
Reactions to WTC

Nimda! Nimda! Nimda!

My web server is getting hit with it all the time. I've modified my Code Red script to also look for Nimda signatures (all 16), and to mail the owner back (if they're running an SMTP server). It will also mail abuse@telocity.com if the source is in telocity.com. I could probably expand it to mail "abuse" (and others) at any two-level domain, but I'm not that ambitious. :-)

10854 hits of Nimda and counting.

This dwarfs the total number of Code Red (and variant) hits that I've gotten: 3283.
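The author's scanning script isn't shown on the page, so here is an added Python example (my own, not the author's code) of the kind of log scanner described above. It parses combined-format access log lines, classifies each request against a subset of the publicly documented Nimda probe paths (the root.exe backdoor and the IIS traversal encodings listed in the CERT advisory of the time; the published list has 16 entries) plus the Code Red default.ida probe, tallies hits per signature and per source host, and derives an abuse@ contact for a source's two-level domain. The signature names, hostnames and log lines are constructed for the example.

```python
import re
from collections import Counter

# Apache common/combined log format:
# host ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Subset of the publicly documented Nimda probe paths: the root.exe backdoor
# left by Code Red II and several IIS directory-traversal encodings aimed at
# cmd.exe. The signature names on the left are this example's own labels.
NIMDA_SIGNATURES = {
    "root.exe":          re.compile(r'/(?:scripts|msadc)/root\.exe', re.I),
    "drive-share":       re.compile(r'^/[cd]/winnt/system32/cmd\.exe', re.I),
    "traversal-%255c":   re.compile(r'\.\.%255c\.\./winnt/system32/cmd\.exe', re.I),
    "traversal-%c1%1c":  re.compile(r'\.\.%c1%1c\.\./winnt/system32/cmd\.exe', re.I),
    "traversal-%c0%af":  re.compile(r'\.\.%c0%af\.\./winnt/system32/cmd\.exe', re.I),
    "traversal-%%35%63": re.compile(r'\.\.%%35%63\.\./winnt/system32/cmd\.exe', re.I),
}

# Code Red probes request default.ida with a long run of N or X padding.
CODE_RED_RE = re.compile(r'/default\.ida\?[NX]{50,}', re.I)


def classify(path):
    """Return ("nimda", signature), ("codered", "default.ida") or None."""
    for name, rx in NIMDA_SIGNATURES.items():
        if rx.search(path):
            return ("nimda", name)
    if CODE_RED_RE.search(path):
        return ("codered", "default.ida")
    return None


def scan_log(lines):
    """Tally worm probes per family, per signature and per source host."""
    report = {"nimda": Counter(), "codered": Counter(),
              "sources": Counter(), "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"] += 1   # count, never crash, on odd lines
            continue
        hit = classify(m.group("path"))
        if hit is None:
            continue
        family, name = hit
        report[family][name] += 1
        report["sources"][m.group("host")] += 1
    return report


def abuse_contact(host):
    """Derive abuse@<two-level domain> from a resolved hostname.

    Returns None for bare IPv4 addresses or single-label names. Caveat:
    ccTLD registries such as co.uk need a public-suffix list, which this
    deliberately simple version does not consult.
    """
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', host):
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return "abuse@" + ".".join(labels[-2:])


# Constructed sample log lines (hosts and addresses are documentation ranges).
SAMPLE_LOG_LINES = [
    'dsl-1-2-3-4.telocity.com - - [26/Sep/2001:07:10:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273',
    'dsl-1-2-3-4.telocity.com - - [26/Sep/2001:07:10:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273',
    'dsl-1-2-3-4.telocity.com - - [26/Sep/2001:07:10:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 273',
    '192.0.2.17 - - [26/Sep/2001:07:11:40 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '192.0.2.17 - - [26/Sep/2001:07:11:41 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '198.51.100.9 - - [26/Sep/2001:07:12:05 -0400] "GET /default.ida?' + "N" * 60 + '%u9090 HTTP/1.0" 404 288',
    '203.0.113.5 - - [26/Sep/2001:07:13:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    r = scan_log(SAMPLE_LOG_LINES)
    print("Nimda hits:   ", sum(r["nimda"].values()), dict(r["nimda"]))
    print("Code Red hits:", sum(r["codered"].values()))
    for host, n in r["sources"].most_common():
        print(f"  {host}: {n} probe(s), contact {abuse_contact(host)}")
```

Running it on the constructed lines reports five Nimda probes across four signatures and one Code Red probe, with the telocity.com host mapped to abuse@telocity.com and the bare IPs left without a contact. On a real server, the same scanner would run over the access log and the per-host tallies would feed whatever notification step you choose.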

Some of my new CDs contain beeps that sound identical to the beep from my mail program (pine) indicating that there is new mail.

It causes many false positive indications of mail.

I am quite concerned about some of the proposed legislation in Congress in response to the WTC attack. This is my particular field of expertise, so I'll keep it to the facts.

  • The administration has taken the opportunity of the WTC attacks to bring back proposed legislation for mandatory "backdoor" access to all cryptography products. Essentially, this means that the FBI will have a "backdoor" to be able to instantly decrypt anything that is encrypted with cryptography software that is made in the US. From a law-enforcement standpoint, this is not a bad thing. You can always see what the Bad Guys are saying -- right now, there are most likely all kinds of Bad Guys using encryption to hide their nefarious plans. Even if the FBI (legally) intercepts their communications, they can't decrypt them, so they can't get a lead on what the Bad Guys are planning. This is obviously Bad.

    However, the proposed solution solves nothing. It solves nothing because there are many software companies outside of the US that produce crypto products that do not have these backdoors. So:

    • American crypto products will be weaker than the rest of the world's crypto products
    • Terrorists will use non-American crypto products
    • US law enforcement will be in the same situation where it is today (can't decrypt terrorist communications)
    • Americans will have to use weaker (and potentially breakable) crypto

    Before you say, "who cares?", consider what this means to you. What happens when you buy something on the web, say from amazon.com? You're using crypto. "But so what if the FBI can crack that -- what do they want with my credit card number, anyway?" Nothing. That's not the problem. There are two main problems:

    • The potential for abuse here is amazing. If the government (not just the FBI, mind you) can arbitrarily decrypt anything that is legal for a US citizen to use, then nothing is safe from the government. Don't get me wrong, I'm a believer in big government, but I don't trust them that much. Sorry, I digress from facts here.

    • Undoubtedly, the "backdoor" will be leaked into the Bad Guys. I guarantee that it will happen -- there is no computer system in the world that is secure enough to hold this precious data. Plus the fact that the data will selectively have to be released to government personnel to be used. With the number of people that "need" to know the backdoors for actual legal use, they'll be leaked sooner or later. And then we'll all be screwed, because all US-based encryption will be breakable by anyone.

      I simply do not believe that the backdoors can be protected (by anyone, not just the government). Look what happened with DVD encryption -- the "backdoors" (for lack of a longer explanation and better name) are almost common knowledge today. The recording industry has turned to litigation to protect DVDs -- do you want to use litigation to protect your company's secrets and/or your financial data? I don't think so -- that's reactionary. You can only protect it after it's been stolen. Kinda defeats the point of encryption, doesn't it?

      How will you feel when your credit card can get trivially stolen by some random script kiddie (i.e., a 12-year-old) when you buy something from amazon.com?

  • There's also stuff before Congress about the ability to conduct wiretapping operations without a court order. I believe that it has to be suspected terrorist activity in order for this to occur (i.e., without a court order), but that's a pretty broad term. This is really, really scary -- the government can just tap into whatever you're doing (and remember, everything is open to them because they can decrypt everything you do). So it's up to random FBI agents to determine if what you're doing is "suspected terrorist activity". I'm sure they have to file some paperwork, but so what? Who's really going to question their judgment? Regardless of the usage, the government will always be able to fall back on "we thought it might be terrorist activity".

    The fact of the matter is that court orders for wiretapping are not perfect. But they do create a check-and-balance system such that one agency does not have the authority to conduct surveillance by itself. There's a good reason that this system was put in place -- to prevent abuse. Why is it suddenly a good idea to ditch that check-and-balance system now?

  • There are even articles being published about how the FBI wants to install Carnivore at all ISPs, "just for future use". Wow. Amazing. Are we going to a Big Brother government, or what? "Just trust us" is effectively what the FBI is saying -- "we'll only look when it matters". But the problem is that with that kind of mechanism in place, especially if you don't need a court order to do wiretapping, abuse is virtually unavoidable. And it will be called legal.

  • Ashcroft has proposed legislation to classify all hacking as "terrorist activities", and to carry huge penalties (e.g., life in prison). Hackers would have to give DNA samples and effectively be treated like sex offenders. I have to say that I'm pretty divided on this one -- while I'm certainly all for stiffer penalties for hackers, this legislation is just opportunistic. With the speed that this legislation was introduced, I seriously doubt that enough thought has been given to the issue and/or the ramifications of this legislation. It scares me because it will have wide-reaching effects on the bullets mentioned above (use of Carnivore, wiretapping without court order, and mandatory breakable encryption), and it may seriously curtail legitimate activity. Will attempts to reverse-engineer IIS to try and find exploits in my own web server in order to make it more secure be "terrorist activities"? If nothing else -- the corner cases have not been clearly delineated such that legitimate users won't be affected by this law. It's too fast, and too reactionary to what has just happened to the WTC.

Indeed, even if the FBI/government gets all these measures, how the heck is the US government going to enforce all of this? They don't have anything approaching the number of trained personnel to make this a reality. This means we'll get untrained bozos doing the job who won't understand the issues, and [more] mistakes will be made. Innocent users will become targets.

I can even cite a concrete reactionary example of my fears coming to life.

I know an employee of one of our national government labs. This story takes place in the wake of the events of the data being stolen by the alleged spy from Sandia -- it was about a month or two after the fact. This friend of mine was writing some PHP web pages. He made a mistake at one point, and realized that he had actually written a security vulnerability in his web pages. In order to confirm the problem, he tested it (as any good scientist would). He sent multiple HTTP requests to his web server and exploited his security vulnerability to retrieve the /etc/passwd file from the server.

Keep in mind that this was his server -- he has superuser access on the machine and can easily examine /etc/passwd (and /etc/shadow, for that matter) any time he wants to. It was not a lab-owned server, and there was no confidential data leaked.

His HTTP requests tripped an electronic alarm, and an "incident" report went up the chain of command. I saw the initial report myself -- the technician even said something to the effect of: "I'm pretty sure that this 'friendly fire' incident..." Meaning that he recognized that it was someone testing their own code, and it wasn't a "real" incident.

But the whole thing escalated into a week-long struggle for my friend to keep his job. He was almost fired and convicted. For "hacking" his own server.

I can foresee this scenario (and countless others like it) repeating across the country. It's just like sexual harassment -- it doesn't matter at all whether a sexual harassment claim is true or not. Once an allegation is made, most people assume that the person is guilty.

Reactionary legislation and its fallout cannot be good for any of us.

In summary, I am not convinced at all that these proposed measures will have any noticeable effect on preventing terrorism. Instead, they will curtail our civil liberties with no tangible benefit. We'll become a police state. Terrorists will still use unbreakable crypto. If all of our actions are watched, it is inevitable that law-abiding citizens risk having their legitimate practices brought up before a judge.

We are giving in to the terror, which is exactly what the terrorists want.

This does not sit well with me at all.



This page contains a single entry from the blog posted on September 26, 2001 7:36 AM.
