mirror of
https://github.com/nhammer514/textfiles-politics.git
synced 2024-12-30 09:46:18 -05:00
454 lines
25 KiB
Plaintext
454 lines
25 KiB
Plaintext
Mail-From: ARPAnet host SRI-CSL rcvd at Wed Sep 28 15:58-PDT
|
||
Date: 26 Sep 1983 20:08-PDT
|
||
Sender: GEOFF@SRI-CSL
|
||
Subject: Telecommunications Security and Privacy.
|
||
From: the tty of Geoffrey S. Goodfellow
|
||
Reply-To: Geoff@SRI-CSL
|
||
To: Human-nets:,
|
||
To: Telecom:,
|
||
To: Security-Forum:,
|
||
To: Info-Micro:
|
||
Cc: csl:,
|
||
Cc: others:
|
||
Message-ID: <[SRI-CSL]26-Sep-83 20:08:20.GEOFF>
|
||
Redistributed-To: dist:
|
||
Redistributed-By: GEOFF at SRI-CSL
|
||
Redistributed-Date: 28 Sep 1983
|
||
|
||
On Monday, September 26th, I appeared before and presented invited
|
||
testimony at the U.S. House of Representatives Subcommittee on
|
||
Transportation, Aviation and Materials on the subject of Telecommunications
|
||
Security and Privacy.
|
||
|
||
Due to the activities of the Milwaukee 414s and the subsequent hoopla that
|
||
has been generated in the media, HACKING has been getting a bad name. I
|
||
therefore decided to address my testimony to the TRUE nature of computer
|
||
hackers and hacking (in an attempt to put the entire situation in some type
|
||
of perspective). I also addressed what can and should be done to help
|
||
abate the 'unsavory' hacking problem. And lastly, how low tech the current
|
||
hackings have been and what we might be seeing more of in the future.
|
||
|
||
I'm told the hearings went out live over CNN -- there were at least 16
|
||
video cameras that I could count and the rest of the room was jammed to
|
||
standing room only with reporters and other media.
|
||
|
||
Individuals who presented testimony were: Neal Patrick (of the 414s); Jimmy
|
||
McClary (Los Alamos Division leader for Security); Donn Parker and myself
|
||
(from SRI); and Steve Walker (formerly of DARPA/Pentagon).
|
||
|
||
Those interested in what I had to say about hacking and such are invited to
|
||
FTP a copy of my prepared testimony from [SRI-CSL]<GEOFF>HOUSE.DOC; There
|
||
is also a .LPT version with line-printer overstriking, should you want
|
||
that. If you cannot FTP a copy for whatever reason, I'll be able to send
|
||
one by netmail if you mail a request to Geoff@SRI-CSL.
|
||
|
||
Geoff
|
||
...............................................................................
|
||
...............................................................................
|
||
|
||
|
||
|
||
|
||
TESTIMONY BY GEOFFREY S. GOODFELLOW
|
||
|
||
Before the Subcommittee on Transportation, Aviation and Materials
|
||
on the subject of Telecommunications Security and Privacy.
|
||
|
||
26 September 1983
|
||
|
||
|
||
|
||
1. Introduction
|
||
|
||
My name is Geoffrey S. Goodfellow. I am primarily employed by the
|
||
Computer Science Laboratory at SRI International, Menlo Park, California.
|
||
For the past 10 years at SRI, I have been involved in research efforts
|
||
related with packet switched computer network communication systems,
|
||
protocols and security technologies. I have also been involved in
|
||
various operating and sub-system development projects. Currently, my
|
||
responsibilities include a position as Principle Investigator of SRI's
|
||
involvement in a Department of Defense program aimed at developing and
|
||
proving secure computer systems, that operate at different security
|
||
levels and communicate via networks. A detailed biography of my career
|
||
from 7th grade school where I discovered computers (which
|
||
eventually lead to my permanent abandonment of the formal educational
|
||
system during high school) to how I got to where I am today with no
|
||
degrees or any type of equivalency to my name is included at the end of
|
||
my testimony.
