Interesting People mailing list archives

request for help re SUMEX and the Boucher hearing


From: David Farber <farber () central cis upenn edu>
Date: Mon, 7 Mar 1994 16:49:41 -0500

Posted-Date: Mon, 7 Mar 1994 14:48:52 -0500
To: farber () central cis upenn edu (David Farber)
Cc: interesting-people () eff org (interesting-people mailing list),
        crocker () tis com, vcerf () isoc org
Subject: SUMEX; Boucher hearing
Date: Mon, 07 Mar 94 14:47:08 -0500
From: Stephen D Crocker <crocker () tis com>


From: werner () rascal ics utexas edu (Werner Uhrig)

        as Gordon Watts already announced in an article posted to the
        programmer, comm, and system newsgroups (see Message-ID
        <gwatts-040394010246 () slip111 fnal gov>) some juvenile got his
        kicks from breaking into SUMEX last night, deleting files
        and directories and depositing kiddie porn, leaving behind
        a pointer to someone's email address (to annoy, no doubt)




Well,... just exactly what went wrong?  It's not clear from the
message how the system got penetrated.  Is this a failure of network
architecture, product(s), system administration, or something else?


This turns out to be timely.  I've just been invited to testify March
22 in front of the House Subcommittee on Science, chaired by Rep. Rick
Boucher (D-VA) regarding the Internet breakins.  Vint Cerf and a few
others will be testifying too.


Let me use this as an opportunity to ask for help.  Vint is also
interested in gathering input from the community, so please reply to
both of us.  Vint asks that replies to him be addressed to


        vcerf () isoc org
        subject: congressional testimony




I will have five minutes to talk, and I will submit written testimony
too.  In addition to the direct testimony, there will likely be
questions.


I plan to cover roughly the following:


o The capability for sniffing is increasing, and we must consider the
  Internet is basically open to this kind of attack.


o The minimal protection is to use challenge-response systems or some
  other form of one time passwords.


o A stronger form of protection is to encrypt all traffic.


o The technology for doing so has been known for a while.  Vendors do
  not regularly include it, however.


o At least part of the problem is that export controls make it
  unpalatable to include strong protection as a matter of course.


o It would be good to have standards for network safety of products.
  Products should come configured to be safe when plugged into a net,
  not, as they now are, "unsafe out of the box."




I invite comments or pointers to others who might have comments on
these points.  I will, of course, be expressing my own view, but to
the extent that I can get input from the community and shape my
message to be consistent with the overall view, I will do so.


I'm particularly interested in hearing more about two topics before I
start writing:


- How widespread was the problem?  Who has a picture of all this?
  Dain Gary from the CERT will be one of the people testifying, and
  he'll have a moderately complete picture, but I'd like an
  independent assessment.


- What do workstation vendors think about this?  I'm particularly
  interested in contacts within major vendors.  Let me know if you
  know people I should talk to.  (I have some names, of course, but
  don't hold back.)




These points may or may not relate to the SUMEX situation.  Perhaps
something different happened there.  Thoughts, comments, suggestions,
etc. are all welcome.




Thanks,




Steve




 +-------------------------------------+-------------------------------+
 |  Steve Crocker                      | Voice: 301-854-6889           |
 |  Trusted Information Systems        | FAX:   301-854-5363           |
 |  3060 Washington Road (Route 97)    |-------------------------------|
 |  Glenwood, MD  21738                | Internet: crocker () tis com  |
 +-------------------------------------+-------------------------------+

