[1025] in WWW Security List Archive
Re: New York Times article
daemon@ATHENA.MIT.EDU (Bob Quinn)
Thu Oct 12 19:06:35 1995
Date: Thu, 12 Oct 95 16:14:38 EDT
To: www-security@ns2.rutgers.edu
From: rcq@ftp.com (Bob Quinn)
Reply-To: rcq@ftp.com
Errors-To: owner-www-security@ns2.rutgers.edu
Markoff reveals a serious lack of understanding of Internet protocols.
His article implies that NFS is used by SMTP, FTP and HTTP. Somehow
he got it in his head that NFS is a keystone for the entire Internet
protocol suite.
--
Bob Quinn rcq@ftp.com
FTP Software, Inc. No. Andover, MA
--------- article attached (copied without permission) ------------
"Discovery of Internet Flaws Is Setback for On-Line Trade"
New York Times, October 11, 1995 by John Markoff
San Francisco, Oct. 10 - Newly publicized weaknesses in the basic
structure of the Internet indicate that the worldwide computer
network may need a time-consuming redesign before it can be safely
used as a commercial medium.
The flaws could allow an eavesdropper or criminal to divert many
types of documents or software programs traveling over the Internet,
examine or copy or alter them, and then pass them on to the intended
recipient - who would have no way of knowing that the files had been
waylaid. Not only could electronic mail be read in transit or
credit card numbers be read en route, but special security techniques
meant to protect such transactions could be dismantled without the
user's knowledge.
That such security flaws exist is not surprising in a system designed
originally as a scientific experiment. But the recent rush to the
Internet by companies seeking to exploit its commercial possibilities
has obscured the fact that giving the system a new purpose has unearthed
fundamental problems that could well put off true commercial
viability for years.
"Companies would have you believe this is a trivial problem," said
Eric Brewer, a professor of computer science at the University of
California at Berkeley, "But now there is a financial incentive to
exploit these flaws and to do it secretly."
The problems were described in a posting that researchers at the
university made on Monday to several on-line discussion groups.
While the discussion groups are intended for computer security
experts, they are potentially accessible to millions of Internet
users - including break-in artists, who are known to monitor such
discussion groups for tips on new ways to crack computer systems.
The researchers who described the Internet weaknesses include two
Berkeley computer science graduate students who noted a security
weakness in a popular Netscape Communications Corporation software
program last month. Then as now, the students' stated motivation
in publicizing the problems was to underscore the vulnerabilities
facing all companies and customers wishing to use the Internet for
commerce.
When the Netscape problems were disclosed last month, the company
said the security flaws would be corrected in the next version of
its software, which users would be able to download at no charge
from Netscape's Internet site. But the newly publicized flaws in
the Internet itself indicate that even if a user downloaded a copy
of the new, improved, Netscape program, a criminal could tamper
with the copy along the way and make it unsafe for use in credit
card transactions.
The problem is not Netscape's alone; it potentially affects any
organization that operates a computer from which files or software
could be downloaded over the Internet. The weakness can be traced
to the technical underpinnings of the network, which was set up
more than a quarter-century ago not as a medium for conducting
business but as a way for academic and scientific researchers to
exchange information.
The disclosure of the flaws casts doubt on the aspirations of
companies like Netscape, which last summer had one of the most
successful stock offerings in Wall Street history based on the
promise of the impending arrival of a full-fledged on-line marketplace.
"Companies should take a step back and think about this a little
more," said Ian Goldberg, one of the Berkeley students. "If it
takes a bit longer but comes out more secure, we will all be
better off in the long run."
The way many Internet systems are set up - especially the Internet's
increasingly popular World Wide Web service, from which software, images,
and even video and audio clips can be easily downloaded - information
is stored on a computer called a file server and then transferred
to a user's computer when it is needed.
The newly publicized weakness occurs in a widely used Internet
protocol - or technical standard - known as the Network File System,
or NFS. Because NFS does not have any means for allowing the
recipient of a program or document to verify that it has not been
altered during transmission from the file server to the user, any
interception or tampering would go undetected.
"The Internet protocols have been insecure since day one," said
Jeffrey I. Schiller, the manager of computer networks at the
Massachusetts Institute of Technology and director of an industry
task force that is trying to design a new secure version of the
Internet.
But the group's timetable is uncertain, and even when it does have
recommendations ready, Mr. Schiller is not optimistic that the
industry will be willing to devote the time and money to put them
into effect.
He said that many technologies already exist for improving commercial
security on the Internet, but many of them require too much
technical sophistication on the part of the computer users. He
criticized makers of hardware and software for not moving more
quickly to make easy-to-use security features a built-in part of
the technology used on the Internet.
"The people who should be the leaders in offering security have
been too busy counting their money to build these features into
their products," Mr. Schiller said.
Some commercial Internet merchants have tended to play down the
potential for harm from an illegal interception of credit card
information over the Internet. They point out that consumers
routinely make their credit card numbers available in transactions
done by mail or telephone and that the law puts limits on a
consumer's liability in cases of credit card fraud.
But Mr. Brewer, the Berkeley professor, said that the crucial
difference in the proposed Internet commerce systems was that for
the first time it would be relatively simple for a criminal to
collect hundreds or thousands of credit card numbers. Then a
thief could use each credit card only one time, making detection
much more difficult.
Sensitive to heightened concerns about security, Wells Fargo,
the large California bank, which earlier this year began permitting
customers with personal computers to view their account
information with the Netscape software, suspended the service in
September after the Berkeley students reported the flaw in
Netscape.
After Netscape followed with an improved version of its software,
Wells Fargo officials found it secure enough that they planned
to resume the service later this week. The bank will, however,
require customers to use the corrected version of the Netscape
program.
Even then, Wells Fargo customers will be able only to view
account information, but not transfer money or conduct other
transactions of the type that might leave them vulnerable to
the Internet NFS weakness.
"We still hope to be able to offer transactional capabilities
next year, but this has slowed us down a little bit," said Lorna
Doubet, a Wells Fargo spokeswoman. "Many of our customers feel
that security is absolutely essential and we have to be cautious
in this regard."
Executives at Netscape said yesterday that they were aware of
the security issues surrounding NFS and would make changes in
the next release of their software, expected before the end of
the year, to permit the recipient of a downloaded program to check
it for signs of tampering.
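The check the article says the download path lacks, and which Netscape said it would add, is a recipient-side integrity verification of the received file. The following is an added illustration (not code from the post, the article, or Netscape): the publisher computes a SHA-256 digest and distributes it over a separately authenticated channel, and the recipient recomputes the digest over whatever actually arrived; the sample file bytes are constructed.

```python
"""Added example: recipient-side integrity check for a downloaded file.
Stdlib only; the sample file and the transfer model are constructed."""
import hashlib
import hmac

# Constructed sample "program" as held on the publisher's file server.
PUBLISHED_FILE = b"#!/bin/sh\necho 'installer (constructed sample)'\n"


def publish_digest(data: bytes) -> str:
    """Publisher side: SHA-256 of the file. The hex digest must reach the
    recipient through an authenticated channel (e.g. a signed announcement),
    not on the same unauthenticated transfer as the file itself, otherwise
    both could be replaced together and the check would prove nothing."""
    return hashlib.sha256(data).hexdigest()


def verify_download(received: bytes, trusted_digest: str) -> bool:
    """Recipient side: recompute the digest over the bytes that arrived and
    compare in constant time. Any alteration in transit changes the digest."""
    actual = hashlib.sha256(received).hexdigest()
    return hmac.compare_digest(actual, trusted_digest)


def simulate_transfer(data: bytes, altered_in_transit: bool) -> bytes:
    """Constructed model of the network path. With altered_in_transit set,
    one byte is changed to stand in for the in-transit modification the
    article describes as otherwise undetectable."""
    if not altered_in_transit:
        return data
    buf = bytearray(data)
    buf[len(buf) // 2] ^= 0x01
    return bytes(buf)


def check_scenarios():
    """Run both cases; returns (intact_verified, altered_verified)."""
    trusted = publish_digest(PUBLISHED_FILE)
    intact = verify_download(simulate_transfer(PUBLISHED_FILE, False), trusted)
    altered = verify_download(simulate_transfer(PUBLISHED_FILE, True), trusted)
    return intact, altered


if __name__ == "__main__":
    ok, bad = check_scenarios()
    print("unmodified download verified:", ok)   # True
    print("modified download verified:", bad)    # False
```

A digest alone only detects modification; proving who published the file additionally requires the digest to be signed by a key the recipient already trusts.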
And hoping to take advantage of the fault-finding talents of the
Berkeley researchers and other like-minded software experts, the
company announced a contest today called Netscape Bugs Bounty,
in which Netscape will award prizes to users who find bugs or
security loopholes in its software.
Some Internet experts said they expected that many security
weaknesses like the one the Berkeley group had demonstrated would
be found, because the Internet was simply not designed to insure
secure commerce.
"Imagine a walled town or a house," said Noel Chiappa, a member
of the Internet Engineering Task Force, a standards-setting group.
"It doesn't matter if 99 windows are tight as can be - if the 100th
is wide open, the bad guys will bypass your security."
--- end of text ----