|
||
|
||
I am a coauthor of the Hacker's Dictionary -- A Guide to the World of
|
||
Computer Wizards, a new book being published this fall.
|
||
|
||
THE STATEMENTS INCLUDED HEREIN ARE MY OWN AND DO NOT NECESSARILY
|
||
REPRESENT THOSE OF SRI INTERNATIONAL OR ANY CLIENTS OF SRI.
|
||
|
||
2. The Nature of Computer Hackers and Hacking.
|
||
|
||
The primary nature of a computer hacker can be defined as follows:
|
||
|
||
- A person who enjoys learning or knowing the details of computer
|
||
systems and how to stretch their capabilities, as opposed to most
|
||
users of computers, who prefer to learn or know only the minimum
|
||
amount necessary in order to get their job done.
|
||
|
||
- One who programs computers enthusiastically, for the sheer fun of it,
|
||
and gets a non professional amount of enjoyment out of using them.
|
||
|
||
- A person capable of appreciating the irony and beauty (i.e. `hack
|
||
value') of a program.
|
||
|
||
- A person who is good at programming quickly or is an expert on a
|
||
particular program. (This definition and the proceeding ones are
|
||
correlated, and people who fit them congregate).
|
||
|
||
Unfortunately, though, hacking has an unsavory faction to it:
|
||
|
||
- A malicious or inquisitive meddler (i.e. `poacher') who tries to
|
||
discover information by poking around. For example, a "password
|
||
hacker" is one who tries, possibly by deceptive or illegal means, to
|
||
discover other people's computer passwords. A "network hacker" is
|
||
one who tries to learn about the computer network (possibly because
|
||
he wants to interfere--one can tell the difference only by context,
|
||
tone of voice and manner of approach).
|
||
|
||
Hackers of all factions, whether benign or of the unsavory flavor,
|
||
consider themselves somewhat of an elite, though one to which new members
|
||
are gladly welcome. Hacking is meritocracy based on ability.
|
||
There is a certain self-satisfaction in identifying yourself as a hacker
|
||
(but if you claim to be one and are not, you'll quickly be labelled
|
||
`bogus').
|
||
|
||
The hacker is intensely interested in technology and is a very
|
||
inquisitive person. Many are social outcasts who don't enjoy the same
|
||
things as most other kids their age. Hackers of the unsavory flavor are a
|
||
very curious breed of individual -- many can best be described as
|
||
loners looking for someone to appreciate their talents. They know full
|
||
well that what they're doing errs on the `dark side (of the force)' --
|
||
to coin a phrase. Unsavory hackers want to get caught so they can be given
|
||
the appreciation they desire -- and the process of getting caught adds an
|
||
essence of thrill to their endeavor.
|
||
|
||
I would like to state for the record, that benign hackers, such as I,
|
||
deplore the unsanctioned entry and subsequent rummaging of mainframe
|
||
computer systems and networks. These types of activities are tarnishing
|
||
the profession of hacking and giving it a bad name.
|
||
|
||
In the Real World, computer system organizations are generally run
|
||
like totalitarian police states. This unfortunate reality fosters
|
||
resentment in hackers and a desire to challenge the reverence of
|
||
authority develops. As a result, the way hackers bring themselves to a
|
||
system managers attention is via the medium they know and relate to best:
|
||
a terminal and modem and your computer system. In most cases, the hacker
|
||
wouldn't personally think of or know how to go about calling up the
|
||
director of a computer system and offering his services to you as a bright
|
||
young guy for the fear of reprisals or not being taken seriously.
|
||
Instead, they choose to `introduce' you to them by meddling with your
|
||
computer system, cavalierly circumventing security and protection
|
||
mechanisms, in order to satiate their hunger for knowledge and
|
||
develop an understanding of how things work.
