เนื่องจากผมได้ยื่นเอกสารขอเลื่อนขั้นเป็น Full Member
แต่เนื่องด้วยท่านแอดมินต้องการให้ผมแปลเอกสาร Hacker Interview ซึ่งจะมีรายละเอียดการสัมพาธ์ ของบุคคลสำคัญแต่ละท่าน จำนวนทั้งสิ้น 4 ท่าน (ประมาณ 24 หน้ากระดาษ A4)
รายละเอียดโปรดดูในลิงค์นี้ครับ
http://citecclub.org/forum/-superfast-t20199.html
คำถามคือ
1. ในอดีตที่ผ่านมา Full Member ได้แปลบทความโดยทั่วไปกี่บรรทัด จึงจะได้เป็น Full member
2. ผมควรจะแปลบทความตามที่ท่านแอดมินกำหนดมาหรือไม่ หรือว่ามีแนวทางอื่นที่น่าจะเป็นประโยชน์มากกว่านี้ สำหรับผมที่เป็นคนไม่ถนัดแปลภาษาอังกฤษ
ปล.1 เหตุที่ผมเรื่องมาก เนื่องจาก ผมคิดว่าการแปลดังกล่าวมีประโยชน์น้อย และใช้เวลามากมาก อย่างน้อยๆก็ 5 วันเต็มๆ (สำหรับผม) น่าจะมีอย่างอื่นที่ใช้เวลาเท่ากันแต่มีประโยชน์มากกว่า (Put the man inthe right job)
ปล.2 ผมค่อนข้างรู้สึกเหมือนถูกหลอกใช้งานยังไงไม่รู้ และไม่รู้ว่าแปลอันนี้เสร็จแล้ว จะโดนใช้ให้ทำงานอะไรบ้างหรือป่าว
ปล.3 ตั้งแต่ผมเข้ามาในเวปนี้ ผมยังไม่ได้ความรู้อะไรเลย นอกจากเอาความรู้มาแบ่งปันเพื่อนๆ (ดูได้จาก Thank Count ที่เกิน 80)
ปล.4 ผมคิดว่าบอร์ดจะอยู่ได้ไม่ใช่เพราะ แอดมิน แต่เป็นสมาชิกที่รักบอร์ดนั้นๆอย่างแท้จริงร่วมด้วยช่วยกันต่างหาก การบริหารจัดการคนเดียวย่อมไม่เป็นผลดี
ปล.5 ผมเรื่องมากอย่างนี้สงสัยจะโดนแบนในไม่ช้า หุหุ งั้นขอลาก่อนล่วงหน้าละกัน
ปล.6 ขอบคุณแอดมินที่เสียสละเวลามานั่งอ่าน Resume ของผม
เนื้อหาที่ท่านแอดมินกำหนดให้ผมแปล ทั้งหมดอยู่ข้างล่างนี้ครับ
<div class='quotetop'>QUOTE</div><div class='quotemain'>This young hacker was caught breaking into NASA's computers and sentenced to six months in jail. The government says that at one time, he took possession of $1.7 million in software. In his interview he talks about the weaknesses he found in the government's computers and how he had warned them. Because of his age, FRONTLINE is protecting his identity.
What is it about the computer that makes it become such an obsession for young guys?
Why is that so important?
Well, everybody likes to feel in control.
In my time, they did it by playing hockey or football. How does the computer compare?
It's intellectual. It stimulates my mind. It's a challenge.
How hard was it for you to get into some blue-chip locations?
The government didn't take too many measures for security on most of their computers. They lack some serious computer security, and the hard part is learning it. I know Unix and C like the back of my hand, because I studied all these books, and I was on the computer for so long. But the hard part isn't getting in. It's learning to know what it is that you're doing.
And how do you learn that?
Oh, by reading, by talking to people. And by spending so much time on the computer, learning how it works, learning the source code and the programs and the commands.
I gather that there's quite a network of hackers out there. Do you guys share information and secrets over the internet?
Of course.
If someone told me that a 16-year-old could crack into NASA or into the U.S. Department of Defense, I'd say, "Sure. In the movies, maybe." How long did it take you to do that?
I would email system administrators sometimes and tell them their computers were vulnerable. . . . Three weeks later I would go in and I still had access to their computers. I was learning about computers and Unix and programming for two years. I was learning how to program in C for about a year. If I were targeting a computer, it would take between a few hours to a few weeks of looking around to find the way.
So is it just the rush of getting in there, of doing something smarter than they do? Or did you find anything there that was of interest to you?
Generally, the thrill is over once you've realized that you're on the computer and that you can do whatever you want--but it's not downloading their information, because usually it's pointless, bureaucratic stuff you don't need to know. . . .
When you start out, you sort of poke at various cyberfences and walls. You're just looking for the soft spots. You don't target a place because it's got something that you want--it's just that it's a challenge?
I would target a place because it looks like a challenge. Like, if I say, "The navy has a computer network in Jacksonville, maybe that would be fun to poke around." And then I'd target them. I'd look at their computers and I'd see what I can do there.
That doesn't sound like mischief. Sometimes I think you guys are like the graffiti spraypainters.
Not at all. Well, first of all, I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off. But then there's other people that go into corporate web sites, government web sites, and change it. That's closer to what you're talking about-- that's mischievous. But I didn't do stuff like that.
You could have, though.
Oh, yes. I could have gotten a lot of recognition. . . .
A lot of attention was given to the fact that you downloaded software relating to the international space station. Could you have done anything with that?
