Computers,Security, andIndividualRights

A FriendlyIntroductionfor theConcernedCitizen

c�

June,2001Andrew D. Hwang,ahwang@mathcs.holycross.edu

Contents

1 Intr oduction 1

2 How ComputersWork—An Analogy 4

3 Networking and the Inter net 9

4 Security 18

A Computersand Inf ormation 27

B WebSitesfor Further Inf ormation 37

1 Intr oduction

Computersecurityis anissueof importanceto all citizensof ademocraticsociety.Unfortunately, many peoplebelieve the issuesaretoo complicatedto be under-stoodexceptby “experts”.Thisabdicationof judgmentis perilous,becausecom-puters,in conjunctionwith legislationpromotingcorporateinterests,canthreatenthe privacy of individuals. Laws are currently being draftedand promotedbypartiesthatvalueprofitsabovecivil liberties.

Thereareseveralreasonsto know somethingof computersecurity. You maywish to safeguardinformationsuchaspersonalemail, web browsing habits,ormedicalandcredit information. You may want to understandlegislationthat isbeingpromotedby thegovernmentor softwaremanufacturers,to bereassuredthatno oneis goingto take away your freedomof speechor claim ownershipof your

1

information. You may be interestedin why or how peoplebreakinto computersystems,andwhat they do oncethey’ve broken in. This documentis short,anddoesnot answerall of thesequestions;the aim is to provide a foundationforcontinuedself-educationby outlining thebasicaspectsof computersecurityin anon-technicalway, andproviding links to additionalresourceson theworld-wideweb.

If you comeacrossany termsyou do not understand,or find topicsthat inter-estyou but which arenot discussedin detail here,try doing a web search.Thesearchenginegoogle is top-notchfor computer-relatedtopics;theURL is in Ap-pendixB, alongwith severalothersecurity-relevantURLs.

BusinessModels and Legal Issues

The motivation for writing this article is to educateusers. There is dangeroferosionof civil liberties by restrictive computersecuritylaws. If the public isnot informedof the technical,social,andpolitical issuessurroundingcomputeruse, then legislatorswill have no incentive to passlaws that uphold the spiritof the Constitution. Lobbying for softwareandmediavendorsalreadyprovidessubstantialpressureagainstlawsthatupholdthespirit of theConstitution.EvenifyouarenotAmerican,I hopeyousharethebeliefsthatpeopleshouldcontroltheirdestinies,andthatawell-informedpublic is capableof governingitself betterthanagovernmentthatdictatesregulationsasseenfit by asmall,inaccessibleminority(oftenin theguiseof protecting“competitiveness”).

Even in a world of honest,well-intentionedpeople,thereareconflicting in-terests.A recordingcompany may have legal ownershipof a popularsong,andof courseprofitsfinancially from thesaleof copiesof this song.With theadventof homecomputers,themajority of listenershave thecapabilityto mass-producehigh quality copiesof the songmorecheaplythancanbe boughtfrom the legalowner.

Theworld’s largestsoftwarevendorshavebeentirelessadvocatesagainstgiv-ing controlof computerprogramsto users.To make ananalogy, think of a com-puterprogramasacookingrecipe.It is apieceof informationthathasnointrinsicphysicalexistence(thoughit canbestoredandsoldin variousforms),andit con-stitutesinstructionsfor performinga task. Thevendors’desiredbusinessmodelis this. Everyonewho wantsto usetherecipemusthire a butler (buy a computerandoperatingsystem).Thesepeoplemaythenrequesttherecipe(licensethesoft-ware),whichonly thebutler is allowedto read(theinternaldetailsof theprogramare hiddenunderlegal penalty). You may not sharethe recipewith neighbors

2

(copy thesoftware)nor modify the recipeto suit your own needsor tastes(alterthesourcecodeto addor remove features).

If recipeswere distributedundermodernsoftware licenses,therewould begeneraloutrage.Who would willingly deny the cook’s right to modify a recipeasneeded,to substituteoreganofor savory, leave out the salt, or usemargarineinsteadof butter? Who would pay money for the right to usea recipe,withoutactuallyowningacopy, or withoutevenbeingallowedto review theactualrecipe?Who would besatisfiedthat the recipedid not containunadvertisedingredients?Whowould feelgoodabouttelling their friends,“Yes,it is delicious,isn’t it? Butyou’ll have to pay$400for yourown copy. I don’t wantto go to jail.”

Thereareintrinsic problemswith this businessmodel,becauseof the natureof the commodity. If a recipeis stolenanddistributedwidely, it can never berecovered,becauseinformation, unlike a physicalobject, can be freely copiedwithout damagingtheoriginal. Sinceuserscaneasilymake copiesof therecipe,everysaleis a potentialtheft! Theobviousway to preventde facto “theft” is topassandenforceDraconianlaws againstcopying andsharingrecipes.But howis oneto enforcesuchlaws? Oneway, alreadybeingimplementedfor software,is to monitor cooksby assigningevery butler andevery copy of every recipeauniqueserialnumber. Eachbutler recordsthe serialnumbersof the recipesheis asked to make, andperiodicallyreportsthesenumbersbackto the vendor. Ifthe sameserialnumberon a recipeis reportedby two differentbutlers,a crimehasoccurred.Anotherway is to changetheentiremodel,sothattherecipeneverleavesthe vendor’s hands. In softwareterms,userswho want to usea programpaya licensefeeauthorizingthemto connectto acomputer(calledanapplicationserver) operatedby the vendor;they arefree to usethe softwareon the remotecomputer. Usershavenomeansof acquiringacopy of theprogram,sothereis nodangerto the vendorof “theft”. Whatever datauserscreateis returnedto them,and (accordingto the vendor)the copy of the dataon the vendor’s machineisdestroyed.

I amneitheranti-businessnoracommunist,but amwaryof conflictsof interestthatarisewhenlegal entities(especiallywealthycorporations)cananddo influ-encethepassageof laws thataffect theconditionsunderwhich they areallowedto do business.I am particularlyconcernedwhenthe commoditybeingsold—personalcomputersandsoftware—canliterally beusedlikearadiocollar, to trackindividuals’movementsontheInternet,or likethetelescreensin Orwell’s1984toseeandheareverythingthatgoeson in aroom,withouttheowner’sknowledgeorpermission. This is notalarmism,but technicalreality;anyonewhosecomputerisattachedto awebcam,amicrophone,andtheInternetis vulnerableto clandestine

3

surveillancewhile their computeris turnedon. I do not believe suchsnoopingcurrentlyoccurs,but the infrastructureto implementit is in place. Other, moresubtle,invasionsof privacy (someof themdescribedabove) arealreadyshippingandbeingeagerlyboughtandinstalledby millions of peopleworldwide.

It is truethatanindividualcansimplydecidenever to useacomputer(or tele-phones,electricity, andrunningwater),but realisticallyit is impossibleto avoidcomputerusewithout cuttingoneselfoff from themainstreamof commerceandsociallife. As individuals,weareincreasinglyfacedwith anunacceptablechoice:To drop out of the cultural mainstream,or to compromiseour privacy. This isnot an inevitable resultof themarchof technology, but is promotedby intereststhatwish(notnecessarilymaliciously)to controlindividualbehavior in awaythatwouldhaveseemedtotalitarianin the1940s.

Therearealternatives.TheFreeSoftwareFoundationhasdevelopedaprofessional-quality PC operatingsystemcalled GNU (known to most peopleas “Linux”)whosedistribution license,the GNU General Public License(GPL for short) isbasedon thetraditionalmodelof recipetrading: You cancopy, modify, anddis-tributerecipesin any way you seefit, so long asyou do not restrictthe rightsofothersto do the same.Someobjectto this enforcedcooperativeness,andpreferOpenSourcelicensesinstead,whichguaranteethateveryonecanreadandmodifyrecipesto their own needs,but limit thewaysrecipescanbedistributed.

If youuseapersonalcomputerandareconcernedwith privacy anddemocracy,you have the right (andthe responsibility)to becomeinformedof technicalandlegal issuesthatstemfrom theexpensive applianceon your desktop.I hopethisarticleis usefulto youasastartingpoint in anongoingprocessof self-education.

2 How Computers Work—An Analogy

A modernpersonalcomputeris a device that can storeand processenormousamountsof data rapidly and accurately. The familiar tasksyou do with yourcomputer—sendingandreceiving email, browsing the world-wide web, writingand printing documents,doing your householdfinances,scanningand editingphotographicimagesand audio clips, and playing games—areabstractlynoth-ing but creationandmanipulationof data. Whenyou sendemail or browsetheweb,your computerexchangesdatawith othercomputers.Whenyour computeris connectedto theInternet,it maybepossiblefor othercomputersto requestdatafrom your machine.This capabilityof datasharingis a proverbialdouble-edgedsword; it makespossibletheGlobal Village asimplementedby the Internet,but

4

bringstherisk of intrusionby individuals,corporations,andgovernments,whichcanresultin lossof privacy or evenidentity theft.

Running a Household

The internalworkingsof a computerarea little removed from everydayexperi-ence,sowe will proceedby analogywith theprocessof runninga large,compli-catedhousehold.The metaphoris imperfectandsometimeswhimsical,but youwill find thatmany thingsacomputerdoeshave familiaranalogues.

A computerconsistsof hardware: the case(really, the electronicsinside),monitor, keyboard,andmouse.In the analogy, the hardwareis the mansionoc-cupiedby the household.An emptybuilding by itself is not muchuseaslivingspace;you needfurniture anddecorationsto make the spacepleasantanduse-ful, andyou needmany servantsto run the day-to-dayaffairs of the household.Similarly, a “naked” computeris little morethananexpensivepaperweight.Youneedto be ableto create,manipulate,store,andretrieve datain orderthat yourcomputerbeuseful.

Theinstructionsthattell acomputerhow to run,andthatallow you to interactwith yourcomputer, aregenerallycalledsoftware, andaregroupedinto programs,whicharespecializedunitsthatperform(usually)onespecifictask.Thesoftwarein a computeris analogousto servantswho helpyou, theheadof thehousehold,runthingssmoothly. Dif ferentprogramscorrespondto differentkindsof servants;therearemany servantsbecausethehouseholdis very largeandcomplicated.

Justas the butler managesthe servantsin a large household,every moderncomputerhasoneveryspecialprogramthatmanagesall theotherprograms.Thisprogram,calledtheoperatingsystemkernel, or “kernel” for short,is thefirst pro-gramto startwhenyou turn on your computer, andit handlesall theoperationofthecomputeruntil youshutdown. Thekerneldoesnot reallykeephouseall by it-self; it comeswith ahostof specializedservants(plumbers,electricians,builders,gardeners,andlibrarians)calledsystemutilities thattogetherwith thekernelcom-prisetheoperatingsystem. In somehouseholds(suchasWindowsor Macintosh),you never have to give instructionsto thesystemutilities directly; otherservantspassyourrequeststo theoperatingsystem.Somehouseholdsallow youto addresstheoperatingsystemdirectly;GNU/Linux andFreeBSDarethemostcommonPCoperatingsystemsthatdonot shieldyou from thesystemutilities.