|
||
|
||
The organization will respond in kind by trying to `plug the leak' of
|
||
an intrusion into their system by erecting barriers. This type of
|
||
reaction is precisely the wrong approach to take, because the hacker
|
||
will notice the beefed-up defenses and see them as a further
|
||
challenge of his prowess and ingenuity and legitimate users are subjected
|
||
to greater inconvenience.
|
||
|
||
Instead, what an organization should do is try to befriend hackers which
|
||
have penetrated their inner sanctums. The perspective that should be
|
||
taken is one of "Is it helpful or useful for you to do this?" rather
|
||
than "Are you authorized to do this?". You must in effect come down to
|
||
the hackers level and circulate among them. Show them that you appreciate
|
||
their talents. If you ask them nonforeboding questions and take a genuine
|
||
interest in what they're doing, most of the time you'll find they're more
|
||
than happy to tell you exactly what it is they're looking for or
|
||
interested in. The hacker wants to learn and you can be their
|
||
guide/teacher. This is how I was dealt with by the firm that caught
|
||
me during my unsavory hacking days in 1973 when I breached security on a
|
||
large commercial timesharing network and many of its host computer
|
||
systems. I was very much inspired by this method of catching and steering
|
||
unsavory hackers towards more constructive use of their talents.
|
||
|
||
There is, however, a more virulent strain of the unsavory faction, namely
|
||
the electronic vandals or joy-riders (N.B. NOT HACKERS). This strain
|
||
includes, for example, kids whose parents are of an affluent nature. As a
|
||
result, these kids have an inflated world picture and little or no true
|
||
sense of reality, due to the nature of their care-free life styles and
|
||
upbringing. These kids plague computer systems and networks as they
|
||
would spray paint on school walls, t-p someone's house, or engage in the
|
||
use of so called 'recreational' drugs. In other words, these illicit
|
||
activities are engaged in with absolute reckless abandon and disregard for
|
||
the rights or sovereignty of other people's property. As with regular
|
||
vandalism, the primary motivators seems to be simply doing it because
|
||
they can get away with it, and because of the respect it brings them
|
||
among their equally disrespectful peers. This differs from the unsavory
|
||
hacker in that there is no constructive purpose or motive involved, such
|
||
as learning or acquiring knowledge. This problem is further
|
||
exacerbated by the juvenile age of the perpetrators and the unlikelihood of
|
||
prosecution, even if caught. The perpetrators are smugly aware of their
|
||
immunity in most cases!
|
||
|
||
3. What Can and Should Be Done to Help Abate The Unsavory Hacking Problem?
|
||
|
||
From my own observations and inspections of systems and from what I have
|
||
been reading in the press, I have come to the conclusion that
|
||
computer site administrators are not taking reasonable and prudent
|
||
measures to protect their computer systems from even the most casual
|
||
methods of circumvention. A rather egregious example of this would be the
|
||
installation of which the 414s allegedly logged into with username "test"
|
||
and password "test". Usernames and passwords of this sort are not uncommon
|
||
and sites which set up logins like this are just asking for a break in
|
||
-- just as someone who would leave a key in the lock on the front door of
|
||
their house, complete with the WELCOME! mat out for all to see, invites
|
||
the casual burglar.
|
||
|
||
The way I view `reasonable and prudent' measures of protection from the
|
||
casual penetration is by drawing a paradigm with the way DoD classified
|
||
information is handled.
|
||
|
||
With respect to the handling and use of classified information, it is
|
||
the responsibility of the organization to which you belong, in conformance
|
||
with DoD guidelines, to provide you with rules and regulations in
|
||
the handling of classified information. It is also the responsibility of
|
||
your organization to provide you with a safe place (i.e. a vault) to
|
||
store said information and to provide adequate safeguards (such as alarm
|
||
systems, security personnel and patrols) to prevent unauthorized access.
|
||
|
||
The same methodology should be taken to heart by administrators of
|
||
computer systems. It's their responsibility to provide reasonable and
|
||
prudent measures to prevent unauthorized access attempts from gaining
|
||
access to the system. This means a few very basic things like:
|
||
|
||
- Forcing users to choose reasonable passwords - not their spouse's
|
||
name or their dog's name.
