From: David Berger <dvberger@eit.COM>
To: John Young <jya@pipeline.com>
Message Hash: 2125d142bf88ceb6c43b6c3b81d3f946a61fb33738a4daafd3c08df75a9af7e1
Message ID: <199510111812.LAA21331@viper.eit.com>
Reply To: N/A
UTC Datetime: 1995-10-11 18:05:04 UTC
Raw Date: Wed, 11 Oct 95 11:05:04 PDT
From: David Berger <dvberger@eit.COM>
Date: Wed, 11 Oct 95 11:05:04 PDT
To: John Young <jya@pipeline.com>
Subject: Re: NYT on Internet Flaws
Message-ID: <199510111812.LAA21331@viper.eit.com>
MIME-Version: 1.0
Content-Type: text/plain
Just read through the stack of news this was based on (comp.security.unix)
The Berkeley folks rightly point out that if I trust an NFS to send me a
binary, then an interaction with the server sans authentication/encryption
can leave me with a compromised binary. This is valid when I get my binary
from out on the net. This seems much less valid when I live behind a
firewall and trust my fellow workers who have access to the server, the
wires coming out of my cube, and my whole machine for that matter.
As a result, the only thing I think this article should say is that we need
secure ftp. Isn't this being worked on?
As for the article - 9/10 scaring people, 1/10 semi-fact. Be serious? NFS
is not the basic structure of the Internet. I'm embarrassed that an article
so weak in its explanations and so high on fluff appeared on the front page
of a well respected newspaper.
Dave
-----the article for reread-------
> The New York Times, October 11, 1995, pp. A1, D3.
>
> [Page One]
>
> Discovery of lnternet Flaws Is Setback for On-Line Trade
>
> By John Markoff
>
>
> San Francisco, Oct. 10 -- Newly publicized weaknesses in
> the basic structure of the Internet indicate that the
> worldwide computer network may need a time-consuming
> redesign before it can be safely used as a commercial
> medium.
>
> The flaws could allow an eavesdropper or criminal to divert
> many types of documents or software programs traveling over
> the Internet, examine or copy or alter them, and then pass
> them on to the intended recipient -- who would have no easy
> way of knowing that the files had been waylaid. Not only
> could electronic mail be read in transit or credit card
> numbers be copied en route, but special security techniques
> meant to protect such transactions could be dismantled
> without the user's knowledge.
>
> That such security flaws exist is not surprising in a
> system designed originally as a scientific experiment. But
> the recent rush to the Internet by companies seeking to
> exploit its commercial possibilities has obscured the fact
> that giving the system a new purpose has unearthed
> fundamental problems that could well put off true
> commercial viability for years.
>
> "Companies would have you believe this is a trivial
> problem," said Eric Brewer, a professor of computer science
> at the University of California at Berkeley. "But now there
> is a financiat incentive to exploit these flaws and to do
> it secretly."
>
> The problems were described in a posting that researchers
> at the university made on Monday to several on-line
> discussion groups. While the discussion groups are intended
> for computer security experts, they are potentially
> accessible to millions of Internet users -- including
> break-in artists, who are known to monitor such discussion
> groups for tips on new ways to crack computer systems.
>
> The researchers who described the Internet weaknesses
> include two Berkeley computer science graduate students who
> noted a security weakness in a popular Netscape
> Communications Corporation software program last month.
> Then as now, the students' stated motivation in publicizing
> the problems was to underscore vulnerabilities facing all
> companies and customers wishing to use the Internet for
> commerce.
>
> When the Netscape problems were disclosed last month, the
> company said the security flaws would be corrected in the
> next version of its software, which users would be able to
> download at no charge from Netscape's Internet site. But
> the newly publicized flaws in the Internet itself indicate
> that even if a user downloaded a copy of the new, improved
> Netscape program, a criminal could tamper with the copy
> along the way and make it unsafe for use in credit card
> transactions.
>
> The problem is not Netscape's alone; it potentially affects
> any organization that operates a computer from which files
> or software could be downloaded over the Internet. The
> weakness can be traced to the technical underpinnings of
> the network, which was set up more than a quarter-century
> ago not as a medium for conducting business but as a way
> for academic and scientific researchers to exchange
> information.
