Speech before the Los Angeles World Affairs Council on March 29, 2000:
James Glassman
Fellow, American Enterprise Institute
Scott Charney
Director, PricewaterhouseCoopers
Robert Logan
Deputy Director, Information Services, California Institute of Technology
A Panel Discussion:
"From Cyber-Technology to Cyber-Crime"
James Glassman:
Thank you, Don Straszheim. I was really surprised to see you here and thanks for that kind introduction. I just love it here in California. I come out almost every week and I flew in from New York and they had a movie on the plane--the movie was "Air Force One." Would you believe it? Air Force One. I've seen it like four or five times. Really, that's not an appropriate movie to have on a plane so as I was getting off the plane and the fellow who was sitting next to me said "How did you like the movie?" I said "Great. I've seen it many times. It was a good movie." And he said "You know, they're making a sequel and in the sequel the terrorists don't kidnap the President of the United States, they kidnap the entire United States Congress, all 535 members and they threaten that unless their demands are met, they're going to start to release members of Congress, one by one." Really, terrible, terrible.
I know a little bit about Congress because I used to be the editor of a Congressional newspaper called Roll Call. Then for six years I wrote a column, a financial column, and an Op-Ed column for the Washington Post, and then I wrote a book about the stock market called Dow 36,000 and it's a very controversial book. Almost every financial publication has had its say about it. In the course of writing the book and in the aftermath, I became very interested in a particular aspect of one of the reasons, indeed, that the stock market has been rising and, I believe, will continue to rise. The argument we make in the book, my co-author Kevin Hassett and I, is that the proper level for the Dow Jones Industrial Average, representing the entire market, is 36,000 right now. We believe that stocks are undervalued, although that's not the subject of my talk tonight. But it's one of the important reasons I became interested in the next subject that I am going to talk about tonight, and by the way, it's not cyber-crime. They're going to talk about cyber-crime; I'm going to talk about public policy and technology.
As I became more and more concerned about an increasing government role in technology, I noted that one of the reasons that technology boomed in recent years has been that it is relatively unfettered both by taxes and by regulation. Last month I became the host of a new website--that is a new term, "host." It used to be "editor," "publisher" and now it's "host"--of a new website called "techcentralstation.com." Now, if you think that's too long or hard to pronounce, the fact is that all the good names were taken, OK? So don't blame me. Anyway, its slogan is "Where free markets meet technology." It serves as a forum for news and opinions on technology and finance from an unabashed free market perspective. We concentrate on such issues as Internet taxation, broad-band dissemination, privacy, biotechnology, high tech trade and so on. The website is a kind of watch dog in an area in which few people seem to be doing long-term principled thinking on public policy. You might describe the website as kind of a cross between an opinion magazine--I used to be the publisher of The New Republic so I know about opinion magazines--and a very tiny cyber think tank. It is also, in another sense, a continuation of a program on PBS that I hosted for four years called Techno-Politics that Don referred to. At any rate, I think in a sense we kind of invented a new sort of institution and I think we're going to see a proliferation of this.
Really, our main interest is the main interest of anyone who's concerned with public policy, which is allowing Americans to lead better lives. Technology, I think, is the key to that. The Commerce Department said that, thanks to technology, growth in the United States is about one-third greater than it would have been without recent advances in technology. So instead of growing at two and one-half percent, which has been the average since World War II, we've been growing at greater than four percent. Also, technology has lowered costs and lowered inflation by four percentage points which means lower mortgages, lower costs for consumer finance. So, what can public policy do to continue, indeed to accelerate, this prosperity? I've kind of devised, or we at the Tech Center actually, have kind of devised four principles on which we think continued prosperity rests and I want to zip through them right now because I only have ten minutes to talk. So let me just go through these.
Number one--consumers first. This does not mean listening to self-appointed consumer advocates who these days seem to be in thrall to the plaintiffs' lawyers. No, it means allowing consumers to drive the market with their free choices. Consumers naturally want more value at lower costs, and by this measurement the computer industry is the most consumer-driven industry in the history of the world. What do consumers of high-tech products want most of all right now? Well, if you've spent any time on the Internet, you know the answer. It is speed. Unfortunately, local telephone lines continue to be owned by government-created monopolies and we have been waiting a long time. Last week, in an interview that I did for Techcentralstation, I asked Congressman Tom Bliley, who's the chairman of the Commerce Committee, why consumers were not getting broad-band fast access to the Internet as fast as they should. His answer was that a bottleneck has been created in the last mile, as they call it, by the local Telcos.