|
||
|
||
- Setting up proper modem controls on dial-up/remote access ports so
|
||
that disconnection causes any jobs (or trojan horses left on the
|
||
port) to be flushed and results in resetting the port to not-logged
|
||
in status.
|
||
|
||
- Reporting incorrect password attempts to the system console or log
|
||
file.
|
||
|
||
- Causing line disconnection after a few successively repeated
|
||
incorrect password attempts.
|
||
|
||
- Using encrypted passwords, so it is not possible to compromise an
|
||
entire systems password list when circumvention of a systems
|
||
protection mechanisms is attained. This is analogous to the DoD's
|
||
compartmentalization of information -- so a breach in one area does
|
||
not sacrifice security in all areas.
|
||
|
||
The second facet of the paradigm is the users' responsibility. I don't go
|
||
out to lunch and leave my secrets sitting on my desk. I put them in a
|
||
vault. And I don't go throwing them over the embassy walls. So it is
|
||
the same for the computer system user. It is the users
|
||
responsibility to choose reasonable passwords and not leave them written
|
||
down anywhere, such as on their desk blotter or white board or to
|
||
pass them out to others.
|
||
|
||
The third matter is a paradigm of a different nature. This has to do
|
||
with socially acceptable values. Namely, when I was brought up, I was
|
||
taught about trespassing. If I went to someone's house and found the front
|
||
door wide open, I don't really know of anyone who would walk right in
|
||
and look around. They would instead stand at the door, ring the doorbell
|
||
or knock or call out. This type of responsibility or sense of morals
|
||
has to be applied to the computer technology field.
|
||
|
||
Research into methods of improving the safeguarding of information flow
|
||
through technology should be pursued. One such project is the one of which
|
||
I am the Principle Investigator of at SRI, which has to do with this type
|
||
of technology. Our involvement has to do with developing and proving
|
||
technologies that will absolutely assure that I will only have access to
|
||
information in a computer system database of which my clearance and
|
||
my `need to know' entitles me too, while prohibiting me from information I
|
||
am not cleared or permitted to access. However, one must carefully weigh
|
||
the value of increased security with the cost in user convenience and
|
||
flexibility.
|
||
|
||
Explicit federal and state criminal statutes should be enacted to
|
||
allow a vehicle for vigorous prosecution, should it be warranted or
|
||
desired, by injured parties. These explicit laws would also hopefully
|
||
act as a method of deterrence.
|
||
|
||
4. Let Us Not Lull Ourselves into a False Sense of Security.
|
||
|
||
In general unsanctioned computer system penetrations can be
|
||
performed by individuals who possess three basic aspects of computer
|
||
knowledge: access, skill and information.
|
||
|
||
Access can be defined as a terminal and modem. Skill can be
|
||
defined as ingenuity or familiarity with computer systems, especially
|
||
with the given system type that the penetration is directed
|
||
towards. Information can be defined as dial-up phone numbers, network
|
||
address or means of accessing a given computer system -- perhaps even
|
||
physical. Information can also include various methods, most likely in the
|
||
form of 'bugs' (i.e. shortcomings) or 'features' (i.e. an aspect
|
||
inherent to the hardware or software design of the system) which will
|
||
permit the holder to circumvent the operating system security and
|
||
protection mechanisms, and in effect gain carte blanche access to the
|
||
computer. Carte blanche can be defined as allowing the holder to override
|
||
file security and protection considerations, in that you can read or alter
|
||
any data and even change the nature of the computer operating system
|
||
software itself.
|
||
|
||
In the good ol' days such skill and information was not widely known.
|
||
However, with the ever increasing number of computer systems, both
|
||
personal and mainframe alike, information and skill is spreading to an
|
||
ever increasing number of individuals and institutions.
