Several years ago I gave a talk concerning the early history of computer security. This will not be a duplicate of that, though I will mention some of the early incidents. However, the ever-increasing growth of the Internet has altered forever the concept of just what security means.
By and large, in the 1950s and the early 1960s, you needed a white lab coat and a badge to gain access to the behemoths we thought of as computers, which were fed thousands of watts and more thousands of punch cards and emitted megacalories and either more cards or reams of accordion-pleated paper.
The computer security that was considered was one that involved sabotage or actual theft of paper.
The multiuser machine gave rise to one set of problems. Perhaps the most famous incident of the early 1960s was when a systems administrator on the CTSS machine was editing the password file while another systems administrator was editing the message of the day (MOTD). Due to a `software design error,' the temporary editor files of the two were interchanged and the entire password file was printed as the message of the day for every user who logged in.
The MULTICS project at MIT, an ARPA-funded consortium of AT&T, Honeywell, GE, and MIT, brought us into the world of a modular system with many student users, multi-user capability (at least in theory), and a goal of security levels. This last was for military purposes: MULTICS machines were intended both to be resistant to external attack and to protect users' data from other users. Information was marked `Unclassified,' `Confidential,' `Secret,' and `Top Secret,' and could coexist on the same machine, where the OS would ensure that information wouldn't find its way to the wrong user. Eventually, long after AT&T had withdrawn and GE had sold its computing business to Honeywell, MULTICS supplied a level of both security and service most of our current systems haven't matched.
But in the spring of 1969, MULTICS was far behind schedule and AT&T pulled out. Without going into detail, the net result was that Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy created UNIX in the summer and autumn of 1969. The popularity of the new OS was such that within a few years there were hundreds of sites using UNIX in over a dozen countries.
At virtually the same time, ARPA was funding an experiment in networking. In December 1968 it contracted with BBN to build a packet-switching network of four sites by the end of 1969. The first Interface Message Processor went into place at UCLA on September 2, 1969. The second went to SRI in Menlo Park in October; the third to UCSB in November; and the fourth to the University of Utah in December. The IMPs -- which were built around Honeywell 516s -- were linked by dedicated 50 kbps phone lines.
There were two programs, what we would now call protocols: telnet and ftp.
MULTICS had passwords as well as security levels; UNIX had no passwords, and little else. Why should it? Certainly, on the PDP-7 Ken wasn't concerned with what Dennis might do. Even when the PDP-11/20 arrived in the summer of 1970 no one worried. The machine (and its various upgrades to other PDP-11s) was used for two purposes: development and text processing.
First Edition UNIX is dated November 3, 1971; Second Edition, June 12, 1972. Only in February 1973, with the advent of Third Edition, did passwd find its place among ``user maintained commands.'' Fourth Edition (November 1973) was Third, rewritten in C; more importantly, it made its way out of the Labs in central New Jersey and the Bell System in Manhattan.
In October 1973, Dennis and Ken drove up to Yorktown Heights, NY, and gave a paper at SOSP. It was published in the July 1974 CACM. As I have related elsewhere (A Quarter Century of UNIX, 1994), the response was tremendous. Among other things, by mid-1974 both the University of Toronto and the University of Waterloo in Canada had PDP-11s. Tom Duff was an undergraduate at Waterloo and became a graduate student at Toronto. He told me how, in the spring of 1974, Doug McIlroy had visited to give a talk and how the students had later called Bell Labs `to grab the system source code.'
McIlroy told me that he had dialed in from the Computer Club at Waterloo. `The UNIX phone number showed up on the bill...' and so the students made use of it. Clearly a security breach.
Bob Metcalfe, inventor of Ethernet and influential exponent of packet switching summed up the problems of security on the ARPANET in RFC 602 -- December 1973. Here it is, in its entirety:
``The Stockings Were Hung by the Chimney with Care''
The ARPA Computer Network is susceptible to security violations for at least the three following reasons:
(1) Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence (e.g. ZXCVBNM).
(2) The TIP allows access to the ARPANET to a much wider audience than is thought or intended. TIP phone numbers are posted, like those scribbled hastily on the walls of phone booths and men's rooms. The TIP required no user identification before giving service. Thus, many people, including those who used to spend their time ripping off Ma Bell, get access to our stockings in a most anonymous way.
(3) There is lingering affection for the challenge of breaking someone's system. This affection lingers despite the fact that everyone knows that it's easy to break systems, even easier to crash them.
All of this would be quite humorous and cause for raucous eye winking and elbow nudging, if it weren't for the fact that in recent weeks at least two major serving hosts were crashed under suspicious circumstances by people who knew what they were risking; on yet a third system, the system wheel password was compromised -- by two high school students in Los Angeles no less.
We suspect that the number of dangerous security violations is larger than any of us know and is growing. You are advised not to sit ``in hope that Saint Nicholas would soon be there.''
I think that all of us may crack a smile here: crackable passwords? phone numbers on `Stickits' and walls? break-ins by high school students?
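Metcalfe's four examples of guessable passwords (first name, initials, host name spelled backwards, a run of adjacent keys such as ZXCVBNM) are easy to turn into a mechanical check, which is the sort of thing a site in 1973 could have run over its own password list. The following is an added example, not code from the talk or from RFC 602; the account records and the keyboard rows are constructed here for illustration.

```python
import re

# Keyboard rows used to detect "easy to type in sequence" passwords.
# Constructed for this example; a real checker would also cover shifted
# rows and locale-specific layouts.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw is a run of at least min_len adjacent keys along one
    keyboard row, typed forwards or backwards (e.g. ZXCVBNM, qwerty, mnbvcx)."""
    p = pw.lower()
    if len(p) < min_len:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reasons(password: str, first_name: str,
                          initials: str, hostname: str) -> list:
    """Return the RFC 602 reasons for which this password is guessable.

    Comparison is case-insensitive; the host name is reduced to its first
    label so that 'sri-arc.arpa' and 'sri-arc' are treated alike."""
    p = password.lower()
    host = hostname.lower().split(".")[0]
    reasons = []
    if p == first_name.lower():
        reasons.append("first name")
    if p == initials.lower():
        reasons.append("initials")
    if p == host[::-1]:
        reasons.append("host name spelled backwards")
    if is_keyboard_run(p):
        reasons.append("keyboard sequence")
    return reasons


def audit(accounts: list) -> dict:
    """Map each user name to its list of weaknesses (empty list = passed).

    Each account is a dict with keys user, first_name, initials, host, password."""
    return {
        a["user"]: weak_password_reasons(a["password"], a["first_name"],
                                         a["initials"], a["host"])
        for a in accounts
    }


# Constructed sample accounts (hypothetical users, not real ARPANET records).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "first_name": "Alice", "initials": "ajb",
     "host": "sri-arc.arpa", "password": "Alice"},
    {"user": "bob", "first_name": "Bob", "initials": "rmm",
     "host": "ucla-nmc", "password": "cmn-alcu"},
    {"user": "carol", "first_name": "Carol", "initials": "cxk",
     "host": "utah-10", "password": "ZXCVBNM"},
    {"user": "dave", "first_name": "Dave", "initials": "dlw",
     "host": "ucsb-mod75", "password": "tumbleweed-7"},
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        status = "weak: " + ", ".join(reasons) if reasons else "ok"
        print(f"{user:8s} {status}")
```

Run as a script it prints one line per account; `dave` is the only one that passes. The check is deliberately exact-match on the name-based rules, so a password like `alice1` slips through; a practitioner would extend it with substring and leetspeak variants, but the point Metcalfe was making needs no more than this.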
In September 1971, there were 18 hosts on the ARPANET. At the time Metcalfe was writing, there were 31 host sites. In October 1974, there were 49. In January 1976, there were 63. A decade later (February 1986), there were 2,308; five years thereafter (January 1991), there were 376,000. This number has doubled every year since. The number of users is what has made us increasingly insecure. The exponential increase over the past few years has made the system increasingly fragile in terms of security -- or, better, insecurity.
Maurice Wilkes had discussed password security in 1968 (Time-Sharing Computer Systems). The FIPS concerning DES appeared in the Federal Register (40FR12134) on March 17, 1975. Morris and Thompson published their ``Password Security: A Case History'' soon thereafter. It has appeared in many editions of the BSD documentation (it is © AT&T 1979). Dennis Ritchie's contribution was a brief article ``On the Security of UNIX'' (also © 1979 and in the BSD documentation) and SUID -- for which he holds US Patent #4135240, `Protection of Data File Contents,' January 16, 1979. Ritchie told me about the patent application:
The patent was rejected at first because the examiner was unconvinced that the disclosure was complete and explicit enough for a person ordinarily skilled in the art to implement it. So I wrote a tiny, toy OS framework with Unix protection modes less SUID, and we gave it together with the patent to a bright guy, new to Unix, in the local Comp center. He successfully added SUID to the code, and a brief affidavit from him fixed the problem.
SUID (and SGID) still provide a way to grant users system access to which they are not otherwise entitled. This is extremely useful, but it also makes us insecure in other ways. In 1984, Grampp and Morris wrote a brief article on ``UNIX Operating System Security.'' It contains four ``important handles to computer security'':
Also in 1984, Reeds and Weinberger published ``File Security and the UNIX System Crypt Command.'' Here they pointed out that ``No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users ... the naive user has no chance.''
In his Turing Award lecture in 1983, Ken Thompson described an insidious Trojan Horse using the C compiler as a tool that would miscompile the login command. I will refrain from further detail here.
We now have firewalls; we have both private and public key encryption; etc. But we are far from secure. In fact, those of us who own a car lock it when we are not in it on the street; we lock our windows and our doors at home. Nonetheless, I'm certain that there is no one here who thinks that a determined assault on one's car or home would be turned away. We know that a hammer or a battering ram would provide easy access to a determined foe.
Moreover, several surveys show that most computer theft and computer damage is done by insiders, not outsiders. However, and perhaps worse, auto-dialers make external assaults quite simple.
When we talk about computer security, we generally mean theft of data, corruption of data, theft of corporate secrets, the publication of personal information. The music and book publishers worry about illegal digital copies. These sorts of things are easily placed in appropriate slots in the corpus juris.
But what about something that causes a denial of service? What if a spammer jams an ISP so that no other customer can employ the site?
In other words, is interfering with my enjoyment of something for which I have contracted or paid criminal? So another of our chores becomes how to deter/stop/prevent spam -- junk email. In Europe the flood of unwanted and unrequested postal mail is a mere trickle. In the US, on most days, it occupies about 60% of the bulk the postal service delivers.
In a period when ISPs have become more and more conscious of Quality of Service, the unwanted burdens of spam are truly onerous. Rob Kolstad spoke about spam yesterday. He wasn't kidding: I averaged 35% spam in my email during the month of October. procmail and filters help. But they cause problems, too. My daughter phoned a few months ago because I had blocked earthlink.net; and so she had gotten email bounced.
At that point, my question shifted. In view of the fact that I know that my wallet or baggage might be stolen in transit; that my flat or house or car might be burglarized or broken into; why do I want to do more than deter? Is real security -- as opposed to pseudo-security -- really worthwhile?
And I decided it was.
One needs special abilities to pick locks; to hot-wire ignitions; to steal things and gain funds through selling them. The same is true for electronic damage or theft. But the simple methods of probing a site's vulnerabilities are learnt quite rapidly. The scribbling on US Defense Department web sites and the destruction of others are far from sophisticated activities. As Simson Garfinkel has pointed out, most of the information required to become an intruder can be learnt in a few weeks.
One of the biggest problems confronting us today is, in my opinion, loss of memory. Many contemporaries seem to have no recollection of even the recent past. Thus, at the end of last July, The New York Times carried a story about a bug in Microsoft's Outlook Express and Outlook 98, as well as Netscape Mail, which were susceptible to break-ins employing a buffer overflow. It is 10 years since Robert T. Morris loosed the Internet worm. One would have hoped that folks in Redmond, WA, might know about that vulnerability. Guess not.
Multiuser systems have been around for more than 30 years. Problems with passwords have been with us nearly as long. Those which arise as a result of our connecting computers with telephone wires have been with us for over 20 years. Despite the knowledge gained from the CTSS problem, despite the warnings of Metcalfe, despite the work of Ritchie, Thompson, Morris, Grampp, Reeds, and Weinberger, we arrived at the point where Sun was causing explosive growth in the use of UNIX and the Internet was beginning geometric growth, with only the merest improvements in security.
One of the holes exploited by the `worm' in 1988 was that of rsh. The very existence of an Internet within which one could remotely access a machine was one of the flaws.
Gene Spafford has pointed out that security comes at a cost. If we want our machinery and our data to be secure, we will have to surrender much of our flexibility and ease of access. We have had more than enough warnings, but despite the `worm,' despite the German gang uncovered by Cliff Stoll, despite Kevin Mitnick, it is only within the past year or two that businesses and individuals have begun wholesale implementation of firewalls.
Like folks who leave cameras on the seats of cars, we do not heed warnings and expose temptations to others. My New York apartment was burglarized in 1965. I have been very careful about my dwellings since then.
Delivered at SANE '98, 19 Nov. 1998