by Mark Trescowthick - GUI Computing
All you don't want to know about Internet security and should be afraid to ask.
I thought I knew that the Internet wasn't secure. I also thought (or perhaps, assumed) that I'd heard of all the large Internet security problems - or at least of those in the public domain. @ Large proved me wrong on both counts.
Essentially the story of one lonely, disabled and very probably disturbed teenager, this is a true story and one with some very scary overtones. In short, this not-very-competent kid managed to gain access over a period of nearly two years to literally hundreds, and probably thousands of networks of all descriptions. Any not just "hey I got in!" access - root access. That's SuperUser, as in "Format C:" stuff. He did so with no programming skills, and not much in the way of any other computer skills so far as the authors can discern. All he had was an incredible persistence - 14 hour days not being uncommon, and stints of online time over three days having been recorded.
His techniques were universally described as mundane, yet he gained access everywhere from NASA to Intel to Sun to MIT. He, along with a C-smart compatriot, were well on their way to inserting a packet sniffing "worm" on the US backbone when the incident was shut down. It's plain bizarre that he could get that far, but he had. He'd purloined time on a number of supercomputers to run their customised password cracking program (customised to work on parallel computers) - computers at Los Alamos, NASA, Thinking Machines, the National Institute of Health and others. They'd obtained a full copy of the source to SunOS, and stored it on the hard drive of a PC at Texas A&M. This is, I assure you, weird stuff indeed.
I couldn't help wondering all the way through this snappily-written account what would have happened if this kid had been a crook into the bargain, or a spy, or just plain malicious. The FBI and Secret Service, who finally tracked him down and arrested (but never charged) him make it plain throughout the book that it worries them too.
Another worrying fact - although I would hope that things have improved somewhat in the nearly seven years since these events began to unfold - is the almost total indifference of the authorities to repeated attempts from multiple system administrators to get someone, anyone, to do something to shut the repeated cracking down. And the fact that some system administrators, when confronted with the fact that they were being penetrated, basically chose to do nothing at all.
I'd like to think, too, that security techniques have improved a bit since 1992, when most of these events took place, but I feel I've got to agree with the authors that in all probability they haven't, or if they have then the bad guys' tools have improved equally, or more than that.
This is not a book for the easily frightened, and not a book for the paranoid, but it's a damn good, if sometimes a little simplistic, read and it certainly makes you think. Best summarised, I think, by the following two comments from Gene Spafford, a Security Director from Purdue University, quoted in the book :
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."
"Using encryption on the Internet is the equivalent of arranging an armoured car to deliver information from someone living in a cardboard box to someone living on a park bench."
By David H. Freedman and Charles C. Mann
Simon & Schuster