investigation, at the 
direct request of his own employer. An indictment came down in 
1994 and in 1995, an Oregon judge sentenced him to 480 hours of 
community service, five years of probation, 90 days in jail and 
$68,471.45 in restitution. The Oregon Court of Appeals eventually 
suspended the jail time and reversed the restitution order, but 
upheld all the convictions.  

"I'm now a triple felon for merely wanting to help my main client of 
five years, by running a simple tool to gather evidence that another 
group within the company was not providing the minimum company-
mandated standard level of protection," Schwartz says. "This is 
crazy. All I wanted to do was help."  

Then, Internet mania struck. With millions coming online, dot-coms 
appearing out of thin air and Web-based services like Hotmail 
growing exponentially, the security environment radically changed. 
More holes appeared and more people found them. Today, Bugtraq 
counts 46,000 subscribers, many of them journalists who spread 
news of vulnerabilities to millions.  

The expanded attention at Bugtraq and other places on the Net has 
fueled the already heated debate. The discussion that had once 
taken place in the equivalent of a small theater has now moved into 
a cacophonous coliseum. Some maintain that those who exploit a 
vulnerability in order to prove that it exists are violating property 
rights. Others follow CERT's moderate stance, arguing that testing a 
hole was fine as long as the tester told the vendor about the hole 
and kept the vulnerability private.  

At the other end of the spectrum sit those who take a more 
libertarian line. They argue that ferreting out vulnerabilities -- by any 
means possible -- is the best way to keep them from forming in the 
future. Some diehards even declare that high-profile crackers like 
Kevin Mitnick -- the notorious computer expert who spent five years 
in jail for illegally accessing corporate networks -- should be lauded 
as heroes, cyber-investigators who showed the world how fragile 
networks could be.  

"These problems are complex and ambiguous," says Smith of the 
Privacy Foundation.  

"It's an extremely difficult issue," adds Schneier, echoing the 
sentiments of other security experts. "The more I look at it, the 
harder it seems to get."  

West's case sidesteps a few of these difficulties. He didn't attempt 
to publish the vulnerability at the Poteau Daily News, and, according 
to his lawyer, didn't intentionally copy valuable security software as 
Mitnick did.  

But his case is powerfully relevant. Experts say that his actions at 
the Poteau site -- from finding the hole to downloading a competitor's 
publishing software and a file which had the passwords and log-ins 
that offered access to that software -- reignite many of the difficult 
questions that the technology community and courts are still trying 
to answer.  

Does everyone have a right to look under the hood of every product 
they buy, of every Web site they can access? Once someone finds 
a possible vulnerability, must he or she inform whatever company 
might be affected by it? If someone exploits a vulnerability in order 
to verify that it exists, should the access be considered criminal, or 
does it depend on what is gained through the act of exploitation? Or, 
even more subjectively, does it depend on the intent of the hacker?  

Even before West discovered the Poteau Daily News flaw, he had 
some experience with such queries. A few months prior, he noticed 
that his bank's online services included his account number in the 
URL, so by plugging in other numbers, he could (and allegedly did) 
access other peoples' accounts. He never changed these accounts, 
and told the bank about the flaw. They fixed it, without calling the 
cops.  

West could have been prosecuted for his bank discovery too, just 
as was Randal Schwartz. The courts haven't given any clear 
answers to the burning questions surrounding computer access, 
says lawyer Granick. Although other people have found holes and 
been prosecuted for accessing private files, and in some cases for 
extortion -- charges that arise when people demand money for 
information on how to patch a given hole -- few of these cases went 
to trial. Most were settled without a judge's decision. There are 
exceptions, such as the DeCSS case, in which the publisher of the 
magazine 2600 was enjoined from distributing code that decrypts 
DVDs. But for the most part, the courts haven't clarified the laws 
surrounding security, so enforcement tends to be subjective.  

"The whole concept of 'unauthorized access' is in question," Granick 
says. "There isn't enough case law to go on."  