Now, it's not necessarily their fault. They were originally created as monopolies. In 1996, the President and Congress did a smart thing. They agreed on a way to deregulate telecommunications for the benefit of consumers. It wasn't perfect, that's for sure, but it was the best solution possible. The idea was to let the local telephone companies into long distance, which had already been deregulated, as long as they opened up to other companies that wanted to compete with them. Well, it's taken a long time and in New York, where I live, finally the local company there, Bell Atlantic, was certified as being open enough to allow competition, but unfortunately there have been a lot of technical problems and it hasn't worked out too well. Now we see a bill has been introduced in Congress called HR-2420. Congressman Bliley says that if that bill were passed it would hold up the dissemination of broad band for a long time. This is a controversial issue, but it's one that I think all of you in this room should start to concentrate on. We really need fast Internet access, not just for the people in this room but for all Americans.
Number Two--embrace tax policies that encourage growth and innovation. What's working like gangbusters in the e-economy is unregulated commerce, free of sales taxes. This allows fast growth, which in turn is generating more wealth, which in turn is generating higher off-line revenues, higher property tax revenues, higher income tax revenues. Why would anyone want to disrupt that virtuous circle? The Internet is a virtual tax-free zone and we should keep it that way.
Rule Three--don't allow companies to run to the government for help in the market place. The fact is that you never know where the next great idea is going to come from. So, trying to help specific companies is futile and sometimes downright destructive. In the mid-1980s a husband and wife on the Stanford University campus wanted to exchange e-mail love letters at work. Unfortunately, their academic departments used incompatible computer networks. So they created a new type of digital bridge over the divide and in the process created a new company. They named it Cisco Systems, which today is the largest company in terms of its market capitalization and its value in the market place in the world. As much as the politicians may want to help, it's nearly impossible for them to know which companies will yield the greatest benefit to society. Who could have predicted Cisco from that little problem over the e-mail love letters? But, you know, sometimes in their zeal to help support new technology politicians will be very tempted to respond to specific companies that say "Oh, all we want is a level playing field." Whenever I hear that I reach for my wallet. What it usually means in this case is they want the government to give them somebody else's property, and property rights are really at the heart of technological progress.
At a recent breakfast I attended, an FCC commissioner noted that consumers are creating buying groups on the Internet, which is great. So by posting a notice, thirty of them can get together and if they want to buy, let's say the same make of cars, say they all want to buy a jeep, they can go direct with a lot of buying power and buy a jeep at a lower cost. Well, I had to point out to him that unfortunately in many states, in fact, in most states, this is against the law and it's getting worse. What you're finding is the car dealers, and not just car dealers but middle men of all sorts, are busy in state legislatures, going to the state legislators and saying "We don't want consumers to be able to buy directly from manufacturers." That's a problem. That's special pleading on behalf of individual industries.
Consider another example: For a year America Online campaigned in Congress and state legislatures and in city councils across the nation to get laws passed that would force cable companies to permit AOL to use a government fixed price for cable pipelines that the cable companies, at great expense, laid down. The cable companies, such as Cox and AT&T, have shown that they have every intention of selling access to their pipes to other companies. That's the business they're in, but it is they and their clients, not city councils and state legislatures, that should decide the terms. Then in January, and this is a deliciously ironic story, AOL announced that it was buying Time Warner. You all probably know that it has 13 million cable subscribers. Suddenly AOL is now in the cable business and the shoe is on the other foot. Now, in a very embarrassing reversal, AOL has said "Oh, never mind. We don't really want the government to intervene in this area. At least not in our business." But, unfortunately, it may be too late. I was just in San Francisco where the San Francisco Board of Supervisors is moving ahead, and there's also some possibility that something will happen here in L.A. on this subject. In Portland, Oregon, a federal court will soon rule on whether local governments can become Internet regulators and a lower court said they could.
