The previous week saw three days of distributed denial-of-service (DDoS) attacks, disabling Yahoo, Amazon, eBay, CNN.com, Buy.com, ZDNet, E*Trade, and Excite.com for a few hours each. The flooding attacks were triggered from a variety of unknowing intermediate zombie systems that had been penetrated, although the launched DDoS attacks required no penetrations of their target systems. The events should be no surprise to RISKS readers. The likelihood of such attacks has been discussed for a long time, and scripts (such as Trinoo, Tribal Flood Network TFN and TFN2K, and Stacheldraht -- German for barbed wire) have been available as well. It may seem unnecessary for me to note here that our information infrastructures are riddled with vulnerabilities that made these attacks easy to carry out, but that is simply the way it is. The media had a field day with talking heads, soundbites, one-line quotes, speculations, and very little hard information on what techniques were used and who was responsible. I have just finished my April 2000 Inside Risks column for the Communication of the ACM on this subject, although it is clearly not an April Fool's joke. The column will appear on my Website shortly before 1 April, but I won't replicate it here. The following note from Lauren Weinstein was distributed to the PFIR mailing list. In general, RISKS will not reproduce PFIR messages, to avoid undesired duplication for readers of both lists. However, this particular message saves me the trouble of trying to PGN-ed-itorialize on all of the recent media reports in what is still an ongoing saga. Besides, RISKS-20.79 has been pending for too long already.
PFIR Statement on Recent Internet Denial of Service Attacks (http://www.pfir.org/statements/02.09.00) PFIR - People For Internet Responsibility - http://www.pfir.org Greetings. The recent rash of "Denial of Service" (DoS) attacks on major Internet sites such as Yahoo!, E-Bay, CNN, and others, has caused outcries of surprise and consternation in many quarters, and has become the lead story for many newscasts. But these attacks come as no surprise to many of us, who have long predicted that these sorts of events would come to pass. It's basically easy to understand. Imagine a small firm with two phone lines. Now have 10,000 people at pay phones scattered around the world all trying to call that company at once, and hanging up as soon as there is an answer. Few (if any) customer calls will get through, and finding the perpetrators will be problematic at best. A variety of software tools are available for launching effectively anonymous DoS attacks on the Internet, which in many cases may involve otherwise innocent computers "hijacked" for this purpose. While some of the simpler attack methods may be repelled to a degree by "filtering" to block some of the offending data, the fundamental structure of the existing Internet makes complete solutions essentially impossible. We can expect to see a rapid evolution in the sophistication of such attacks and their relative invulnerability to quick eradication. There will not be simple answers of any lasting value. There are a number of very important lessons to be learned from these events. It seems apparent that the rush to move all manner of important or even critical commercial, medical, government, and other applications onto the Internet and Web has far outstripped the underlying reality of the existing Internet infrastructure. Compared with the overall robustness of the U.S. telephone system, the Internet is a second-class citizen when it comes to these kinds of vulnerabilities. Nor will simply throwing money at the Internet necessarily do much good in this regard. More bandwidth, additional servers, and faster routers--they'd still be open to sophisticated (and even not so sophisticated) attacks which could be triggered from one PC anywhere in the world. In the long run, major alterations will be needed in the fundamental structure of the Internet to even begin to get a handle on these sorts of problems, and a practical path to that goal still remains fuzzy at this time. For now, it might be advisable for everyone to remember that the Internet, for all its wonders, is in many ways very fragile. We must not allow ourselves to get into a position where being cut off from a site for a few hours--or even longer--puts people or property at risk. Our lives should not revolve around guaranteed 24/7 access to E-Bay, or Yahoo!, or *any* site on the public Internet, regardless of its importance. The need for alternative access methods for critical systems, and the potential recklessness of eliminating older systems in exchange for 100% Internet dependence, cannot be overstated. The current attacks are sure to be but the beginning. Many even more attractive targets are likely to be appearing that will draw ever more sophisticated fire. Imagine what a concerted denial of service attack might do to an election with Internet/Web-based voting--a technology being pushed on a fast track in many quarters. It's time to get past the "dot com" hype and to start considering carefully the realities, and limits, of the technology on which we're trying to base so much, so very fast. If we continue to plow ahead without heeding these lessons, it will be at our extreme peril. Lauren Weinstein <firstname.lastname@example.org> Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy
