Re: Perversion attacks.

Eliezer Yudkowsky (eliezer@pobox.com)
Mon, 04 Nov 1996 18:32:02 -0600


On Fri, 1 Nov 1996, Anders Sandberg wrote:

> Note that you base this on the word "frequently", which is a doubtful
> assumption (do we have any data on how computer intrusion "usually"
> happens?). Usually these clever ideas are creative and involve
> non-computer tools such as physical break in, phone calls to trick
> users into revealing information or the ability to look through
> discarded documentation. In a future information-dominated world,
> this would be simpler, but security would also be higher.

Well, I know quite a bit about computer security myself, at least in one
environment - the MOO. Due to a number of basic security flaws and
human fallibility, it is generally possible for a sufficiently creative
and clever fellow - such as yours truly - to crack the security without
stepping outside the environment of the MOO. (Although, of course, I
worked on the side of the angels, attempting to create uncrackable
systems and fair RPG games.)

As I understand it, most modern computer security centers around the
password. Crackers try to get it, and security folk try to defend it.
This doesn't much resemble the perversion attacks pictured in
cyberspace, and might not resemble the future.

Cracking a MOO - again, without intercepting a wizard's password or
faking a net packet on a wizardly connection - consists of finding
numerous 'small' conceptual flaws in the system and linking them into a
fatal chain. Take LambdaMOO's RPG as an example. One bug I found - and
was made a GM for - involved an unsupervised call to the method
:magic_effect on the room one was in. In other words, it called the
method and allowed it to alter the amount of magic present without
checking to see who owned the method, whether said player was a GM,
nada. So of course, any player could hack a :magic_effect on the room
one was in, and cast incredibly powerful spells.

The point of this sad story - and it frankly isn't all that sad, I chose
that bug because it was one of the few that were surface errors rather
than fundamental flaws, and so was fixed and is no longer classified -
is that it doesn't even take an SI to go through MOO security like
tissue paper, just a year or so of experience. While the computers of
the future are likely to be more secure than MOOs, they are also likely
to resemble the MOO in that they will contain huge masses of slightly
flawed code, and will be cracked or perverted from the inside rather
than the outside. Forget passwords, forget forged packets; those are
simple problems that will either be solved by encryption or rendered
moot by Deutsch transistors or ansibles or God-knows-what.

A superintelligence, even a new and inexperienced one, will go through
the computer security of the future without even trying.

-- 
                 eliezer@pobox.com     Eliezer S. Yudkowsky
                 "I'm sorry, my karma ran over your dogma."
Disclaimer:  My opinions do not necessarily represent those of the other
members of the Interstellar Institute for Software Development and World
Conquest.  The IISDWC is a licensed conspiracy in competition with the
Microsoft Corporation and Dogbert's New Ruling Class.  Unless otherwise
specified, I'm not telling you everything I know.