Aliens in This World

An ordinary Catholic and a science fiction and fantasy fan.

Sunday, September 07, 2003

More Signs of the Decline and Fall

A couple of IT stories, courtesy of Slashdot. (If you're not reading Slashdot every day, maybe you should be.)

Read Cringely's column "The Innovator's Ball: Why Business Isn't Fun Anymore" for cautionary tales of how corporate grifters steal companies from their founders and do other fun things.

Sharp business is cheating and not getting caught...We've gone from following the rules to playing the odds.

Meanwhile, there's a warrant out for the arrest of a "white hat" famous for finding holes in company computer security, then informing the company so it could fix them. This man who does no damage and makes no money from his activities, who has saved corporate America countless millions of dollars -- this man is to be treated as a criminal. I bet they'd throw Shane in jail, too.

In December, 2001, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

Lamo believes the arrest warrant is for his most high-profile hack. Early last year he penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.
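The proxy misconfiguration described in the excerpt above is a detectable one: a proxy meant to let employees out to the Internet was also forwarding requests from outside clients to internal hosts. The script below is an added example, not code from this post, from SecurityFocus, or from the Times; it walks a few constructed proxy access-log lines (the one-request-per-line format, the intranet address ranges and the `.example.internal` DNS suffix are all assumptions) and flags every request where an external client reached an internal destination through the proxy, whether the internal server answered with 200 or 403, since the proxy should have refused to forward it at all.

```python
"""Flag proxy requests that use the proxy as a doorway from the
public Internet into a private intranet.

Added example, not code from the article, SecurityFocus, or the Times.
Log format (assumed, simplified): client_ip method url status
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines; 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for Internet clients.
SAMPLE_LOG = """\
203.0.113.7 GET http://intranet.example.internal/payroll/ssn.cgi 200
203.0.113.7 CONNECT 10.20.30.40:23 200
192.168.5.12 GET http://www.example.com/news 200
198.51.100.9 GET http://www.example.com/ 200
198.51.100.9 GET http://172.16.4.2/admin/ 403
"""

# Assumption: the intranet lives in RFC 1918 space plus loopback,
# and internal names end with this DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".example.internal",)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def is_internal_addr(ip_text):
    """True if ip_text parses as an address inside an internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def target_host(method, url):
    """Destination host of a request; CONNECT carries host:port, not a URL."""
    if method == "CONNECT":
        # strip the port, and brackets around an IPv6 literal
        return url.rsplit(":", 1)[0].strip("[]")
    return urlsplit(url).hostname or ""


def is_internal_target(host):
    return is_internal_addr(host) or host.endswith(INTERNAL_SUFFIXES)


def find_doorway_requests(log_text):
    """Return (client, method, url) for each request in which an external
    client reached an internal destination through the proxy.  The status
    code is ignored on purpose: a 403 from the intranet server still means
    the proxy forwarded a request it should have dropped."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, method, url, _status = m.groups()
        if not is_internal_addr(client) and is_internal_target(target_host(method, url)):
            flagged.append((client, method, url))
    return flagged


if __name__ == "__main__":
    for hit in find_doorway_requests(SAMPLE_LOG):
        print("DOORWAY:", *hit)
```

Run against the constructed log it flags three requests: the payroll CGI, the CONNECT to a telnet port on an internal address, and the admin page on 172.16.4.2; the two requests from an internal client or to a public site pass. The same test belongs in the proxy's own access rules (deny forwarding to internal destinations unless the client is itself internal), so that the condition never reaches the log in the first place.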

The real scandal is how incompetent, lazy or (to be charitable) overworked these major companies' IT people must be. Small companies usually keep tabs on their folks, and though underpaid, they're diligent about patches and the like. Meanwhile, the big companies suffer from virus outbreaks again and again, or have horrible security. (Sigh.)

Some of this also may be cultural misunderstanding. I know a guy who's a security expert. The first thing he usually does at a company is find a computer with the user away from the desk and the email program up, or accessible without a password by clicking on the icon. From there, he can almost always find all sorts of goodies. And in fact, looking through emails is one of the most popular tricks used by corporate spies. I was very impressed by this and have tried ever since to spread the word and keep my emails protected. But many to whom I've told my story are more appalled by my friend's actions than what makes them possible. Even though he was explicitly hired to find such security holes, they think he shouldn't do it!

Furthermore, many people simply have different goals which are fundamentally incompatible with security. I was recently instructed by my boss that I must keep my email open all day, so as not to miss getting an email five seconds after it's sent. (The fact that our corporate email is actually not as fast as all that aside. And never mind all the impact on my productivity of having to stop and read email every time someone sends me some forwarded thing with forty large pictures included....).

But the real problem -- the reason there's a problem with people cracking systems in the first place -- is that Microsoft and other irresponsible corporations believe in mind control over substance. As long as nobody knows there's a great gaping hole in security you can drive a truck through, you're safe. The person who left the hole there, endangering everyone, is a respectable businessman who finished the walls on time -- whether or not the walls were any good. But the Mack truck driver who points out the dimensions of the hole is a criminal and a danger to the bottom line.