No. It was for the environmental control program. Who wants that-- you can play with the air conditioner, or what? . . . The code itself was crappy . . . certainly not worth $1.7 million like they claimed. The only reason I was downloading the source code in the first place was because I was studying C programming. And what better way to learn than reading software written by the government?
Was it a big shock to you that the government was using such inferior code for such important work?
Yes, but you get used to it. I'm not surprised anymore when I see the failures of the government.
When did you first suspect that they knew you were snooping around?
Well, I never knew that they would actually come to my house. That was a total shock to me. Sometimes I would get kicked off a computer. and I'd figure, "Oh, great, the admin figured something was up and re-installed the software, added a little security, and forgot about it, because they don't care that I'm here. They just fix it and move on," which is reasonable. Nothing happened to me in the weeks following, so, great. They realized that all it takes is five minutes at the keyboard and they can make a computer secure. And they didn't care. I would email the system administrators sometimes and tell them that their computers were vulnerable. I would tell them how to break in, and how to fix the problems. I'd give them advice, and they would never follow it. Three weeks later I would go in and I still had access to their computers.
Even after you told them that there's a hole in the fence?
Oh, more than that. I told them how to fix the hole in the fence, and they didn't respond, so I figured that they didn't care.
But meanwhile, they've got all the resources of the government out looking for this guy.
And they should have been spending those resources on computer security.
How did they catch you?
They haven't told me exactly how they caught me. They sealed the affidavit for the search warrant. They said it was sealed for national security or some BS reason, but from what I understood, they probably called one of my friends, who gave information about me. Then they came to my house. My mom woke me from bed and said that the FBI was at the door. It's kind of unnerving. . . . I walk out and I see everybody with vests that say Federal Agents and NASA and DOD on the back with guns and all that good stuff.
. . . Were you scared?
No, I was just wondering what was up, and then I saw that their shirt said NASA.
And they walked out with all your computers?
They took me into a room in the back and questioned me for a few hours. And I admitted everything that I did, and I said, "Yes, I'm sorry. I won't do it again." I told them how I did it, what I did. They told me not to do it again, and if I do it again, I'll leave in handcuffs, but for now, they don't consider me a criminal, and that I just shouldn't do it again. And then they told me that they're taking my computers for investigative reasons. They said they don't need to read me my Miranda rights because they're not making an arrest. They're just investigating,
So what did they take out of there?
They took five of my computers. I had a nice little network going. They took my Palm Pilot, my CDs, my "Star Trek" book.
Your "Star Trek" book?
My "Star Trek" book, yes. Don't ask me why.
And when did it get serious?
. . . I didn't hear from them for another three months. Then, three months later, they had a little meeting. I talked to the prosecuting attorney. They said they might press charges. He said that I might get probation . . . but that they were unsure of what they're going to do. Then, in July, over the summer, I was in Israel. And I got a phone call from my father, who said that they wanted to put me in jail for six months.
Let's think about it from the other side's point of view. They don't know that it's some nice guy from a nice neighborhood. . . . It could be a real bad guy in Baghdad, or wherever. What are they supposed to do when they find somebody snooping around inside their systems?
Well, first of all, they should be responsible enough to provide adequate security from the start. But once they find out that it's some harmless kid . . . I think the appropriate response would be perhaps to take my computers away like they did, and leave it at that. They could tell me that I can't use the internet for a while, to teach me a lesson, teach me that they actually do care about what I'm doing, and that I shouldn't do it again. But they shouldn't put the youth of America in jail.
How does the prospect of sitting in jail for six months affect you?
First of all--six months. While it's not as long as some other sentences, it's still a long time. And that's six months of me being surrounded by people that did these actual crimes, did bad things to other people, to humanity. And I'm surrounding myself with these people that are lower than myself. Not to sound arrogant, but they lack morals, and it would be degrading to my character . . . and I'm worried.
Are you trying to tell me that you don't think the crime you committed is on the same order? . . .
Not at all. This is just harmless exploration. It's not a violent act or a destructive act. It's nothing.
They say that, at one point, you took possession of $1.7 million worth of software, and that you made them shut down and spend weeks with 13 or 14 important government computers down. That sounds serious.
Well, I think the price of the software is irrelevant, because the government overpays for everything. But it was source code that wouldn't even compile. The computer people know what I'm talking about. It was source code that wouldn't even compile without the proper equipment, or maybe it was just bad coding, I don't know. But the only reason I downloaded it was for the sake of learning what it is that they're doing, how they program, their techniques.
And you learned basically that it was no good?
Yes. They did stupid, stupid things that an experienced programmer would know not to do. But as for claiming that the addition of computer security is damages? That demonstrates a serious lack of responsibility on the government's behalf. The failure to put adequate security up from the start, from as soon as they turn the computers on, is a lack of responsibility. And then they cover up their mistakes. They call it damages when a computer enthusiast such as myself demonstrates their ineptitude.
What did that teach you about the state of computer security, and about the ability of public authorities and government people to police the security of the computer systems out there?
I certainly learned that there's a serious lack of computer security. If there's a will, there's a way, and if a computer enthusiast such as myself was determined to get into anywhere, be it the Pentagon or Microsoft, it's been demonstrated that it's possible and they will do it. And there's next to nothing they can do about it, because there's people with skill out there, and they'll get what they want.
How would you assess the skill levels of the law enforcement people who eventually came knocking at your door?
