The Internet Emperor has no clothes

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Fragility of computerized economy exposed by hack attacks

ANALYSIS
By Russ Cooper, MSNBC CONTRIBUTOR

Feb. 10 - Let's see. The COOs and CIOs of the attacked sites, the FBI, the U.S. Attorney General, and the President of the United States all say: "We don't know what it was." Security experts say, "It was probably... this or that." All the while some of the biggest sites on the Internet are dropping off as attacks against them seem to go unchecked. What do you think?

THESE SITES, and others like them, represent the majority of your retirement savings if you happen to be having a good investment year. The fact that they can so easily be knocked out of business, even if only temporarily, should cause alarms to ring in your ear.

Over the past few days the Internet has been targeted by unknown assailants who, whether they intended to or not, have demonstrated one of the fundamental weaknesses of the basis of our entire economy. The fragility of the Internet could not have been shown more clearly than it was when one of the largest, and most successful dot-com companies - Yahoo.com - was taken out of business for more than three hours on Monday. In the following days, other companies have been shown that their capabilities cannot overcome the flaws that are at the foundation of e-commerce.

THE MURKY DETAILS

Since the FBI has determined that all information relating to these attacks cannot be disclosed outside of the agency, it's impossible to say with any certainty precisely what has been happening. All we do know for sure is that the attacks were effective and broad-based.

I have seen logs from the attack on Yahoo.com, and they indicate it was based on a flaw in the Internet Control Message Protocol (ICMP). An attack (commonly known for more than a year) called Smurf was probably used to initiate requests to computers from around the Internet. Those computers would then reply to computers within Yahoo.com's network. Those replies overwhelmed Yahoo.com's normally robust infrastructure, causing the site to seemingly disappear off the Internet.

I have received partial logs from other attacks that would indicate a different type of attack took place on at least one other site. This other attack took advantage of the way the Internet works in order to flood the target. In this case, it appears that numerous computers around the Internet were instructed to send numerous very small messages to the target site.

In both cases, the Internet Standards, as defined by the Internet Engineering Task Force (IETF), dictate that your network must permit such traffic through if you expect to deal with the Internet public. The bottom line is that if you want to be in business on the Internet, you must open yourself to these forms of attacks. Sound reassuring? Now let's add to this anxiety.

HOPING AGAINST HOPE

The FBI conducted press conferences several times this week and advised the Internet-using community that the only defense against such attacks is to apply certain measures to your own computers. They said that if you didn't, your computers might be used in attacks against others. This is akin to saying that if you don't lock up your gun at home, someone might break in, steal it, and use it in a crime against someone else. Wonderful, but how does that protect me?

What they're saying is that if we walk around with a smile on our faces, and do unto others as we'd have them do unto us, the Internet will be a happy and safe place to live. Problem is, there's no way to enforce such a do-gooder ideal. There's no way to verify it. There's no recourse if people don't comply, and the Internet community of privacy advocates would attempt to kill any methods that might achieve compliance assurance. In other words, the only way to protect yourself is to hope you don't get attacked. Again, sound like a solid foundation upon which to base an entire world's digital economy? Wait, it gets worse.

MORE DO-GOODER THEORY

Two weeks ago the Computer Emergency Response Team (CERT) at Carnegie Mellon University, an auspicious group that has been handling security incidents for ages, issued an advisory to the world. The advisory clearly stated that dynamic HTML - Web data that is created on the fly when you view it - has the potential to harm you, the Internet consumer. Um, OK. That doesn't sound very good. So how do I protect myself?

Well, the advisory goes on to say that the only way to prevent this problem is to have all programmers who create these dynamic Web-based applications use sensible programming practices. Huh? That's right, it's the do-gooder theory again. If people write good programs, you'll have nothing to worry about. But if they don't, there's nothing you can do about it.

Well, the computer industry has been plagued with a problem for over 30 years that continues to grow: Buffer Overrun. A Buffer Overrun is the result of poor programming practices; it can allow you to be attacked, and it hasn't been resolved in over 30 years. In fact, it's getting worse. Yet CERT believes we can resolve the issues of poor Web programming practices that, more or less, are exactly the same as the problems with Buffer Overruns. Doesn't sound like much of a strategy to me.

WHAT THEY'RE TELLING YOU

So let me summarize what some of the most important governmental agencies are telling us all about the Internet.

If you connect to the Internet, beware, you can be attacked no matter what you do to protect yourself.

If you rely on the Internet to do business - be it a home worker connecting to the corporate offices, or a Web-based business doing e-commerce - beware; your ability to conduct business may be interrupted for an indeterminate amount of time ... and you can't do anything to prevent it.

If you visit a Web site, beware, that Web site might attack you while you're viewing its pages. There's nothing you can do about this either (except to disable most of the features in your browser that make going onto the Web enjoyable for the vast majority of consumers today).

If you give any information to a Web site, beware. Your information may be stolen from that site. There's nothing you can do about this either.

If you use Web-based e-mail, beware. Mail you receive may attack your computer, or cause your Web surfing experience to be tracked, monitored, or altered. There's nothing you can do about this.

Basically, the Internet is the kind of place where you're at risk no matter where you go, and there's nothing you can do to minimize those risks other than to get out of there.

PROBLEMS STACKED ON PROBLEMS

What's most worrisome about all of this is that it has nothing to do with 15-year-old hackers, or hacker cliques that are attempting to change the world. It has everything to do with our willingness, or desire, to attain what we believe the Internet can bring about. The majority of the public has been willing to ignore the risks that have continually been presented and discussed in security circles for years. And stock analysts who typically brush off these issues as growing pains continue to invest more and more of our economy in this feeble technology.

Government has been wondering what, if anything, it should do about the problem. Advocates who would prefer to keep regulation to a minimum have continually said: "The Internet is self-policing, self-regulated, and we're working to resolve the problems." Well, if there is nothing else that government can do, they can DEMAND that the self-policing, self-regulating bodies involved in the design and operation of the Internet solve the problem. They're not doing a good job of it, largely, I believe, because they're unwilling to force a radical change in the way the Internet is built or operates. They're too nice, too understanding, too willing to give in to another intellectual discussion about what it should or shouldn't do. Nobody's there who can put their foot down and say, "That's it, this is the way it's going to be!"

In the end, I believe, they are forcing the hand of government to take away the IETF's mandate. Marcus Ranum said that we could easily design and implement a new Internet, one that has fewer risks and allows individuals and corporations to protect themselves rather than relying on the goodwill of the rest of the world. I agree, we can. He also said it would never happen, simply because it would break too much in the process.

If the observations above don't convince you that things are already broken, nothing will.

http://www.msnbc.com/news/368784.asp



-- Martin Thompson (mthom1927@aol.com), February 15, 2000