The problem is that when you ask the government to come in and help, you basically create a Trojan horse. Perhaps the most egregious example of government action aimed at helping companies instead of consumers is the Microsoft antitrust case which may lead to settlement soon, although I think it's a shame that it's now cost investors tens of billions of dollars. It's cost consumers a lot, too, as the Microsoft management has been distracted from making great products to fighting a lawsuit and now it's not just the federal suit--we've got nineteen state attorneys general who want to get in on the act and 60 class action suits. Companies that believe they were wronged by Microsoft have a recourse. They can go to court, but boy, it's a lot easier to get the government to go to court on your behalf and that's what's happened.
Finally, rule four, very briefly. I know that this is an area of great interest to the World Affairs Council. Promote free trade around the world. All the countries win in a free trading system, but the U.S. wins more than anyone else. The whole world wants our tech products, the whole world is learning English to communicate across our networks, the whole world wants our medicines, our airplanes, our Air Jordans, our Disney movies, and we lead the world in these great high margin businesses. At Techcentralstation.com we are examining these vital issues at the intersection of technology, finance and public policy. It's an exciting area, a vital area, one where principles, and I want to stress that, principles, are at least as important as nuts and bolts, or in this case, as bytes and microchips.
I thank you very much, and Scott is next.
Scott Charney:
Thank you. I'd like to start by defining what cyber crime is because it's a term that is bandied around all the time and people use it to cover all sorts of behavior. In reality, computers play three different roles in criminal offenses. First is that they're targeted. That means that the actor's conduct is designed to steal information from or cause damage to a computer system. Second, they're tools to facilitate traditional offenses. You put up a website to defraud consumers, it's still fraud. You can use computers to distribute child pornography, it's still distribution of child pornography. Third, computers are storage devices. They are repositories of evidence.
Now the real issue for most of us dealing with computer crime is category one--targeting confidentiality, integrity and availability of systems--CIA--easy to remember, and we've had cases. In fact, computer crime is nothing new. Let's go back a minute. 1986. An astronomer named Cliff Stoll was at Berkeley and his grant had run out and they put him in the computer science lab to solve a small but vexing little problem. Berkeley was running two accounting programs. They would watch people use computers, the accounting programs would bill them for their use and all of a sudden in these two programs there was a $.75 discrepancy. So the experts couldn't figure out why these two programs had a discrepancy--they're tracking computer use, they're tracking the same thing. What Cliff Stoll figured out was someone had broken into the Berkeley system and when the person broke in he created an account in the name of Hunter in one of the accounting programs. Now, if you were a legitimate Berkeley user you would get an account name and a corresponding account number and every time you signed on you'd enter your name and your number. One program would track you by name, one program would track you by number. Because this hacker didn't realize that he created an account name but he never set up a corresponding account number, so when he signed on one program tracked him, one did not. There's a $.75 discrepancy--what does Cliff do? Cliff Stoll comes to the federal government. He says "Someone has broken into the Berkeley system." We said "What's the damage?" He said "So far I'm up to seventy-five cents." So we sent 200 agents out to Berkeley. No, we should have sent them. [Instead, we] said "Look, we don't do seventy-five cent cases. Go away."
And what Cliff did was, to his credit, he investigated on his own with the phone companies and basically he tracked it back to a guy named Markus Hess in Germany, one of three hackers known as the "Hanover Hackers" who had been paid by the KGB to steal sensitive military information off the military branch of the Internet. So we declined the case. It was KGB espionage. We learned two things. Number one--in a network environment your information is not safe. Just look at the way government agencies and companies protect information: they lock it in safes, the safes are locked in offices, they put gates around the building, they have guard dogs. When the Internet came, they started developing and storing all this property on computers. They look out the window at the guard dogs, they go home at night, they think they're safe. Not true.
The second thing we learned is that dollar loss has nothing to do with the seriousness of a computer crime--an issue I will come back to in a minute. That's an example of a confidentiality attack. Let's talk about an integrity attack. There was a hacker in Seattle who was convicted in state court of stealing computer equipment. He was sentenced to prison. Like many people sentenced to prison for nonviolent offenses, the judge gave him a surrender date. What that means is you say to the defendant "You can go home, tell the gas company you're going on vacation for sixty days, pay your bills and then show up at the prison on a certain day," usually about sixty days hence. So the defendant goes home and he has an idea. He decides to hack into the District Court and commute his own sentence to probation. This is a good plan and here's why. As an old programmer, we used to have this term GIGO-- "garbage in, garbage out." You put in bad data you get out bad data. But now it means garbage in, gospel out.
