From: David Berger <dvberger@eit.COM>
Date: Wed, 11 Oct 95 11:05:04 PDT
To: John Young <jya@pipeline.com>
Subject: Re: NYT on Internet Flaws
Message-ID: <199510111812.LAA21331@viper.eit.com>
MIME-Version: 1.0
Content-Type: text/plain


Just read through the stack of news this was based on (comp.security.unix)

The Berkeley folks rightly point out that if I trust an NFS to send me a
binary, then an interaction with the server sans authentication/encryption
can leave me with a compromised binary.  This is valid when I get my binary
from out on the net.  This seems much less valid when I live behind a
firewall and trust my fellow workers who have access to the server, the
wires coming out of my cube, and my whole machine for that matter.

As a result, the only thing I think this article should say is that we need
secure ftp.  Isn't this being worked on?

As for the article - 9/10 scaring people, 1/10 semi-fact.  Be serious?  NFS
is not the basic structure of the Internet.  I'm embarrassed that an article
so weak in its explanations and so high on fluff appeared on the front page
of a well respected newspaper.

Dave

-----the article for reread-------

>   The New York Times, October 11, 1995, pp. A1, D3.
>
>   [Page One]
>
>   Discovery of lnternet Flaws Is Setback for On-Line Trade
>
>   By John Markoff
>
>
>   San Francisco, Oct. 10 -- Newly publicized weaknesses in
>   the basic structure of the Internet indicate that the
>   worldwide computer network may need a time-consuming
>   redesign before it can be safely used as a commercial
>   medium.
>
>   The flaws could allow an eavesdropper or criminal to divert
>   many types of documents or software programs traveling over
>   the Internet, examine or copy or alter them, and then pass
>   them on to the intended recipient -- who would have no easy
>   way of knowing that the files had been waylaid. Not only
>   could electronic mail be read in transit or credit card
>   numbers be copied en route, but special security techniques
>   meant to protect such transactions could be dismantled
>   without the user's knowledge.
>
>   That such security flaws exist is not surprising in a
>   system designed originally as a scientific experiment. But
>   the recent rush to the Internet by companies seeking to
>   exploit its commercial possibilities has obscured the fact
>   that giving the system a new purpose has unearthed
>   fundamental problems that could well put off true
>   commercial viability for years.
>
>   "Companies would have you believe this is a trivial
>   problem," said Eric Brewer, a professor of computer science
>   at the University of California at Berkeley. "But now there
>   is a financiat incentive to exploit these flaws and to do
>   it secretly."
>
>   The problems were described in a posting that researchers
>   at the university made on Monday to several on-line
>   discussion groups. While the discussion groups are intended
>   for computer security experts, they are potentially
>   accessible to millions of Internet users -- including
>   break-in artists, who are known to monitor such discussion
>   groups for tips on new ways to crack computer systems.
>
>   The researchers who described the Internet weaknesses
>   include two Berkeley computer science graduate students who
>   noted a security weakness in a popular Netscape
>   Communications Corporation software program last month.
>   Then as now, the students' stated motivation in publicizing
>   the problems was to underscore vulnerabilities facing all
>   companies and customers wishing to use the Internet for
>   commerce.
>
>   When the Netscape problems were disclosed last month, the
>   company said the security flaws would be corrected in the
>   next version of its software, which users would be able to
>   download at no charge from Netscape's Internet site. But
>   the newly publicized flaws in the Internet itself indicate
>   that even if a user downloaded a copy of the new, improved
>   Netscape program, a criminal could tamper with the copy
>   along the way and make it unsafe for use in credit card
>   transactions.
>
>   The problem is not Netscape's alone; it potentially affects
>   any organization that operates a computer from which files
>   or software could be downloaded over the Internet. The
>   weakness can be traced to the technical underpinnings of
>   the network, which was set up more than a quarter-century
>   ago not as a medium for conducting business but as a way
>   for academic and scientific researchers to exchange
>   information.
>
>   The disclosure of the flaws casts doubt on the aspirations
>   of companies like Netscape, which last summer had one of
>   the most successful stock offerings in Wall Street history
>   based on the promise of the impending arrival of a
>   full-fledged on-line marketplace.
>
>   "Companies should take a step back and think about this a
>   little more," said Ian Goldberg, one of the Berkeley
>   students. "If it takes a bit longer but comes out more
>   secure, we will all be better off in the long run."
>
>   The way many Internet systems are set up -- especially the
>   Internet's increasingly popular World Wide Web service in
>   which software images and even video and audio clips can be
>   easily downloaded -- information is stored on a computer
>   called a file server and then transferred to a user's
>   computer when it is needed.
>
>   The newly publicized weakness occurs in a widely used
>   Internet protocol -- or technical standard -- known as the
>   Network File System, or NFS. Because NFS does not have any
>   means for allowing the recipient of a program or document
>   to verify that it has not been altered during transmission
>   from the file server to the user, any interception or
>   tampering would go undetected.
>
>   "The Internet protocols have been insecure since day one,"
>   said Jeffrey I. Schiller, the manager of computer networks
>   at the Massachusetts Institute of Technology and director
>   of an industry task force that is trying to design a new
>   secure version of the Internet.
>
>   But the group's timetable is uncertain, and even when it
>   does have recommendations ready, Mr. Schiller is not
>   optimistic that the industry will be willing to devote the
>   time and money to put them into effect.
>
>   He said that many technologies already exist for improving
>   commercial security on the Internet, but many of them
>   require too much technical sophistication on the part of
>   computer users. He criticized makers of hardware and
>   software for not moving more quickly to make easy-to-use
>   security features a built-in part of the technology used on
>   the Internet.
>
>   "The people who should be the leaders in offering security
>   have been too busy counting their money to build these
>   features in to their products," Mr. Schiller said.
>
>   Some commercial Internet merchants have tended to play down
>   the potential for harm from an illegal interception of
>   credit card information over the Internet. They point out
>   that consumers routinely make their credit card numbers
>   available in transactions done by mail or telephone and
>   that the law puts limits on a consumer's liability in cases
>   of credit card fraud.
>
>   But Mr. Brewer, the Berkeley professor, said that the
>   crucial difference in the proposed Internet commerce
>   systems was that for the first time it would be relatively
>   simple for a criminal to collect hundreds or thousands of
>   credit card numbers. Then a thief could use each credit
>   card only one time, making detection much more difficult.
>
>   Sensitive to heightened concerns about security, Wells
>   Fargo, the large California bank, which earlier this year
>   began permitting customers with personal computers to view
>   their account information with the Netscape software,
>   suspended the service in September after the Berkeley
>   students reported the flaw in Netscape.
>
>   After Netscape followed with an improved version of its
>   software, Wells Fargo officials found it secure enough that
>   they planned to resume the service later this week. The
>   bank will, however, require customers to use the corrected
>   version of the Netscape program.
>
>   Even then. Wells Fargo customers will be able only to view
>   account balances and other information, but not transfer
>   money or conduct other transactions of the type that might
>   leave them vulnerable to the Internet NFS weakness.
>
>   "We still hope to be able to offer transactional
>   capabilities next year, but this has slowed us down a
>   little bit," said Lorna Doubet, a Wells Fargo spokeswoman.
>   "Many of our customers feel that security is absolutely
>   essential and we have to be cautious in this regard."
>             
>   Executives at Netscape said yesterday that they were aware
>   of the security issues surrounding NFS and would make
>   changes in the next release of their software expected
>   before the end of the year to permit a recipient of a
>   downloaded program to check it for signs of tampering.
>
>   And hoping to take advantage of the fault-finding talents
>   of the Berkeley researchers and other like-minded software
>   experts, the company announced a contest today called
>   Netscape Bugs Bounty, in which Netscape will award prizes
>   to users who find bugs or security loopholes in its
>   software.
>
>   Some Internet experts said they expected that many security
>   weaknesses like the one the Berkeley group had demonstrated
>   would be found, because the Internet was simply not
>   designed to insure secure commerce.
>
>   "Imagine a walled town or a house," said Noel Chiappa, a
>   member of the Internet Engineering Task Force, a
>   standards-setting group. "It doesn't matter if 99 windows
>   are tight as can be -- if the 100th is wide open, the bad
>   guys will bypass your security. "
>
>   [End]
>
>
>
>
>
>
>
>
>
>
>