Printed in Popular Communications November 1992 issue.
Page 4
By Tom Kneitel, K2AES

You say that someone overheard your cordless telephone and
learned your bank account number? Ho boy!

You claim that despite a federal privacy law your cellular
phone was monitored by someone who told your boss you said he
was a skinflint? Whoa, but who cares?

You tell me that some 16 year old got your company computer's
security password from a BBS, then used it to open a $5000
credit line charge account for himself? Hey, I'm all choked up.

Every couple of years a few computer hackers get caught and
are written up in the newspapers. That triggers yet another round
of astonished revelations on the tabloid TV shows. The indignant
show hosts act mortified at learning some of the computer files
that hackers have been able to invade. This invariably includes
financial and educational records, court and police information,
scientific data, and national defense data.

This ritual of hacker discovery takes place regularly every
two or three years. Each time it's as if none of these
practices had ever before been made known to the public.
We are asked to have limitless pity for those poor owners of
those computers whose private and sacred data has been
ruthlessly violated at the hands of marauding cyberpunks
with their evil computers.

Another round of this drivel appears to be in progress now. I
recently saw a replay of the entire scenario right down to
Geraldo Rivera on TV discussing computer hackers. With a face
of stony seriousness, it was as if he had personally
discovered the first young hacker ever captured alive and
forced to confess his many sins in front of a TV camera.
Personally, I thought the hacker came across a lot better than
did Geraldo.

Despite this continuing negative public relations campaign to keep
the world living in dread fear of hackers, I'm still not
sold on the need to immediately sign up for the tar and
feather brigade. In fact, methinks I smell a red herring.
I'm beginning to suspect that all of this media coverage
consists of nothing more than the chintziest possible way of
finding convenient scapegoats to blame for the failure of the
nation's data security systems.

Somewhere along the line someone forgot that it's the
responsibility of those wanting security to sufficiently
upgrade their own technology to the point where it works. The
primary responsibility for providing computer security can't
be relegated to third parties on the basis of expecting they
will offer security simply by ignoring the tempting and easily
accessible data because they are told it's "illegal" to
access, and because they should realize that it's not nice to
snoop.

That logic doesn't wash. That system of security can't work.
Why should it work for those seeking security for their
computerized data?

In the July '92 issue of U.S. Naval Institute Proceedings,
there was a feature on C4I by Robert David Steele, Assistant
Chief of Staff (in charge of C4I - command, control,
communications, computer, and intelligence) at Headquarters,
U.S. Marine Corps. He stated, "The inherent danger in a
necessary but risky strategy of reliance on commercial
communications and computer equipment - to transmit much of our
operational logistics, personnel, and even intelligence
information around the globe - exacerbates the targeting-data
and mapping shortfalls. The Marine Corps is off the limb and
out in free fall when it comes to vulnerability to our C4I
links... Our reliance on commercial satellites and ground
switching stations leaves us wide open to total shutdown of
our communications, and complete penetration of our
administrative and logistics computer systems by any skilled
hacker." He noted that this was the weakest and most
neglected C4I link in the Marine Corps.

The man spelled it out very well. If commercial
telecommunications landlines, satellites and other facilities
are to be relied upon, then they can be penetrated by skilled
hackers.

And have you noticed that the majority of skilled hackers you
learn about from the media are young adults or even teenage
hobbyists using home computers? Some of these hackers are
benign and merely curious, others just like the challenge of
seeing how many systems they can invade. Sure, there are also
pranksters, plus a sprinkling of those who are truly
malicious. The media seldom mentions the really dangerous
professional computer security violators - those involved in
industrial espionage, or who work for foreign governments,
international drug cartels, terrorist groups, and organized
crime. Nevertheless, benign or malevolent, hobbyist or
professional, all who snoop through presumed secure computers
have the potential to steal, modify, or destroy all kinds of
data. That this can still so easily be accomplished seems rather
astonishing at this point.

Underground BBS's offering information on these techniques are
popular and known to all who wish to seek out the information.