Wehavesofar likenedacomputerto ahousewhoseaffairsarerunby abutler;thebutler slavishly follows instructions,but worksveryquickly, anddoesnot tirefromrepetitivetasks.Mostcomputersshipwith anoperatingsysteminstalled.But

5

likeastaffedhousethathasnofurniture,acomputerwith nothingbut anoperatingsystemcando very little, thoughit is morenearlycapableof communicatingina languagehumanscanspeakandunderstand.Theservantsyou talk to regularlyareapplicationprograms, roughly analogousto secretaries,accountants,artistsand craftspeople,jesters,and possiblyothers. With their help, you can stockthe kitchen,bathroom,library, andgameroom, build your own furniture, hangartwork, andgenerallymakethehouselivable.Thephysicalobjectsin yourhouseareanalogousto thedataon yourcomputer.

Operating systems

Not all operatingsystemsare equal. The mostcommonPC operatingsystemshave two substantialtechnicaldrawbacksandoneunfortunatefeature:

� Thebutler is capableof handlingonly onetaskat a time; ratherthanallow-ing theservantsto gooff andperformtheirtasksin theirown time,returningwhenthey havefinished—thebutlerworkssequentiallywith oneservantatatime. In technicalterms,theoperatingsystemis notmulti-tasking. In suchahousehold,thebutlerspendsmostof thetimewaiting for otherservantstofinish their tasks.

� Theservantsdonotgooff to separateroomsto dotheirwork; consequently,their taskssometimescrosspaths,aswhenthe cooksetsdown a cauldronof soupon the cleanlaundry waiting to be ironed. When this happens,oneor bothservantsgetconfusedandstopwhat they weredoing,waitingfor further instructions. If oneof theseservantshappensto be the butler,the entirehouseholdstops(the familiar “blue screenof death”or “bombicon”, dependingon theoperatingsystem),requiringyou to “reboot”. Thesoup,thepartially cleanedsheets,andthesecretary’s notesareall lost. Intechnicalterms,the operatingsystemis not running in protectedmemorymode, sodifferentprocessescanwrite ontoeachothers’addressspace. Thisis notabug,but adesigndecision.

Sometimesservantsneedto talk to eachotherabouttheir respective tasks;in computerscience,this is calledinterprocesscommunication. Ratherthanputtingservantsin thesameroom,it is saferto put themin differentroomsandlet themspeakby intercom. A goodoperatingsystemhasintercoms,oftencalledpipesandsockets.

6

� Finally, asalreadymentioned,theservants’ instructionscomein sealeden-velopesthatyou areforbiddento readby law. You canonly trust thecom-pany thatbuilt your houseto haveprovidedinstructionsthatreally do whatthey claim. The butler (or anotherservant) may be performingtasksthatyoudid notaskfor. Wewill returnto thispossibilitylater, becausethereareseveralmore-or-lesssinisterwaysin which thebutlercanbesubverted.

In other words, the source code for the software on a PC is not usuallyavailable in human-readableform. Thereare two distinct movementsinoppositionto this stateof affairs:

– The FreeSoftware movement,which is built on thephilosophythattheprogramsyou run shouldbeyourswith specificrights,similar totherightsthatprotectspeechor your right to traderecipeswith neigh-bors. The intent is to make computerusea neighborlyactivity, inwhich everyoneis ableto shareandimprove existing computerpro-gramsfor thebettermentof all.

– TheOpen Sourcemovement,whosephilosophyis morepurelyprag-matic. The idea(which worksexceedinglywell in practice)is that ifeveryonecanreadandcheckthesourcecodefor importantprograms,thenerrorscanbefoundandrepairedquickly, andotherimprovementscanbedistributedeasily.

Neither movementforbids the selling of software, and both have shownthemselves to be viable and efficient meansof creatingpowerful, usefulsoftwareof unparalleledquality. Theplurality of webserversin useat thiswriting areFreeor OpenSource,andrunonFreeor OpenSourceoperatingsystems.Both movementsembody“competition” in thebestsense:A pro-gramis evaluatedby how well it doesits task,andhow usefulthe taskis,notby meaninglesscriteriaof popularityor superficialattractiveness.

Application Programs

A computerprogramis createdby writing a detailedsetof instructionsfor a cer-tain task,thenusingaspecialcomputerprogramcalledacompilerto translatethehuman-readableinstructionsinto machine-readableones.Evena simpletaskre-quiresa lengthysetof instructions,becauseacomputercannotdoanythingunlessit is explicitly told to.

7

A cookingrecipeis a humananalogueof a computerprogram.But eventhesimplestrecipeleavesout common-sensedetailsthat a computerrequires. Forexample,considerthe recipefor brewed coffee: “For each6 oz. of water, use2 Tbsp.of groundcoffee.” A humanwould know without askingto counthowmany peopleareexpectedto wantcoffee,to searchthekitchenfor acoffeepotandcheckthatit is in working order, to addthewaterandcoffeein theproperplaces,thento turn on thepower andwait. A humancouldalsodealwith contingencies:Thereis no groundcoffee in the house,the carafeis cracked, thereis alreadywaterin thereservoir. A computerknowsnoneof thesethings,andmustbegivenexplicit instructionsfor every eventuality. If a computerprogramfinds itself in asituationfor which it hasno instructions,it will simply stop. If the instructionstell thecomputerto re-try a stepin theeventof failure,themachinewill futilelytry foreverunlesstold to stop.

Whenseveral programswork together, the chancesof oneprogrampassingimproperinformationto anotherprogrammultiply. Maybethereis anotherpro-gramthatcountsthenumberof peopleathomeandpassesthis informationto thecoffeebrewing program.If therearemany coffeenon-drinkers,theprogramwillcausetoomuchcoffeeto bemade.Worse,if therearetoomany peoplehome,thecontrolprogramwill overflow thecoffeemakerby trying to makemorecupsthanthecarafecanhold. Thiscouldcausefurthererrorsto occur, suchasanelectricalfire in thekitchen.

All but thesimplestsoftwarehas“bugs”, unforeseencontingenciesor behav-ior differentfrom whattheprogrammerintended.Publicallydistributedsoftwareusuallydoesnothaveobviousbugs,but maybeveritablyriddledwith subtle,hid-denbugs. Most of thesebugs areharmless,but aswe shall seesomeof themareastreacherousasfrayedelectricalwiring or defective door locks in a high-crime neighborhood.Softwaremay alsohave arcane,undocumented“features”thatrangefrom thequirky to thepotentiallysinister. All youcandoasauseris tobecarefulabouttheprogramsrun on yourcomputer. It is easierto “be careful” ifyouuseFreeSoftwareor OpenSourceSoftware.FreeandOpenSourceprogramsarenot bug-free,but their sourcecodeis continuallyandthoroughlyauditedby aconcernedcommunityof ablevolunteers,andthebugs—oncefound—aredocu-mentedopenlyandclearly, andarefixed with extremerapidity. It is alsopossi-ble to “be careful” with proprietarysoftware,but bugsareusuallynot publicizedopenly, norarethey fixedquickly. Further, youmusttrustthesoftwarevendornotto haveulteriormotives.Computersoffer anunparalleledmeansof collectingandcatalogingmarketingprofilesof individuals. It is naive to believe thata softwarevendorwhoownsamarketingagency will notuseits softwareproductsto further

8

its marketinggoals,regardlessof theimpacton individuals’privacy.

3 Networking and the Inter net

Bugsaside,computersareso fastandreliable that we (asindividuals,andasasociety)rely on themincreasinglyfor all mannerof informationmanagement.Inparticular, moreandmorepeopleconductfinancialandother legal transactionsover the“Internet” andthe“world-wideweb”.

Justasinformationcanbesentfrom onehouseto anothervia thepostalser-vice, computersworldwide arelinked by the Internet. If your computeris con-nectedto the Internet(usually througha modem),you cansharedatawith anyothercomputerthatis alsoconnectedto theInternet.Thisallowsyou to sendandreceiveemailandbrowsetheweb,for example.

Whena packagearrivesat your house,thebutler receivesit andactsaccord-ingly uponit, eitheropeningit immediately, passingit to anotherhouseholdser-vant, or putting it whereyou will find it andthenwaiting for instructionsfromyou (aswith an email message).The postalanalogyis fairly good,but not per-fect,becausetherearecrucialdifferencesbetweendataandthecontentsof postalpackages:

� First, data can be transmitted rapidly , almostanywherein the world inminutesor seconds.

� Second,data can be copied easily, while physicalobjectscannotbe. Ifyou sendyour sistera Venetianblown-glassvase,you cannotkeepa copyfor yourself. If thevasewere,instead,digital data,you couldsenda copyto asmany peopleasyouwanted,asmany timesasyouwanted.You couldmake a sparecopy for safekeeping,in casethecatknockedtheoriginal offthemantel;this is known asbackingup data.

� Third, data may contain instructions that will be performedwhen thepackageis received. The butler doesnot consultyou on eachindividualpackage(theremay be thousandsof packagesper hour arriving at yourhouse),so often theseinstructionsarefollowed without your direct inter-vention.

In an idealworld, all of theseattributesof dataarebeneficial.You canshareyour dataquickly andasmuchasyou like without losing it yourself. You can

9

emailfamilyphotosto friendswithouttheoriginalsleaving yourpossession.Shar-ing recipesis apre-computerexampleof dataexchange;nomatterhow many peo-ple you giveyour recipesto, you do not losetheoriginal. Thecopiescanbeusedto make morecopies,all identical to the original. (By contrast,the ingredientsusedin a recipecannotbeduplicatedandshared;if you givea neighbora cupofsugar, youhaveonecuplesssugaryourself.)In theform of instructions,datacanbea labor-saving device,allowing you to automatelengthyor tedioustasks(suchasalphabetizinga long list of namesor balancingthe householdbudgetwith aspreadsheet).With an Internetconnectionyou cantelecommute,working with-out physicallygoing to your office, even printing documentsremotelyfor yourco-workers. Theseareconveniencesthatwe increasinglytake for granted.Eachof thethreepropertiesof datais a fundamentaldifferencebetweenphysicalcom-moditiesand information,andeachplaysa part in the power andutility of thecomputer.

It doesnot requiremuchimaginationto seethatthesepropertiesof datacarryrisks. Your householdservantsare permittedto performany actionsrequested(cleaning,moving furniture, cooking, taking out the garbage),but areslavishlyobedientandby default childishly trusting. If a strangersendsa packageaskingthebutler to choptheHepplewhiteinto kindling andstuff thepiecesinto thetoilet,thebutlerwill do asaskedunlessyouhavecautionedthebutler to ignoredestruc-tive requestsfrom strangers.Theoutcomewould bedamagingin a differentwayif thebutler honoreda requestto duplicateandmail off a copy of your financialrecords,including your bankaccount,credit card,andsocialsecuritynumbers.Thespeedandtransmissabilityof datameanthat sucha requestcanbe initiatedhalf a world away, andbehonoredin a very shorttime, perhapsundera minute,withoutyourbeingthewiser. Naturally, youwantto protectyourselfagainstdam-ageto thepossessionsin yourhouse,andto controlthedivulgingof yourpersonaldata. Unfortunately, it is not simpleto achieve thesegoals,shortof refusingallpackages,which is tantamountto disconnectingyourselffrom theInternet.