Here's what will happen. A guy will go home, he'll change his sentence to probation. Now what would normally happen is sixty days later the prison would get a list of the people who were supposed to surrender. If you're on the list, but you don't show up, they issue a warrant for your arrest. If you're not on the list, no problem. So what he does is this: he wants to attack the court house, but he doesn't want to dial directly into the court house because then they'll trace it right back to his house. So he hits Boeing, the avionic giant. He goes to a machine that they use to develop software to fly planes. He then hits the court house. This is the sad part of the story: He was convicted in State District Court--he hit the Federal District Court. He got convicted again. For Boeing, they said "We have no reason to believe he did any damage to our system and we didn't admit to any damage but we can't take the chance, because if he intentionally damaged something to which he is not confessing, or he accidentally damaged something, a plane could go down." It cost them $75,000 just to confirm that nothing had happened. That's an integrity attack.
The last kind of attack is the "A" in "CIA"--availability. The Yahoo and the eBay cases are cases of denial of service, but this, too, is an old problem. 1988: Robert Morris, Jr. is a student at Cornell University. He reads the Unix Source Code. Unix is an operating system that is widely used, and he finds a bug--finds a problem with the source code. So what he decides to do is write a little program and launch this little program to show the world that there's a flaw in Unix. So he writes this program and he sends it on its way. Unfortunately for Mr. Morris, he made a programming error, and the program replicated itself far more often than he had intended. Within twenty-four hours he shut down 6,000 computers around the world. So Mr. Morris goes to a friend--he's panicking now. He tells his friend what happened and then he goes and tells his father, Robert Morris, Sr., head of computer security at the National Security Agency at Ft. Meade, Maryland. Robert Morris, Sr., calls the FBI and says basically "I think you should talk to my son about this worm." In law enforcement terms, that's called a "clue." Robert Morris was convicted after a jury trial in the Northern District of New York in Syracuse. This was 1988. The story was carried by the New York Times because it was into technology but virtually no one else was.
So these attacks on computer networks that everyone is talking about today have, in fact, been around for a long time. The difference is we're far more dependent on the networks today than we've ever been before, and these availability attacks raise the issue of critical infrastructure protection. The concern, loudly voiced now around the country, is that attacking certain critical networks will disable the U.S. economy and so badly affect national security and public safety that we need to do some fairly dramatic things. The problem is, you can think of a whole bunch of networks that, if impaired, would just crawl us to a halt. Telecommunications, banking and financing, power delivery, there's a whole series, transportation. The concern is both that a network itself will be taken down and, too, this concern about what we call the cascading effect, which is how an attack on one network affects other networks. If Telecom goes down, how do banking and finance do electronic funds transfers? Is this theoretical? No, we've had a case.
A juvenile in Worcester, Massachusetts attacked the phone switch in the town of Worcester. He hacked the switch and the switch asked him a question--"Do you wish to reinitialize the switch? Yes or No?" Well, he had a fifty percent chance, but he guessed wrong. He said "Yes, reinitialize the switch." What that did was throw away all the settings that had been installed by the phone company and put the switch back to its default mode as if it had just come out of the box from the manufacturer. As a result of that, phone service in part of Worcester, Massachusetts, was disabled. So, you have an attack on a telecom switch and you lose telecom services. Why is that a cascading effect? It turns out that that switch serviced a small airport. It was an unmanned tower. When planes were flying in they would radio the tower, a signal would be sent across the telecommunications network to turn on the landing lights on the runway. Planes coming in radioed the tower, lights don't go on, airport closed, planes diverted. So we had a transportation failure based on a telecommunications attack by a juvenile.
