Totem and Taboo in Cyberspace
Fourth edition, April 2001
M. E. Kabay, PhD, CISSP
Security Leader, INFOSEC Group, AtomicTangerine Inc.
Reprinted with permission from Security Portal
We are seeing today a period of exploration and development in a new realm reminiscent of the colonization of North America by Europeans. As in the American experience of the frontier, there are colonists and Amerinds, soldiers and outlaws, priests and thieves. The frontier is cyberspace: that immaterial world where we have phone conversations; where credit card information travels while we wait for approval of a purchase; where our medical records and sometimes our credit records paint a picture of our pains.
For an increasing number of us, cyberspace is also the place we meet new friends and keep in touch with old ones, learn more about our hobbies and our professions, and work for social and environmental change. Electronic bulletin board systems have mushroomed throughout the world, ranging from country-clubs like CompuServe and Prodigy through the grungy cafés of the hacker underground and on into the pullulating bazaar of the great Internet, where philosophers rub shoulders with dropouts and where age, gender and race are only as visible as you want them to be.
Unfortunately, the spectacular growth of cyberspace has not been accompanied by rules for civilized behavior. Cyberspace at the end of the twentieth century resembles the frontier at the beginning of the eighteenth: bullies and criminals swagger electronically through the commons, stealing what they want, breaking what they don't, and interfering with decent people's activities. Far from helping to set standards of mutual respect, some government agencies have been acting like totalitarians rather than democrats. For all these reasons, we citizens of cyberspace must evolve guidelines for civilizing our new frontier.
The Granddaddy of All Networks
The Internet is possibly the most complex and rapidly-growing construct humanity has ever created. The cathedrals of medieval Europe pale in comparison with the electronic edifice that is the Internet. The Internet grew out of ARPANET, funded in the late 1960s by the Defense Advanced Research Projects Agency (DARPA). This experimental network linked a few universities and research laboratories electronically. ARPANET begat the Internet when the National Science Foundation (NSF) decided to make internetworking possible for many more universities than the first-tier institutions that had been in from the beginning. ARPANET itself disappeared as a formal entity in 1990.From the very beginning, the group inventing ARPANET had a refreshingly non-bureaucratic attitude towards their work. For example, meetings of the network coordinators at Bolt Beranek and Newman in 1968 had two ground rules: Anyone could say anything; and nothing was official. The current management style of the Internet reflects the belief in unhindered engineering excellence as the best way to find solid solutions for technical problems. This tradition of frank criticism and unfettered creativity has been misinterpreted by some newcomers to the Internet as an excuse for frank rudeness and unfettered criminality.
The Internet today functions like a combined mail route, supermarket bulletin board, and library. Electronic mail (e-mail) is much faster than paper mail ('snail mail' as it's derisively termed on the Net). Electronic Bulletin Board Systems (BBSs), Special Interest Groups (SIGs) or Forums allow us to post electronic notes asking for advice, help, friendship, and all the other dimensions of social interactions. There are electronic equivalents of newspapers ('news groups') and magazines ('moderated news group digests') dealing with interests from the sublime to the prurient. Scientists from distant institutions collaborate fruitfully on research without concern for geographical barriers. Textbooks and novels are posted on 'the Net' (the affectionate term for the entire Internet and all the networks connected to it in any way) for enjoyment and comment, sometimes coming out better for the free flow of criticism and advice. So many repositories of information are on the Net that doing research without using its resources is unthinkable for a growing number of enthusiasts.
Because the Net has grown by cooperation and consensus rather than legislation and government regulation, there is no way to know exactly how many people use how many computers on this fishnet of the mind. Generally-accepted estimates are that there are about 13 million regular users linked via roughly 1.3 million computers ('hosts'). Registration of hosts has exploded since the Internet community agreed to allow commercial firms to join.
According to a document, (named, in typical style, '/infosource/internet_info_for_everybody / how-big-is-the-internet/domain-survey-jan93') from the Network Information Systems Center at SRI International in Palo Alto, California, there was an 80.6% increase in the number of hosts in 1992. Of the 1,313,000 hosts, 410,940 or about a third were in the educational ('.edu') domain. Some 347,486, or about a quarter, were in the commercial ('.com') domain. The annual growth rate in 1992 for .edu was 69%, but the growth in .com was 92%. The advent of users from .com has elicited howls of protest from some quarters on the Internet; however, commercial users may bring new standards of behavior to the Net.
The total rate of information transfer in the Internet is unknown; however, it appears to be Tibibytes (Tb) per day. This number, 1,125,899,906,842,624 bytes, cannot reasonably be apprehended. A byte corresponds approximately to a character of text. This article has about 50 thousand bytes. A 1,000 page textbook might have a few million bytes (mebibytes, or Mb) of text; that there are a million Mb in a Tb. Even more astounding, the total traffic is growing by about 25% every month a 14-fold increase in a year.
A Moral Vacuum
Cyberspace is growing fast, and the values which inform our lives in physical communities have not yet found their way into cyberspace. Just as in the physical world, unethical, immoral, and illegal behavior threatens the agreements that allow people to live and work together in peace.