Real-Life Attacks

Anyone who follows the nightly news hasheardstoriesof computerexploits.Many homeusershave beenpersonallyaffected,perhapsunknowingly. Theseattacksrangefrom cruelly ironic to merelycruel. To avoid beingthevictim, youneedto know how the attackswork, how to secureyourselfandyour computerfrom vulnerability, andhow to detectsignsof anattack.

10

Email Worms

In the real world, wherepeoplewith less-than-honorableintentionsreside,con-nectingyour computerto the Internetis a risk. Imaginea world, very muchlikeour own, in which 90%of thepopulationlivesin housesbuilt from thesamesetof blueprints,andemploying thesameservantswhoperformthesametasks.Onemorning, a packagearrivesat your house;becauseit is an email message,thebutler putsit into your inbox. You seethat it is from a friend, andis labelled“Aspecialgift for you”, so you tell the butler to go aheadandopenit. Inside thepackage,thebutler finds the message,“Go to thedesk,find theaddressbook inthetop left drawer, andcopy thefirst fifty names.Make fifty copiesof this pack-age,andsendthemto thosefifty people.Thengo throughall thepicturebooksinthelibrary andwrite ‘I loveyou’ in permanentredmarkeroneachpage.” Thebut-ler, whoroboticallyfollowsdirections,trashesyour library andsendsthepackage(technically, a worm) to fifty of your friends,very likely trashingtheir librariesandcausingeachof theirbutlersdutifully to copy thepackagefifty times,spread-ing thejoy to 2500people,whosebutlersunwittingly attackyetmorepeople.Theentireprocess,from your telling thebutler to openthepackageto thedestructionof your books,takesa few secondsat most. Theremay be a delayuntil yourfriendsopenthespecialgift, but afterperhapshalf adaythepostalservicewill bein dangerof collapsefrom thesheervolumeof mail, andmillions of peoplewillbeleft angryandviolated.Luckily, yourhousecanberebuilt in its originalcondi-tion in aboutanhour, thoughany personaltouchesyouaddedmaybedamagedorlost, especiallyif you did not make sparecopiesof all your photoalbumsbeforetheattack.

Of course,suchan attackdid happen,andcostpeopleworldwide uncountedhoursof cleanupand repair. The attackoriginatedin a country with no lawsagainstemail worms,andtherewas little evidencetying the releaseto an indi-vidual, so prosecutionwasessentiallyimpossible. The prime suspectclaimed,probablytruthfully, to have beentrying to steala few users’passwords,not tobring down email serversanddamagemillions of users’computerdataworld-wide. Why did suchan attackwork? Onereasonis that so many housesweresetup the same,so it waseasyto give the genericbutler simple instructionstocarryout theattack.Second,in thevulnerablehouses,thebutler wasallowedtofollow instructionsfrom postalpackages,without askingfor confirmation.Sadly,thiswasthedefaultbehavior written into thebutler’scontractwhenthehousewasbuilt, and the owner eitherdidn’t know the dangeror felt the conveniencewasworth therisk.

11

Theeventwasreminiscentof a child playingwith matcheswho accidentallyburnsdownalargepartof acity. Of course,thechild shouldnothavebeenplayingwith matches,but hadgoodfire-fighting infrastructurebeenin placethedamagewould have beenfar less. Thereis no safeway to run a programof unknownorigin, andit is arguablynegligent of a vendorto ship email softwarethat is bydefaultconfiguredto runprogramsreceivedin amail message.Ratherthanlayingblame,it is betterto secureyourown computersothatit is lessvulnerableto emailattacks.

Non-Windows usersshouldnot feel superiorto thoseaffectedby the “I loveyou” worm. In 1988,a similar event,perpetratedby a computersciencegraduatestudentnamedRobertMorris, crashedhundredsof Unix andVMS mainframes.Theproblemwasabugin thedefactostandardmail handlingprogram,sendmail,thatagainallowedapieceof softwareto duplicateandsenditself automatically.

Virus Hoaxes

A curioussocialphenomenonhasemergedthat illustratesthe dangerof havingonly a little knowledge.Most homecomputerusersareawarethat “viruses” ex-ist, but few know how real exploits work, wherethey comefrom, or how newsof them is officially distributedduring an actualevent. Several times a year, Ireceive dire-soundingemail claiming to reveal a newly-discoveredvirus. Therearealwaysvaguereferencesto authoritative sources(IBM, Microsoft, Intel, andthetelevisionnetworks),andinstructionsonavoiding thevirus,whichusuallyar-rivesin an email messagewith a distinctive subjectline. Thesemessagescomefrom friends,anduniformly imploreme to forward the importantwarningon toeveryoneI know.

Without exception,the warningis a hoax. Ironically, the warning itself is aworm,whosepurposein life is to clogInternetconnectionsandemailserverswithbogusmessages.Theactof passingthewarningonspreadstheworm,lessrapidlybut justassurelyasallowing anemailprogramto runexecutablecodein anemailmessagemight. The irony is thatusers’concernfor otherusers(combinedwithignoranceanda bit of credulity) causesthemto perpetratethe very act they aretrying to prevent.

Human-propagatedwormsareusuallynothingbutannoyances,but recentonescandamageyour operatingsystem. In May, 2001, I received a messageto theeffect thata nastyvirus wasspreading,andwould install itself on theharddriveundera certainname. If not deletedimmediately, this virus would erupt on acertaindatein thenearfuture,erasingall thedataon theharddrive. In reality, the

12

nameof the “virus” referredto a real (but obscure)Windows 98 systemfile. Atleastsomepeoplewho received thewarningdutifully deletedthefile; thebogusmessagecorrectly advisedthat Windows would try to stop the deletionof theoffendingfile, but thatoneshouldcontinueanyway. Luckily, thefile waseasilyrestoredfrom the installationdisk, so the outcomewas little more than publicembarrassment—thistime.

In responseto theMorris InternetWorm of 1988,theU.S.Government’sDe-fenseAdvancedResearchProjectsAgency formedthe“computeremergency re-sponseteam”.Theorganization,now calledCERT/CC(CERT CoordinationCen-ter), is housedat Carnegie-Mellon University in Pennsylvania. Their web URLis in AppendixB. (CERT is a trademark,not an acronym.) All major computerexploitsareofficially announcedanddocumentedby CERT/CC.If anexploit doesnot appearon the CERT/CC web site, thereis a very goodchancethe “exploit”is a hoax. Do not forward “virus warnings”without checkingtheir authenticity,regardlessof how much you trust the sincerity of the friend who sentyou thewarning.

Remote0wn3rship

You arein a chatroom; a newcomerentersandputssomeenticingoffer on thescreen,available from a web URL. (If the chat room is for children or teens,the offer may be for a cool prize relatedto a new movie. In an adult room, thelink might promiseunsavory video pleasures,or offer a fantasticdeal “as seenon TV”.) You, or your child, click the link, andare taken to a pagethat seemsto deliver on thepromise.However, you have unwittingly donesomethingrisky;a web URL causesdatato be sentto your computer, and in most popularPCoperatingsystems,yourbutler’sdefaultbehavior (if thedatacontainsinstructions)is to regardyourclicking thelink aspermissionto follow theinstructionsthatarereceived.Unbeknownstto you,your butler receivesapackagethatsays,“Put thisreceiver in your ear. Be surenot to let anyoneknow you’ve got it. Any time youhearsomethingthroughthe receiver, do it but act naturallike you’re just goingaboutyourbusiness.Destroy thismessage,anddon’t tell anyoneyoureceivedit.”Yourbutler, who is naiveandobedient,compliesto theletter.

The worst,mostviolating computerattackis whensomeonegainscompletecontrol of your machinewithout your knowledge. Uniquely computer-ish at-tributesmakesuchattackspossible,andusers’desirefor conveniencemakesthemincreasinglywidespread.Thedetailsdiffer, but the resultis thesame:Your but-ler endsup obeying ordersfrom a third partywithout your permission,andoften

13

without your knowledge.In systemcracker lingo, your machinehasbeen0wn3d.As longasyourmachineis connectedto theInternet,theattackercandoanythingwith yourcomputerthatcanbeachievedby softwarealone.Theattackercanviewyourkeystrokes,capturingyourpasswords;copy or deleteyourdata,anduseyourmachineasastoragedepotfor stolenprograms,or asaspringboardto attackothercomputers;turnonyourwebcamandstreamtheoutputto aremotemachine,cap-turingvideoof therealroomin whichyourcomputersits.Hangingupthemodemor rebootinghaveno lastingeffect; thenext timeyouconnectto theInternet,yourbutler will sendtheattacker a message,sayinghow to reachthehouse.Currentlythesehijinks appealmostly to voyeursandmaladjustedyouths,but identity theftis a realpossibility if you keepfinancialrecordson your computer. Obviously, itcanbeverydifficult to determineif yourmachinehasbeenattacked,preciselybe-causeagoodattackerwill forceyourcomputerto lie to youaboutits own internalstate.

The Windows family of homeoperatingsystemsfacilitatestheseattacksbypermittingyour computerto run invisible processes, programsthat do not maketheirpresenceknown to you,theuser. Further, therearemany waysto trick eitherthe butler or you into giving the attacker a foot in the door. The GNU/Linuxoperatingsystemis oftenvulnerablein thedefault configuration,but for differentreasons.We will explore this issuein detail later. For now, suffice it to saythattheoperatingsystemoffers limited accessto thecomputer(which canbea goodthing), andcanbetrickedinto offering completeaccess(a very badthing). MostGNU/Linux usersdo not know how to give restrictive instructionsto theservantsto repeltheseattacks,nor do they know how to detectsignsof anexploit.

Freedomand the Inter net

Many powerful legal entities(mostly softwareandmediacorporations)seetheInternetasapotentialMarketers’Paradise,andthey areabsolutelycorrect.Com-puterscanautomaticallytabulate,organize,andtransmitdataaboutwhereusershave beenon the web andwhat they have doneat individual sites. If you entersomeseeminglynon-identifyingdataat one web site, it can be merged with acompositeprofile of you whenyou go to anothersite. How? First, distinct sitesmayhave thesameparentcompany, or mayotherwisehave a legal agreementtosharemarketing data. Second,your webbrowsermustidentify itself to the websitesyouvisit, for how elsearethewebpagesto arriveatyourcomputer?Third, inorderto “personalize”yourbrowsingexperience,many websitesputsmallpiecesof identifyingdata,calledcookies, onyourharddriveasyoubrowse.Thesecook-

14

ies identify your specificcomputerto the web site if you leave andreturn. Youcandisablecookies,or tell your browserto notify you eachtime it is offeredacookie,but youmightaswell forgetaboutwebbrowsingif youdo. Try it andseewhy if you’re curious. Again, this is not a technologicalnecessity, but a fact oflife dictatedby marketing interests.About the bestyou cando is to deleteyourcookiesperiodically, andcertainlyafter eachbrowsing session.You’ll find thatwebsitesarenot asfriendly or personalizedwhenyou first arrive,but that’swhatyou’d expect. And of course,you can’t uncollectall the informationthat’s beenaccumulatedfrom pastbrowsing,becausethereis nodisclosureof whostoresthedata,whatdatais stored,or whomayaccessthedata.

