The end of e-innocence
By DUNCAN CAMPBELL Sunday, September 5, 1999
The giant has stumbled. On Monday, Microsoft, the Seattle-based world leader in computer software, learned of a computer hack that had opened up the private accounts and personal e-mail of 50 million worldwide users of its free Hotmail message service.
If Monday's news was bad, Saturday's was almost unbelievable. Security specialists revealed that almost every computer in the world that uses the Microsoft Windows operating system has a secret program built into it that can be controlled by the US intelligence agency, NSA.
The insecurity of Hotmail was an accident. But the loophole that appears to let US intelligence agents run secret programs in any Windows-based personal computer is a deliberate act. As news of the loophole spread, groups concerned with Internet privacy reacted with anger and astonishment.
Details of the secret back door in Windows emerged two weeks ago, thanks to carelessness by Microsoft programmers. It is built into the main program providing security within Windows. Any flaw in this program could make a computer vulnerable to external attack, usually via the Internet.
Computer security specialists have been aware for two years that there were unusual security features built into Windows. But it was not until last month that a US scientist reported evidence linking the mystery features to NSA.
Andrew Fernandez, chief scientist with Cryptonym, Ontario, was examining the latest updates of the Windows New Technology (NT) system, used by businesses all over the world. He found that Microsoft's developers had failed to remove identifying labels used to debug problems before sending the programs out to users.
Fernandez found that there were two keys that made Windows security functions work. One, used by Microsoft, was called KEY. The other was labelled NSAKEY. When he and other experts challenged Microsoft's programmers about the purpose of the NSA key, they refused to answer - or to say why it had been put there without users' knowledge.
Yesterday, Microsoft claimed that the second key also belongs to them and that it is used to ensure that its software complies with US export restrictions. Computer experts refuse to accept this account, since the company previously said that that was the purpose of the first key.
According to Fernandez, the result of having the secret key inside your Windows operating system is that it is tremendously easy for the NSA to load unauthorised security services on all copies of Microsoft Windows. "Once these security services are loaded, they can effectively compromise your entire operating system.
"For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying," he added. "It's making it easier for the US Government to access your computer."
In contrast, what the Hotmail hack revealed on Monday was simple, but devastating. With a few lines of simple programming, anyone anywhere could tap into anyone else's e-mail account, reading their post. They could send letters out in their name. As Microsoft watched last weekend, the "how-to-do-it" hacker code spread around the world, from website to website used by the computer underground.
Microsoft had no choice. At 2am on Monday morning, they pulled the plug and shut their service down. Programmers worked through dawn to re-engineer the entire system. Then they had to ensure that the fix was safely installed on dozens of computers around the world that ran the Hotmail service. Until that was complete, vulnerabilities remained.
It wasn't the first flaw in Hotmail that the computer underground has detected and publicised. It wasn't the first flaw to be found this year. It wasn't even the first flaw exposed in the same week.
Last week's loophole had been exposed by Hackers Unite, a mostly anonymous international group whose only identified member lives in Sweden. Just a few days before, however, a Canadian programmer had announced a method for sending a Trojan horse message to Hotmail users. Soon after they opened the message, their computer would mail their secret personal passwords to a waiting snooper, who could then have access to their mailbox.
To experienced Internet hands, these were just more examples of computer systems and networks that have grown too far, too fast, and in careless hands. But this one hit the front pages around the world. The simplicity, scale and significance of the Hotmail flaw impinged on global consciousness like no problem before.
The message was clear: the brave new world of the 21st century information age is built in a swamp, on a quagmire with bottomless pits of insecurity, rickety structures, no safety rails, and a dark population of privacy stealing demons. Public trust in the safety of cyberspace took a nose dive. It will not easily recover.
Delusion and disappointment
To early preachers of the hopes of Internet liberation, such as US media pundit Douglas Rushkoff, cyberspace is already tarnished, turned in a few short years from a people's electronic park to a new stomping ground dominated by manipulative advertisers, traders and con artists. His new book Coercion, published in the US on Wednesday, confesses his disillusionment with the new media he once cited as the hope of humankind. Monday's message added to that gloom and disappointment. And it promptly got worse. Less than 24 hours after riding the Hotmail crisis, Microsoft announced that all the software it has been distributing for the last five years is fatally flawed.
In a bulletin published that morning, Microsoft explained that anyone who has ever used its web browser, Internet Explorer, may unknowingly have turned control of their personal computer over to a malicious third party. According to the Microsoft announcement, if you use or have used Internet Explorer to look at a web site that contained suitable hidden code, the writer of the booby-trapped page and not you may now be in charge of your computer.
The net effect of the vulnerabilities is that a web page could take unauthorised action against a person who visited it. Specifically, the web page would be able to do anything on the computer that the user could do, says Microsoft.
Anything! If a flaw as serious as that affected kettles, electric trains, or teddy bears, the manufacturers would be expected to take action, advertise prominently to their customers, send out safety devices or even withdraw their products. Not so Microsoft. Unless you happen to have read Tuesday's security bulletin, and downloaded and installed the security patches they offer, your computers are still vulnerable. The malicious code writers could have got in yesterday or they may get in tomorrow.
With an attitude like that, it's no wonder that the computer underground hates Microsoft like nothing else on earth. It's not just because Microsoft boss Bill Gates is the richest man in history, with a wealth beyond many states. It's because Microsoft's virtual monopoly has foisted on most of the world an operating system that is inherently insecure, unreliable, and easily open to serious abuse.
Some members of the computer underground search for security holes in order to exploit them maliciously; others do it to win peer group acclaim or for intellectual satisfaction. Bulgarian hacker Georgi Guninski, who identified the Internet Explorer security flaw, had already exposed many dangerous flaws in Microsoft products.
Tuesday's bulletin was the 32nd Microsoft security warning to go out during 1999. Since then, another two warnings have been prepared. Yet, unless you know where to find the warning bulletins, keep going to them, and follow the instructions in each one, you will never know how unsafe it is to walk alone in cyberspace.
Until this week's revelation of the NSA key inside Windows, no underground computer group has pilloried Microsoft more effectively than the Cult of the Dead Cow. Two months ago, one of its stars, known only by his hacker nickname of DilDog, released the latest version of an astonishing program called Back Orifice 2000.
Back Orifice is precisely the sort of program that ruthlessly exploits loopholes like those exposed on Tuesday. If it is loaded on a computer without the user's knowledge, it sneaks in the back, unseen, and literally takes over. It can change files, delete data or relay information to remote observers. It can switch off your computer, lock you out, and wipe your disks. The name is a deliberate play on the title of another Microsoft program, called Back Office.
The Cult of the Dead Cow say, cheekily, that Back Orifice 2000 (BO2K) was written with a two-fold purpose: to enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind. Anyone visiting their web site can download a copy of BO2K within a few minutes. Where they put it is up to them.
Microsoft, say the Cult of the Dead Cow, wasn't thinking of making computers foolproof when they put together their operating systems. By releasing BO2K, they and fellow hackers hope graphically to demonstrate the insecurity of Windows, and to compel users to think about safer computing.
The scary aspect of these loopholes and dangerous programs is that we only know about them because the hackers and computer scientists who found them chose to publicise them rather than exploit them. No one knows what other loopholes and rogue programs are out there in the wild doing their harm unseen and undetected.
These worries notwithstanding, the chances are that few people will pull the plug on the Internet and wrap an electronic condom around their computer. But they will have learned an important lesson about trust. Don't.
The Internet has reached a defining moment. It's the end of the age of electronic innocence.