So, obviously these are big issues. Now, there are two other things to think about in this area. One is the power of this technology and how, particularly in world affairs matters, that makes things very hard to address in sensible ways. Here's why. If you remember in the mid-1980s a Korean jetliner went down. Everyone supposed it was the Russians; they denied it for the world's longest time and finally they admitted that they had done it. Prior to their admission, everyone knew it was either state-sponsored or a rogue state agent. Why? Civilians do not have access to fighter jets. But now you have very powerful technology in the hands of everyone. You can disable a transportation network, not with a fighter jet, but with a small PC sitting in someone's home. Now, the government has ways of dealing with such problems. If they think it's criminal, they dispatch law enforcement. If they think it's espionage, they dispatch foreign counter-intelligence authorities; if they think it's information warfare, they dispatch the Defense Department. The difficulty is, when you are being hacked, even if it's a critical system, what do you know about what's happening to you? You don't know who's doing it, from where, or why. The only thing you can say with any certainty is that the hacker is somewhere on planet Earth. Knowing only that, what powers do you exercise when you have a problem?
I'll give you a case in point. A couple of years ago I got beeped at 2:00 a.m. from the Defense Department. We were gearing up for air strikes against Iraq and suddenly the Defense Department computers were under attack from the Middle East. Fortunately, the people at the Defense Department who called me also understood this technology, but they said "We are concerned that maybe this is an information warfare attack. That someone is trying to cripple our network so that we can't launch air strikes against Iraq." I said "OK, where are the attacks coming from?" They said "The United Arab Emirates. This is as far back as we've traced it so far." I said "Well, the last time I looked they were our friends." They said "Yes, but we also don't know where it's really coming from." And I said "Yes, and we also know that means it could be coming from anywhere in the world." We did track it back to its source. It was two juveniles in Cloverdale, California, who were looping through the Middle East and then coming back and whacking U.S. Defense Department sites. We had another hacker in the United Kingdom who went through the United States into a North Korean nuclear facility, and our biggest concern was that the North Koreans would think it's us. And it wasn't.
To show you how difficult it is in this environment, I'll leave you with one more story about the globalization of the Internet, because companies want borderless activity, and they want to be global, but in fact all countries are not our friends. We do have borders for a reason, and part of that reason is so that you can protect your own citizens from the laws of others. Go back to 1992. President Clinton is just sworn in and they decide one of the first things they were going to do is tackle health care. They start looking at health care programs and one of the options on the table is a national health care system. Everyone will pay money into the government, the government will pay all claims. This is a good plan because the government handles money so well.
At the same time I get a call from Don Peragoff [sic]. I'm at the Justice Department in the U.S.; he's Justice Department in Canada. He says he wants to come down and talk about computers. So he comes down with some guys from the RCMP. They're sitting in my office and he says "You know, in Canada we have a national health care system." I said, "I know. We're looking at a potential model for the United States." He says, "Well, we have fraud in the health care system." I was shocked. I couldn't believe it. Fraud! I said, "So what." He said, "Well, we do health care fraud investigations." I said, "So do we. So what?" He says, "Well, we have to go get health care records and insurance records and government records." And I said "Well, we have some government records, Veteran's Administration, it's mostly private stuff. So what?" He says "Well, even though they're government records we have to get a search warrant to get the records because of privacy laws in Canada." I said "Well, that makes sense. We have search warrants, grand jury subpoenas and a judicial process, and medical records are private." He said, "That's right, but we realize we could have a problem. Let's suppose we're investigating a health care fraud case and we think the system administrator is involved in the fraud." I said, "Well, that would be bad." He said, "Right, because we'll go and give him the warrant and he'll hide information, he'll produce the wrong records. It's really bad." I said, "OK." He says "So, here's what we've decided to do. If we think the system administrator is involved in the fraud, the RCMP are going to get off their horses, handcuff the guy, and then they're going to execute the warrant and they're going to seize the data." So I said, "Don, why do I care about this?" He said "The Canadian health care records are stored in the State of Ohio." So I said, "You can't do that. You have no authority to execute a Canadian search warrant on U.S. territory." 
And he said, "But, they're my records." And I said, "Then you shouldn't have stored them in my country." I said, "Why would you store the Canadian health care records in Ohio?" And he said, "It's funny but storage is a lot cheaper in Ohio than in Ottawa."
Thank you very much.