Oneof thegreateststrengthsof theInternetis its lack of globalorganization.The Internetis a powerful mediumof communicationbecauseso many peoplehave accessto it, andcanpublishtheir views for all to consider. Not everyonecanbroadcasttheir own radio programor television show, or publishtheir ownmass-distribution newspaperor magazine,but anyonewith accessto a computercansetup andmaintaina web site. Attemptsto regulatethecontentof Internettraffic arecertainto benefitthealreadywealthyandpowerful, andto marginalizethosewith views (evenjust, rationalviews) thathappento beunpopular. On theflip side,it is a sadfactof life thattherearemalignpeoplein theworld. Someofthesepeopletwist FreeSpeechto theirown endsby promotinghateandprejudice,advocatingviolence,or simply by distortingor fabricatingthe truth. Othersusetheir freedomto attackothers,eitherfor mischief(suchasvandals)or for profit(huckstersandthieves).

A strongdemocracy dependson the ability of the averagecitizen to evalu-ate ideasthey encounter, and to filter out uncomfortabletruths from flim-flam,propaganda,lies,andhate-mongering.WhenInternetcontentis regulatedby gov-ernments(or voluntarily, by InternetServiceProviders), it is a sadday for civilliberties. Onecantake only small comfort in the internationalnatureof the In-ternet,which actsin oppositionto attemptsto legislatetheInternetby individualcountries.Thelaw hasnotyetcaughtupwith technologyregardingjurisdictionofactionson the Internet;an Australianattacker canbreakinto an Americancom-puterby usingan accounton a machinein the Netherlands.(In reality, attacksareoften far moreconvoluted.) If two of the countriesinvolved do not have anappropriatetreaty, or if their lawsarein directconflict,prosecutionmaybelegallyimpossible.

I believe thereis no legal solutionto theessentiallysocialproblemof malignhumannature,andthatattemptsto legislatebehavior ontheInternetaredangerousto individuals’ freedoms.Consequently, I believe it is theright andresponsibility

15

of eachpersonusingtheInternetto beawareof therisksandto take appropriatestepsto protectthemselvesandtheir data.TheInternetmaybea frontier society(with all thegoodandbadaspectsentailedby benignanarchy),but peoplewill-ing to becomeinformedcandefendthemselvesagainstindividual attackers. Bycontrast,no oneis safefrom aninstitutionalizedinformationpolice,beit govern-mentalor corporate.

Regardlessof whatis or is not legalon theInternet,therewill alwaysberisksassociatedwith computernetworking, becausethe natureof computersandthecomplexity of their softwaremakesthemvulnerableto remotesubversionby ma-licious attackers. Securityis a technicalandsocialproblem,andcannotbe leg-islatedaway by restrictingInternetcontent. While you cannotdo much aboutmalignhumannature,you canavoid many technologicalpitfalls,andsetup yourcomputerin a way thatis difficult to subvert.

The structur eof the Inter net

TheInternetis anetwork of computerslocatedin countriesthroughouttheworld.Any two computersconnectedto the Internetcancommunicateby exchangingdatawith eachother. To givea morefamiliar analogy, think of theInternetasthepostalservice,andof individualpersonalcomputersashouses.Sharinginforma-tion betweencomputersis roughlyakin to sendinga packagefrom onehousetoanother;indeed,theunitsof informationon the Internetarecalledpackets! Thepostalanalogyis not perfect,andwe will successively refineit aswe go, but fornow it will do.

Whenyou senda packageto a friend in anothercountry, you do not needtoknow thedetailsof how thepackagewill be transported;you simply write yourfriend’saddressontheboxandtaketheboxto thepostoffice. Exchangeof dataontheInternetis, to theuser, similar; eachpacket of datahasa destinationaddressthat getsthe packet to the propercomputer. The packet also carriesa sourceaddress(analogousto the returnaddresson a package)so that any datasentinreply to thepacket canbereturnedto you.

TheInternetis abstractlylaid out muchlike a systemof roadsandhighways.Therearea few broadhighwaysthatconnectlarge,distantpoints.Branchingofffrom the highwaysarestreetsof varying size; a singlestreetmight connectthebackboneto a few large universities,businesses,or clustersof Internetserviceproviders. Connectedto the streetsaremultitudesof alleys that arefinally con-nectedto thedrivewaysof individualhouses.Eachbranchpoint (or “postoffice”)is a computercalleda router; the router that connectsyour sub-network to the

16

Internetis sometimescalledyour gateway, andactsasyour local postoffice, towhichyou takepackagesto bemailedandwhereyou receive replies.

TheInternethasanenormousnumberof connections;like roads,connectionson the Internetcarryvaryingamountsof traffic (dependingon their location,thetime,andthedayof theweek),whichcancausethespeedof transmissionto slowdown noticeably. Unlike roads,theseconnectionscomeandgo,asmachinesstartup or shutdown. A routeractsin part like a traffic helicopter, attemptingto senddatathroughconnectionsthatarerelatively unburdened.

Two computerson theInternetcantypically exchangedataby a pathpassingthroughno morethantwo dozenintermediaterouters.Implicit in this assertionisasoberingthought:All thedatayousendover theInternetpassesthroughseveralmachineson theway to its destination;thesoleexceptionis traffic betweenyouandyourgateway, or betweenyouandyourISP’sdial-in server. Youhavenocon-trol overwho canreadthedatain transit;thedangeris not thatthepostalservicewill snoop,but that thepostalservicehasbeenwiretappedby anattacker. Homecomputersarenot the only machinesvulnerableto being0wn3d, andprogramscallednetworksniffersexist thatrunonrouters,scanningall thetraffic thatpassesthrough,usuallysifting for passwordsandcreditcardnumbers.

The behavior of the Internetis local andcooperative. Traffic is routedovertheInternet“dynamically”: You specifywhereapacket is to besent,but thepaththedataactuallyfollows dependson theexisting connectionsandtheamountoftraffic duringtheactualtrip. A singlemessageis usuallybrokeninto piecesby thesender, andthepiecesof a singlemessagewill often take differentpathsto theirdestination.

Considerhow arealpostalpackagegetsdelivered:Youtakethepackageto thepostoffice. Theclerk doesnot know thelocationof your friend’s house(or evenhow to get thepackageto your friend’s country),but doesknow wherethecity’smainpostoffice is. At themainbranch,theclerk seesthat thedestinationis notwithin thecity, andsendsthepackageup to a higherlevel. At lastyour packagearrivesat a nationaldepotwhereall mail to Switzerlandgoes.Oncethepackagearrivesin Switzerland,the Swisspostsendsit to the appropriatecity post,whopassit to aneighborhoodoffice,andfinally thepackageis deliveredto your friendby herneighborhoodmail carrier. Theprocessis remarkablebecauseit doesnotrequireany onepostoffice to know everythingabouttheentirepostalsystem,butonly aboutits immediateneighbors(in thepostalsystemhierarchy).RoutingofInternettraffic is similar, asit mustbe,becauseno centralentity canmaintainalist of computersattachedto theInternetat agivenmoment.

MostInternettraffic is routedusingtheDomainNameSystem(DNS),aglobal,

17

distributed,dynamicallyupdateddatabase.Theadjectivessimply meanthat“thelist” of all computerson the Internetis scatteredamongcomputersworldwide,andis updatedin real time ascomputerscomeonlineor shutdown. Unlessyourun GNU/Linux or FreeBSDon your PC,you will probablynever needto knowmoreaboutDNS.

The Internetwasdesignedasan environmentwhereuserswerecooperating,responsibleacademicsandgovernmentscientists.Theprotocolsonwhich theIn-ternetrunswerenot designedfor security, andthe programsthat computersuseto communicatewere not designedto prevent dishonestuse. Not until the ex-plosionin popularitydueto the inventionsof hypertext, multimediacontent,andwebbrowsersdid theInternetbecomeapublicarena.As morepersonalinforma-tion (medicalandcredit information,purchasingpatternsandbrowsinghabits)isstoredandtransmitted,andasmorebusinessis conductedelectronically, the in-formationflowing throughpotentiallyinsecurechannelsbecomesof greatervalueto hucksters,thieves,voyeurs,andmass-marketers.

4 Security

In orderto understandwhich risksareandarenot within your control,you mustfirst know what generalrisks are. Whenyou mail a package,you assumeim-plicitly thatthepackagewill not beopenedexceptby theintendedrecipient(andcustomsagents). The contentsof a packageyou sendare private,and tamper-ing is easilydetected.A datapacket, by contrast,is justly likenedto a postcard;anyonewho handlesthe packet canreadit—even make a photographiccopy ofit—without yourknowing. Preventingothersfrom readingyourdatawhile it is intransitis thebroadareaof networksecurity.

Individual computerswhich addresson the InternetarecalledInternethosts.Protectingthedatain your own computeris thepurvey of hostsecurity. Severalpeoplemay have physicalaccessto your computer, andtherearegoodreasonswhy you’d want to keepdifferentusers’dataseparateandprivate. Hostsecurityis alsoan issuebecausea computercanreply to requestsfrom strangerson re-motemachines,andis childlike in its naivet́e of who it trusts,unlessyou tell itotherwise.

18

Encryption

Duringwartime,whenmessagesmustbekeptfrom enemyhandsduringtransmis-sion,thecontentof amessageis encrypted, or convertedinto aform thatcannotbereadunlessonehasa secretpieceof informationpossessedonly by the intendedrecipient.In thesameway, youcanprotectyourdataasit travelsovertheInternetby encryptingit, providedthereis a softwareinfrastructurein place.Thereis nootherway of protectingtransmitteddata,becauseof theway the Internetworks:Unlessyou setup a privatenetwork, your datawill travel throughmachinesthatarenot underyour control.

Recentversionsof NetscapeandInternetExplorersupportfairly strongen-cryption, thoughnot all sitesoffer encryptedbrowsing. Most web sites’ URLsbegin http://. A sitewhosenamestartshttps:// is encrypted;the“s” standsfor “secure”. It is a badideato purchasegoodsor servicesfrom a site thatdoesnot encryptthe transaction.It is not necessarilysafeto purchasegoodsandser-vicesfrom encryptedsites! As you will easilysurmise,the hostsecurityof themachinestoringyour personaldatais crucially importantto you, and is some-thing overwhich you have no control. Email canalsobeencrypted,but becomessubstantiallylesseasyto use.Eachindividualmustcurrentlyweightheir concernfor privacy with theaddedburdenof encryptinganddecryptingemail.

