Security on the Net

A Cautionary Tale

by Bruce R. Koball
15 March 1995

The recent arrest of fugitive computer hacker Kevin Mitnick made headline news, but it is important to look at the story behind the story. Mitnick stands accused of using the global complex of computer networks known as the Internet, as well as public telephone and cell phone networks, to break into numerous academic and commercial computer systems and illegally copy large amounts of sensitive information, including proprietary data from large corporations, credit card numbers, and individuals' personal files.

This case has generated a remarkable amount of media attention. I speak here from personal experience. Although I only played a small role in this drama, I've been besieged by journalists seeking a good story.

Strange Files

My involvement began on 27 January of this year when I logged onto the WELL, a computer conferencing system in Sausalito, California. Among the day's email was a note from the WELL's conferencing manager asking about an unusually large amount of storage (over 150 MB) in an account that the WELL had provided in support of the Computers, Freedom and Privacy (CFP) Conference, an annual public policy event that I help organize. The WELL's technical staff had apparently been running a diagnostic looking for disk hogs.

I checked the account and verified that none of the files seemed to belong to CFP. Obviously an intruder had somehow gained unauthorized access. Some of the mysterious files contained email, so I scanned them in an effort to identify their owner. All of it was addressed to a single individual. I didn't recognize the address until later that evening when the 28 Jan issue of the New York Times landed on my doorstep.

On the front page of the business section was an article by NYT reporter John Markoff, detailing the computer break-in that Tsutomu Shimomura, a computational physicist and computer security expert at the San Diego Supercomputer Center, had suffered over Christmas, including the fact that a large number of very sensitive files had been stolen. I realized that the files I had found were probably his.

Well, the alarm bells went off, and I immediately contacted the WELL with the bad news. I also contacted Markoff, whom I've known for some years, and talking to him off the record, I described the situation. He put me in touch with Shimomura and in the quick discussions that followed, we positively identified the files in the CFP account as those stolen from his system.

This discovery proved to be the intruder's downfall. For the next two weeks Shimomura, who was already on a crusade to catch the intruder, worked closely with consultants, volunteers, and the WELL's technical staff on an electronic manhunt that stretched across cyberspace as well as across the country to help law enforcement nab the suspect.

It's not difficult to see the appeal of this story. It has all the elements of a high-tech suspense novel and it reads like a movie script. Indeed, reports of book and movie deals have already surfaced. But to focus entirely on the drama of cyber-sleuth versus cyber-thief is to miss some interesting ironies and ultimately the most important implications of these events.

One amusing irony was the intruder's choice of the CFP computer account as a cache for his plunder. It was at last year's CFP conference in Chicago that the FBI detained a conference attendee because he reportedly bore a resemblance to Mitnick, who was then wanted for parole violation. Another was that several years ago, Markoff and his wife Katie Hafner co-authored the book Cyberpunk, detailing Mitnick's early exploits in computer crime.

Crime and Privacy

A more important connection, though, has to do with the purpose of the CFP conference itself. Created in part because of concerns about computer crime and the proper response of law enforcement to it, the CFP conference regularly assembles computer security experts, legal scholars, law enforcement officials and computer users to discuss these issues, and has resulted in a better understanding by all the parties of each other's concerns.

Consider the question of how law enforcement should treat private electronic mail contained in the computers of systems such as the WELL when those same computers may also contain evidence of a crime. It wasn't long ago that some law enforcement agencies would simply have seized the entire computer or at least its contents as evidence, compromising the privacy of the system's users in the process and effectively shutting down the system. Indeed, this has happened in past cases.

Such inappropriate action did not occur in this case, however, because the law enforcement folks involved now understand networks and email, and the laws governing them. At the insistence of the WELL's management, search warrants were issued only for those files directly related to the case, so no user's privacy was violated by unnecessary government intrusion. In another small irony, Kent Walker, the Assistant United States Attorney in San Francisco who became the lead federal official in this case, is also one of the CFP organizers this year.

Issues And Implications

The electronic pursuit of the intruder raised other interesting issues. After I discovered the stolen files on the WELL, it soon became clear that the intruder had "hacked root," a technical term indicating that he had illicitly gained complete control of the WELL's computers. This meant that the intruder could read or modify any information on the system, invading the privacy of its users and generally wreaking havoc, should he choose to do so.

It also became apparent that the intruder had probably made similar attacks on other computers across the country, using the Internet and the public telephone system. Potentially, this intruder was a threat to a much larger community of computer users than just those on the WELL.

So the WELL's management faced a difficult decision: should it quietly patch up the hole through which the intruder had entered and hope that he hadn't left others hidden in the mass of computer code that runs such systems, or should it allow the invasion to continue in an attempt to track the intruder, possibly incurring his wrath and risking the privacy and security of the WELL's subscribers? Computer system administrators often take the former path because they fear alarming their users and inviting copycat attacks.