The data in the computers that hackers are accused of
accessing is just sitting there. It's tempting, tantalizing,
juicy, ripe and practically crying out to be called up. To
some amateurs and computer hobbyists, this is what amounts
to an "attractive nuisance", similar to a swimming pool or a
high tension electric tower. Attractive nuisances are
potentially dangerous, but desirable and easily accessible
things that require a fence or other security measures, lest
the owner be declared negligent. Every individual, industry,
and government entity is responsible when they create and
maintain an attractive nuisance. They can post all of the "No
Trespassing" signs they want, but they still must have
safeguards such as fences. If their safeguards are violated,
the owner of the attractive nuisance can still be considered
to have been less than diligent in keeping out intruders. The
intruder may be only minimally held responsible for getting
through.

Somehow, though, the communications industry is unique in that
it gets off the hook with being responsible for its many
attractive nuisances. A "No Trespassing" sign is hung up, and
intruders are considered to be in the wrong after that.

Common sense dictates that those wanting or needing real
security have no right to fall back upon low tech public
access telecommunications systems, then cry "foul" when the
security systems don't work for them. This includes all
categories of governmental users, including the military.
Maybe they'll have to hang up and use circuits closed to the
public.

Those business firms, universities, government entities, and
others who demand tight security but need to or elect to
remain connected to the public access telecommunications
system are going to have to get better security advice, and
more efficient programs. Don't want to? Then they can and
will continue to have their data exploited by outsiders. They
must tolerate it without complaining.

It's hard for me to have very much pity for multi-million
dollar companies, or the federal government when I hear about
their breached computer security. Not when I learn that it
can be zapped by a hobbyist with a personal computer and a
program that was downloaded from a BBS. I don't quite go so
far as those hackers who claim that they're performing a
public service by pointing out the security loopholes in
computer security systems. The main service they are
performing is in embarrassing those folks in charge of
computer security. This is a service that is hardly
appreciated, and is undoubtedly what has sparked their
hilarious and hysterical media diversionary blitz and
smokescreen on the evils of hackers.

My own policy on cellular and other comms has been that if you
want privacy, it's solely your responsibility to assure that
you take whatever steps are required to cause your system to
be secure from outside interception. The responsibility can't
be effectively dumped onto third parties either by
legislation or by appeals to public ethics and good-will. So
let it also be with the data stored in computers.

I'm not an advocate for computer hackers, or for hacking -
quite obviously some of it has resulted in damage to and theft
of data. But let's be at least a little fair about this
ridiculous media overkill relating to amateur hackers. How
about sharing some of the blame by shifting the complete focus
off the hackers? Let's also see groups of these inept and
impotent computer security experts dragged out in front of the
tabloid TV cameras to own up to the public about their total
inability to protect data about you and I, and on national
defense, stored in and exchanged between public access
computers.

How about asking financial institutions, business, and
governmental agencies to explain why the data they are
supposed to be holding in trust? And, forgetting about the
hobbyists, let them admit to the potential threat to their
stored data from terrorist groups, foreign governments,
organized crime, and other high powered professional operations.
Nobody wants to talk about any of these things. If the public
ever learned the real threats to stored data, they would no
longer be too worried about amateur and hobbyist hackers.

Hobbyist hackers have been around for more than a decade.
It's really time now to stop the crocodile tears for the
government and big companies that get their data rifled by an
image of *Billy Whizbang* and his souped up *Commodore 64*.
If companies and agencies are so stupid and lazy that they
still can't protect important and vital data, then what they
deserve is our anger and derision, not public pity. The
public, in turn, needs some real answers instead of a lot of
garbage blaming it all on teenage hackers.

Fifty years ago, young people reacted to attractive nuisances
by swimming in a neighbor's pool while the people were on
vacation. Or they stole the bell from the town church.
Today, maybe they are into computer hacking instead. These
are bright and creative people - let's not forget that. On the
one hand, people complain about young people wrecking their brains
on drugs and loud rock music. Hobbyist hackers are young
people who aren't spending money on drugs and rock CD's
(typist's note...I have a LOT of rock CD's). Take your choice.

We aren't condoning computer hacking. Certainly the practice
must be monitored and discouraged until the computer industry
can find some people intelligent enough to devise valid
security systems. But we should be mindful that in a few
years, these young hackers are the bright people who will be
on the cutting edge of developing future technologies.
Instead of getting bent all out of shape about their
undirected curiosity, let's think about trying to channel
their talents and interests into more constructive
directions! In all fairness, we can't allow the inept
computer security industry to make them sound too evil when,
after all, hackers are (at worst) no more than a small part of
the computer security problem.

Retyped for your pleasure by BMO (scanners? BAH!)