I have noticed that a junk e-mailer has taken to using a closed mailing-list server as a relay for his unauthorized messages. The scam works like this: 1) Criminal locates a closed mailing list that responds to unauthorized postings by sending back an automated rejection notice that includes the original message. 2) Criminal sends junk e-mail to the closed list using the desired _target's_ e-mail addresses in forged header. 3) Closed list obligingly bounces the original message back to the target's address. Authorized users of the closed list do not need to receive a message informing them that their messages have not been accepted (presumably due to some oversight or glitch) because they will likely note the absence of their message on the list anyway. Unauthorized users of the list do not need to see the text of their message at all in their electronic rejection note -- a stock reply explaining how to gain admission to the list is more relevant. Therefore I recommend that at the very least, administrators for closed e-mail lists prevent their listserv from sending the _complete text_ of a bounced message back to the supposed originator. However, there is a more serious vulnerability here: infinite loops between two or more closed lists. If an attacker forges the originating address of a closed list that sends back automated rejection notes to another closed list that sends back automated rejection notes, then each forged message will generate a mailstorm as a function of the speed of the servers in sending bounce messages to each other. The chain can be extended to multiple closed-list servers, causing even more useless traffic and potentially contributing to denial of service for the legitimate users of the closed lists. RECOMMENDATIONS: A) Turn off automated notification of rejection altogether on all closed lists; or if you feel that the notification messages are important, then B) Configure the listserv to send back only the title of a rejected message, not the complete text; or if you feel like addressing the potential vulnerability head-on, C) Design a check of a log file so that the listserv for a closed list can quickly identify a mailstorm and stop it by turning off automated notification of rejection when it is being abused. M. E. Kabay, PhD, CISSP, Security Leader, Information Security Group Adario, Inc., 255 Flood Road, Barre, VT 05641-4060 +1.802.479.7937 [NOTE the push-pull duality between a mailstorm and a maelstrom. A mailstorm pushes things in, whereas a maelstrom pulls them in. PGN]
Last week, MP3.com released a version of its Beam-it system for Linux. This is a system meant to allow you to "beam" your audio CDs to the MP3.com server, which would then provide them back to you as streaming MP3 files. Because only a small amount of data is actually transmitted during the protocol, this is touted as an efficient and novel network service. MP3.com already has the music on its servers. "Beaming" is really proving you own a CD, and thus MP3.com feels safe putting a reference to it in your online account. The RIAA (Recording Industry Association of America) has other thoughts on the matter, and is currently engaged in some testy litigation with MP3.com. Meanwhile, the service continues to run. On 4 Feb 2000, MP3.com posted a Linux version of their Beam-it client software and took the unusual step of releasing *most* of it as free source, with a small closed source pre-compiled component. In addition to some posters on Slashdot, we reverse engineered this module and studied the protocol. MP3.com did a reasonable job. It's unlikely you'll successfully "beam" a music CD to them unless you are physically holding the CD (or a bit-for-bit copy of it). Aside from this, there are still some privacy concerns about their system. It's also completely trivial for users to share accounts (which might be a concern for the RIAA). For those interested in more details: http://www.cs.rice.edu/~dwallach/pub/beam-it.html Dan Wallach, Rice University
Sorry to be difficult, but organisms clearly do adapt to their environment, both behaviorally (build houses, e.g.) and physically (e.g. grow thicker fur in the winter, suntan, etc...). But this isn't the basis of evolution of species - which is due to *populations* adapting to their environment by virtue of well-adapted individuals reproducing at differentially higher rates than poorly adapted individuals. Bob Blakley, Chief Scientist, Tivoli SecureWay Business Unit
I think you meant the opposite! In nature (to personify emergent behavior) systems only function in riskful dynamic states. The static state for an organism or other ecosystem is called death. The conversion of necessities into luxuries is most natural. Skin, for example, is no longer an option. I think you meant to say the conversion of luxuries into necessities is most natural, as yesterday's luxuries are nearly always today's necessities. Gordon Foreman, Los Alamos National Laboratory 505-667-3368 phone
I just tried it with netscape and OE and got the same result. The bug is with pine -- it returns multipart/alternative and should have returned multipart/mixed. The multipart/alternative means that the sending client is guaranteeing that the body portions are exactly equivalent, and so clients that understand the higher level text (html), are free to throw away the downlevel text (plain text). But since pine edited the text/plain part, it made the body parts unequivalent but other clients that follow the RFC throw away the part they don't need. Neither outlook nor any other HTML aware client should ever show an attachment for the plain text body part on a multipart/alternative message - that would defeat part of the purpose of that content type. I will report the bug to the pine authors. Next time you should be more careful when pointing fingers. [ZDNet.com/zdnn/stories/news reports that Windows 2000 apparently has about 63,000 defects, although later comments suggest under half of those are significant. PGN]
"Database Nation: The Death of Privacy in the 21st Century" by Simson Garfinkel O'Reilly & Associates, 2000 ISBN 1-56592-653-6 <http://www.databasenation.com> First, of all, I should disclose what is probably a conflict of interest. Simson and I have been friends for years, and we have collaborated on a number of projects, including 3 books. As such, some people (who don't know me well) might suspect that I wouldn't provide an objective review. So, if you think that might be the case, then discount my recommendation by half -- and still buy and read this book. Simson has done an outstanding job documenting and describing a set of issues that a great many people -- myself included -- believe will influence computing, e-commerce, law and public policy in the next decade. They also impact every person in modern society. This book describes -- well, and with numerous citations -- how our privacy as individuals and members of groups has been eroding. Unfortunately, that erosion is accelerating, and those of us involved with information technology are a significant factor in that trend. Credit bureaus accumulate