Re: MSNBC article on artificial humanity (morphing into computer

Kyle L. Webb (kwebb@gkar.phys.unm.edu)
Mon, 8 Jun 1998 10:39:09 -0600


security)
To: extropians@extropy.com
Date: Mon, 8 Jun 1998 10:39:19 -0600 (MDT)
In-Reply-To: <357BDD01.3F9DDF93@gate.net> from "Harvey Newstrom" at Jun 8,
98 08:45:53 am
X-Mailer: ELM [version 2.4 PL25]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-extropians@extropy.com
Precedence: bulk
Reply-To: extropians@extropy.com

>
> And a poor article at that. Peter Sommer, senior research fellow at the
London
> School of Economics says that to hit a major network you need to know
"...what
> back-up there is," "You would need to infiltrate someone into the
> organisation," and "They would need to know how to write code and
introduce it
> onto the system."
>
> Do any security experts on this list think that hacking involves back-ups?
> that hacking requires a person on the inside? or that hacking requires code
> writing and an entry point to run code on the system?

I'm not a security "expert", but I am a sysadmin at a financial site, so I
do have to deal with security issues.
Back-ups are a critical element in security. If you have backups that can be
trusted, the damage to financial data can be limited to only that which has
changed in the time since the attack. Believe me, having to reenter one day
of data is far better than having to reenter a couple months of it (I've been
through both situations at my current company). If you are trying to nail a
system for the long term rather than just a quick raid that destroys some
data, or causes some action to be taken, the backups are a very high priority
to subvert. If you can put false data into the backups over a period of time
or otherwise make them untrustworthy, that greatly increases the damage to
systems involved in record keeping, or transaction processing. It's less so
for systems that are only involved in control, and don't keep long term
records
but even there, it's a major target. It's far faster to reinstall a complex
system from a full backup, than to reinstall everything piecemeal, and have to
set all the system parameters again.
As to the part about needing to get into the organization to get into the
systems and subvert them, it depends. For most of the sites on the internet,
no. For sites running high level secure systems, provided they aren't making
silly mistakes, it's probably the most straightforward way to get at them.

> The article then goes on to dismiss teenage hackers as being "lucky" rather
> than skillful when they crack into military computers. The article
dismisses
> Cyber Terrorism as being a "Theoretical Danger", but not actually likely to
> ever happen.

There are two parts to my answer to this. Are there dangers? Yes.
But; Are the dangers being inflated? Yes.
Most of the hackers that I've encountered are script kiddies. They use
prepared
scripts to exploit known system weaknesses, and don't really have the info to
find new ones, save through getting lucky. There's a smaller group that do
have
the skills and understanding. If it's a government trying to target your
system
as in true info warfare, that's a whole different ball game, as they have
a lot of resources, and likely will be trying to infiltrate not only your
network, but your organization as well.
I've seen an awful lot of hype about info war and cyber terrorism, and a
lot of
it has come from people who want to sell me, and the company I work for a new
spiffy security system that will solve the problem of all those evil crackers
out there. What I've found is that the best defense is exactly what one of the
people quoted in the article either implies or mentions directly. Thoroughly
trained, alert, and technically skilled admins, combined with
auditing/security
policies that make sure the known holes are plugged, and the users are trained
how not to make the worst of the common security mistakes.

And would our government make use of fears over this to push key escrow, and
other policies? Well, in light of such things as the CDA, I leave that
as an exercise for the reader.

Kyle L. Webb Dept. of Physics +
Astronomy
kwebb@gkar.phys.unm.edu University of New Mexico