In the cryptographyworld, transactionsare describedbetweenhypotheticalparticipants,Alice andBob. Theirnemesis,Charlie,is theevil man-in-the-middlewho is trying to eavesdrop.

Themostcommontypeof encryptionin usetodayis calledpublickey encryp-tion. Public key encryptiondoesnot refer to a singlemethodof encodingdata,but to a whole classof algorithmsthat sharethe following description.Using acomputerprogram,Alice andBob eachgeneratetwo piecesof information,theirpublic key and their private key. As the namessuggest,the public key may befreely distributed,while theprivatekey mustbeknown only to theuser. In orderto communicatesecurely, Alice andBob musteachpossessthreekeys: Alice hasherprivatekey, andbothherandBob’spublickeys,while Bobhashisprivatekeyandbothpublic keys.

SupposeAlice wantsto senda messageto Bob. After writing the text of hermessage,sheusesa computerprogramtogetherwith Bob’s public key to convertthetext of hermessageinto seeminggibberish.ShethenemailsBobtheencryptedmessage.Bob receivesthegibberishfrom Alice, but armedwith a computerpro-gramandhisprivatekey, heis ableto recoverthetext of Alice’smessage.Charliemay interceptAlice’s message,but without Bob’s privatekey Charliecannot(in

19

practice)recover theencryptedtext. (In principle,Charliecancracktheencryp-tion, but it maytake thousandsof yearsandall theworld’scomputingpower.)

Thereis an additionalwrinkle, though,becausethe addressof the senderiseasilyforgedin an email message.Alice canbe certainthat only Bob canreadher message,but how is Bob to be certainthat the messagehe received reallycamefrom Alice? To authenticateherselfto Bob, Alice mustsomehow encodeher messagein a way that only sheis capableof. Using her private key, Aliceencryptsa shortmessageandappendsit to heroriginal messageashersignature,thensheusesBob’s public key to encodethemessage.Now, whenBob decryptsAlice’s message,thereis somegibberishat the end. To checkthat the messagereally is from Alice, Bob attemptsto decodethe gibberishwith Alice’s publickey. If the attemptis successful,Bob can be certain that Alice encoded(andpresumablysent)themessage.Otherwise,Bobsuspectsa forgery.

Thebeautyof publickey encryptionis thatsecretdataneedneverbetransmit-tedbetweenAlice andBob;beforesendingprivatemessages,theonly informationthey needexchangearetheirpublickeys. Thesecurityof themethoddependsonlyon theintegrity of their privatekeys; eventhedetailsof theencryptionprocedurecanbepublicized!Thesubstantialdrawbackof publickey encryptionis thatemailprogramsdonoteasilysupportit; Alice mustsignandencryptby handeverymes-sageshesendsto Bob, andBob mustdecryptandauthenticateevery messagehereceivesfrom Alice.

TheU.S.Governmentopposesgeneralencryption,underthebelief thatterror-istsandinternationalcriminalswill useit to communicatein secret;until thefallof 1998,the “RSA algorithm” for public key encryptionwasconsidereda mili-tary weaponby theStateDepartment,andwasprohibitedfrom export. TheFBIreluctantlysupportscitizens’right to encryptdata,but hasproposeda key escrowsystem,in which everyoneregisterstheir privatekey with a neutralthird party.Thatway, in theory, individualscansendprivateemail,but law enforcementof-ficersarmedwith a court ordercanobtaina suspect’s privatekey andthereforereadthesuspect’semail,justasthey cantapasuspect’s telephone.Thereareseri-ousprivacy issuesandlogisticaldifficultieswith key escrow. How exactlyarethekeys to bestored,whatsortof clearancewould berequiredto have accessto thekey database,andhow arekeys to betransferredto “authorizedlaw enforcementofficials”? If thekeys resideonamachineconnectedto theInternet,they aresus-ceptibleto beingstolen,like any otherdata. But how elseis thenationwidekeydatabaseto bemaintained?

20

Fir ewalls

A firewall is aprogramthatcontrolsthetraffic thatflowsbetweentheInternetandyourcomputer(s).In ourhouseholdanalogy, afirewall is aservantthebutlercon-sultswhenevera packagearrivesfrom theInternet.In “mission-critical” settings,anentiremachineis oftendedicatedto thepurpose,andtheterm“firewall” refersto theentiremachine.Therearetwo general“policies” a firewall canfollow: Al-low everythingthat is not expresslyforbidden(easierto setup, but lesssafe),orrejecteverythingthat is not expresslypermitted(requiresmoretweakingat first,but far saferin the long run). To explain how a firewall works, it is necessarytosaymoreaboutnetworking.

Clients and Servers

Mostcomputerinteractionsworkonaclient-servermodel. Onemachinehassomeusefulinformation(perhapsdataor multimediafiles) or accessto hardware(say,a printer, or to the computeritself); the othermachinewantsa copy of the in-formation,or accessto the hardware. For example,considera database,a largecollectionof informationthatcanbeorganizedandgroupedaccordingto severalcriteria. The actualdataresidesin a file (or several files) on the first computer,whichrunsaprogramcalledadatabaseserver. Thedatabaseserverwaitsfor cer-tain typesof packagesto arrive, namelythosethat requestinformationfrom thedatabase.Whena requestarrives,theserver programdeterminesthat therequestcamefrom anauthorizedcomputer, thenrepliesto therequest,usuallyby sendingapackagecontainingtherequesteddata.

At theotherendof thetransactionis a computerbeingusedby a personwhowantsinformationfrom thedatabase.Onthiscomputerrunsaprogram,theclient,that sendsappropriatelyformed requestsfor datato the server. If you are likemost users,the client is the database;you ask it for information, and the datamagicallyappearson your screen.Behindthescenes,however, is aslightly morecomplicatedpicture.Youmaybeaccustomedto speakingof aparticularcomputerasa “server”; in many organizations,severalkindsof servicearehandledby thesamecomputer, andtheonly reasontheaverageuserinteractswith themachineis asaclient. However, it is moreaccurateto separatethephysicalhardwarefromtheprogramsrunningon it. A singlemachinecanbea client for oneprocessanda server for another. In fact,every computeris a server for its own display;yourcomputermonitor is a hardwareresource,anda remotecomputerhasto askforpermissionbeforeit candraw on yourscreen.

21

Negotiatinga Network Connection

Datais sentovertheInternetin relativelyshortpieces,analogousto smallshippingboxes.Theamountof datain a typical requestis muchtoo largeto beshippedinonepiece. If you usea web browser(a typeof client, by the way) to downloada web page,even a singleweb pagemay requiredozensof packets. The servermustthereforedivide thepageinto chunks,andyour computermustre-assemblethesechunksbeforethepagecanbedisplayed.

Themeansby which computersarrangeto sharedatais a little involved,butelegant. Whentwo computerswant to “speak”, they needto verify that they arespeakingto whomthey think. Theusualprocedure,calleda three-wayhandshake,authenticateseachcomputerto theother. Theclientinitiatesatransactionby send-ing ashortpacketto theserver; thepacketsays,“I wantto initiatecommunication.My sequencenumberis 36451.” (Thenumberis chosenby thebutler. Themorerandomthenumber, the betterfor security.) Theserver receivesthis packet andsendsamessage,“I acknowledgereceiving yoursynchronizationrequest,andthenext packet I expectto receive is 36452. My sequencenumberis 912.” The in-crementedsequencenumberprovesthat theserver really did receive theoriginalrequest.Finally, theclientauthenticatesitself to theserverby saying,“I expecttoreceive packet 913 from you. Hereis the informationI want.. . ”. At this point,thetwo computershave establisheda connection,andeachknows exactly wherein theconversationit is.

Connectionestablished,the server splits the information into piecessmallenoughto be transmittedover the Internet. If the reply is split into 156 pack-ets,theserver startssendingdatanumbered,“Page1 of 156” andsoforth. Yourmachinenow knows to expect156packetsin reply. Eachtime your machinere-ceivesa packet, it sendsanacknowledgementto theserver. It doesnot matterifthepacketsarrive out of order, becausethey arenumbered.(BecausetheInternetroutestraffic dynamically, thereis a goodchancethe packetswill not arrive insequentialorder.) If theserver hasnot receivedacknowledgementof receiptof apacketafteradecentinterval, it sendsthepacketagain.Onceall 156packetshavebeentransmittedsuccessfully, theconnectionterminates.

Theprocedureoutlinedhereis calledthe transmissioncontrol protocol, TCP.Email,webbrowsing,file anddatabaseaccess,andremotelogin sessionsarecon-ductedviaTCP. Thecompletetechnicaldetailscanbefoundathttp://www.faqs.org/rfcs/rfc761.htmlif you’recurious.

22

Port Numbers

As alreadysuggested,a single computercan act simultaneouslyas a server inmany capacities.Whena requestcomesin, how doesthecomputerknow whichprogramshouldreceive the request?The answeris that differentkinds of ser-vice areassociatedwith an addressanalogousto an apartmentnumberor roomnumber. Therearedozensof commonservices,but thereareplentyof availablenumbers,so it is no problemto assigneachtype of servicea differentnumber.The “apartmentnumber” is technicallyknown as a port number, andcommonnetwork servicesareboundto port numbers.For example,webpagerequestsgoto port80,requeststo locatetheaddressof ahostname(somethinglike“directoryinformation”for theInternet)goto port53,file transferrequestsarriveonport21,andwhenaWindowscomputerboots,it askson port137for anaddress.

Recallthatatthestartof apacketareadestinationaddressandasourceaddressthattell theInternetwherethepacketcamefrom andwhereit is going. In additionto thedestinationaddress,a packet hasa sourceport numberthat tells thebutlerwhatremoteprogramsentthepacket,andadestinationport numberthattells thebutlertheprogramfor whichthepacketis intended.Thebutlerseesthedestinationportnumberandhandsthepacket to theappropriateservant,er, server. Youmightthink of thefoyer of your househaving severalmail slots;not all theslotswill bein use,but eachserverhasits own mail slot.

Port Scanning

If you werea burglar, you would casea neighborhood,looking for housesthatareeasyto breakinto, testingdoor locks, telephoningto seeif anyoneis home.The network analogueis a port scanner, a programthat sendspackets to everyallowableport at a given addressandexaminesthe replies. On the basisof thereturnedinformation,thescannerdeterminesinformationaboutthehost,suchasits operatingsystemanda list of serverswaiting for incomingrequests.

It is easyto portscannot just a single address,but hundredsof hostswhoareon the samestreet(in the sameaddressblock). Thereareprogramsthat dothis automatically, andwhich sortandtabulatethedatathey receive accordingtoyour systemresourcesandvulnerabilities. If you think no onewill notice thatyour print sharingis turnedon, or that you’re running a vulnerablefile server,you’remistaken.Expectto beportscannedaboutonceanhourall thetimeyou’reconnectedto the Internet. Becausescanscan be run from anywhere, they areequallylikely to occurat any timeof thenight or day.