After much agonized debate, the WELL's management decided on the latter path, but with painstaking surveillance of the intruder's every online move. Should he do anything that directly threatened the WELL's users, the plug would be pulled immediately. Indeed, as law enforcement officials were closing in on Mitnick a continent away, the intruder's probably-accidental deletion of a small amount of some accounting data prompted the watchers at the WELL to do just that. Within a few hours, however, Mitnick was in custody in North Carolina, and the tense vigil in California came to an end.

The decision by the WELL's management to take the proactive path might be compared to community residents forming a neighborhood watch group against graffiti vandals and is, to my mind, an exemplary demonstration of good cyber-citizenship.

No Guarantees

Unfortunately, the arrest of Mitnick is no guarantee that all is now well in cyberspace, and this leads us to what is perhaps the most important issue underlying this case: the security of computer and telephone networks.

The intruder's attack on the WELL and other computer systems on the Internet required only a modicum of skill to execute. The techniques that were used to break into these systems are well known to computer security experts and anyone else with an interest in such things. It's a good bet that there are others with the skills and knowledge required to repeat this mischief.

The simple fact is that the open nature of the computer technology that has fostered the remarkable growth of the Internet also makes it vulnerable. When everyone knows how the technology works, it's easy to use and to build upon, and it's also easy to subvert. Openness is a double-edged sword.

But keeping the inner workings of the technology secret -- security through obscurity -- is not the answer. Secrecy tends to impede technological development, and in the long run it simply doesn't work. Secrets never remain so for long, and again Mitnick helps prove the point. His ability to manipulate the public telephone system has been well documented, despite the fact that telephone companies don't widely disseminate their sensitive technical information.

The inescapable conclusion is that all of these networks -- computer, telephone, cell phone, all of them -- are fundamentally insecure and unsecurable. Unsecurable, that is, unless we consider something called cryptography.

Cryptography And Data Security

Literally "the science of secret writing," cryptography can be used to "scramble" information -- the text of an electronic mail message or the voices of a phone conversation -- so that only the intended recipient can understand it.

Once strictly the province of spies, government security agencies and the military, cryptography has seen increasing use in sensitive commercial applications such as electronic funds transfer in banking. Recent theoretical developments in the field have yielded cryptographic codes that are, for all practical purposes, unbreakable. And because information moves across computer and telephone networks digitally -- in the form of numbers -- the numerical techniques of cryptography mesh nicely with the information it protects.

The greatest irony in this case is that, while the government is spending its time and resources pursuing Mitnick and his ilk, it is also actively suppressing the technology that could have made his forays much more difficult or even impossible. While the government sings the praises of the national and global information infrastructure, and its potential to drive our economy well into the next century, it discourages commercial development of the only technology that can guarantee the security essential for the growth of commerce on the Net.

And why is our government doing this? Because it is afraid that the widespread use of unbreakable cryptography would eliminate its ability to listen to our phone conversations or read our electronic mail, even in the face of a compelling need to do so. How is our government doing this? Primarily through the International Traffic in Arms Regulations (ITAR), which classify cryptographic technologies as "munitions" -- like hand grenades or machine guns -- and place strict controls on their export, effectively discouraging the development of commercial products using secure cryptography.

Standardized cryptographic capabilities built into our computer and telephone networks could eliminate many of their security problems; but at what cost? Government spokespeople often cite hypothetical examples of terrorists and kidnappers in arguments for maintaining their ability to listen in when they feel they must, but these claims often seem overblown. There is certainly a basis in law for the application of wiretaps when the proper search warrants are issued, but there is as yet no law mandating limits on technological advances that may render wiretaps moot. Indeed, some experts think such a law would be a dangerous precedent.

As in any application of technology, the answers lie in a careful assessment of its risks and benefits. There are arguments on both sides of these complex issues. Many will be raised in discussions at the upcoming CFP conference. The most important impact of the case of the Internet intruder may be the extent to which it increases public awareness of the security problems in computer and telephone networks and the potential for solving them with the laws of physics and mathematics, and not with laws made by Congress.
Bruce Koball is a technical consultant in Berkeley, CA. He may be reached on the Internet at: bkoball@well.com

Additional information about the Computers, Freedom and Privacy Conferences is available at: www.cfp.org

A somewhat shorter version of this article originally appeared in the 19 March 1995 issue of New York Newsday.

(c) 1995 Bruce R. Koball - All rights reserved - this article may be reproduced in any form for any non-commercial use as long as it is reproduced in its entirety and this notice is included.