Date: 1998-08-11
Kassandra/two: Rickety Internet
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
The most important sentence in this sobering diagnosis by
crypto/head Bruce Schneier of the current state of
security on the Internet:
The real threat is ignorance: in companies, in the media, in
the public.
-.-.- --.- -.-.- --.- -.-.- --.-
Internet is rickety
The Internet is fragile, rickety. It is at the mercy of
every hacker and cracker. In recent congressional testimony,
hackers from the group calling itself L0pht boasted that
they could bring down the Internet in less than 30 minutes.
Should we be concerned?
In almost every area, those with the expertise to build our
social infrastructure also have the expertise to destroy it.
Mark Loizeaux is president of Controlled Demolitions Inc.;
he blows up buildings for a living. He's quoted in the July
1997 Harper's magazine as saying, "We could drop every bridge
in the United States in a couple of days. . . . I could
drive a truck on the Verrazano Narrows Bridge (connecting
Brooklyn to Staten Island) and have a dirt bike on the back,
drop that bridge and I would get away. They would never stop
me." Ask any doctor how to poison someone untraceably, and he
can tell you. Ask someone who works in aircraft maintenance
how to knock a 747 out of the sky, and he'll know. The
Internet is no different.
...
Sometimes it doesn't even take that much skill. Timothy
McVeigh destroyed the Oklahoma City federal building, even
though his sloppy and excessive use of explosives probably
disgusted a professional like Loizeaux.
Sloppy and excessive Internet attacks can also be
successful; it doesn't take a rocket scientist to realize
that you can choke someone's e-mail server by subscribing
him to every one of the thousands of Usenet mailing lists.
So at first glance the Internet is no different from any
other critical piece of infrastructure: fragile and
vulnerable. But the nature of the attacks is very different.
McVeigh had to acquire the knowledge, go to a private farm
and practice, rent the truck, fill it with explosives, drive
to the federal building, set the fuse and get away. For our
doctor to poison someone or our aircraft maintainer to
sabotage a 747, they have to get close to their target, put
themselves at risk, get in, get away, leave evidence, make
mistakes. And they all have to know what they are doing.
...
Ehud Tenenbaum, a.k.a. The Analyzer, the Israeli hacker who
wowed the world with his works against the Pentagon, didn't
do anything new. He downloaded an existing tool to exploit
an old security flaw that was patched years ago and attacked
a bunch of computers that never had their systems updated.
The real news is that the Pentagon doesn't bother installing
free patches to protect its computers against published
attacks.
Fear will always play a part in security, whether it is
airline safety, terrorist countermeasures, or Internet
security. But the real threats aren't from ethical hackers
like the L0pht members, who uncover security holes and then
announce their results so they get fixed. Nor are they from
sophomoric hackers like the Analyzer, who download pirated
software programs and run them without fully understanding
what they are doing.
The real threat is ignorance: in companies, in the media, in
the public. As the world begins to conduct business over the
always-under-construction Internet, we need to understand
the real threats to the system. We need to understand what
levels of security are possible, even desirable. We need to
fix security flaws when they become known, and not just give
the problem lip service until the press coverage blows over.
And we need to make sure critical systems have redundant
backup plans.
The doomsday scenario is real: An ethical hacker discovers a
security flaw, someone else writes a program that
demonstrates it, someone else with less ethics modifies it,
and someone with no ethics decides to use it in a way no one
ever envisioned.
Suddenly, there's a Web site that has a Java application:
"Click here to bring down the Internet." It's not a pretty
thought.
Bruce Schneier is president of Counterpane Systems & author
of `Applied Cryptography'
full text
http://www.mercurycenter.com/premium/business/docs/hotbutton09.htm
-.-.- --.- -.-.- --.- -.-.- --.-
TIP
Download free PGP 5.5.3i (Win95/NT & Mac)
http://keyserver.ad.or.at/pgp/download/
-.-.- --.- -.-.- --.- -.-.- --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 1998-08-11
comments to office@quintessenz.at
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-