23

For obviousreasons,it is impolite to port scanmachinesat random,but it isnot illegal in the United States. It is forbiddenby many ISPs,but enforcementis lax. Even if scanningwere illegal, preventionandenforcementare impossi-ble. Attackerstypically scanblocksof addressesfrom stolencomputeraccounts,andtheelectronictrail oftenleadsbackto a countrywith no laws againstsystemcracking.All you cando is to ensureyour machinegivesaway little informationto aport scanner.

Effective port scannersarewidely available,but far from wishing they wereillegalyoushouldembracethemasavaluabletool: By runningaportscanonyourown machine,youcanfind probableentrypointsfor intruders,andclosethemup.A port scanis oftentheeasiestway to determineif a machinehasbeenattacked;any unauthorizedservices(suchasthe login server thatgivesanattacker remoteaccessto your machine)will show up in a portscan,evenif theoperatingsystemclaimsnothingis runningontheport. Think of aportscannerasanexternalTigerTeamauditorwhocantell youwhat’s really goingon with theservants.

Statelessand Stateful Fir ewalls

A firewall is a sort of door guardor mail censor. The firewall examinesthe ad-dressinformationandport numbersof eachpacket, andactson instructionsyougive. Thefirewall canallow packetsto passsilently, sendthemthroughbut postacautionarynotein a log file, dropthemin thetrashwithoutaword,or many otherthings. For example,somesourceaddressesare, like 1234Main St., AnytownUSA, obviously bogus;you would probablytell your firewall to throw away anypacket claimingto comefrom suchanaddress.

Thesimplestkind of firewall determinesthefateof a packet solelyon theba-sisof informationin thepacket. In orderto block incomingrequeststo useyourprinter, you could have your firewall block any packets that containa synchro-nizationrequest.Sucha firewall is saidto be stateless; it hasno memoryof anexisting transaction,andmakesdecisionspacket by packet. TheLinux 2.2kernelutility ipchains offersonly statelessfirewalling.

Statelessfirewallswork well for homeuse,but arealittle gullible. Theaddressandport information in a network packet canbe forgedeasily. If your firewallblocksonly synchronizationrequests,an attacker canstill conceivably get pastthe firewall by sendinga packet that pretendsto be an acknowledgementof arequestfrom your machine.A statelessfirewall maywell admitsucha packet. Astatefulfirewall keepstrackof existing TCPconnections;if anacknowledgementarrivesbut your machinehassentno synchronizationrequest,thefirewall canbe

24

instructedto drop the packet. The Linux 2.4 kerneloffers the statefulfirewallutility iptables.

Firewalling capabilitiesare built into the Linux kernel. By contrast,someoperatingsystemsrelegatefirewalls to applicationprograms.If youaretruly con-cernedaboutremoteexploits, you shouldnot run your firewall on a single-useroperatingsystem.

Operating Systemsand Security

Many popularPCoperatingsystemscannotbemadethebasisof asecureInternethost; they weredesignedfor userconvenienceratherthan for security, and thefoundationsuponwhich they werewritten reflecttheir origins. If you run oneofthese,thereis not muchyou cando but disableautomaticexecutionof programsin email messagesandweb pages,turn off file andprinter sharing,andbe verycarefulaboutwhereyou go on the Internet. Somefeatures,suchasenablingofJava andJavaScriptfor webpages,mayturn themselveson automaticallyevenifyou disablethem,soevery time you starta webbrowserit is prudentto double-checkthatthesescriptingcapabilitiesareturnedoff.

If you areconcernedwith securityin your homecomputer(s),GNU/Linux isanexcellentchoiceof operatingsystem;it is aFree,low-cost,professional-qualityoperatingsystemthatrunson severalcommontypesof PC.Its maindownsideistherelative lackof user-friendliness,andthedifferencebetweenits userinterfacemodel (often a commandline and simple text editing) and that of “point-and-click” operatingsystems.GNU/Linux is not trivial to configure,but onceproperlyconfiguredwill runstablyandsafelyfor monthsat a time.

Using Freesoftware givesyou good control over the useof your machine;whenseriousbugsarefound,they arepublicizedin well-knownplaces,andpatches(correctionsto thesoftware)areoftenavailablewithin days—sometimeshours—of publicationof thebug. RunningGNU/Linux is somethinglike designingandbuilding your housefrom high-quality, pre-madeparts. If you don’t like theway somethingruns, its inner workings are documented.You are free (hencethename“Freesoftware”),evenencouraged,to learntheinnerworkingsof yoursystem,andto improve themif you areable. Freesoftwareis alsoastonishinglycheapif you areaccustomedto proprietarysoftware. A complete“distribution”of GNU/Linux—theoperatingsystemandhundredsof utilities andapplicationprograms,including excellent tools for writing and compiling software—costsaboutUS$5 at this writing, and can be downloadedat no charge from many

25

sitesaroundthe world. Equivalenttools for otheroperatingsystemscould eas-ily cost$2000or more.

Therearemany resourceson the web for installing, configuring,andusingGNU/Linux. If the idea of using Freesoftware appealsto you, pleaseseetheURLs at theendof this paperfor placesto look for moreinformationon gettingstarted.

SecuringGNU/Linux

Linux, the kernelof the GNU/Linux operatingsystem,is a multi-tasking,fullymemory-protectedcloneof Unix, themainframeoperatingsystemwith 30 yearsof developmentbehindit. GNU/Linux offersall theusersecurityof Unix; differ-entuserscannotreador destroy eachothers’files, andonly thesuperuser, root,hascompletepermissionto modify or deletesystemfiles. If you,asaGNU/Linuxuser, fall prey to a URL attack,you cannotcompromisemorethanyour own ac-count;it is not soeasyto gainsuperuseraccessremotely.

Thatsaid,thereareahandfulof potentiallyseriousrisksin usingcertaindistri-butionsof GNU/Linux. Luckily, they areeasilyfixed. To explain them,we mustfirst outlinewhathappenswhenyou install andbootGNU/Linux.

By default, themostpopulardistributionsof GNU/Linux (RedHat, Caldera,andMandrake) setup your computerasa server for web documents,databases,files, electronicmail, andothercommonnetwork facilities. After you install andboot for the first time, your computerwill be readyand willing to answerre-questsfrom thewide world. To many convertsfrom otheroperatingsystems,thisplethoraof abilitiesis incrediblynifty; for $5,you’ve gottenhundredsof dollars’worthof softwareidenticalto whatprofessionalsat largebusinessesanduniversi-tiesuse.To asystemcracker, anewbie’sGNU/Linux box is agoldmine.

By portscanningan addressblock, an attacker caneasilyfind your machine,andwith afew widely-availabletoolscantell whatdistributionandversionyou’veinstalled. The companiesthat packagedistributionshave to datebeenrelativelylax aboutsecurity, and several of the servers that are installedand enabledbydefault canbe remotelyroot compromised. This means,in plain language,that ifyou install RedHat 6.2 (or whatever) thenleave your machineconnectedto theInternet,you have built a housecapableof launchingpowerful attackson othercomputers,but have left thedooropenfor anyoneon theInternetto walk in andtakecompletecontrol.

Thefive mostnotoriousserversaresendmail (electronicmail), bind (Inter-net nameresolutionservice,or DNS), wu-ftpd (the WashingtonUniversity file

26

transferprotocoldaemon),rpc-statd (a server usefulon networks of Sunma-chines),andLPRng (aprint server). Learnhow to disablethese,andturn themoffbeforebringing your machineonto the Internet. If you mustrun theseservices,get up-to-datepatchedversions(with no publishedvulnerabilities)andpossiblyfirewall theportssothey areinaccessiblefrom theInternet.

As of February, 2001,therearefully automatedworms(Ramenand1i0n,seeAppendixB) traversingthe Internetthat scanfor vulnerablemachines,thenat-tack oneor more of the serviceslisted above, gainingsuperuseraccess.Theyinstall copiesof themselvesandmail password andsystemconfigurationfiles tofour emailaccounts(two in theU.S.,two in China).They installa few backdoors,allowing ahumanto log onremotelyasthesuperuser, andcleanuptracesof them-selves,deletinglines in log files andreplacingsystemutilities with versionsthatdo not show existenceof theworm. Thenthey begin to scanfor morevulnerableboxes.In theforensicanalysisof oneRamenattack,theelapsedtimebetweentheinitial port scanandtotal remoteownershipof themachinewas87 seconds.TheHoneynetProjectreportsthatthemeantimeuntil anunsecuredRedHat machineis root compromisedon the Internetis 72 hours;oneof their “honeypots” wasrooted15minutesafterbeingbroughtonline.SeeAppendixB for theURL of theHoneynetProject.

A Computersand Inf ormation

Computersareelectronicmachinesthat storeandmanipulatedataat incrediblespeed.Computerscanbe connectedto eachother(or networked) in a way thatallows themto sharedata. Whenyou sendsomeonean emailmessage,a chunkof datacalleda file is transferredfrom your computerto your friend’s computer.Whenyou browsetheworld-wideweb,files on a webserver arecopiedandsentto your machine,whereawebbrowserconvertstheinformationthey containintothetext andimagesyou seeonyour screen.

Text (emailmessagesandwebpages),proprietaryformatfiles (word proces-sor documentsor spreadsheets),andmultimediafiles (soundsandpictures)arecommontypesof dataona typicalhomecomputer. Themostimportantattributesof electronicdataare that it canbe copiedquickly andrepeatedly, andthat theinformationcanbetransmittedto anothermachineanywherein theworld, aslongasbothmachinesareconnectedto theInternet.

27

Electronic Representationsof Data

Abstractly, the information in a computeris storedas a patternof bits (binarydigits), often representedasa string of 0s and1s. If you arealreadystartingtofeel lost, pleasekeepreading;the detailsmustbe explainedbit by bit (no pun).If computerinternalsarenew to you, therewill beshortintervalsof confusionasyou read,followed by pleasantmomentswhenyou suddenlyunderstandhow apiecefits into thelargerpicture.

In moderncomputers,thesmallestunit of datathatcanbemanipulateddirectlyby the hardwareis a byte, consistingof eight bits. Thereare256bytes,namely256distinctsequencesof 8 bits. Thesearelistedin Table1; thedecimalnumbersat left serve to enumeratethe bytes,while the typewriter stringsare the actualbytes.

0 00000000 64 01000000 128 10000000 192 110000001 00000001 65 01000001 129 10000001 193 110000012 00000010 66 01000010 130 10000010 194 110000103 00000011 67 01000011 131 10000011 195 110000114 00000100 68 01000100 132 10000100 196 11000100

......

......

62 00111110 126 01111110 190 10111110 254 1111111063 00111111 127 01111111 191 10111111 255 11111111

Table1: Eight-bit bytes

Think of the eight bits in a byteasnumberson an odometer. Whena wheelreachesthe highestnumber, it rolls over to zero,andthe next wheel to the leftincrements.The differencewith an ordinary odometeris that hereeachwheelhasonly two positions, 0 and1. If you areunfamiliar with binaryarithmetic,youmayenjoy writing down afew moreodometerreadingsuntil yougeta feel for thepattern.

