Information Security News mailing list archives

How do you fix a leaky Net?


From: InfoSec News <isn () c4i org>
Date: Thu, 30 Aug 2001 00:40:11 -0500 (CDT)

http://www.salon.com/tech/feature/2001/08/29/west/print.html

By Damien Cave
Aug. 29, 2001 

Brian K. West simply wanted to see how his company's advertisement
would look in the online edition of the Poteau Daily News & Sun, his
local Oklahoma newspaper. But while trying to create a mockup, he
discovered a security flaw that let him put the ad on the actual home
page of the newspaper. No password or permission was required. In
fact, anyone with Microsoft's FrontPage -- a Web site development
program used to create the newspaper's Web pages -- could go in and
redesign at will, wreaking havoc on the home page's structure, color
and text.

West, a 24-year-old sales and support employee of a nearby Internet
service provider, didn't put his ad on the page or make any of these
changes. He downloaded some files, apparently to verify the hole, then
called the newspaper's editor in chief to let him know that his Web
site wasn't secure -- that anyone could get in and "edit your
stories."

But instead of thanking him, the suspicious editor contacted the
police, setting in motion a chain of events that would lead to an
18-month FBI investigation and an invitation to appear before a grand
jury Sept. 5.

In the community of hackers, the details outlined above could be
expected to result in West's immediate treatment as a hero, a
well-meaning altruist trapped by an undiscriminating justice system.
Protests could have been scheduled, money raised. Like the recently
indicted Russian programmer Dmitry Sklyarov, accused of illegally
distributing code that unlocks electronic books, West might have
become a poster child for reforms to laws that, according to critics,
treat security research as a crime rather than a virtuous act of
science.

But even though charges have not yet been filed, West is not getting
the hacker hero treatment. The reason? According to court documents
West didn't just warn the Poteau Daily News about the hole; among the
items he downloaded were files containing source code and passwords
for the proprietary software that the newspaper's editors used to post
stories from remote locations. It was only a beta version, and it's
not clear whether West knew what he was downloading, but because the
newspaper bought the software from an Internet service provider that
was a competitor to West's company, the act itself did much to tarnish
West's "good Samaritan" image.

So, instead of becoming an icon, a victim and a martyr, he's instead a
lightning rod for debate. Hundreds of people have written to the U.S.
attorney in charge of the case since Aug. 17, when an abbreviated
version of West's story appeared on the geek news site LinuxFreak.org.
And while the prosecutor and West's lawyers exchange responses to the
public outcry -- the latest volley appeared last Friday --
heavyweights in the world of security don't know what to make of
West's actions. Some, like Richard M. Smith, CTO of the Privacy
Foundation, argue that West went too far, while others argue that West
"is just a guy who found a flaw and tried to fix it," as cryptography
expert Bruce Schneier puts it. Even if he poked around a bit, these
defenders say, he shouldn't be treated like a criminal. "The
punishment doesn't fit the crime," Schneier says.

The debate itself is not new. It's been almost 20 years since hackers,
geeks and lawmakers first started struggling with the question of how
software vulnerabilities should be handled. Hackers -- as
distinguished from crackers, who break and enter computer systems for
purposes of profit or destruction -- have long argued that by pointing
out security holes in software they are doing a public service. The
companies who are the recipients of hacker explorations, and the
vendors of software that is found to be vulnerable, often disagree,
seeing hacker activity as illegal trespassing or worse. It's a tension
that is at the core of hacker life; one could even argue that the
"public service" theory is, at least in part, a rationalization aimed
at justifying the results of hacker curiosity.

But even though the debate is old, the stakes keep rising. The laws as
currently written are unfriendly to "unauthorized access," regardless
of what the intent is. The passage of the Digital Millennium Copyright
Act (DMCA) in 1998, which, among other things, made it illegal to do
so much as reveal how copyright controls can be circumvented, has also
upped the ante for those who like tinkering with other people's
software. But while high-profile cases such as Sklyarov's and the
DeCSS lawsuit wend their way through the courts, few experts in the
technology community have offered clear alternatives that can be
applied in the real world.

There's still not an accepted set of guidelines for how people like
West should proceed -- and that's "a serious problem," says Jennifer
Granick, a San Francisco attorney who regularly defends hackers. Until
consensus is reached -- which won't be easy, she says -- West's
mistakes are destined to be repeated. Every security researcher and
every Net user who happens to find a security flaw is vulnerable. The
witness stand could only be a mouse-click away.

Today's discussion of Internet security can be traced at least as far
back as Robert Tappan Morris. In 1988, the 23-year-old doctoral
student at Cornell released a 99-line program that ate its way through
the Internet, propagating uncontrollably and slowing data transmission
across the network nearly to a halt. In response to the unexpected
shock, DARPA (the Defense Advanced Research Projects Agency), the
federal agency that oversaw the Net, formed a group of experts who
could coordinate responses to worms like Morris'.

The group soon called itself CERT -- for Computer Emergency Response
Team -- and the plan it came up with seemed simple. People were
supposed to send information on vulnerabilities to the group; CERT
would then verify that the hole existed and alert the vendor.
Publishing only occurred once the vendor plugged the hole.

CERT still maintains the procedure, but after a few years, people
started to rebel. "There were three main complaints," writes Schneier
in an essay on the issue of publicizing vulnerabilities. "First, CERT
got a lot of vulnerabilities reported to it, and there were complaints
about CERT being slow in verifying them. Second, the vendors were slow
about fixing the vulnerabilities once CERT told them. And third, CERT
was slow about publishing reports even after the fixes were
implemented."

Hackers who spotted vulnerabilities weren't the only ones unhappy with
CERT's lack of speed. The larger community of computer scientists and,
in particular, systems administrators and security specialists
entrusted with the responsibility of keeping networks safe and
reliable, also chafed at the ponderous pace. By the time a vendor
plugged a hole in its software, a great deal of mischief could already
have occurred.

Frustration with CERT led to what's now called "the full-disclosure
movement" -- based on the hacker-friendly philosophy that more
information is always better. Scott Chasin led the way, creating a
mailing list in 1993 called Bugtraq that promised to publish
vulnerabilities regardless of vendor response. Bugtraq's policies led
to friction with vendors of software. Not only do software companies
detest the bad publicity that is associated with news reports
announcing serious problems with the software, but they are also wont
to argue that publicizing a breach before a fix is available is
tantamount to inviting a horde of juvenile delinquents to rummage
through your unlocked home.

But "the environment at that time was such that vendors weren't making
any patches," says Elias Levy, an early Bugtraq subscriber who has
moderated the list since 1996. "So the focus was on how to fix
software that companies weren't fixing."

Only a few hundred people signed up at first. In 1996, only 2,000
people subscribed.

But the messy dangers of security research hit home while Bugtraq was
just getting started. In 1993, Randal Schwartz, an independent
contractor working for Intel, decided to run a program that tested the
vulnerability of passwords on the company's network. The program
(called Crack) found 48 "weak" passwords (words that would be easy to
guess) but Schwartz was hardly rewarded for his vigilance. Instead, he
became the target of a criminal investigation, at the direct request
of his own employer. An indictment came down in 1994 and in 1995, an
Oregon judge sentenced him to 480 hours of community service, five
years of probation, 90 days in jail and $68,471.45 in restitution. The
Oregon Court of Appeals eventually suspended the jail time and
reversed the restitution order, but upheld all the convictions.

"I'm now a triple felon for merely wanting to help my main client of
five years, by running a simple tool to gather evidence that another
group within the company was not providing the minimum
company-mandated standard level of protection," Schwartz says. "This
is crazy. All I wanted to do was help."

Then, Internet mania struck. With millions coming online, dot-coms
appearing out of thin air and Web-based services like Hotmail growing
exponentially, the security environment radically changed. More holes
appeared and more people found them. Today, Bugtraq counts 46,000
subscribers, many of them journalists who spread news of
vulnerabilities to millions.

The expanded attention at Bugtraq and other places on the Net has
fueled the already heated debate. The discussion that had once taken
place in the equivalent of a small theater has now moved into a
cacophonous coliseum. Some maintain that those who exploit a
vulnerability in order to prove that it exists are violating property
rights. Others follow CERT's moderate stance, arguing that testing a
hole is fine as long as the tester tells the vendor about it and
keeps the vulnerability private.

At the other end of the spectrum sit those who take a more libertarian
line. They argue that ferreting out vulnerabilities -- by any means
possible -- is the best way to keep them from forming in the future.
Some diehards even declare that high-profile crackers like Kevin
Mitnick -- the notorious computer expert who spent five years in jail
for illegally accessing corporate networks -- should be lauded as
heroes, cyber-investigators who showed the world how fragile networks
could be.

"These problems are complex and ambiguous," says Smith of the Privacy
Foundation.

"It's an extremely difficult issue," adds Schneier, echoing the
sentiments of other security experts. "The more I look at it, the
harder it seems to get."

West's case sidesteps a few of these difficulties. He didn't attempt
to publish the vulnerability at the Poteau Daily News, and, according
to his lawyer, didn't intentionally copy valuable security software as
Mitnick did.

But his case is powerfully relevant. Experts say that his actions at
the Poteau site -- from finding the hole to downloading a competitor's
publishing software and a file which had the passwords and log-ins
that offered access to that software -- reignite many of the difficult
questions that the technology community and courts are still trying to
answer.

Does everyone have a right to look under the hood of every product
they buy, of every Web site they can access? Once someone finds a
possible vulnerability, must he or she inform whatever company might
be affected by it? If someone exploits a vulnerability in order to
verify that it exists, should the access be considered criminal, or
does it depend on what is gained through the act of exploitation? Or,
even more subjectively, does it depend on the intent of the hacker?

Even before West discovered the Poteau Daily News flaw, he had some
experience with such queries. A few months prior, he noticed that his
bank's online services included his account number in the URL, so by
plugging in other numbers, he could (and allegedly did) access other
people's accounts. He never changed these accounts, and told the bank
about the flaw. They fixed it, without calling the cops.
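The bank flaw described above is the classic pattern of an object identifier taken straight from the URL and never checked against the logged-in user. The following is an added example, not code from the article or from the bank involved: a constructed account-lookup handler that trusts the `acct` query parameter, beside a hardened version that enforces ownership, plus a small audit routine that exercises both handlers with every session/account pair to surface cross-account reads. The URL, account numbers, sessions and balances are all made up for the illustration.

```python
"""
Constructed example: an account lookup keyed on a URL parameter (vulnerable),
the same lookup with object-level authorization (hardened), and an audit that
reports any cross-account read. Nothing here is the bank's real code.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed "database" of accounts, keyed by account number.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 9800.50},
}

# Constructed session store: session token -> authenticated user.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


def account_id_from_url(url: str) -> Optional[str]:
    """Pull the ?acct=NNNN parameter out of a request URL (None if absent)."""
    values = parse_qs(urlparse(url).query).get("acct")
    return values[0] if values else None


def get_account_insecure(url: str, session_token: str) -> Tuple[int, Optional[dict]]:
    """Vulnerable pattern: authenticate the session, then honour whatever
    account number the URL carries. Any logged-in user can read any account."""
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None:
        return 404, None
    return 200, record


def get_account_secure(url: str, session_token: str) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: identical lookup, but the record is returned only when
    the session's user owns it. A non-owned account answers 404 rather than 403
    so the response does not confirm that the account number exists."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def audit_handler(handler) -> List[str]:
    """Call the handler for every (session, account) pair and report each
    successful read of an account the session's user does not own. This is the
    check a defender runs against their own application, not against others'."""
    findings = []
    for token, user in SESSIONS.items():
        for acct, record in ACCOUNTS.items():
            status, _ = handler(f"https://bank.example/account?acct={acct}", token)
            if status == 200 and record["owner"] != user:
                findings.append(f"{user} read account {acct} owned by {record['owner']}")
    return findings


if __name__ == "__main__":
    print("insecure handler:", audit_handler(get_account_insecure))
    print("secure handler:  ", audit_handler(get_account_secure))
```

The fix is not in the URL at all: the account number may stay in the query string, as long as the server decides access from the authenticated session rather than from the identifier the client supplied. Returning 404 for both unknown and non-owned accounts is a deliberate choice so that an authenticated user cannot enumerate which account numbers exist.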

West could have been prosecuted for his bank discovery too, just as
was Randal Schwartz. The courts haven't given any clear answers to the
burning questions surrounding computer access, says lawyer Granick.
Although other people have found holes and been prosecuted for
accessing private files, and in some cases for extortion -- charges
that arise when people demand money for information on how to patch a
given hole -- few of these cases went to trial. Most were settled
without a judge's decision. There are exceptions, such as the DeCSS
case, in which the publisher of the magazine 2600 was enjoined from
distributing code that decrypts DVDs. But for the most part, the
courts haven't clarified the laws surrounding security, so enforcement
tends to be subjective.

"The whole concept of 'unauthorized access' is in question," Granick
says. "There isn't enough case law to go on."

So, in the absence of legal authority, can the ambiguities be
eliminated, or at least diminished? Granick, Smith, Levy and other
security experts suggest that a formal, accepted set of guidelines --
voted on and supported by the security industry -- would improve the
situation.

Granick argues that the resulting code should treat the Internet as an
entity unto itself, rather than some kind of electronic home.

"The problem lies with the notion of 'went in,'" she says. "There's a
barrier to going into a house or store that doesn't make sense in a
computer context. If you type something in and see something you're
not supposed to see, it's not the same as walking into someone's
house. It's more like walking by a window without the shades being
drawn."

Schwartz holds to a similar line. "There must be safe harbor for the
people trying to help," he says, because otherwise holes will
proliferate. When the law doesn't allow researchers the freedom to
find and plug holes, bugs will go unreported; fear will keep the
helpful away, leaving room for the intentionally malicious. "Everyone
loses," he says. "And as the law currently stands, it's the
whistleblowers (like me) that stand to lose the most."

But others disagree with Granick's logic. Tony Morgan, co-owner of
Cyberlink, the ISP that wrote the software West copied, argues that
West didn't just see the vulnerability. "He exploited it," Morgan
says. "Finding the hole wasn't wrong; I back the hackers and crackers
on that. The illegal part is when someone takes or destroys something.
We feel that [in West's case] the line was crossed."

And Morgan -- who claims the software West downloaded could be sold
for about $5,000 -- isn't the only one arguing that computers should
be treated like offline property.

"If you screw with a service [as opposed to a product], you're
screwing with someone's property," says Levy of Bugtraq. "Most people
who have been doing security research for a while wouldn't have done
what Brian did. Most people would know that the first thing you should
do is get a waiver to verify the vulnerability."

On the other hand, the DMCA is also problematic precisely because it
treats digital content as its own unique animal. While traditional
copyright law allows people to, say, copy a book for a school project,
the DMCA makes no room for such fair uses of digital content. Simply
showing people how to unlock an electronic book, as Sklyarov is now
discovering, becomes cause for imprisonment.

People already think the Internet and other new technologies are more
unique than they actually are, says Schneier. And because the general
public errs on the side of fear rather than respect, he says, "the law
needs to be technologically neutral."

David Touretzky, a computer science professor at Carnegie Mellon who
testified at the DeCSS trial, believes that new technologies should be
treated like your local bank.

"It's a place of business, open to the public," he says. "But not
every inch is open to the public. Suppose I go wandering down the hall
and walk into some guy's private office and walk over to the desk and
take a look at the papers lying out in plain view. Am I guilty of
breaking and entering? No. Am I trespassing? Well, yeah, but the
building was open to the public."

At this point, because he would be somewhere he wasn't supposed to be,
"the bank would be right to ask me to leave, maybe even tell me never
to come back again," he says. "But having me arrested for wandering
into an office? Nah. That would be overkill."

Still, with so many ideas swirling about, can a coherent set of
guidelines ever form? At least one security expert -- Chris Wysopal,
head of research and development at the security firm @Stake -- is
making the attempt. But Wysopal, a former hacker who's known online as
"Weld Pond," has just begun gathering industry input. Even though the
Net would be better off "with a set of moral codes," says Schneier,
the community probably won't come up with anything useful anytime
soon.

"The only way to do it is through case law," he says. "That's how we
did it with phones and wiretaps, and that's how it will happen here."
West should not be punished harshly for his mistakes, he says, but
regardless, the case may actually improve the present security
environment. The only problem, he adds, is that the law moves slowly.

"It will take years to figure this out," Schneier says. "When the
legal system hits Internet time, the results are a mess."

Brian West probably agrees.



-
ISN is currently hosted by Attrition.org
