|
      |
 |
Here's a transcript of a live chat hosted by Yahoo! Chat following the PBS television broadcast of "Hackers." Taking questions were FRONTLINE producer Neil Docherty, Richard Power, Editorial Director of the Computer Security Institute and author of "Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace," and Count Zero and Reid, members of the the hacker group "Cult of the Dead Cow."
Yahoomc: First, we're going to welcome our hackers Count Zero and Reid to the event...
Count Zero: Peace and love!
Reid: Hello everybody!
Yahoomc: and Richard Power from the Computer Security Institute...
Richard: This is Richard Power, good evening!
Yahoomc: and finally, Neil Docherty from Frontline...
Neil: Hi, ready and waiting!
jasonc221 asks: Why are sensitive computers used to run major facilities around the country even connected to the internet? It seems like a pretty practical solution to just unplug them from the internet...
Richard Power: It depends upon the application we're talking about. Any computer doing ecommerce is sensitive to the company that it's making sales for...You can't do e-commerce without having computers on the internet and those are vulnerable. Now government computers, in fact, most very sensitive government computers aren't really approachable via the internet. That doesn't mean they're not at risk.
Yahoomc asks: Tell us a little bit about the Cult of the Dead Cow...
Count Zero: The Cult of the Dead Cow is an eclectic group of computer hobbyists who are interested in computer security and raising awareness.
Reid: And we love to exercise our civil liberties...we exercise it vigorously.
Richard: I might add, do it while you still can.
p_3_z asks: Why do you think people still use Microsoft Outlook ever after they know what could happen?
Reid: I think there are two reasons why people use Outlook. First of all, they come into an organization where there is already Outlook. So there is a cliff you have to climb to get everyone in the company to leave and go somewhere else. And the other reason applicable today is that if you are in IT you probably have gotten your MCSE. And so you "think Microsoft" now.
Richard: I'll just add, and this is me speaking, not Computer Security Institiute speaking, that one byproduct of the anti trust suit against Microsoft would be that it would create some space in the marketplace for people to evaluate the security of products. And I hope that the new Administration doesn't pull their punches on that case.
Count Zero: It's usually because people get it as a package deal. You get a word processor with Excel, Word, everything, so why not use it? It' s there and it's sort of the path of least resistance.
Richard: Quite often the most fundamental security problems are with the default settings that the computers and software come with. And quite often, Outlook is the default email system it comes with. Which isn't to say that the others are that much better by the way.
a_guy_nick16 asks: Have you ever heard of the program called Sub Seven? Someone once hacked into my PC using it and deleted a lot of files in my hard drive, is there anyway to be aware of it next time?
Reid: It's a Trojan horse, similar to Back Orifice in functionality, but not as well written...not as cool. You need anti virus software and you need a firewall.
Yahoomc asks: Email viruses get the most publicity, but are those really the most dangerous kinds of hacker-type creations?
Richard: No! Most email viruses are not written by "hackers" they are written by virus writers.
Count Zero: Often when you hear "email virus" it's often really just meaning someone who has sent you an attachment that has been executed on your computer, and what that does can be anything. It could just delete files on your hard drive. Once you run an attachment you basically run a program on your computer. And if your computer does not have adequate controls over what programs can do in your operating system, then the barbarians are inside the walls.
Richard: An email virus or Trojan horse, meaning an attachment to email which has a malicious code in it, is only as powerful as the cluelesssness of the user who executes it. Or the corporate network that isn't responsive enough to filter those out when they know it's begun. It's not a sophisticated a thing really, it's dependent on the cluelessness of users and irresponsibility of people running large networks.
jlintz2000 asks: Do you feel that the failure of a lot of NT systems being not secure and being hacked by vulnerabilities that have patches already available is more of the admins fault for not being subscribed to a security mailing list and receiving updates as soon as a patch is available?
Count Zero: It is the responsibility of the administrator to make sure they have the current version of the software and all the patches. However, it's sort of a sad state of affairs when the system is not designed well enough from the very beginning when it requires continual patches to fix things that shouldn't be a problem in the first place.
Richard: One thing to remember in defense of network administrators, is that quite often installing a patch isn't as simple as just installing a patch. They have to bring the system down and answer to a lot of people why a system isn't operational for some period of time. It's not an excuse, but it's something to remember, and they quite often don't have the staffing or the clout to get the job done or insist that those kinds of things are taken care of in a timely manner. Though in most cases it's just neglect. Most people don't think they are at risk and don't care. And I certainly agree that they shouldn't have to be installing so many patches.
Reid: That's true when the patches actually exist. Unfortunately if you are using an older version of a product and are standardized on that version, sometimes vendors don't patch old versions, they tell you to get the new version. So you may not have the money to do that, or the new version might break whatever you are using it for.
ska2001 asks: Does Microsoft software have more flaws than products from other software manufacturers? Or is it just that MS is so ubiquitous that it seems to be the problem?
Count Zero: I'd say it's probably a combination. It is ubiquitous, and it is full of flaws. And unfortunately many of those flaws are not seen by Microsoft as flaws, they are sometimes seen as features.