Thenames0 and1 areconventional;they could just aswell becalledfalseand true, or off and on, or black and white. The significanceof this willbecomeclearshortly.

28

Character Coding

Supposeyou wishedto storea text documentas a string of bits. One methodwould be to let lettersof thealphabetcorrespondto countingnumbersfrom 1 to26: a� 1, b� 2, c� 3,.. . , z� 26. Theword “cat” would correspondto thelist ofthreenumbers3 1 20,andthelist 4 15 7 would correspondto theword “dog”. Ifeveryonein theworld agreedon this codingscheme,thenstoringa text messagewould be tantamountto storing a (ratherlong!) list of numbers,one for eachcharacterof text. Computersarebuilt for just suchtranslationtasks;translatingtext into astringof numbersis simpleandrepetitive,but needsto bedonequicklyandaccurately.

What doesthis have to do with bits and bytes? By Table 1, the numbersbetween0 and255correspondto stringsof eightbits. If wecombinethiswith ourearliertext-codingscheme,wewouldget,for example,

cat � 3 1 20 �����������������������������������������������

Providedthecomputerparsesthestring000000110000000100010100 correctly,it canstorethe word “cat” asa sequenceof bits. Bits canbe encodedby otherequivalentschemes.Usingour primitive charactercoding,“cat” might bestoredonabarcodeor compactdiskaslight anddarkspots:

��������������� ��������������������������������������������� ��� ������������� � ����� � � � ���

The correspondencejust describedis not quite adequate,becauseactualtextdoesnot consistsolely of lower-caseletters,but also includescapitals,numer-als, andpunctuation.However, you have probablyrealizedalreadythat we had256 numbersat our disposalfor encoding,andhave usedonly 26 of them. Al-lowing for upper- andlower-caseletters,numerals,punctuation,andvariousothercharacters(suchasspace,tab,carriagereturn,anddelete)requires128differentsymbols. Thus,all plain text canbe encodedasa string of bytes(onebyte percharacter),andcanbedecodedsolong astheauthorandreaderagreeon thepre-ciseschemeof encodinganddecoding.A commonstandard,publishedin 1968bytheUnitedStatesAmericanStandardsInstitute,is ASCII, theAmericanStandardCodefor Information Interchange. In ASCII, the phrase“A line of text.”(16 bytesincluding the carriagereturn)encodes,with spacesbetweenbytesforclarity, to

01000001 00100000 01101100 01101001 01101110 01100101 0010000001101111 01100110 00100000 01110100 01100101 01111000 0111010000101110 00001010

29

Using ASCII, any two peoplein the world cancommunicateusing the Romanalphabet,storingandtransmittingtext asastringof bytes.TheInternationalStan-dardsOrganizationhaspublisheda hostof characterencodingsto handlenon-Romanalphabets.In view of thetranslatedsnippetabove, ASCII mayseemter-ribly inefficient, but computersarecapableof storingunimaginableamountsofbytes. A pageof text is roughly a thousandbytes,while a modernhard drivestorestensof gigabytes, tensof millions of pagesof text. Moreover, if youexam-ine thesizeof awordprocessorfile, you’ll find it is about20 to 100timesthesizeof the raw text it contains.Suchproprietaryencodingsarefar lessefficient thatASCII, andaremuchslower to transferoverslow connectionssuchasmodems.

A crucial point to rememberis that the string of bytesitself hasno intrinsicmeaning;the original text cannotbe recoveredfrom the string of bytesunlessthecodingschemeis known. Sometimesthis is desirable,aswhenoneencryptsa message,and other times it is not, as when one wants information to be aswidely available as possible. The free sharingof information betweenpeopledependsupon an openstandardof encodingthat anyone may use. Proprietaryencodingstandards(word processorfiles, for example)arecommon,but have theunfortunateeffect of excludingpeoplewho do not have accessto programsthatknow thecodingscheme.

Other Data Types

Almost any information that can be storedin physical form—a photographorpainting,a written work, anaudiorecording—canbestoredasa streamof bytes.Naturally, themorecomplicatedtheinformationor themoredetailedthedescrip-tion, themorebytesarerequired.(For aphotograph,“moredetail” means“higherresolution”,while for anaudiorecordingit means“better fidelity”.) A string ofabout10 million bytesis enoughto encodeanordinaryphotographwith reason-ably high resolution,or to storea 3 minutepop song,both usingcommon(andnot necessarilyefficient) codingschemes.For illustration, hereis roughly howtheprocessworksfor photographs.

If you look closelyat a color television screenor computermonitor, you willseea tiny honeycombof phosphorescentspotsgroupedin threes.In eachgroupis adotcapableof producingred,green,or blue.All thecolorsthatamonitorcandisplayareformedby amixtureof these(“subtractive”) primarycolorsin varyingbrightnesses.

Eachtrio of dotsis sosmallasto appeara singlespot,or pixel, to thehumaneye. The color stateof a pixel canbe describedby threebytes: The first byte

30

(which,asabove,representsanumberbetween0 and255)encodesthebrightnessof red in the pixel (with 0 meaning“off ” and 255 meaning“all the way on”),thesecondbyterecordsgreen,andthethird encodesblue. This particularcodingschemeis called “24-bit RGB” for obvious reasons. In 24-bit RGB coding, astreamof bytesis interpretednot asa string of characters,but asa sequenceofpixel states.Again, it is not thebytesthemselvesthatareimportant,but howtheyare interpreted.

Thenumberof colorsthatcanberepresentedwith 24bitsis 256 � 256 � 256 �16� 777� 216,or “millions of colors”. Five yearsagothis wasstate-of-the-art,butnowadays24-bit color is consideredsomewhat inadequate;with 32 bits (fourbytes),a computercandisplayover 4 billion colors. This approachesthe lim-its of thehumaneye to distinguish.Goodmodernscanners,which arehardwaredevicesthatconvertphotographsinto streamsof bytes,usea40bit (fivebyte)dataencoding.

Describinga 24-bitRGB imagerequiresthreebytesperpixel. Thenumberofpixels requiredto describea picturedependsuponthe resolutionof the picture.A relatively low-resolutionpicturerequires600 � 480 � 288� 000pixels,or aboutonemillion bytesof 24-bit color, while a high-resolutionrenderingmight require1600 � 1200 � 1� 920� 000pixels,or abouttenmillion bytesof 40-bit color. Themainpoint is thatevena photographcanbestoredasa longstringof bytes.

Data Storage

As mentionedabove, dataof many typescanbestoredasa stringof bytes. Bitsthemselves(eightto abyte)simplycorrespondto oneof two possiblealternatives,or “states”. In your computer, bits are representedphysically in threeprimaryways:

� In “volatilestorage”,or RAM (random-accessmemory).A computermem-ory chip is a latticeof millions of microscopicelectronicswitchesthatcanbeturnedoff andon in afew billionthsof asecond.If power is notsuppliedcontinually to the chip, the switcheswill begin to turn off spontaneouslyaftera few million clock cycles(or about1/1000of a second),their states(whetherthey are“off ” or “on”) will drift, andthestoredinformationwillbelost.

Perhapsnowhereelsein a computerdoesoneencounterthe ephemeralityof data;aphotographor audiorecordingcanbeencodedasastringof bytesandstoredin memory. Thestoredinformationcanberetrievedin its entirety

31

unlessthe power is interrupted,in which casethe datawill vanishalmostinstantly.

� In “permanentstorage”,on thehard drive. Theharddrive of a modernPCconsistsof one or more rigid magneticdisks, sealedinside a metal caseaboutthesizeof a paperbacknovel. Whenthedrive is operating,thediskspinsrapidly (abouta hundredtimesper second).Data is readfrom andwritten to the drive by meansof a magneticheadthat is mounteda smallfractionof amillimeter from thesurfaceof thedisk. In adata-writingoper-ation, themagneticpolarity of theheadflips rapidly, magnetizingthediskas it passesthe head. The patternof the magneticdomainson the actualdisk is abstractlyequivalentto a streamof bits. Datais readfrom thediskin thereverseoperation:Whenthediskspinspastthehead,theheaddetectswhetheradjacentdomainsonthediskhavethesamepolarity(0) or oppositepolarity (1).

Like an audiocassette(or a bar magnet!),a harddrive doesnot requireaconstantsupplyof electricityin orderto storedata;magneticdomainsretaintheir polarity until they arere-written.A floppy disk is similar in principleto a harddisk, but canstorefar lessinformation,andis slower. Themainadvantageis thatafloppy diskcanberemovedphysicallyfrom themachine.

� In “read-only” storage,suchasa CD-ROM. A compactdisk consistsof athin sheet(about1 mm thick) of transparentacrylic, coatedwith a micro-scopicallythin layerof reflective aluminum.As thedisk spinsin thedrive,a lasershineson its surface,andis reflectedinto a photo-detector. To storedata,smallholesorpitsareburnedinto thealuminumlayer;asthediskspinspastthelaser, thebeamis eitherreflectedby thealuminumlayerwhenthereis no pit (0), or is not reflectedif thereis apit (1). Thestreamof pits windsaroundthedisk in a tight spiral reminiscentof thegroove in a phonographrecord;the entireline of bits on a full disk is about1 kilometerlong, andstoresseveralhundredmillion bytesof information.Writablecompactdiskswork on similarprinciples.

Theadvanceof computertechnologyin thelasttwo decadesof the20thCen-tury is truly mind-boggling.Theingenuityrequiredto developthemeansof writ-ing, storing,andretrieving hugeamountsof datais awe-inspiring,andthesuccessis phenomenal.At thiswriting, 128megabytesof RAM costsaboutUS$50,20gi-gabytesof harddrive storagecostsaboutUS$100,anda 650megabytecompact

32

disk canbeboughtin bulk for lessthanUS$0.20! Good-qualitycomputerhard-wareis incrediblyreliable:A harddrivecanbeexpectedto mis-reador mis-writeonebytein every million billion bytes.This is roughlyequivalentto copying theentireLibrary of Congressandmakinga singletypo.

Processing

A computer’sothersalientattribute(thefirst beingdatastorage)is rapidprocess-ing of data.Abstractly, processingis therapidexecutionof arithmeticoperationson short stringsof bytes,calledwords. Most modernprocessorsusefour-bytewords,andare therefore“32-bit machines”. Eight-bytewords(64-bit architec-tures)areslowly beingphasedin, andwill bethenormin a few years.