Okay, they got lucky, because I didn't take any measures whatsoever to hide myself. I didn't cover my tracks at all, and had I done that, they would not have been able to catch me. If I wanted to, I could have hidden myself, but I didn't think I was doing anything wrong, so, why bother?
You could have escaped detection?
I could have.
You could have done a lot of damage?
If one was so inclined, you could have deleted files, or put a virus up or sell information to foreigners. You could perform a denial of service attack and cause the computers to stop performing. Someone could do any number of things that I did not do.
Could you have done those things?
I could have.
They couldn't have stopped you? And they couldn't have caught you?
No. They could not have caught me.
What are you going to do now? People of my generation would ask if you've learned your lesson.
I've learned my lesson. I shouldn't do stuff like that.
But it seems to me that the big lesson is just how vulnerable everybody is to this technology.
It's a lesson to us all.
What are you going to do about it? Are you going to try and fix it?
Yes, maybe I'll start a computer security company.
Reid and Count Zero are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice," a computer program which allows the user to remotely view and control computers running Windows 95 or later. They say they developed the program to demonstrate the weak security in Microsoft products.
What drove you to release the Back Orifice software?
REID: For us, the motivation for releasing Back Orifice was that Microsoft has the world's most popular operating systems installed on 90 percent of the computers in the world, or at least the desktop computers. And those people are being encouraged, urged, to take those computers and plug them into the internet. Unfortunately those people are wide open to attack of various kinds. We thought we would be serving the community best by demonstrating that we could easily write a tool that would take advantage of that, and proof for the ability to do that.
For the layperson who's never heard of it before, what would it allow someone to do?
REID: Back Orifice is a program that comes in two parts. It allows someone sitting at one computer to control everything going on at a computer at the other side of the internet. So you can be sitting at a local machine and you could see what's happening on a remote machine that maybe you've never actually been to. As long as they've got the Back Orifice server installed, your client machine can see what's on their desktop. They can take out the mouse, take over the keyboard, and watch what's happening on the keyboard. You could upload files to that computer, and download files from that computer. You have what's known in the community as a "root kit." Essentially, you have control over that machine as if you were there. In fact, you have more control over that machine than the person sitting at the keyboard does, because we expose more power through the Back Orifice tool than Windows 98 Desktop does.
What did you hope to achieve by putting it out?
REID: Ultimately, we were trying to get Microsoft to admit that they were encouraging people to join this global community with a completely insecure product, and then hopefully people will not store their credit card numbers on their hard drives. They would not keep their diary there. They wouldn't conduct business with this computer. Or, even more optimistically, we were hoping that maybe they would implement a strong security model in Windows. Neither of these things actually happened, so it's a failure on that count. But those were pretty high goals, I think.
What was Microsoft's response?
REID: Originally, Microsoft's response was that Back Orifice was not an issue, that it was something that no one should pay attention to. And then two or three days later, they changed their tune, and suddenly Back Orifice was a malicious tool designed to do nothing but wreak havoc. And then, less than a week after that, their response was that Back Orifice is a tool that does not expose any security holes in Microsoft Windows and should be considered a safe and innocuous administration tool in the hands of a professional.
So everyone in the world who is using Microsoft at the moment is vulnerable to Back Orifice, as we speak?
REID: Yes, either Back Orifice or Back Orifice 2000. They're capable of running on Windows 95/98, [NT] and Windows 2000 machines. That's basically everybody. . . .
best definition I heard of a hacker was somebody who if they saw something closed and it was doing something, they just wanted to open it up to see how it was working. And then how to maybe play with it a bit to make it work better COUNT: . . . People are saying, "Oh, there are going to be a lot of people who are just. . . really mad at CDC for doing this," because their computers could potentially be abused because of these vulnerabilities. Our take on this was, "Well, they should be really mad at companies like Microsoft, who create these environments that are just so unstable." We take it for granted now that computers will crash several times a day. We take it for granted that you have to be afraid when you get an email attachment; you have to figure out where it came from. "Is it worth it to open this spreadsheet where I might blow up my computer?" We've developed a kind of culture of a passive, beat-down fear. . . . If you got in your automobile and every day it would stall several times, and every once in a while it would just sort of randomly explode into flames and destroy all of your personal belongings, like when your computer crashes and you lose your files, you would be really mad, and furious at the car manufacturer. . .
I think it's a real travesty that we see . . . these insecure environments as the way it has to be, because, "Heck, it's always been that way." The people who are calling the shots in terms of building it are just building them their way, and they don't care. . . .
REID: It's more than just Microsoft producing what amounts to almost a negligent security model in their operating system. It's also the fact that they're marketing it specifically to end users who want to go on the internet, people who may have bought their first computer ever. Those people are not computer security experts. They don't know what's out there.
So it's like building a really cheap car and saying, "Now, drive this on these really rocky roads," deliberately putting them in an environment where you know that what they have designed is so inadequate for that environment, and marketing it to student drivers. . . .
It seems patently obvious to the layman that if you point out this fundamental flaw, it will be fixed. Why isn't it fixed? Why don't they fix it? . . .
COUNT: They won't change something unless the people demand it. That's the trick. And people are not demanding the security. . . .
REID: Although, in all fairness, we should point out that the beast on Microsoft's back here is the fact that they need to be backwards-compatible with previous versions of Windows operating system, which themselves were insecure. So there may be legitimate technical hurdles for them to overcome in order for a new version of Windows to have, in our eyes, nice security. But then again, what kind of software company do you think could take on a challenge like that, if not Microsoft? Do you think anyone other than the world's largest software company could pull that off? And if they can't, then we're all in trouble.