Robert Logan:
I'm going to talk about hacker and security experience more from the university view point because that's where I am. Caltech ITS does two things besides being the internal ISP for Caltech running the network. We also provide service for the Caltech community which means we have dial ups and ISDNs and cable modems. So we see everything from the ISP viewpoint, kind of like a mini-Earthlink, but we also run the computers for most of the academic folks and students. So we see hacking from their viewpoint, too. As Scott mentioned, one of my machines was taken down by the Morris worm in 1988, and we all scratched our heads and we finally figured out where it was.
Actually, hacking started before that. I think my first real introduction to hacking over the Internet was once we had scheduled some down time for one of our big servers, time-sharing servers. Now you could probably buy one for $400 at CompUSA, but for the time it was pretty big. As we started shutting it down we noticed that all the files were going away and what it turned out was some hacker had gotten into it and had not read the message of the day, which clearly stated "This machine is going down at 10:00 for maintenance." He thought we were on to him, so he was erasing all the files. We eventually did, I think, find that guy who was hacking in from another university, UCI [University of California at Irvine], and we managed to talk to their security folks and they had a video camera in the lab. He was not a UCI student, he was off the street, and had a security camera in the lab, and so we got to watch the video of him being arrested.
Unfortunately, we have something like five or six hacking incidents every day, and we've never had anything quite that exciting. So why are the universities targets? Why were they targets? Well, first of all, that was all there was twenty years ago and then, as now, they had good Internet connectivity, big fat pipes as opposed to somebody who dials up on a 56K modem--of course, back then it was more like 300 baud. The university did not have a name recognition problem. You could say "Oh, what's a good university? Well, OK, how about Caltech.edu?" This was before searches. You didn't even need a search engine to figure that out, and one of the main reasons is that there are always vulnerable systems at a university and that's just because of the way things are done. Typically, a new grad student's professor would hand him a new machine out of the box and say "Here, here, go set this up." And he would, and he'd get it tuned up pretty nice. Eventually he'd graduate, and this machine could live on for years and years. One of the first commandments of running servers is that you need to keep up with all the security patches, like every day, and so you can see after about a year it's going to be pretty vulnerable. As a matter of fact, sometimes you get so lost. There was this machine, its name was Kalihari and for about a year it was doing moderately bad things, but not bad enough so we wanted to find it, and we'd inquire, "Oh, where's this thing, where's that thing?" And nobody knew about it. Finally, we broke into it ourselves, took the list of users, matched the names and started calling them up one at a time: "Hey, do you remember this machine, remember this machine?" It was actually locked in a closet, piled behind a bunch of stuff. It was still plugged in, still plugged into the net, and so you can imagine how long it would take a hacker to get into these days.
Who are these hackers? Well, in ancient times--three years ago--they actually needed some moderate skills to find the system and understand, "Oh, yeah, this is a VSD system, or this is an SGI system". But now technology has aided the hackers probably more than it's aided the cyber-cops. There are hacker chat rooms where they share information. Some of the more skilled ones set up scripts that any one of you here could use, if you can read a two paragraph description of what to do. It says, you know, "choose your target" or you don't even have to choose anything. You can have a random number generator that goes and probes all over the net until it finds a list of vulnerable systems, and then you can look at them and say "OK, I'll go attack that one." And you can likely get in. Or you don't even have to do the search, because there are places where they share: "Oh, here's a list of a thousand systems, and here's what they are, here's what they're likely vulnerable for." We call these people script kiddies. So if you ever hear that term that's what it means.
So why do they do that? Well, there's not a heck of a lot of commercial interest you could steal at a university. There is, but all the ones we know about who attack us have been doing it for primarily two reasons: one is for bragging rights--the ones who get caught, who we find out about--bragging rights. They're juveniles, they just want to show their friends that they can do this kind of thing. The second reason is vendettas. Because of chat rooms, people are in chat rooms all the time now, and people get into fights and one of the things they want to do is shut down their new-found enemy. So what they do is they hack into, because of our good connectivity, a university machine or several hundred university machines and send packets of various kinds at their enemies such that you can't use the Internet connection any more. Some years ago, actually, they used to end up shutting down entire what we called "Mom and Pop ISPs," that only would have a fairly low-speed Internet connection. They could easily stop all of the customers from doing any activities.