Reid: The sad thing is Microsoft is ahead of the curve compared to most companies. Their misfortunate is that they are the world's best operating system vendor. They actually have a pretty good security team, but they are so successful at selling their product that everyone has it. Which means we live in virtually a mono-culture. That's sort of a petri dish full of agar. So if somebody creates or discovers a security issue in Microsoft Windows in affects lots of people, and for reasons we've already discussed, some people can't always upgrade.
Richard: The vast majority of internet security experts - people I would consider experts - would always choose UNIX over NT as an operating system. And there is a significant discussion to be had about the fact that the source code of NT isn't available as an open source, and therefore the only people who have access to Microsoft source code is Microsoft itself and those who steal it. We know their systems have been breached and the source code for some products has been exposed because that was pretty prominently in the paper weeks ago. So most internet security people I respect - not all - most would go for UNIX over NT. And there is the issue that most people I know would always want to have open source. Because then it's an even playing field. There are other opinions of course.
achilliesdefender asks: based upon the recent release of the first (I think) LINUX worm, won't LINUX soon be under attack more often?
Reid: Probably. It's a function of its success in the marketplace. The more successful it is, the bigger target it is. LINUX is a much less complicated product than Windows NT. There are fewer pieces. So it's easier to solve problems when they appear.
Count Zero: And the fact that it's open source means it's heavily scrutinized by everyone. So instead of just having a small team of security experts at Microsoft trying to fix your closed source, you have a global community of literally millions of people who can pro-actively look at the source code and fix them before anyone looks at them, or before they are exploited.
chris_5527 asks: Count Zero and Reid, do you two use Linux Slackware as an OS? I do and I find it quite useful when I am "doing things", do you two think that it is a good OS? I believe that it very stable and perfect for me, what about you?
Count Zero: I use it as a desktop environment, and there has been a lot of work lately with things like Gnome to provide a more user friendly interface which has always been a problem with getting regular people to use it. It used to be just a system that only real tech heads would use. But it's getting much better because of these tools that allow it to be used like a Windows system.
Reid: I have a Tavo, does that count?!?
tumrumble asks: Given the computerization of biology- genomics, bioinformatics, SNPs, do you see a danger that some time in the future our very genetic makeup can be hacked?
Reid: Sure, absolutely....but the question really is what do you mean by that? I think as stupid as it is storywise the film "Gattica" is really pretty interesting, I don't think there is anything really impossible about that movie except maybe them flying into space. The scariest thing about your genetic code is that it includes thousands of predispositions to insurance jeopardizing illnesses, and that's a problem if you want to get insurance.
Count Zero: I would just add that our genome is continually trying to be hacked, by biological organisms on the planet earth - like opportunistic infections and things like that, so there are a lot of lessons we can learn by looking at biology. We are living organisms and we can learn a lot by looking at other organisms trying to infect our bodies....
Neil: There is actually a group discussing this who are concerned by this very scenario. The guy, Chris McKinstry, can be contacted at mindpixel.com, and they have a discussion group on the idea of human genome hacking.
joerdanmartinez asks: Are patches a business strategy scheme to get the product out sooner...and worry about the fixes later...or do you think they really don't see problems forthcoming...?
Richard: I would say that more often than not people really don't see the problems coming. I worked in Silicon Valley for over ten years before I got into computer security. The one thing I knew about security before I started here, is that I never heard the word once in ten years in Silicon Valley. And you have a valley full of fire stoves down there really. And on the other hand, viruses and other malicious code has often been suspected of being marketing ploys of anti-virus software vendors. But vendors generally are rushing to get their product to market and they don't understand security anyway. And once it gets out into the open, serious people on both sides of the law beat on it and find out what it's really made of.
photocrimes asks: Should Microsoft be held liable for negligence? Outlook for example. If you read the EULA I think you would find it unacceptable with any other product, so why do we put up with it?
Richard: I don't want to bash on Microsoft to the point of saying they are more liable than anyone else. Someone earlier pointed out that they are simply the largest provider. I think there is a big space into which civil liability lawyers are eventually going to wander. But if you've ever read the warranty on a software package, you shouldn't even expect it to boot up. So there' s no culpability for them.
Reid: Microsoft EULA shields them from any damage it causes your system or hardware. So if your computer explodes, they are not liable.
Neil: I think one of the things that concerns a lot of people is that the industry is trying to make these tremendous limitations on their liability as industry practice, and therefore testing these limitations will become increasingly difficult.
Richard: The internet is free. Everyone wants it to remain free. But people who are against regulation are often against regulations for two different reasons. You and I as individuals are probably against regulation for the sake of freedom. Corporations are against the regulations of the internet, any aspect of the internet, the same way Japanese whalers and Texas oilmen are against regulation. You can't expect to treat cyberspace or the internet like infrastructure and not have any responsibility. You can ask anybody who lives in California which just had their utility industry deregulated a few years ago, what no regulation on corporate interests does.
gojets2001 asks: You seem to complain a lot about the insecurities of Windows NT etc... but what have you ever done to make it more secure?
Count Zero: The best we can do is to shine a bright light on the inadequacies and hope that Microsoft will fix what we find by doing that. We can't rewrite it for them, the source code is closed.