It's already happening. The open source movement is a kind of response to that, where if the companies aren't doing it, then heck, all of these millions of programmers around the world will do it. Apache is the most popular web server software because . . . all the people who were building it were the people who were going to be using it. And they . . . solved that problem. Models will be built in there, because it will have truly been something designed by technical people, who created security models from the very beginning as part of the product. . . .
Back Orifice could now be used by the state to run surveillance on any computer it wants?
REID: Absolutely. In fact, there have been various press releases by different federal and state agencies, talking about how they've in fact hired companies to write tools. Or there have also been news stories about clandestine operations to write software, or companies putting out press releases, stating that they've been hired by unnamed government agencies to write software to do small subsets of Back Orifice's functionality.
I think even slightly more interesting is the possibility that somebody took our open source code for Back Orifice 2000 and tailored it for their own purposes and never told us. The entire code for Back Orifice 2000 is available on our web site, and you can download it, you can inspect it, and you can make modifications. All we ask is that you please submit those changes to us for our own perusal, and you don't sell it. It's quite likely that somebody has already taken BO2K source and written their own tools that haven't surfaced yet in public. . . .
Do you see dangers in us being so wired and connected the way we are at the moment?
COUNT: I think about that a lot. . . . I think a lot of the fear that's happening is fundamentally because there are big misconceptions of what the internet is all about. The internet is not a nicely packaged lined up row of books in a library where everything's organized by the Dewey Decimal System and everything is published by a handful of publishers that control all of it. It's not something that's sanitized, categorized, shrink-wrapped and freshness-dated on a shelf. The internet is a mirror of society. It truly is something that reflects all of the elements in the physical world--the types of people who use it, the types of things that are on it, what's being said, and what you'll see and read. . . . People who are criminals are going to be on there. There are going to be people on there where you just cannot understand where they're coming from, and that'll scare some people. . . .
Society is complex, and it's often very messy. And I think people just have to deal with that, roll up their sleeves, and jump in and just get involved and try to fix things that are broken, and accept the fact that other people are going to say that things you don't like a lot of times.
REID: The internet itself was constructed with this idea that we were all going to be nice to each other. All of the standards and all of the protocols assume, basically, that no one is going to lie or cheat or steal. It was designed basically for the US government in planning a war, and then it was co-opted by scientists to coordinate research. And there was really no effort made early on to insulate that, or to protect against people who just are outside the trust model, people who just want to go in and see what they can do, and they just don't care. Unfortunately, it's hard to build on top of a system like that and not retain some of those strengths and weaknesses. Those protocols are very simple, they're fast, they're efficient. But they are wide open.
Nowadays, we are paying for the sins of our fathers in the same way that we had the Y2K bug, which we spent years gearing up for--and thank God we did, because it could have been awful. The general public is sick of hearing about Y2K, and they assumed it was a big joke, but it never was. That could have been very devastating. But those kinds of problems exist on the net in spades. If somebody wanted to take down the internet, they could do it; they could still do it. None of that has changed. . . .
How should the public view hackers like you? Are you demons, are you crusaders, should we be embracing you, should we be attacking you?
REID: I think the first misconception that people have about hackers is that it's a giant political party, or it's a voting bloc, or it's organized somehow. And it's not. It's like asking what should people think about carpenters. It's just a very loosely defined group of people. In fact, we can't even seem to agree on a definition of hacker most of the time. . . .
COUNT: It implies curiosity, and looking at how you can use tools in different ways and how you can think of new tools to extend people's abilities to do things. But the best definition I heard of a hacker was just someone who . . . if they saw something closed and it was doing something, they just wanted to open it up to see how it was working, and then how to maybe play with it a little bit to make it work a little better. . . . It's just a general loose sort of mentality based on focusing on technology.
. . . I don't think the public should be afraid. I think hackers in general are explorers. They're exploring new territory. And of course when you're exploring territory, some people are going to cut down all the trees and screw up the environment, and other people are going to catalogue all of the wildlife and create very useful scientific resources. . . . The key thing that you'll find probably at conferences like this is that hackers like to talk about what they're finding. . . . So as long as people continue to engage with the "hacker community," then we can all learn and move the whole society forward and continue to expand the frontiers of the digital world. . . .
Do you have a sense that you are in a historical time, playing a historical role?
REID: I think we're all sitting in on a historical moment. The internet ranks as one of the world's great inventions, like the wheel, or germ theory, or anesthesia, or any of those things, and it has the power to transform the globe in ways that are almost unprecedented. The United Nations just released a report stating that, by the year 2004, no human being on the planet will be more than half a day's journey from a physical connection to the internet. And they specifically cited the case of somebody in the middle of the Sahara Desert, who, by their estimates, ought to be a half a day's ride from an internet terminal. . . .
COUNT: . . . Ultimately, the concept of going somewhere to get on the internet will become sort of very quaint and old-fashioned, because everyone will be online all the time, and everything will be online, communicating with other things. We're a unique species in that we do two things really well--we create language and we create tools. And now we're actually creating tools that have their own language that can then communicate with other tools. As everything becomes computerized, your refrigerator will tell your watch that you need milk, so when you're in the car and you drive by a store. . . . It'll tell your watch, which will then speak to you and say, "Why don't you go pick up some milk." . . .