Now, as mentioned, another reason they do it is just to hide their tracks, if they actually want to do something. These may be actually people who'd want to do commercial espionage or something like that. One of the things they would do is come to a hacked-in system as part of hiding their tracks. And in fact during the Serbian war, the Kosovo war, we noticed we could usually trace back one or two steps to see where they're coming from and we noticed a big spike in people coming in from Serbia, and we're in touch with some military police and so on. Because they were, in fact, trying to do some of that. But ninety percent of the stuff we see is just juveniles--or juvenile in spirit anyway. Doing it for bragging rights or doing it to get at one of their targets.
But this is now changing. As I said, universities had good connectivity and that was one of the main attractions. But now with DSL and cable modems, I presume probably a handful--or more than a handful of you people--have always-on connections now, and many people now have their own domain names, JohnDoe.com, so there's not a bigger pull for the universities, especially at least some place like Caltech. We monitor probes and we shut them down fairly quickly, but these scripts that go out and search for vulnerable systems now are just as likely to pick one of you as one of us. Should you be worried about that? Yeah, you should be worried. Should you be panicked? No, no you shouldn't panic. Due to the wonder of capitalism, there's now a big demand for what they call private small office/home office firewalls and intrusion-detecting systems which you can get from anywhere from $30 to $100, and you can also buy some low-end firewall products for $20. It's probably a good idea to buy stock in those companies.
Those who were first out with a product means they're likely to cut corners. Well we know they cut corners on the functionality of the thing 'cause they break. So you can imagine that they're certainly cutting corners on checking for security problems, and a lot of it [shows they're] just not thinking. Take the Word macros, Microsoft Word's macros, which nobody thought that there would be a security hole but they are because they allow someone to send you a document which can essentially take over your own PC, and hide a Trojan horse, they can do things later, hunt down interesting information like your tax returns or whatever, and send it off. But of course that's still at a relatively low level.
Another problem with commercial software is, for instance, you buy a work station from Sun or SGI, they ship it with the default configuration of everything turned on, mail servers, every bell and whistle is all set and ready to go, and when you call them on it, they say "Well, you know, we sell to corporations and we assume they have a secure net behind firewalls and a big security staff to make sure everything's ok." It's not true at the university and it's probably not true in your home. But that's the way they're set up, so you have to take some care when you bring up a new system, make sure it's not changing passwords, for example; because now someone on the Internet could get on to it in a minute. In fact, we have some colleagues working for oceanographic research places and they say "Well, you know, we set up these Linux boxes and go out to sea, and everything's fine. We come into port, plug in the power, plug in the Internet, and within a day all the Linux boxes were hacked into." They figured out, "Well, you know, we can't just plug it in right out of the box."
We can point our fingers at the OS and application vendors, but what do you do now? The ISPs could be more helpful on tracking back to the previous site. Right now if you're eBay, and you're under attack, you can call up your ISP account manager and get action right away. But if you're Johndoeconstruction.com, working out of a garage, you know you can call your ISP and you'd be lucky if you got a call back in a couple of weeks. But there are privacy concerns about that, too, and one proposal is that every so many packets there has to be some kind of identification sent out so that they know where it came from. But it's a trade-off.
There are some elementary things that people should do, like make sure that every packet has a source address. But a hacker can come in and send out a packet with a bogus address. It's called "spoofing," and it's called egress and ingress filtering. If all the ISPs and companies and you and your garage business were careful that all the packets going out had your name on it, that would also help in tracking things back. And as I mentioned there's a big business in firewalls. All the big vendors, Cisco, etc., have firewalls and there's independent firewalls you can buy to install on, say, a Linux box for $100. Also, intrusion detection units are somewhat similar to the anti-virus business. Years ago viruses came out: "What do we do, what do we do?" and now there's a market--you have a choice now of tens or maybe even a hundred anti-virus programs. And I think that you'll see the same thing on intrusion detection and virual products. If you want to know more, you can search for "security" on any of the Internet search engines and you'll get more hits than you know what to do with. Most of the people that offer these intrusion detection or personal firewall products make an attempt to explain them fairly well on their websites, although I must say you still have to be somewhat technical to really do it right. But, on the other hand, you can get rid of 90 percent of the risk just by having one of these products and that's it. On to the panel discussion.
Thank you.