Decisionquestionsof thetheform, “If A is true,thendo B; otherwisedoC,”canbe phrasedin termsof binary arithmetic. Binary arithmetic,in turn, canberepresentedphysicallyby simpleelectroniccircuitscalled logic gatesbuilt fromtwo or threetransistors.A modernPC processorconsistsof severalmillion mi-croscopictransistorsetchedinto the surfaceof a silicon wafer. A clock on thechip emits pulsesperiodically, which serve to synchronizethe activities of theprocessoranddatacomingin from main memory(RAM). The clock speedof aprocessoris measuredin “ticks” persecond;a 600 MHz processor’s clock tickssix hundred million timesper second.If time werescaledto oneclock tick persecond,onesecondof real time would last almost20 years.To a computer, ourfamiliarworld is almoststationary.

The coreof the processorconsistsof the actualprocessingunit andseveralregisters, small memorylocationswheredatais held during the few clock tickswhenit is needed.Theprocessorchipalsohasarelatively smallamountof mem-ory on it, about32 thousandbytesworth of level onecache thatcanbeaccessedat full clock speed,anda largeramount(a few hundredthousandbytes)of leveltwo cachethatbeaccessedat aslowerspeed,usuallyhalf theclock speed.

At thecoreof theprocessor, dataqueuesup waiting to be operatedupon. Asecretarykeepstrack of the locationof the datato be operateduponat the nextclock tick, known asthestack pointer, andthelocationof thenext operationto beperformed,the instructionpointer. Thesepiecesof informationchangefrom tickto tick accordingto theoutcomeof theoperationitself. By performinghundredsof millions of simpledecisionspersecond,a computerexhibits intelligent (or atleastresponsive)behavior.

33

RemoteExploits

Asidefrom theintrinsic interestof how a computerworks,thedescriptionaboveis necessaryto understandhow a machinecan be tricked into following rogueinstructions. Imaginefirst that the computeris running a file server. Becausethefile server needsto have accessto files ownedby differentusers,theprocesshasroot privileges;anything the file server wantsto do will be allowed by theoperatingsystem.

In orderto acceptandrespondto requestsfor file transfer, thefile server setsasidespacein memory, called an input buffer, where information relatedto arequestcanbewritten temporarily. Thebuffer holds,say, 256bytes,largeenoughto accommodateany reasonabletransactiona usermight request,andthensome.Thecrucialerroris thatthisfile serverdoesnotcheckthesizeof anactualrequestasit fills theinput buffer; no reasonablerequestwill fill thebuffer, but aprogramshouldstill checkusers’inputto ensurethelengthconformsto theavailablespace.In ourcase,anattackerhasfound,eitherby carefullyauditingthesourcecode,orby accident,thatthereis no checkingof theinput buffer’s size,andthattheinputbuffer and the operatingsystem’s instructionpointer are in abstractlyadjacentsectionsof memory. Theattackercarefullycraftsa fakeclient requestthatexactlyfills the input buffer with a small program,andthenwrites a few bytesof datathatmustbeplacedwith precision;a missingor extra byteof paddingwill spoiltheattack.Thesmallprogramasksthekernelto starta shell (commandprompt)with rootprivilegesonthefile server’sport; theextradatathatoverflowstheinputbuffer overwritesthekernel’s instructionpointer.

Now the stageis set. The file server sits waiting for incomingconnections.Thekernelseesa seeminglylegitimatesynchronizationrequestarrive for thefileserver, makesa noteof the next instructionit will performwhenthe file serverhasfinished,andhandsoff controlof theprocessor. Thefile serverblindly copiesthe incoming data—theattacker’s requestfor a root shell—to the input buffer,exactly filling it. If that were all, the file server would ask the kernel what todo next, the kernelwould say, “Parsethe input,” the file server would discoverthat the input is not a legitimaterequest,andwould harmlesslysendtheattackeran error message.However, a few bytesof dataremainin the incomingsignal;the file server, unawareof any problem,writes theseinto the adjacentmemory.But astheattacker carefullynoted,thenext few bytesof memoryin themachinearethe post-it padwherethe kernelwrote the next instructionto be performed.With thelastfew bytes,theattackerhasoverwrittenthememo,replacingthenextlegitimateoperationwith thetheattacker’s requestfor a rootshell. Thefile server

34

saysto thekernel,“Input received.Now what?”andthekernel,whotruststhefileserver completely, follows theattacker’s pointerandstartsa root shellon thefileserver’sport. Theattacker, at thefarendof a remoteconnectionto thefile server,now hascompletecontrolof themachine.

The attackjust describedis a typical buffer overflow exploit. Careful pro-grammersdo not acceptuser-suppliedinput without checkingthat it conformstowhat the programexpects,but potentialbuffer overflows canbe difficult to findin existing programs.Thefive serviceslistedearlierareperiodicallyfoundto bevulnerableto buffer overflows. Single-useroperatingsystemsandtheir softwareareparticularlyvulnerablebecausethereis noconceptof anon-rootuser, soeveryapplicationis potentiallyasourceof attack.

Unfortunately, thoughpatchesto vulnerableprograms(for GNU/Linux) areusuallydistributedalmostsimultaneouslywith the exploit report,many systemadministratorsdo not immediatelypatchtheir software.Thereis, consequently, awindow of opportunity, sometimeslastingmonthsor years,betweenthe time anexploit is announcedandthetimewhenthelastvulnerablemachineis patched.Ifyouareasystemadministrator(for example,if you runGNU/Linux onyourPC),it’ s a good idea to subscribeto CERT’s mailing list, anda goodhabit to patchexploitableservicesimmediately.

Script Kiddies

Buffer overflows andotherremoteattacksmayseemabstruseandof little causefor concern,but they arefar morewidespreadthanthe difficulty of writing onemight indicate. The real risk is that oncea vulnerability is found, an exploit isusuallypublishedquickly, asproof of concept.Thesourcecodefor exploits getspostedin well-known locationsontheInternet(doagoogle searchfor “hacking”or “alt.2600” andseewhatyou find), andmaladjustedyouthsknow wherethesesitesare. The endresult is that thousandsof kids (usuallymaleteenagers)whoknow almostnothing aboutcomputersare capableof successfullygetting rootaccessonvulnerablemachines.It is darklycomicto view systemlogsof compro-misedmachines;attackersoftenbumblearoundtheexploitedmachine,trying tofigureouthow theoperatingsystemworks.

In securitycircles,theseattackersareknown genericallyasscriptkiddies, andareanannoyancemorethana danger. Thescriptkiddie subcultureis patheticbuttragic; many areintelligentchildrenwith unhappy family or schoollives. Beinga computeroutlaw givesthema senseof worth andpurpose,malignthoughit is.LanceSpitzner, a systemsecurityexpert,haswritten a seriesof excellentpapers

35

onattackers(mostlyscriptkiddies)thatcanbedownloadedfrom theweb,seetheURL for theHoneynetProject.Thesepapersrangefrom a fascinatingview intothepsychologyof the“typical” scriptkiddie,to theactionsthey performoncetheygaincontrolof yourcomputer.

Availability and Legality of Attack Tools

Every attacktool hasa generallybeneficialuse,namelyto testsystemsfor vul-nerability. It is in legitimateusers’bestinterestthatthesetoolsbeeasilyavailableand freelyusable. To understandwhy, considerthat—ascomputerprograms—attacktoolsconsistof data. They canbewritten by any competentprogrammerregardlessof motivation,andoncewritten canbe freely copiedanddistributed.Shortof turningtheInternetinto a virtual policestate,thereis no way to restrictaccessto attacktools, any more thanthe exchangeof ideasor informationcanbecurtailed.Becausethe Internetextendsworldwide, thereis currentlyno legalentity thathasglobal jurisdictionanyway, soevenDraconianlaws in onecountrywill not stoptheauthorshipanddistributionof attackprograms.If thesetoolsaremadeillegal,userswho do not wish to breakthelaw (or for whomthepenaltyofuseis truly dire)will losethepotentialbenefits,while attackerswill not.

Thoughthis argumentis superficiallythe sameas the rationalefor keepingfirearmslegal, the fundamentalissueswith software are completelydifferent.First, a gunshotmaykill or irreversibly injure someone.A computerattackmaydestroy data,but youcanmakeanexactbackupcopy. If gunsweretruly analogousto attacksoftware,onecouldresurrectgunshotvictims. Second,thedeterrentar-gumentwith gunsis thethreatof retaliation;a muggeris lesslikely to attackyouif hethinksyou mayshoothim. With attackprograms,thebenefitis not to detersystemcrackers, but to obviate their attemptsto attackyour computer. By us-ing portscannersandremoteexploit programsagainstyour own machine(s),youcansearchfor andrepairpotentialvulnerabilities,so thatattacksagainstyou aresimply ineffective.

Restrictive lawsontheuseof attacksoftwareareseductivebecausethey seemtoprotectinnocentusers,whocannotbeexpectedto stayabreastof newly-discoveredvulnerabilities,securitypatches,andotherdevelopments.But the government’sjob is not to protectcitizensasparentsprotectinfants,nor canit bein thecaseofcomputertechnology, withoutbecomingtotalitarian.Theonly way for citizenstoprotectthemselvesandtheirpersonaldatain electronicform is to giveall respon-siblecitizensthemeansto do so,bothin termsof educationandin availability ofappropriatesoftwaretools.

36

Computersanddataare,in fundamentalquantitativeways,differentfrom anyprior or existing technology, and the legal establishmentis working diligentlyto legislatesocietalconductwith respectto electronicinformation. The comingyearswill be a time of rapid andrevolutionarychangein computerlaw. If weconcernedcitizensdo not educateourselvesof the technological,legal, social,andeconomicissuessurroundingcomputersandtheiruseasvehiclesfor financialandlegal transactions,we will bearthebruntof laws draftedin the interestsof afew wealthycorporations.Theseentitieshave a right to do businessfor a profit,but their aimsareoftenat oddswith the(American)ConstitutionalguaranteesofFreedomof SpeechandtheRight to Privacy. Technologyis changingrapidly, andthe processof self-educationis dauntingandongoing,but ascitizensof a FreeSociety, we would all do well to regardcomputersoftwareissuesasmattersofFreeSpeech,ratherthanastradesecretsdesignedto protectcorporateprofits,orasthepurvey of expertswecannothopeto understand.

B WebSitesfor Further Inf ormation

I amnotpersonallyaffiliatedwith any siteslistedhere.

� http://www.google.org (Searchengine)

� http://www.fsf.org (TheFreeSoftwareFoundation)

� http://www.opensource.org (TheOpenSourceProject)

� http://www.linuxdoc.org/links/index.html(TheGNU/Linux DocumentationProject)

� http://www.cert.org (CERT/CC)

� http://project.honeynet.org (TheHoneynetProject)

� http://www.whitehats.com (Max Vision’ssecuritysite)

� http://www.whitehats.com/library/worms/lion/index.html(Analysisof the1i0nworm)

� http://www.linuxsecurity.com(A securityportalfor GNU/Linux users)

37

� http://www.attrition.org andhttp://www.insecure.org(Hackersitesin thebestsenseof theword)

� http://www.cultdeadcow.com/cDc_files/cDc-351(TheTao of WindowsBuffer Overflow, a detailedbut salty technicalpaperonwriting buffer overflow exploits.)

38