Reid: We don't contribute to Windows NT security directly, but we aren't paid to either. As opposed to say, hmm let's see, the world's largest software company, whose chairman is the world's richest man....
martydukes asks: Please explain what motivates most hackers to hack, and what separates a real hacker from some guy making trouble?
Reid: I think age. I think talk to your favorite white hat hacker and he's got a huge closet full of skeletons. But those were all juvenile years, and he grew out of that kind of stuff. I think you give somebody enough responsibility and eventually they clue into the repercussions of their actions. That's kind of cynical but it's kind of the truth.
Count Zero: I would say the future of security really lies in the exploratory drives of all of the young people who are young hackers. The problem is that many of them are dealing with growing up and issues of power. They are doing the same things they are doing in the physical world.. They may be spray painting graffiti, and sort of screwing around. And it's just a matter of them maturing. So I wouldn't say that all young hackers are bad, it's just that many of them are misguided. And the trick is to educate them on how they can use their skills positively to make the world a better place.
Richard: This question always angers me because it always comes back to the "problem" of juvenile hackers. Really there are professionals and there are a variety of motivations, from adolescents to people who really are brilliant and for whom technology is to them like what jazz was to Coltrane or chess to Bobby Fischer, and then there are mercenaries who do it for money. And juveniles, whether they are hackers or physical world vandals or drug users or anything some of us might have been in our youths, should be treated differently.
ThantiK asks: Do you think the penalties for hacking now [make it] worth hacking after the age of 18?
Reid: I guess the answer is no, and besides all the stuff you want to learn you could buy a computer and install LINUX now. In the 1980's you had to hack into a mainframe. Today information is out there on the web. If all you want to do is learn, you don't have to break any law at all. Unless we are talking about the Digital Millennium Copyright Act.
Count Zero: I would just add that many people are truly driven by curiosity to hack and may end up screwing up and accidentally causing damage. I think that will always exist no matter what the penalties are. The motivation is what counts, and I think most of the time it's curiosity about how things work and sometimes that gets you into trouble totally by surprise.
Richard: We have to have computer crime laws. But they only kick in when security has failed in some way, but more often than not, it's a failure in security that brings us to the point where we have to decide whether or not to prosecute someone. So laws are never the solution, they are only the fallback position. The solution for corporations and organizations is to dedicate more resources - human resources, budget dollars and organizational clout - to people who understand security, information security.: And if you do that, guess what you also do at the same time? You hire bright young people and you pay them a lot of money. And they are less likely to be getting themselves in trouble, because there is a future.
barnowlcom asks: The panelists seem so anti-Microsoft. Is there anything good to say about Microsoft security?
Reid: They've improved, I guess they get Most Improvement. They used to be very head-in-the-sand about security problems, now they actually return your email.
Count Zero: Microsoft is doing what it does best and that is to listen to the market and only recently has the market been demanding security. So they are beginning to respond to that and that is very positive.
Neil: I would like to say that Howard Schmidt, head of security and Steve Lipner the security analyst, were very accommodating to us.
Richard: I don't know if the situation would be all that much better if it were something other than NT that was the operating system du jour, for not doing what they have to do. So it's not like they are the ultimate to blame. A great deal of blame still resides with the owners of corporate networks and organizational networks to secure their own systems under the circumstances.
Mink222 asks: Are there any KNOWN attempts by the Bin Laden followers to hack US gov systems? Is the US prepared for their attacks? Anyone know the level of competence they possess?
Neil: I don't know specifically about Bin Laden, I was never able to track that down.
Richard: I would only add that you read in the newspapers that he lives in caves in Afghanistan but he has satellite connectivity in those caves and he uses email. And even if he didn't, those responsible for national security have to consider the implication of what if he did, or someone like him did. They have to think that through. A network attack will never have the impact of a car bomb on Wall Street, but if you were to have a car bomb and at the same time dealt a serious blow to the internet or phone system, you could create serious disruption, and so sow fear in a large number of people. Cyber terrorism doesn't replace physical terrorism, it adds a dimension to it that you have to consider.
Count Zero: I would add that often cyberterrorism is very cheap, and easier than other types of physical world terrorism, so naturally it will be something explored by these groups.
jofigirl asks: Has any of the panel noticed any marked improvement in the DOD or other government agencies security, say over the past 3 years?
Richard: It would be easy to say no, but I would say from my experience that if you were to look at what Keith Rhodes and the US GAO have done--serious security assessments of vital aspects of the government's networks --they know more about what's wrong with their systems than many people in the corporate world. They are not in denial about it. They also have a bigger problem.
All: LOL!
Reid: If they are, they are doing a pretty lame job of it!
Reid: My only message is Increase the Peace.
Count Zero: Power to the People! And POWER is with a Zero, not an O.
Richard: Count the vote in Florida!
Neil: My advice to everyone is leave a hammer by the computer so you can always reconfigure your hard drive.
Yahoomc: Excellent closing thoughts from our panelists. Thanks to all of you for your great questions. And thanks to our experts for a fascinating chat.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation | |
|