I'm very concerned that we make sure we get it right in terms of the security. Because it's one thing if your computer blows up and crashes on your desktop and you're like, "Well, I'll go get a cup of coffee while I reboot." It's another thing if . . . ultimately, your entire life sort of crashes around you--your refrigerator crashes, your car crashes, and a new implant in your body crashes. How do you reboot that? . . . It's just going to become more ubiquitous--this internet environment, this global digital network. And if we don't get it right, it's just going to be a big mess, and that scares me a little.
Curador is a 18-year old hacker from rural Wales who in the winter of 2000 stole an estimated 26,000 credit cards numbers from a group of e-commerce web sites and posted the numbers on the web. After ex-hacker Chris Davis tracked him down, he was arrested in late March 2000, and charged under the United Kingdom's computer crime statute.
What kind of thrill do you get out of hacking? Is it sort of the New Age equivalent of sex, drugs and rock-and-roll?
I suppose you could call it that, in a way. After the first ten minutes, when I was waiting for the five and a half thousand credit cards I was to download from the first site . . . certainly there was a great rush, so to speak. You do get a rush from doing it--definitely. There is a lot of adrenaline, if nothing else, while you're trying to track it down. I sometimes spent two days solid trying to do something without sleep, without anything, just constantly trying to do it. And when you finally get through, the relief is not just from the fact that you got it, but now you can sleep. . . .
But what is the incentive that keeps you doing it? It's not as if you're going to get the secrets that are going to make you a wealthy man all of a sudden.
I'm just a very nosy person. I'm like your nosy neighbor on steroids, basically. ...You can see a lot of someone's life just from the contents of their PC.When I'm 28, definitely, I'll have either gone to university or be starting. You never know who's got what in their PC at the end of the day. When you get on to one PC and one network and that network's getting through another network, you might get in somewhere really interesting. You might find out that there's going to be a new "X-Files" show. You might find anything.
Is that really worth staying up all night for?
I think so yes, basically. . . .
What do computers give you back?
Computers are my career as well. I can get paid for doing the kind of work that I do. And you get a lot back in satisfaction, really, from writing programs and things like that, finding new ways of doing things, maybe figuring out a new way to perform a neural network for artificial intelligence, which is something I'm really interested in. . . .
But you're like a burglar who breaks into the houses just to see what's in there. You don't take anything. What's the point?
I think, obviously, I'm just a very nosy person. I'm like your nosey neighbor on steroids, basically. It can be interesting, because when you see into someone's computer, it gives you an idea of how they work, who they speak to, what they're interested in, whether they actually do any work, what their job is. You can see a lot of someone's life just from the contents of their PC. Some people even have correspondence with their family at home from their PCs, and so on. So it just depends.
What are you going to be doing in ten years?
I do want to go to university at some point in time. I'd like to try and get some kind of research grant or something, and . . . go into artificial intelligence in a big way, robotics, making equipment for the disabled, basically increasing the quality of their lives. Just looking for things and ways for computers to interact with people better, so that you feel a lot more at home with the computer. . . .
That's what you're going to do . . . if you're not in jail?
Indeed, if I'm not in jail. If I'm in jail, then I'm going to lift a lot of weights. Not much else. . . .
You didn't break in and take all those credit card numbers just to show the world how stupid and sloppy these people were. What were you really after?
Well, if I was trying to do something else, you seem to know more about it than me, because quite literally, I don't know. . . .
What's your fascination with credit card numbers?
They're a good choice. People don't like other people to know they have their credit card numbers. . . .
That's because people that get them use them to buy stuff.
Yes.
Is that why you were getting them?
No, I didn't try and buy anything with them that wasn't refunded. . . . There are loads of things I could've used them for. . . . But I didn't. The whole point of it was the message.
And what was the message?
There are a lot of people out there who won't even safeguard their own safety, let alone the safety of their customers. At the end of the day, it's the fault of these companies. The buck does stop with them. . . . But they're not even trying to protect their own business from that.
He is Chief Executive Officer & Co-Founder of iDefense, a private agency specializing in information intelligence. He has published 12 books on intelligence and covert warfare and serves on the National Security Agency Advisory Board and the Dept. of Defense's Joint Service Advisory Group. His latest book is The Next World War-Computers Are the Weapons and the Front Line Is Everywhere,
How has the digital age changed the nature of global conflict?
What's been happening for the last few years is a migration from the terrestrial to the virtual. . . . In the same way that we've had down the centuries, terrestrially, the seeds of conflict--power, money, political influence, territory and so on--they're all being replicated in the virtual space. And with it, conflict is migrating too. The significant difference though, is that down the years, it's been soldier, sailor and the marine that's been in the front lines. That's true to some extent still; you'll still have Bosnia, you'll still have Somalia, Rwanda and so on. They're different types of conflicts, but still very serious. In the virtual space, it's going to be the private sector, as well as government, that is going to be in the front line. It's the soft underbelly. That's where you attack because you get maximum leverage, more bangs for your buck.
That's a different paradigm from any one that's been before. It's not simply a matter of the CIA or the NSA defending the government, or intelligence agencies serving governments around the world. It needs to be done differently. Because every private sector company of any size, and every government agency who are under attack on a very regular basis needs to have intelligence, indications and warnings: "This is coming at you tomorrow and it looks like this," kind of thing. Then they can respond to it. And that's what our defense has been set up to achieve.
So it's basically the same old risks--thieves and rapists and pillagers in a different environment. . .
