By Gary Gach
Special to Cyberspace Today
Kevin Mitnick, a 31-year-old convicted felon and infamous computer hacker, was arrested by the FBI last month after being on the run from parole violations for two years. In a cyberspace spy story that will certainly become a Hollywood thriller, Mitnick let his ego get the best of him when he foiled an advanced security system devised by Tsutomu Shimomura, 30, a security expert and research fellow at the University of California, San Diego's supercomputer center.
After a relentless search spearheaded by Shimomura, and with the cooperation of federal law enforcement officials and executives of local Internet service providers, Mitnick was arrested in Raleigh, NC, after being tracked to an apartment complex using advanced communications surveillance equipment.
The security of personal data and the business activities of The WELL, a Sausalito-based Internet service provider, were seriously compromised by Mitnick, according to printed reports. In fact, The WELL was off-line for a maintenance period last week to upgrade its systems. "We're ready to move on. What's more important are the greater issues, such as security on the Internet, and trust," said Ron Pernick, the WELL's marketing director.
The Internet is a community, as author and WELL denizen Howard Rheingold frequently points out, and communities are built on trust. "This is also about ignorance. Computer systems that people use to telecommunicate by are, by definition, unsecure. So we should be aware. For example, never put in anything that you don't want looked up unless you encrypt it. That's what it's all about," said Rheingold. Computer, phone, and cellular networks are all vulnerable. But suddenly providers, businesses large and small, and individual users are all wondering: How vulnerable are my system, my passwords, my e-mail and my security programs? And what safety precautions must I now take?
In the case of the Internet, the older Sun systems that provide much of the infrastructure will need upgrading. The older SunOS operating system has many security holes that are well known to crackers with only modest hacking skills. Fortunately for the WELL, they had already planned to upgrade their operating systems and their capacity. Having now migrated to a Sun SPARCserver 1000E, they have faster processing capability, more memory and capacity, and enhanced security. With that in place, they don't expect to go off-line again in order to upgrade further down the line.
Pernick advises that they've reinstalled software from binaries and are requiring all users, new and old, to select a new password (adhering to standards that make password cracking more difficult - such as using upper and lower case and nonalphabetic characters).
"End-to-end encryption is critical," Pernick adds. "These are net-wide issues. Through cooperation and opening the dialog on these issues, we can see greater security."
U.S. Attorney Kent Walker, a coordinator of the Mitnick investigation who is also co-founder of the Silicon Valley High-Tech Crime Force, advised, "Whenever you have a new technology there are going to be ways of exploiting it. People shouldn't assume that the Internet is unsafe because of this one incident.
"The lesson people should draw is 'Use common sense.' Use encryption where appropriate. Use trustworthy Internet service providers. Don't download files whose origin you don't know," added Walker.
Encryption is a field for healthy debate. "Encryption has many beneficial social uses," states Walker, "but unbreakable encryption poses a significant social threat where it makes it impossible for government to find out about criminal activity. The Department of Justice and the Administration strike a balance through Clipper Chip. The goal is to encourage Americans to adopt strong encryption, as part of their privacy interests, but allows law enforcement, if need be, after government obtains a court order."
Last year the Secret Service reported 2600 attempted break-ins to Internet-linked computer facilities. Yet Walker is optimistic that with the help of the citizens of cyberspace they can stay ahead of the curve and stay abreast of new technology used by criminals. Certainly, had Mitnick wanted to, with the almost unimaginable power he amassed on his desktop he could have wreaked billions of dollars of damage upon untold, unsuspecting, innocent people. Yet while his apprehension can serve as a model for future public-private collaboration, it also amplifies a sore point: the government classifies encryption as a munition, and thus bars it from export.
To appreciate the richness of the full debate, readers may wish to attend the international CFP conference Heckman will be chairing March 28-31 in the San Francisco Bay Area. [See accompanying sidebar.] (Ironically, the account at the WELL where Mitnick stashed some of his cyberbooty, and which triggered off an alarm there, was that of the CFP.) If only a solution could be arrived at that would reflect the degree of successful mutual interaction that the public and private sectors displayed in Mitnick's apprehension.
In the aftermath of the big Event, Shimomura has said Mitnick "did nothing imaginative. I see nothing new." In other words, there are chinks in the system that are at least a decade old.
Assume Gary Oldman is being considered to play Mitnick in that Hollywood thriller. The rest of us who use the Internet to conduct business or personal correspondence need to approach this technology with our eyes wide open.