Many users of cyberspace are well-behaved. They are sensitive to nuance, capable of expressive and articulate prose, careful not to hurt feelings, and responsible in spreading verified information and not rumor.
However, we also find the cyberspace equivalents of slum lords, drug pushers, boors and bully-boys. There are people running private BBSs that cater to thieves, drug users, Nazis, and pedophiles. People who might never think of insulting a stranger to her face write nasty and juvenile notes.
Different service providers adopt different stances about the content of communications on their network. For example, the commercial value-added networks (VANs) Prodigy and CompuServe are among the most custodial in their attitude towards the message base. These services employ system operators (Sysops), volunteers who manage specific sections by monitoring traffic, responding to questions and cooling tempers. Some Sysops on commercial services and private BBSs explicitly censor unacceptable or irrelevant contributions, usually to howls of protest and hyperbolic invective from the censored authors. These howls are then themselves removed from view, prompting yet more appeals to First Amendment rights. As a Sysop myself, I have had to explain that the Forum or SIG is not public and that the Sysop has a responsibility to maintain a professional tone and to prevent abuses such as posting text files or software without permission of the copyright holders. Some moderated news groups on the Internet also have strict enforcement. For example, the RISKS Forum Digest is tightly controlled by its moderator, who personally determines whether any given message reaches the members.
At the other extreme, there are networks, Forums, SIGs and BBSs where anarchy reigns. Contributions are unfiltered, unfettered, frequently ungrammatical, and sometimes illegal. Some boards and groups pander to unusual sexual orientations, with hundreds of pornographic text and picture files available online. Others specialize in stolen or malicious software, and instructions on picking locks, stealing services and building bombs.
Such rude, unethical, immoral and illegal behavior puts the entire Net at risk from self-appointed as well as legally-delegated guardians of public morality and corporate interests. I fear that politicians looking for an easy target may impose restrictions on the content of electronic communications. Legislative interference would likely include requirements for paperwork and would render the volunteer job of Sysop impossibly demanding. The ultra-religious forces of intolerance could also seize the opportunity to attack a new den of iniquity, whipping up their doctrinaire supporters to acts of harassment, sabotage and even physical violence.
Crimes in Cyberspace
What kinds of problems are there? The issues boil down to theft of services
and software, invasion of privacy, outright damage, and the threat of terrorism.
In a landmark study, John Haugh and his colleagues at Telecommunications Advisors Inc. in Seattle, WA, have recently built up a staggering picture of the extent of toll fraud (using someone else's telephone services illegally) and telabuse (using one's employer's phone service without authorization). Haugh et al. consider that the total losses to the economy from toll fraud and abuse of corporate telephone systems are in the $2-8 billion range per year. Toll fraud rings using stolen telephone credit card numbers have been operating virtually unchecked in all major urban centers. The cycle often begins with 'shoulder surfing,' in which someone watches as a victim punches their access codes into a public telephone in a public place. Organized gangs of youths have been caught in New York's Grand Central Station and La Guardia Airport. Within days, the credit card can be used for hundreds of long-distance phone calls generating thousands of dollars of expense for the victim. Although the phone companies generally do not insist on repayment, these calls do cost the U.S. economy something: inter-carrier charges must be paid to the national telephone services of the countries of destination. Most of the stolen calls go to South American drug havens, certain Caribbean islands, and to the Indian subcontinent.
Some criminals use control codes or special tone generators ('Blue Boxes' and others) to steal telephone services; others dial into corporate phone switches using public 800 numbers, then use outbound lines for long-distance calls. Some victims have had more than a quarter million dollars of calls placed in a single weekend. The invoices from the phone companies sometimes fill several crates with thousands of call details -- all fraudulent.
Voice mail subversion is another tactic used by 'phone phreaks.' Voice mail systems allow callers to leave messages for specific employees. Unless supervisors pay close attention to usage statistics, a voice-mail system can become host to dozens of unauthorized accounts for strangers, thus putting an unexpected load on phone lines and consuming storage space on the voice-mail computers.
By far the greatest problem caused by criminal hackers is the loss of confidence in system integrity. Take for example a computer system used for production of mission-critical information. There can be no tolerance for error. Programs written for such a system are subjected to strict quality-assurance procedures; every program must pass extensive testing. When the operating system (the software that coordinates communication among programs and regulates access to different kinds of computer resources) has to be changed ('updated'), many system managers run acceptance tests over an entire weekend to ensure that there will be no glitches once production starts up again. It is considered normal to forbid programmers to modify production databases; and careful audit trails are usually kept to track exactly which specific user altered what specific records at any give time in the files.
Discovering unauthorized use causes chaos in the production shop. A hospital pharmacy discovers the transposition of two digits in its pharmacy database, leading to potentially fatal errors in drug administration for patients. A faulty program in a telephone switching center disrupts phone service over an entire geographical region. Since there is no way of knowing what intruders have done (criminal hackers do not leave neat system alteration notices), the only reasonable response to intrusion is to audit the entire production system. That means time-consuming, mind-numbing labor to run verification programs on all the data, careful comparison of every program with a known-good copy to see if it has been altered illegally, and hours of overtime for quality-assurance and system management personnel.
Page 1 of 2