I'm not sure about rapists, but thieves and pillagers, certainly. And what you see being replicated is all the problems that existed terrestrially. You've got vandals, you've got organized crime, you've got extensive economic espionage, you've got 30 nation-states with very aggressive offensive information warfare programs. So you're seeing all the stuff that we had before. But it's also very different, because you and I can go into our local computer store and buy what is essentially an immensely powerful weapon: the computer. And you can load that weapon with very powerful bullets, which are hacks downloaded from the web, and you can fire that weapon at pretty much anybody you choose. . . .
The Pentagon demonstrated it was possible - easy - to hack into the power grids of the 12 largest U.S. cities, hack into the 911 system, and shut all off with a click... Historically, it's been governments that have invested in some new gizmo or other. They take 20 years to get into service, and they've had the access and the control of that technology. Now you and I have control. That's a huge shift. And it's a shift that governments are ill equipped to deal with, because it's a fundamental change in how you look at national security, what you look at as defense and offense. And the world in which we are currently living in, this kind of different environment, is essentially a world of chaos. There is no arms control. There are no mechanisms by which we can produce order out of chaos---not yet. There will be, in time, but there isn't at the moment. So it's a sort of free-for-all in the virtual space. . . .
It's a very different world, and we're only just beginning to see the dimensions of it. And nobody yet has a true handle on the threat, the opportunity, what is effective defense, what can we do to create an effective offense. Nobody has got that yet. But we're getting a picture, even though it's a little blurred.
But what are we defending against here?
. . . For example, when I was in Moscow a couple of years ago, it was very clear to me, from talking to the senior people in the scientific and intelligence communities, that they already feel they're at war. They are convinced that they are engaged in the next world war, that it is happening in cyberspace, and that they're losing. They're very active in the area, but they think that America has a very significant advantage, which is why the Russians have come up with two proposals for arms control agreements in cyberspace.
Well, they haven't got much of a reception for that, because America and its allies think that we're winning the war, so why should we have a treaty? But it is a very dynamic environment, where everybody sees that they need to play, and everybody is trying to seize advantage. And all the aggressors currently have the opportunity, because nobody is properly defended.
What can you say to the average person, to persuade them that this war really matters--that their sons and daughters will not be hauled off and shot in foreign places in this war?
A little while ago, the Pentagon demonstrated in an exercise that it was possible--even easy, actually--to hack into the power grids of the 12 largest American cities, and to hack into the 911 emergency system, and shut all of those off with a click of a button. Now, that isn't somebody getting shot, and you don't see the blood coming out of the body, and the body collapsing on the ground. But I can assure you, tens of thousands of people would have died.
To put that slightly differently, the cost of the "Love Letter" virus, which affected everyone . . . ranges between $4 billion and $10 billion. That's the equivalent of a complete obliteration of a major American city. And that was one individual from thousands of miles away.
So these things are extremely expensive, and very damaging. And they are also going to create a change in how nations balance against each other. Who is powerful and who is not, what is power projection and what is not? Does Singapore become more powerful than the United States because they understand how to control territory? . . . This is creating a whole different way of thinking about how we conduct our affairs, what threat looks like, and how we address and confront that threat.
Given the fact that the United States is so far ahead of everybody else, are we looking at a whole new era of American imperialism?
Well, I think that there is a both a yes and a no. America is the most advanced technology country in the world, no question. It is also the most vulnerable, because we are so connected. The capabilities that currently exist to wage information warfare, to attack a system, to destroy a network, to turn off a city or devastate a country are around.
The problem is, America is a huge and largely inert bureaucracy. I can attack a nation that I know is attacking me today--Russia, for example. I know that they have created significant damage to me. Now, can I retaliate? Do I have the capability? Yes. Can I do it? Well, that depends. You need legal sign-off. Is it an act of war or is it aggression or can you allow it? Is it a breach of a convention ? Will the politicians bear that? Can you actually convincingly supply the evidence? And on and on and on and on.
Now, if I am a market-state, as CEO, I can arbitrarily take decisions. If I am a small nation-state, a dictatorship if you like, that creates a very different dynamic. It's not a question of my needing to have ten tank divisions to have any impact at all. I just need a couple of smart guys with a really cool computer who understand how to do stuff. I can achieve an awful lot more with very little, provided I'm flexible and dynamic.
I could argue that you can achieve all that because you're not hamstrung by values like democracy and accountability.
Absolutely. Of course, that's true. . . .
Are we heading to a whole new realm of dictatorship?
We're looking at a change in the dynamic. The influence of the nation-state is absolutely declining. Nobody argues that. The influence of the market-state, the big global companies, is rising very powerfully. Many of them are more powerful than nations, in fact. . . . So the challenge for the nation-state is to continue to remain relevant. Now, does Washington remain relevant to its people? . . . If you go to Silicon Valley, or any other high technology center, Washington is largely irrelevant. They don't do anything. They don't actually know anything about the pace and course of the revolution. So how relevant do I consider government to be? In my line of business, I consider it to be very relevant. I also consider government to be a very important, vital instrument of democracy, and I believe very strongly in democracy. But while that's all well and good, you have to continue to provide value as a government. And if you don't, you're lost.
Why is the ability of government, of the traditional nation-state, falling so far behind the new market-state in terms of delivering value?
Because the nation-states, as they should in a democracy, slowly evolve. They take pressure and they absorb pressure and then they bring out change in a slow and well-paced way. That's a great strength in a democracy. This is a revolutionary environment, however. And the pace of change is enormous. We've all seen it--how many new chips do we get each year for our computer, what how many new PDAs or Palm Pilots have we seen emerge in the last 12 months? The pace is enormous. And it's going to continue in this way, everybody seems to agree, for as far as one can see. . . . What can government do to move at that kind of pace? . . .
Governments can always do something. The question is, can they do something fast enough? And if you look at the way the process is currently working, you have to agree that the pace of change is not matching the challenge. . . . All I have done my whole life is cover war and its consequences . All of the seeds of war are here: tremendous conflict and tension in society; the growth of the disenfranchised; all the things that you can see as points of potential conflict are around. And yet, governments, because they're largely inert, are treating business as if it's business as usual. Well, it very definitely is not. And it's a big concern, frankly, because I think democracy is going to find it very hard to adapt to these kind of very fundamental changes that are occurring. And most political leaders have no idea--none--because they're out of touch with the people.
But if a war is largely conducted, led, and prosecuted by the market-state, as you call it--the private sector--and in the commercial interests of the private sector--what will that war look like?
. . . For example, we had some human intelligence the other day that an oil company was going to be attacked, in the virtual space, by a group that believed it was pillaging the rain forest. Well, they didn't succeed in attacking the oil company, so then they went for a company that is heavily invested in the oil company. And they went into their email system, and caused a high degree of chaos. Now, that's not a usual protagonist, but it's a protagonist using the virtual space.
So you can see conflict happening at a number of different levels, with a number of different target sets. A market-state may choose to take out another market-state. Take a hypothetical situation where the whole telecoms world is operating virtually. It's all migrating there now. And you get a kind of Saddam Hussein of the telecoms business. Well, what are telecoms going to do? . . . Are they going to call on the UN or are they going to get the Group of Eight to come and help them? No, they're going to take care of business. And they would produce an environment that would take that particular individual out of their face. And then they would create something among themselves that would try to ensure that there were some checks and balances that made sure it didn't happen again.
There's no rule of law there, though.
Right. . . . And this environment is global. It has recognized no national boundaries, and all our laws are framed around national boundaries. And it is very difficult, when boundaries fall away, to make law apply effectively. For example, the National Security Agency is not allowed, by law, quite rightly, to gather any information on any American entity, be it a company or an individual. And they don't. Now, are they able to take advantage effectively of the largest information resource that the world has ever seen--the world wide web? No, because it's not very secure, and their processes are not designed to deal with that very effectively. Can they help American business to confront information warfare attacks that come from overseas? Well, not really. . . . . Can I do all of those things? Absolutely. Why? Because I'm private sector, and I'm free moving. Now does that make me amoral? Very definitely not. I'm a highly moral guy, and I run a highly moral company.
But what about the guy that comes after you?
Well, that's the problem. Because there are lots of people out there who see the world with very different eyes. The movement against globalization, for example, is already producing virtual terrorism, and that is going to be an accelerating problem. .. .
But your job is being on the frontier of the security sector in this new market-state. You work without rules. You work without a net. How do you distinguish yourself from, say, a vigilante organization--an Old West posse? How do you assure people that you are not part of a very, very dangerous trend in society?
Well, from a personal perspective, because I've seen so much of the consequences of war and of chaos, I wish to play a part in not having chaos. My job is not offensive information warfare. Could we have the capability if we chose? Sure. But would I ever launch an offensive attack? Absolutely not. That's not our business. If others choose to do that, fine. All I provide is the intelligence that says, "This is an indication, this is a warning, this is what you need to do." And I can then serve, not just America, but I can serve Japan and Asia from iDefense Japan, and I can serve Europe from iDefense UK. So hopefully, I can serve the globe without fear or favor in an impartial way, with intelligence that enables everybody to defend themselves.
But you have been shaped by a couple of thousand years of morality and ethics. How do we know that, in the future, these techies will be shaped by any of that? What kind of a world are we looking at, in which these market forces go at each other without any restraint?
That's a very interesting question. I actually believe that we may have been shaped for 2000 years or whatever of morals and ethics, but you can strip that away in a heartbeat. It's gone. Look at Bosnia--an evidently civilized society, as we use that term, and doing the most appalling butchery, and it happened in a heartbeat. So I don't think it takes much to get from where we are today to where we don't want to go tomorrow.
And I think that your question is well posed, because the generation that is coming up behind me, the real computer-enabled generation, has a whole series of values that are different to mine. They have also a very different experience. They've been educated and lived by and in the virtual space. . . . And so what you and I might choose to see as a moral and ethical framework in which we can perform is really not going to exist in the same way. The guidance and the structure that we get from our parents and from our government and from our legislators and so on is simply not there. They are not around to provide it. So we'll make this up as we go along . . . and we hope it's all going to work out, because by and large, we're good people. And by and large, I choose to believe that people are good . But there's an awful lot of bad in the good, and who is going to provide that over-arching guidance? It's a bit of a vacuum right now. . . .
How can the public sector ever develop the capability of dealing with these kinds of problems when you gobble up their talent? You pay their people three or four times more than the taxpayer is prepared to pay.