|
||
Unfortunately, not all of the individuals are as scrupulous as they
|
||
should be. Such instruments as `Pirate Bulletin Board' systems are
|
||
being used to disseminate this information on a nationwide, on-call, as
|
||
needed basis.
|
||
|
||
What does this mean?
|
||
|
||
Up until now most unsanctioned computer system penetrations have not been
|
||
the high technological acts of chicanery the media has made them out to
|
||
be. They were primarily performed by individuals who were as familiar
|
||
with computer technology as, say, an auto enthusiast is with what goes
|
||
on under the hood of your car. The 'auto whiz' has the breadth of
|
||
knowledge necessary to 'hot wire' a motor vehicle, just as your computer
|
||
literate individual has the breadth necessary to perform a
|
||
technological 'hot wire' inside a computer system.
|
||
|
||
However, the current low to medium technological approaches to
|
||
system penetrations are likely to change.
|
||
|
||
I define the technological levels as follows: high tech is defined as a
|
||
new method of circumvention. High tech methods are primarily
|
||
invented by individuals or a group of individuals who have an in depth
|
||
understanding of the desired technology the caper is directed against.
|
||
Medium tech can be defined as an individual who has the same basic level
|
||
of understanding as the high tech guy, but uses the knowledge and
|
||
perhaps fine tunes or refines it a bit (i.e. the medium tech individual is
|
||
a knowledgeable user). The low tech individual is just a user of
|
||
the knowledge with little or no understanding of what is involved in making
|
||
the technology perform its desired function.
|
||
|
||
In the not to distant future with higher stakes, increased levels of
|
||
knowledge and other aspects better understood, I believe we will see a
|
||
trend towards a more 'higher tech' level of system penetrations and
|
||
circumventions. These capers will be harder to detect and deter.
|
||
|
||
The further development of formal specification and verification techniques
|
||
and associated technologies will permit the system developers,
|
||
reviewers or specifier himself to verify that a given system
|
||
specification is consistent with a given model of desired operation.
|
||
|
||
5. Recommendations
|
||
|
||
In conclusion, I would like to say that I believe the scale of the
|
||
hacking problem is going to escalate dramatically as more of the technology
|
||
makes its way into the mass market. There is no one easy solution to
|
||
these problems. The directions that need to be taken are technological,
|
||
ethical/moral and social. Hopefully an increased awareness of the
|
||
vulnerability of our systems to penetration and circumvention will allow us
|
||
to see the light, in the form of solutions, at the end of the tunnel. And
|
||
hopefully that light, is not a train.
|
||
|
||
6. Biography (The Making of a Hacker)
|
||
|
||
My first experience with computers (and the world of `hacking')
|
||
manifested itself during my 7th grade school when I discovered a room
|
||
full of teletypes connected to a computer system at Stanford University
|
||
which offered Computer Assisted Instruction/drill programs.
|
||
|
||
Having discovered `The Computer Room', I started arriving at school early
|
||
each day to be able to play with them. I would also spend the lunch
|
||
hour, recess and as long as I could after school in the computer room, as
|
||
well.
|
||
|
||
Luckily, that summer I was permitted to hang-out at the Stanford facility
|
||
which had the computer system that served our school and others. This
|
||
allowed me the opportunity to interact with the system designers and
|
||
learn how everything worked. At the facility, I quickly began to
|
||
develop a keen interest in system-level software, such as the
|
||
operating system and privileged type programs which only `the wizards'
|
||
could run or know the inner workings of. However, I did not let this
|
||
fact keep me from learning about the system.
|
||
|
||
During the 8th grade, my parents wishing to contribute to their son's
|
||
apparent avid absorption of computer technology, procured a used teletype
|
||
machine and modem from a large time-sharing computer firm. I don't
|
||
know how, but in the process, they managed to talk the firm out of `free'
|
||
account for after hours and weekend use. The firm then promptly
|
||
forgot about me. After running the usual course of computer games, which
|
||
quickly became quite boring, my attention turned towards the operating
|
||
system and its protection mechanism, which I took delight in finding
|
||
ways around. This of course, was noticed by the time-sharing
|
||
company and one summer evening, after they were sure it was me inside
|
||
their system, their vice president and district manager came knocking at
|
||
our door, and in effect said, "gotcha!". The result of being caught was
|
||
that I was hired for the summer to help them make their system more
|
||
secure and plug the holes that I had uncovered in my wanderings.