>
> The disclosure of the flaws casts doubt on the aspirations
> of companies like Netscape, which last summer had one of
> the most successful stock offerings in Wall Street history
> based on the promise of the impending arrival of a
> full-fledged on-line marketplace.
>
> "Companies should take a step back and think about this a
> little more," said Ian Goldberg, one of the Berkeley
> students. "If it takes a bit longer but comes out more
> secure, we will all be better off in the long run."
>
> The way many Internet systems are set up -- especially the
> Internet's increasingly popular World Wide Web service in
> which software images and even video and audio clips can be
> easily downloaded -- information is stored on a computer
> called a file server and then transferred to a user's
> computer when it is needed.
>
> The newly publicized weakness occurs in a widely used
> Internet protocol -- or technical standard -- known as the
> Network File System, or NFS. Because NFS does not have any
> means for allowing the recipient of a program or document
> to verify that it has not been altered during transmission
> from the file server to the user, any interception or
> tampering would go undetected.
>
> "The Internet protocols have been insecure since day one,"
> said Jeffrey I. Schiller, the manager of computer networks
> at the Massachusetts Institute of Technology and director
> of an industry task force that is trying to design a new
> secure version of the Internet.
>
> But the group's timetable is uncertain, and even when it
> does have recommendations ready, Mr. Schiller is not
> optimistic that the industry will be willing to devote the
> time and money to put them into effect.
>
> He said that many technologies already exist for improving
> commercial security on the Internet, but many of them
> require too much technical sophistication on the part of
> computer users. He criticized makers of hardware and
> software for not moving more quickly to make easy-to-use
> security features a built-in part of the technology used on
> the Internet.
>
> "The people who should be the leaders in offering security
> have been too busy counting their money to build these
> features in to their products," Mr. Schiller said.
>
> Some commercial Internet merchants have tended to play down
> the potential for harm from an illegal interception of
> credit card information over the Internet. They point out
> that consumers routinely make their credit card numbers
> available in transactions done by mail or telephone and
> that the law puts limits on a consumer's liability in cases
> of credit card fraud.
>
> But Mr. Brewer, the Berkeley professor, said that the
> crucial difference in the proposed Internet commerce
> systems was that for the first time it would be relatively
> simple for a criminal to collect hundreds or thousands of
> credit card numbers. Then a thief could use each credit
> card only one time, making detection much more difficult.
>
> Sensitive to heightened concerns about security, Wells
> Fargo, the large California bank, which earlier this year
> began permitting customers with personal computers to view
> their account information with the Netscape software,
> suspended the service in September after the Berkeley
> students reported the flaw in Netscape.
>
> After Netscape followed with an improved version of its
> software, Wells Fargo officials found it secure enough that
> they planned to resume the service later this week. The
> bank will, however, require customers to use the corrected
> version of the Netscape program.
>
> Even then. Wells Fargo customers will be able only to view
> account balances and other information, but not transfer
> money or conduct other transactions of the type that might
> leave them vulnerable to the Internet NFS weakness.
>
> "We still hope to be able to offer transactional
> capabilities next year, but this has slowed us down a
> little bit," said Lorna Doubet, a Wells Fargo spokeswoman.
> "Many of our customers feel that security is absolutely
> essential and we have to be cautious in this regard."
>
> Executives at Netscape said yesterday that they were aware
> of the security issues surrounding NFS and would make
> changes in the next release of their software expected
> before the end of the year to permit a recipient of a
> downloaded program to check it for signs of tampering.
>
> And hoping to take advantage of the fault-finding talents
> of the Berkeley researchers and other like-minded software
> experts, the company announced a contest today called
> Netscape Bugs Bounty, in which Netscape will award prizes
> to users who find bugs or security loopholes in its
> software.
>
> Some Internet experts said they expected that many security
> weaknesses like the one the Berkeley group had demonstrated
> would be found, because the Internet was simply not
> designed to insure secure commerce.
>
> "Imagine a walled town or a house," said Noel Chiappa, a
> member of the Internet Engineering Task Force, a
> standards-setting group. "It doesn't matter if 99 windows
> are tight as can be -- if the 100th is wide open, the bad
> guys will bypass your security. "
>
> [End]
>
>
>
>
>
>
>
>
>
>
>
Return to October 1995
Return to “sameer <sameer@c2.org>”