December 2004 Letters to the Editor 3
Total Page:16
File Type:pdf, Size:1020Kb
DEAR EDITOR, Wireless Security: A Discussion Rik Farrow writes in the August ;login: that “the downside of Note from Rob Kolstad: This article [offshoring] is that real com- summarizes an email discussion munication between software between Marcus Ranum and Bill developers and program man- Cheswick after Marcus had an letters to agers will get even worse.” This “interesting experience” at the presumes a model where devel- USENIX Security Conference. the editor opers only communicate with Thanks to both of them for allow- managers, not directly with ing us to share it publicly in order users. My advice for how to be- to foster discussion. come offshoring-proof is to edu- cate yourself in contextual de- MARCUS RANUM: sign (or any of the other meth- odologies that likewise pre- I had an interesting experience at sumes extensive contact be- the USENIX Security Conference, tween developers and users), and I’d like to share it here for dis- and to complement your com- cussion. Like many conference puting skills with a liberal-arts attendees, I took advantage of the education, which will develop wireless network so I could check your communication skills and my email, update my Web site, etc. your ability to understand non- At virtually every USENIX confer- computing perspectives. ence, someone sets up dsniff and collects passwords as they cross the MAX HAILPERIN wireless, and this latest conference [email protected] was no exception. For the past few http://www.gustavus.edu/+max/ years I’ve basically chosen to ignore the snoopers because, frankly, I hoped they’d grow up and go away. This year I finally got sick and tired of it, and confronted one of the snoopers who had emailed me my own password. What bothered me most about this experience was that the folks who do the snooping are security practi- tioners. When I raised the issue, the immediate response was sur- prising. Basically, I got the exact same set of excuses that crackers have been using for years: “I wasn’t abusing the information,” “it was for my own research/curiosity,” etc. I’m afraid I lost my temper quite badly in the face of what seemed to me to be a lack of clarity on the part of the security community regarding basic issues such as whether or not we’re justified in doing exactly the same things as the “bad guys” as long as we’re the “good guys.” I think the whole sit- uation was further exacerbated by the fact that the whole issue was not in my opinion taken adequately 2 ;LOGIN: VOL. 29, NO. 6 seriously by the USENIX Board law enforcement cases, many have “bad guys.” The bad guys break members at the conference. advised lawyers, courts, and the US into systems, compromise their So I think the whole incident Congress on such matters. integrity, modify their software, etc. becomes a microcosm of today’s Much of what many of us have Marcus asks, “What is the differ- security experience. It motivates done is “ahead of the law” (to ence between the good guys and me to ask questions like: quote one lawyer), and since the bad guys if their actions are What is the difference between the Leviticus (and Numbers, adds Dan largely the same?” I think “largely good guys and the bad guys if their Geer) and the New Testament the same” is neither ethically nor actions are largely the same? appear to be mute on the topic, we morally “the same.” The crackers have traditionally had to grope our who justify their actions in court Why do we place the onus of self- own way towards personal and with “I wasn’t abusing the informa- defense on the victim, instead of societal rules for using the Internet. tion” and “it was for my own demanding ethical behavior from Concerning the legality of using research/curiosity” aren’t in court the perpetrator? dsniff, the IANALBs appeared to because they ran dsniff. I felt that my privacy was being vio- cover the spectrum from “illegal’’ to Even though this was an upsetting lated, and, more to the point, I was “not covered.’’ Several laws appear experience for me, the hallway going to be forced to waste time to be involved, and it looks like a track continues to provide deep, installing security measures courtroom toss-up to me. thoughtful discussions on the cut- because of someone’s “harmless I have given a lot of thought to the ting-edge issues of our industry curiosity.” Indeed, I find it ironic (if ethics of various Internet experi- and society. not outright contradictory) that ments and practices I have adopted USENIX, which is normally a over the years. I believe that this is MARCUS RANUM: haven for privacy advocates, would an especially important thing to do, Bill observes that many security tolerate this behavior over a given this novel medium and the lengthy period of time. practitioners are “ahead of the law,” nascent state of case law. I have but I feel that professional conduct, used sniffed passwords to make an BILL CHESWICK: and what is tolerated by an organi- important point in a number of my zation like USENIX, should be I just returned from the San Diego talks in the past. I am still satisfied about “right and wrong.” Hiding USENIX Security Conference, reli- with the ethics of doing so, despite behind legalisms is not leadership. ably one of the top security confer- the lecture I received, but the point USENIX is an organization full of ences of the year; this year’s was no is not important enough to fight privacy advocates, an organization exception. The keynote in particu- for. I have agreed not to display that cares enough about its mem- lar was one of the best security sniffed passwords publicly, for any bers’ privacy that it protects talks I have heard in years (and I reason, in the future, and did not attendee email addresses and the hear a lot of security talks); there do so at the invited talk. like. By consistently turning a blind were several excellent papers; and I think USENIX’s response was eye to people sniffing the confer- most of the hall track meetings measured and proper. They asked ence network, USENIX has implic- alone were worth the trip. us nicely not to sniff the network, itly encouraged the kind of “any- I had several things to accomplish and I, for one, complied. That is thing goes” attitude that is more at this conference, including prepa- about all they can do without clos- appropriate at DEFCON than at a ration for an invited talk I was ing the network or implementing respected conference concerned asked to give at the last moment. extremely invasive procedures. I with its attendees’ privacy. As an These activities were curtailed expect that future conferences will organization of thought leaders in when I was accused of being legally include similar requests. the computing arena, I think and ethically on the wrong side Marcus raises several specific USENIX should pay attention to concerning the use of the dsniff issues. Some are matters of basic the leadership shown by confer- program. law; the rest deal with our commu- ences like SANS, which will eject The incident precipitated swirls of nity’s position on the forefront of a attendees for sniffing the confer- hallway conversations about the new technology. ence WAN or any other hacking- legalities and ethics of using dsniff. type activity. If we are, indeed, Marcus asks, “Are individuals justi- “ahead of the law,” then it’s more This is not your average crowd of I- fied in doing exactly the same am-not-a-lawyer-buts as they important that our behavior be, lit- things as the ‘bad guys’ as long as erally, exemplary. debated the ethics and legalities of we’re the ‘good guys’?” The prob- password sniffing. Not only has lem here is in the question. We are I’m a fairly open person, and I’ve this crowd assisted in numerous not doing “the same things as the always been interested in helping ;LOGIN: DECEMBER 2004 LETTERS TO THE EDITOR 3 other practitioners with their and I hope he’s forgiven me for Would permission have been research. If Bill had wanted to screaming at him in public; I think granted? I never thought that know how often I change my pass- it’s good that this issue has been deeply about this in this particular word, he could have just asked. aired before USENIX has to deal venue: I skipped the step in my Instead, he stole what would have with an incident involving less for- rush to deal with other pressing been gladly given, and was amused giving people. things at the conference. I should by the fact that he was able to. It’s not have. almost a USENIX tradition that BILL CHESWICK: I have also let bygones be bygones. some wiseacre posts passwords on As for asking permission, that’s I’m glad we got this out in the the bulletin board with a sign say- quite true, and I have done so at open. ing “CHANGE THESE” at every other conferences, with the explicit conference. This whole issue would purpose of reporting the penetra- USENIX RESPONDS: never have surfaced if Bill had tion of secure protocols into the asked for, and gotten, permission This has been an instructive experi- common packet stream. Of course, ence for all of us. Future confer- from USENIX to sniff the network I never cared about the particular before doing so.