information on our spending, governments record the minutiae of their citizens' lives, health insurance organizations record everything about us that might prove useful to deny our claims, and merchants suck up every bit of information they can find so as to target us for more marketing. In each case, there is a seemingly valid reason, but the accumulated weight of all this record-keeping -- especially when coupled with the sale and interchange of the data -- is frightening. Simson provides numerous examples and case studies showing how our privacy is incrementally disappearing as more data is captured in databases large and small. The book includes chapters on a wide range of privacy-related issues, including medical information privacy, purchasing patterns and affinity programs, on-line monitoring, credit bureaus, genetic testing, government record-keeping and regulation, terrorism and law enforcement monitoring, biometrics and identification, ownership of personal information, and AI-based information modeling and collection. The 270 pages of text present a sweeping view of the various assaults on our privacy in day-to-day life. Each instance is documented as a case where someone has a reasonable cause to collect and use the information, whether for law enforcement, medical research, or government cost-saving. Unfortunately, the reality is that most of those scenarios are then extended to where the information is misused, misapplied, or combined with other information to create unexpected and unwanted intrusions. Despite my overall enthusiasm, I was a little disappointed in a few minor respects with the book. Although Simson concludes the book with an interesting agenda of issues that should be pursued in the interests of privacy protection, he misses a number of opportunities to provide the reader with information on how to better his or her own control over personal information. For instance, he describes the opt-out program for direct marketing, but doesn't provide the details of how the reader can do this; Simson recounts that people are able to get their credit records or medical records from MIB, but then doesn't provide any information on how to get them or who to contact; and although he sets forth a legislative agenda for government, he fails to note realistic steps that the reader can take to help move that agenda forward. I suspect that many people will finish reading this book with a strong sense of wanting to *do* something, but they will not have any guidance as to where to go or who to talk with. The book has over 20 pages of comprehensive endnotes and WWW references for the reader interested in further details. These URLs do include pointers to many important sources of information on privacy and law, but with a few puzzling omissions: I didn't see references to resources such as EPIC or Lauren Weinstein's Privacy Digest outside of the fine print in the endnotes. I also didn't note references to ACM's Computers, Freedom and Privacy conferences, the USACM, or a number of other useful venues and supporters of privacy and advocacy. Robert Ellis Smith's "Privacy Journal" is mentioned in the text, but there is no information given as to how to subscribe it it. And so on. I also noted that the book doesn't really discuss much of the international privacy scene, including issues of law and culture that complicate our domestic solutions. However, the book is intended for a U.S. audience, so this is somewhat understandable. A few other topics -- such as workplace monitoring -- are similarly given more abbreviated coverage than every reader might wish. Overall, I recognized few of those. On the plus side, the book is very readable, with great examples and anecdotes, and a clear sense of urgency. Although it is obvious that Simson is not an impartial party on these topics, he does present many of the conflicting viewpoints to illustrate the complexity of the issues. For instance, he presents data on the need for wiretaps and criminal investigation, along with accounts and descriptions of bioterrorism, including interviews with FBI officials, to illustrate why there are people of good faith who want to be able to monitor telephone conversations and e-mail. If anything, this increases the impact of the book -- it is not an account of bad people with evil intent, but a description of what happens when ideas reasonable to a small group have consequences beyond their imagining -- or immediate concern. The death of privacy is one of a thousand cuts, each one small and seemingly made for a good reason. Simson has committed to adding important information to the WWW site for the book. Many (or most) of the items I have noted above will likely be addressed at the WWW site before long. Simson also has informed me that the publisher will be making corrections and some additions to future editions of the book if he deems them important. This is great news for those of us who will use the book as an classroom text, or if we recommend the book to policy makers on an on-going basis. Those of us with older copies will need to keep the URL on our bookmark list. Overall, I was very pleased with the book. I read it all in one sitting, on a flight cross-country, and found it an easy read. I have long been interested in (and involved in) activities in protection of privacy, so I have seen and read most of the sources Simson references. Still, I learned a number of things from reading the book that I didn't already know -- Simson has done a fine job of presenting historical and ancillary context to his narrative without appearing overly pedantic. This is a book I intend to recommend to all of my graduate students and colleagues. I wish only there was some way to get all of our elected officials to read it, too. I believe that everyone who values some sense of private life should be aware of these issues, and this book is a great way to learn about them. I suggest you go out and buy a copy -- but pay in cash instead of with a credit card, take mass transit to the store instead of your personal auto, and don't look directly into the video cameras behind the checkout counter. Once you read the book, you'll be glad you did.
Please report problems with the web pages to the maintainer