|
||
|
||
While employed for the summer, 1973, I chanced to meet up with another
|
||
summer hire who had done some work at NASA-AMES and had knowledge of a
|
||
Department of Defense computer network, called the ARPANET, which linked
|
||
together computers all over the country at various research
|
||
establishments, universities and military bases. My new-found friend
|
||
passed me a dial-up number, and on a scrap of paper, wrote a few commands
|
||
that would allow me to connect up to various systems on the network.
|
||
|
||
In these early days of the ARPANET (which pioneered packet
|
||
switching technology, a method for allowing computers of different flavors
|
||
and types to `talk' to one-another), the majority of the computers had
|
||
`guest' accounts on them with purposefully obvious and published passwords.
|
||
This was done in order to promote the free use of resources at other host
|
||
systems and to let users of the network have a chance to explore, learn and
|
||
use said systems.
|
||
|
||
Needless to say, this was a gold mine that no hacker, such as myself,
|
||
could pass up. So I spent the better part of the summer learning and
|
||
using as many different computer systems as possible, all over the country.
|
||
|
||
One of my favorite systems to use was the guest login account on a host
|
||
called SRI-AI, a PDP-10 running the Tenex operating system, which
|
||
belonged to the Stanford Research Institute's Artificial Intelligence
|
||
Center. I thought it nice to have a system right in my very own home
|
||
town. I made it a point to get to know the operations of this system as
|
||
well as I could in hopes that perhaps someday I might have a login account
|
||
of my own to use and it would be nice to be familiar with it in such an
|
||
event.
|
||
|
||
Well, that day came when, as usual, I logged into the public guest account,
|
||
and out popped a message of the form "Welcome to the SRI-AI computer
|
||
public guest account. If you think you have a need for your own account,
|
||
send a note (with the on-line electronic mail program, of course) to
|
||
the system administrator, explaining your need."
|
||
|
||
Such an invitation was just to good to pass up and having my very own
|
||
login account is something I had dreamed about. So, I took it upon myself
|
||
to send a message saying I was a hacker who had been spending time on the
|
||
public guest account learning about their system and wanted to have an
|
||
increased level of access and login area of my own to store files. In
|
||
return, I would freely help improve the systems capabilities thru my
|
||
hacking.
|
||
|
||
After some initial trepidation on the part of the systems administrator
|
||
was overcome, my account was granted. This allowed me to make SRI-AI my
|
||
home base of network operations. I immediately proceeded to hack
|
||
away to my heart's content, now that, in effect, I had become a legitimate
|
||
network user.
|
||
|
||
After demonstrating my competence and some semblance of responsibility, I
|
||
was granted system privileges (i.e. carte blanche access to all system
|
||
resources). This permitted me to learn and develop a further understanding
|
||
of the system.
|
||
|
||
So, I hung around SRI for about 9 months. I was given a building pass, so
|
||
as to have physical as well as electronic (remote) access to the computer
|
||
systems. This allowed me to come and go at odd hours, which are the
|
||
hours hackers are best known to keep.
|
||
|
||
Then, there was an opening for a part-time weekend computer operator's job,
|
||
and since I had demonstrated my competence, I was immediately hired
|
||
for the position. I was now in my senior year of high school, and as a
|
||
result of my increased access to computers, my grade average followed the
|
||
typical hacker curve, i.e. down. until, two weeks into the final quarter
|
||
of my senior year in high school, I dropped out, and became full-time at
|
||
SRI. I have never returned to a classroom since the day I left school in
|
||
1974.
|
||
I dropped out, and became full-time at
|
||
SRI. I have never re |