Wire Pirates

Someday the Internet may become an information superhighway, but right now it is
more like a 19th-century railroad that passes through the badlands of the Old
West. As waves of new settlers flock to cyberspace in search for free
information or commercial opportunity, they make easy marks for sharpers who
play a keyboard as deftly as Billy the Kid ever drew a six-gun.

It is difficult even for those who ply it every day to appreciate how much the
Internet depends on collegial trust and mutual forbearance. The 30,000
interconnected computer networks and 2.5 million or more attached computers that
make up the system swap gigabytes of information based on nothing more than a
digital handshake with a stranger.

Electronic impersonators can commit slander or solicit criminal acts in someone
else\'s name; they can even masquerade as a trusted colleague to convince someone
to reveal sensitive personal or business information.

"It\'s like the Wild West", says Donn B. Parker of SRI: "No laws, rapid growth
and enterprise - it\'s shoot first or be killed."

To understand how the Internet, on which so many base their hopes for education,
profit and international competitiveness, came to this pass, it can be
instructive to look at the security record of other parts of the international
communications infrastructure.

The first, biggest error that designers seem to repeat is adoption of the
"security through obscurity" strategy. Time and again, attempts to keep a system
safe by keeping its vulnerabilities secret have failed.

Consider, for example, the running war between AT&T and the phone phreaks. When
hostilities began in the 1960s, phreaks could manipulate with relative ease the
long-distance network in order to make unpaid telephone calls by playing certain
tones into the receiver. One phreak, John Draper, was known as "Captain Crunch"
for his discovery that a modified cereal-box whistle could make the 2,600-hertz
tone required to unlock a trunk line.

The next generation of security were the telephone credit cards. When the cards
were first introduced, credit card consisted of a sequence of digits (usually
area code, number and billing office code) followed by a "check digit" that
depended on the other digits. Operators could easily perform the math to
determine whether a particular credit-card number was valid. But also phreaks
could easily figure out how to generate the proper check digit for any given
telephone number.

So in 1982 AT&T finally put in place a more robust method. The corporation
assigned each card four check digits (the "PIN", or personal identification
number) that could not be easily be computed from the other 10. A nationwide on-
line database made the numbers available to operators so that they could
determine whether a card was valid.

Since then, so called "shoulder surfers" haunt train stations, hotel lobbies,
airline terminals and other likely places for the theft of telephone credit-card
numbers. When they see a victim punching in a credit card number, they transmit
it to confederates for widespread use. Kluepfel, the inventor of this system,
noted ruefully that his own card was compromised one day in 1993 and used to
originate more than 600 international calls in the two minutes before network-
security specialists detected and canceled it.

The U.S. Secret Service estimates that stolen calling cards cost long distance
carriers and their customers on the order of 2.5 billion dollars a year.

During the same years that telephone companies were fighting the phone phreaks,
computer scientists were laying the foundations of the Internet. The very nature
of Internet transmissions is based on a very collegial attitude. Data packets
are forwarded along network links from one computer to another until they reach
their destination. A packet may take dozen hops or more, and any of the
intermediary machines can read its contents. Only a gentleman\'s agreement
assures the sender that the recipient and no one else will read the message.

But as Internet grew, however, the character of its population began changing,
and many of the newcomers had little idea of the complex social contract. Since
then, the Internet\'s vulnerabilities have only gotten worse. Anyone who can
scrounge up a computer, a modem and $20 a month in connection fees can have a
direct link to the Internet and be subject to break-ins - or launch attacks on
others.

The internal network of high-technology company may look much like the young
Internet - dozens or even hundreds of users, all sharing information freely,
making use of data stored on a few file servers, not even caring which
workstation they use to accessing their files. As long as such an idyllic little
pocket of cyberspace remains isolated, carefree security systems may be
defensible. System