Scientist Blames Web Security Issues on Repeated Mistakes
May 24, 2005 5:00 AM PT
Scientist Peiter "Mudge" Zatko makes his living anticipating and protecting users against the next generation of cyber threats. His problem is simple: When he talks, not everybody really listens.
If they did, the next generation of cyber threats wouldn't be lurking around the next unprotected computer.
Zatko was a witness for the House and Senate Joint Judiciary Oversight Committee and testified before the Senate Committee on Governmental Affairs in 1998. There he warned that, if they were so inclined, hackers could bring down the Internet in 30 minutes and keep it down for several days.
Government officials took note of his views. In 2000 he was invited to participate in a security summit with former U.S. President Bill Clinton and ex-Attorney General Janet Reno.
From Zatko's view, the Internet is a hostile environment because those who use it keep repeating the same mistakes over and over again.
Zatko sees the Internet as being strained from misuse and badly needing repair. It might be broken, but it isn't beyond repair, he believes.
"We haven't learned too well from previous and current threat levels to buttress ourselves against new threats," security expert Zatko told the E-Commerce Times.
He said program designers and network engineers continue to make the same mistakes as the proponents of an arms race: every small change on one side is answered with more changes on the other.
"We can't keep playing a catch-up game with security measures any more," he said.
He offered poorly written programs as just one example. Take, for instance, buffer overruns. Software critics wrongly preach that if buffer overruns were eliminated, all would be safe on the Internet.
"If we got rid of all of them, there wouldn't be any difference. There are plenty of other vectors made available in program code," he said.
One of the biggest problems with hardening the Internet is the countless holes found in application coding. This is where poorly written programs once again rear their ugly heads.
From Zatko's perspective, Internet security issues won't go away until programmers stop tainting code. Program coding is based on trust, but that trust is misplaced when programmers create access holes.
Tainted coding occurs when a program makes calls for certain convenience actions using data it has not verified. For example, a program will contain code that opens particular files or connects to other computers based on input it simply trusts.
Hackers put these coding vulnerabilities to good use. They easily tap into binary executables, Zatko said.
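The "misplaced trust" Zatko describes is easiest to see in a file-access call fed by unverified input. The following Python is an added illustration, not code from the article or from any of Zatko's tools: a hypothetical `read_attachment_unsafe` trusts a caller-supplied file name and lets it escape its directory, while `read_attachment_safe` resolves the path and refuses anything outside the intended base. The sample files are constructed in a temporary directory so the block runs offline.

```python
"""Tainted input reaching a filesystem call: unsafe vs. confined.

Added example. Function names, the attachments directory and the
sample files are assumptions constructed for this demonstration.
"""
import tempfile
from pathlib import Path


def read_attachment_unsafe(base_dir: str, user_supplied_name: str) -> bytes:
    # Vulnerable pattern: the tainted name is joined onto base_dir and
    # passed straight to the file-access call, so "../" walks out of it.
    return Path(base_dir, user_supplied_name).read_bytes()


def read_attachment_safe(base_dir: str, user_supplied_name: str) -> bytes:
    # Hardened pattern: resolve both paths (following symlinks and
    # collapsing "..") and require the target to stay under the base.
    base = Path(base_dir).resolve()
    target = (base / user_supplied_name).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(
            f"refusing to read outside {base}: {user_supplied_name!r}"
        )
    return target.read_bytes()


def demo() -> dict:
    """Run both variants against constructed files; return what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        attachments = root / "attachments"
        attachments.mkdir()
        # Constructed sample data: one legitimate file inside the
        # directory the program is meant to serve, one outside it.
        (attachments / "report.txt").write_bytes(b"quarterly report")
        (root / "secret.txt").write_bytes(b"constructed secret")

        result = {}
        result["legit_unsafe"] = read_attachment_unsafe(str(attachments), "report.txt")
        result["legit_safe"] = read_attachment_safe(str(attachments), "report.txt")
        # The unverified name escapes the directory in the unsafe variant.
        result["escape_unsafe"] = read_attachment_unsafe(str(attachments), "../secret.txt")
        try:
            read_attachment_safe(str(attachments), "../secret.txt")
            result["escape_safe"] = "read"
        except PermissionError:
            result["escape_safe"] = "blocked"
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check compares resolved paths rather than string prefixes, so a symlink inside the directory that points elsewhere is also caught; a plain `startswith` on the unresolved string would not be. This is the kind of explicit boundary that a program relying on trust alone never enforces.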
No Silver Bullet
There is no single solution to Internet security, according to Zatko. The fault lies in the abuse of critical infrastructure.
"The Internet is nothing more than a collection of protocols strung over a common line," Zatko said.
Part of the problem with the failing infrastructure lies in overtaxing the intended use of the Internet.
Zatko likened the weakness to an automated teller machine. He said people don't expect to be able to play a game on it while completing a transaction.
"So why do the protocols for the Internet have to stretch to other catchall uses?" he asked rhetorically.
Not Seeing the Solutions
For the security problems inherent in the Internet to be solved, Zatko said, the people looking for solutions have to move between fields.
"We need to break up the old boy network," Zatko said about finding solutions to the security problems.
That cannot happen until experts in their particular fields cross the boundaries of their own disciplines. Zatko said scientists have to take advantage of each other's strengths by cross-fielding their knowledge.
"New minds can see trends in others' fields," he said.
Security issues are worsening because scientists and engineers keep making the same mistakes. Utilities have moved onto the Internet. So has telephone service.
This only adds to the burdens of the security-weakened Internet. Critical utilities are now running on vulnerable computer networks.
He said Microsoft made the same mistake by building one complexity onto another one.
"Look at Linux. The same mistakes were made there," Zatko said. "We have to decentralize where the research is going."
What Has To Happen
Clearly, the Internet is heading for a catastrophic failure. However, that doesn't have to happen, Zatko believes.
To prevent an Internet catastrophe, people have to wise up and fix what is wrong with it, he maintains.
"Hackers don't really want the Internet to fail. It's their livelihood," Zatko said.
He does see signs that industry is realizing this. He sees the technology industry moving back to dedicated devices instead of multipurpose devices.
"We need to continue this trend. We need more of the thin servers," he warned.
What It Will Take
The minders of the Internet will start to pay closer attention when not doing so becomes too costly, Zatko predicts.
People will stop repeating past mistakes when the Internet becomes too risky, too painful, and too difficult to use safely.
"That's when people will demand government regulation of the Internet," Zatko predicted.
At a Glance
Zatko has a long track record of success in the security industry. He most recently founded Intrusic, the first security software company to target the "Insider Threat." He is renowned for running L0pht Heavy Industries and later founding @stake Inc., a hacker research collaborative and consultancy that released security tools such as L0phtCrack, which is now the industry-standard Microsoft password-auditing tool.
Zatko also created AntiSniff, the world's first remote promiscuous system detector that was used across primary Department of Defense entities. Other innovations by Zatko include Tempwatch, now a distributed component of Linux and BSD distributions, and SLINT, a pioneering tool in automating source code analysis to discover security coding problems.
Zatko in March rejoined BBN Technologies as a division scientist. BBN Technologies is an advanced technology and research and development firm. Zatko joins a group of over 75 scientists and engineers at BBN who perform leading-edge research and development to protect Department of Defense data and systems and who are also well known for their IP security expertise.
"It's exciting to be back at BBN, working alongside the very people who helped invent the Internet and defending against some of the toughest information warfare threats," Zatko said. "I've often said that my personal mission is to 'make a dent in the universe,' and what better place to do that than at BBN, where the focus is on protecting vital networks from the most critical and challenging attacks."
He originally joined BBN Technologies in 1994, before founding @stake and Intrusic and consulting for the White House, the Pentagon, the FBI, and Fortune 500 companies.
"BBN is currently tackling some of the toughest security problems for our government and high-profile corporations," Tad Elmer, president of BBN Technologies, said.