So, in the absence of legal authority, can the ambiguities be 
eliminated, or at least diminished? Granick, Smith, Levy and other 
security experts suggest that a formal, accepted set of guidelines -- 
voted on and supported by the security industry -- would improve 
the situation.  

Granick argues that the resulting code should treat the Internet as an 
entity unto itself, rather than some kind of electronic home.  

"The problem lies with the notion of 'went in,'" she says. "There's a 
barrier to going into a house or store that doesn't make sense in a 
computer context. If you type something in and see something 
you're not supposed to see, it's not the same as walking into 
someone's house. It's more like walking by a window without the 
shades being drawn."  

Schwartz holds to a similar line. "There must be safe harbor for the 
people trying to help," he says, because otherwise holes will 
proliferate. When the law doesn't allow researchers the freedom to 
find and plug holes, bugs will go unreported; fear will keep the 
helpful away, leaving room for the intentionally malicious. 
"Everyone loses," he says. "And as the law currently stands, it's the 
whistleblowers (like me) that stand to lose the most."  

But others disagree with Granick's logic. Tony Morgan, co-owner of 
Cyberlink, the ISP that wrote the software West copied, argues that 
West didn't just see the vulnerability. "He exploited it," Morgan 
says. "Finding the hole wasn't wrong; I back the hackers and 
crackers on that. The illegal part is when someone takes or destroys 
something. We feel that [in West's case] the line was crossed."  

And Morgan -- who claims the software West downloaded could be 
sold for about $5,000 -- isn't the only one arguing that computers 
should be treated like offline property.  

"If you screw with a service [as opposed to a product], you're 
screwing with someone's property," says Levy of Bugtraq. "Most 
people who have been doing security research for a while wouldn't 
have done what Brian did. Most people would know that the first 
thing you should do is get a waiver to verify the vulnerability."  

On the other hand, the DMCA is also problematic precisely because 
it treats digital content as its own unique animal. While traditional 
copyright law allows people to, say, copy a book for a school 
project, the DMCA makes no room for such fair uses of digital 
content. Simply showing people how to unlock an electronic book, as 
Sklyarov is now discovering, becomes cause for imprisonment.  

People already think the Internet and other new technologies are 
more unique than they actually are, says Schneier. And because the 
general public errs on the side of fear rather than respect, he says 
"the law needs to be technologically neutral."  

David Touretzky, a computer science professor at Carnegie Mellon 
who testified at the DeCSS trial, believes that new technologies 
should be treated like your local bank.  

"It's a place of business, open to the public," he says. "But not 
every inch is open to the public. Suppose I go wandering down the 
hall and walk into some guy's private office and walk over to the 
desk and take a look at the papers lying out in plain view. Am I guilty 
of breaking and entering? No. Am I trespassing? Well, yeah, but the 
building was open the public."  

At this point, because he would be somewhere he wasn't supposed 
to be, "the bank would be right to ask me to leave, maybe even tell 
me never to come back again," he says. "But having me arrested for 
wandering into an office? Nah. That would be overkill."  

Still, with so many ideas swirling about, can a coherent set of 
guidelines ever form? At least one security expert -- Chris Wysopal, 
head of research and development at the security firm @Stake -- is 
making the attempt. But Wysopal, a former hacker who's known 
online as "Weld Pond," has just begun gathering industry input. 
Even though the Net would be better off "with a set of moral codes," 
says Schneier, the community probably won't come up with anything 
useful anytime soon.  

"The only way to do it is through case law," he says. "That's how we 
did it with phones and wiretaps, and that's how it will happen here." 
West should not be punished harshly for his mistakes, he says, but 
regardless, the case may actually improve the present security 
environment. The only problem, he adds, is that the law moves 
slowly.  

"It will take years to figure this out," Schneier says. "When the legal 
system hits Internet time, the results are a mess."  

Brian West probably agrees.  


Copyright 2001 Salon.com





* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *