From: John Young <jya@pipeline.com>
Date: Wed, 11 Oct 95 02:48:02 PDT
To: cypherpunks@toad.com
Subject: NYT on Internet Flaws
Message-ID: <199510110939.FAA26747@pipe4.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   The New York Times, October 11, 1995, pp. A1, D3.

   [Page One]

   Discovery of lnternet Flaws Is Setback for On-Line Trade

   By John Markoff


   San Francisco, Oct. 10 -- Newly publicized weaknesses in
   the basic structure of the Internet indicate that the
   worldwide computer network may need a time-consuming
   redesign before it can be safely used as a commercial
   medium.

   The flaws could allow an eavesdropper or criminal to divert
   many types of documents or software programs traveling over
   the Internet, examine or copy or alter them, and then pass
   them on to the intended recipient -- who would have no easy
   way of knowing that the files had been waylaid. Not only
   could electronic mail be read in transit or credit card
   numbers be copied en route, but special security techniques
   meant to protect such transactions could be dismantled
   without the user's knowledge.

   That such security flaws exist is not surprising in a
   system designed originally as a scientific experiment. But
   the recent rush to the Internet by companies seeking to
   exploit its commercial possibilities has obscured the fact
   that giving the system a new purpose has unearthed
   fundamental problems that could well put off true
   commercial viability for years.

   "Companies would have you believe this is a trivial
   problem," said Eric Brewer, a professor of computer science
   at the University of California at Berkeley. "But now there
   is a financiat incentive to exploit these flaws and to do
   it secretly."

   The problems were described in a posting that researchers
   at the university made on Monday to several on-line
   discussion groups. While the discussion groups are intended
   for computer security experts, they are potentially
   accessible to millions of Internet users -- including
   break-in artists, who are known to monitor such discussion
   groups for tips on new ways to crack computer systems.

   The researchers who described the Internet weaknesses
   include two Berkeley computer science graduate students who
   noted a security weakness in a popular Netscape
   Communications Corporation software program last month.
   Then as now, the students' stated motivation in publicizing
   the problems was to underscore vulnerabilities facing all
   companies and customers wishing to use the Internet for
   commerce.

   When the Netscape problems were disclosed last month, the
   company said the security flaws would be corrected in the
   next version of its software, which users would be able to
   download at no charge from Netscape's Internet site. But
   the newly publicized flaws in the Internet itself indicate
   that even if a user downloaded a copy of the new, improved
   Netscape program, a criminal could tamper with the copy
   along the way and make it unsafe for use in credit card
   transactions.

   The problem is not Netscape's alone; it potentially affects
   any organization that operates a computer from which files
   or software could be downloaded over the Internet. The
   weakness can be traced to the technical underpinnings of
   the network, which was set up more than a quarter-century
   ago not as a medium for conducting business but as a way
   for academic and scientific researchers to exchange
   information.

   The disclosure of the flaws casts doubt on the aspirations
   of companies like Netscape, which last summer had one of
   the most successful stock offerings in Wall Street history
   based on the promise of the impending arrival of a
   full-fledged on-line marketplace.

   "Companies should take a step back and think about this a
   little more," said Ian Goldberg, one of the Berkeley
   students. "If it takes a bit longer but comes out more
   secure, we will all be better off in the long run."

   The way many Internet systems are set up -- especially the
   Internet's increasingly popular World Wide Web service in
   which software images and even video and audio clips can be
   easily downloaded -- information is stored on a computer
   called a file server and then transferred to a user's
   computer when it is needed.

   The newly publicized weakness occurs in a widely used
   Internet protocol -- or technical standard -- known as the
   Network File System, or NFS. Because NFS does not have any
   means for allowing the recipient of a program or document
   to verify that it has not been altered during transmission
   from the file server to the user, any interception or
   tampering would go undetected.

   "The Internet protocols have been insecure since day one,"
   said Jeffrey I. Schiller, the manager of computer networks
   at the Massachusetts Institute of Technology and director
   of an industry task force that is trying to design a new
   secure version of the Internet.

   But the group's timetable is uncertain, and even when it
   does have recommendations ready, Mr. Schiller is not
   optimistic that the industry will be willing to devote the
   time and money to put them into effect.

   He said that many technologies already exist for improving
   commercial security on the Internet, but many of them
   require too much technical sophistication on the part of
   computer users. He criticized makers of hardware and
   software for not moving more quickly to make easy-to-use
   security features a built-in part of the technology used on
   the Internet.

   "The people who should be the leaders in offering security
   have been too busy counting their money to build these
   features in to their products," Mr. Schiller said.

   Some commercial Internet merchants have tended to play down
   the potential for harm from an illegal interception of
   credit card information over the Internet. They point out
   that consumers routinely make their credit card numbers
   available in transactions done by mail or telephone and
   that the law puts limits on a consumer's liability in cases
   of credit card fraud.

   But Mr. Brewer, the Berkeley professor, said that the
   crucial difference in the proposed Internet commerce
   systems was that for the first time it would be relatively
   simple for a criminal to collect hundreds or thousands of
   credit card numbers. Then a thief could use each credit
   card only one time, making detection much more difficult.

   Sensitive to heightened concerns about security, Wells
   Fargo, the large California bank, which earlier this year
   began permitting customers with personal computers to view
   their account information with the Netscape software,
   suspended the service in September after the Berkeley
   students reported the flaw in Netscape.

   After Netscape followed with an improved version of its
   software, Wells Fargo officials found it secure enough that
   they planned to resume the service later this week. The
   bank will, however, require customers to use the corrected
   version of the Netscape program.

   Even then. Wells Fargo customers will be able only to view
   account balances and other information, but not transfer
   money or conduct other transactions of the type that might
   leave them vulnerable to the Internet NFS weakness.

   "We still hope to be able to offer transactional
   capabilities next year, but this has slowed us down a
   little bit," said Lorna Doubet, a Wells Fargo spokeswoman.
   "Many of our customers feel that security is absolutely
   essential and we have to be cautious in this regard."
             
   Executives at Netscape said yesterday that they were aware
   of the security issues surrounding NFS and would make
   changes in the next release of their software expected
   before the end of the year to permit a recipient of a
   downloaded program to check it for signs of tampering.

   And hoping to take advantage of the fault-finding talents
   of the Berkeley researchers and other like-minded software
   experts, the company announced a contest today called
   Netscape Bugs Bounty, in which Netscape will award prizes
   to users who find bugs or security loopholes in its
   software.

   Some Internet experts said they expected that many security
   weaknesses like the one the Berkeley group had demonstrated
   would be found, because the Internet was simply not
   designed to insure secure commerce.

   "Imagine a walled town or a house," said Noel Chiappa, a
   member of the Internet Engineering Task Force, a
   standards-setting group. "It doesn't matter if 99 windows
   are tight as can be -- if the 100th is wide open, the bad
   guys will bypass your security. "

   [End]