Written on September 29th, 1995 - Mid afternoon to early evening.
There's been a lot of talk (and some action) in the past few
years about the Internet and security. Not the usual concerns of password
protected computer accounts and such, but over the actual safety and
privacy of data transmitted over the 'net.
This has primarily come about with the near tangent-like increase
of commercial interests on the 'net. In the past, most companies that were
involved with the Internet were either manufacturing products related to
it (hardware and software), or were using it to support their
computer-related products. Very few commercial transactions occurred on
the 'net in the past.
But now there are hundreds, perhaps thousands of businesses that are
getting on the Internet and pushing their wares, not simply advertising
but selling their products on-line. For this to work, people need to give
out their credit card numbers, or create special debit accounts with
services such as First Virtual. Sometimes you even need to do both. And
all of this monetary-related information is being bounced across a global
network that was never designed for the purpose at all.
Think about it: The Internet grew out of a project started
decades ago, a network of computers for military defense research. At
that time, it was plain illegal to try and use ARPAnet for commercial
purposes. Not that any commercial companies were interested in, or even
knew about, that early computer network.
Over the years, many changes have been made (or occurred), many
developments and advances. The Internet grew out of the base work done on
the ARPAnet project, and the interest of thousands of computer scientists
across the world at Universities and research institutes. By the 80's,
the USA was saturated with sites and almost every continent was on the
'net. The primary goal for this vast co-operative network (heavy emphasis
on the co-operation) was to freely and widely disseminate information,
mostly educational and research oriented materials.
No one, at any point in this whole lengthy process (which was rather
decentralized), gave any serious thought to securing this
multi-quadrillion network of hundreds of thousands of nodes. Sure,
individual systems have their own security (though that's pretty
dependent on the competency and thoroughness of the sysadmins at each
site), but that only applies to the data on the storage media and the
accounts. Once data is transmitted from a computer onto the TCP/IP
network of the Internet, it will travel through many nodes, without
anything to prevent it from being grabbed by others.
Kevin Mitnick proved that IP spoofing can be done (and got
arrested for it, but that's another matter). This has been theorized for
some time but no one really wanted to spend the time to test the theory
out. Except Kevin.
Robert T. Morris proved that the entire Internet could be brought
grinding to its knees with a relatively simple program that exploited a
few bugs in some of the most commonly used software.
The Church of Scientology has proved that regardless of what
promises a corporation or individual may make about the privacy of your
personal information, that information can be obtained, legally, via
warrants and other court orders. Netcom, an Internet Service Provider,
was forced to give up records of a particular user (including name,
address, phone number, and even credit card numbers) when faced with a
court order for such. An anonymous remailer service in Finland had to
give up information on one particular account for the same reason, and this
involved Interpol.
Two students at Berkeley University in California were able to
break Netscape's key-generation system with a moderate amount of
computing power and time. Anyone with the skills and knowledge (i.e. a
rather large group of people) could do the same and grab any of the
supposedly-secure commerce information passing between a user and
whatever entity they're attempting to purchase from.
It is obvious that if you put your personal information, credit card
numbers, social security number, or other personal and/or
financially-related information on the 'net, especially for the purpose
of transmitting to another site, that it's about as secure as a glass
house with an open door.
There are many proposed solutions. Some of them are very good.
But even with strong encryption, firewalls, advanced identification
methods, and other new security concepts, the information sent is only as
secure as a given password... If someone breaks into your account on the
service you use, they can wreak havoc. If they get your social security
number and know what commerce services you use, you may find yourself
with $5,000 of beef jerky on your next VISA bill.
I'm not pretending to be a security expert. But it's become
painfully clear to me that the dull-witted and ignorant commercial sector
of our society is so eager to find a new way to try and suck down as much
as it can get that the Internet is being pushed far beyond the limits of
its infrastructure. At least in regard to security, if not other areas
as well.
More on that issue in the next essay.
Copyright 1995, 1996 by Jeff Carl Mercer. All rights reserved.
This document is "fair-use friendly". Quote at will.
Please contact the author if you wish to reproduce this document in whole.