Well, that is a very good question. A lot of the government agencies that have been a home for highly trained talent are finding that they're hemorrhaging the best people, because people like me are hiring them. And it's absolutely true, I offer a lot more money, I offer better benefits, and I offer share options. . . . So in every area, whether it be law enforcement or intelligence or the defense community, there is a tremendous pressure on government, and they are simply not able to match it. They're stovepiped into the old matrices--you punch this ticket, you rise up the ladder and so on. And it's just not suitable for this environment. They have to compete on equal terms. I was speaking to somebody in a private sector company the other day who has hired a number of people out of the FBI. And Louis Freeh, the director of the FBI, had asked him to come to the office and he said, "Look, you can't keep hiring my people." Well, get a life, you know, this is capitalism at work, and this is a capitalist society. And we're not going to defend you from your own incompetence. We're going to do what we can to make ourselves more successful. . . .
He is Manager of Information Security, Frank Russell Company and in 1995 he founded 'the Agora,' a regional association of information systems security professionals. He served as an Advisory Panelist to the U.S. Security Policy Board on private sector perspectives concerning critical infrastructure issues.
What were you trying to prove when you turned a bunch of computer experts loose to find out as much as they possibly could find out about you?
As a security professional, it's become clearer and clearer to me . . . that there are growing problems out there on the internet with use of different technologies. One of my largest challenges as a professional is educating people about what these issues are all about. I felt the only way that I could educate people about the issue of privacy where I had the freedom to do it was to exercise my choice to disclose my privacy . . . so people could see how easily it was compromised, how easily my life was invaded by this technology and by the investigators. . . .
What sort of stuff did they find out about you?
It was a remarkable cache of information. Real quickly, the most damaging document was a certified copy of my birth certificate. This is a legal document that can be used for the purposes of identifying myself. A complete color copy of my college transcripts with the embossed seal from the university. From online, they got out a complete listing of online court documents that are related to me, everything from my dissolution of marriage documents to a failed business . That information was out there. They got maps of how to get to my house . . . and the names of all my different neighbors, possible properties I've owned . . . a whole laundry list of personal information. . . .
We take for granted that all this information is out there about everybody. But what we don't understand is that, basically, it's accessible by anybody.
For the most part, that's true. I think the average citizen would be amazed at the thin veneer of control that really exists for their privacy. There are assumptions everybody makes every day about what's available and what's not available about them and how much control they have over that. . . .
Is there any easy way working within the technology of protecting privacy?
Yes, there are there are ways that you can construct technology configurations that harbor personal data that allow for the protection of that data, or at least create a situation where the privacy is reasonably protected. That can be achieved. The problem with that is . . . that what has to be done represents complexities in accessing the data, it means delays, restrictions or more money associated with the access and control of that data. . . . People do not like waiting in line.
I think the average citizen would be amazed at the thin veneer of control that really exists for their privacy. For instance, I remember, in banking, the startling revelation that I received from the company newsletter . . . There was an interesting announcement from the marketing department. They had done surveys and research, and had determined that the teller window now had only really an eight-second time frame to operate in before the customer felt uncomfortable with the institution. In other words, if I wanted to cash a check and if I handed the check to the teller to ask for the check to be cashed . . . there's really a narrow range of time before people begin to feel encroached on. We want our identity and our transactions to go through quickly and swiftly . . .
So where will the protection of privacy come from, if it's not going to come from a general grassroots consensus?
There's an interesting process taking place in the health care industry and in the financial services industry. Both are large industries that respectively harbor sensitive data about all of us in one regard or another. They have now been given the responsibility to comply with very strong security and privacy regulations that have been passed down. In health care, it's been through HIPAA, the Health Insurance Portability and Accountability Act of 1996, and in financial industry, it's the Gramm-Leach-Bliley Act. [This legislation provides] very strong requirements that help support protection of the way those industries handle the data. . . . How those industries respond and how well those regulations work . . . will be a good indictor for a lot of us, about how well legislation works, how well enforced regulations work, as opposed to busines's best practices [and] codes of conduct that they come up with on their own. It will also show us what people could do through their own efforts as individuals interacting with their service providers. . . .
But what would a secure system really look like?
For an individual at their desktop, or for a corporation? If I were at home, for instance, and I wanted to have internet access, there would be some essential tools that I would have that aren't sold with the computer that you buy. First thing I'd do is evaluate carefully whether I wanted broadband with connections like the cable modem or a DSL connection. Those are fine services, but they come with some additional configuration challenges that maybe the average person wouldn't be aware of. If they're not properly configured, those are the kinds of connections to the internet which I refer to often as the "dirty" public wire. Those connections need to have something that stands in the way as a gatekeeper between you and that public environment. So I would buy a personal firewall of some sort that would provide me a couple of services. One, it would let me see clearly who was knocking at my door through that connection. That's another thing that the public surprisingly is not aware of. The internet isn't something you plug into and feed data into and accept from people who have directed it to you. It is a random connection that gets lots of random interaction. A firewall can clearly show you where those random hits against your particular address are coming from, what they are.
I would also be careful to manage my desktop and the data on my system to limit the kind of data I would have in my system. I'd also be careful in my habits on the internet. I'd be careful where I'd go. I'd be more responsible and understand that environment better than just ad hoc travelling around on that environment.
Can you describe a scenario where you could have a major catastrophe in terms of information leakage?
That's a question that's often been asked. The President's Commission on Critical Infrastructure did a lot of research into that. There have already been some very intriguing incidents. For instance, the theft of large listings of credit card numbers are much more provocative to me than how the average public may view it. A lot of people I've talked to are comforted by the fact that their financial liability is limited to maybe $50 with the credit card company that they're associated with. I'm not worried about my credit card being used to financially harm [me]. Well, I'm worried about that, but what concerns me most about the theft of my credit card is the fact that that's a piece of identification that can be used to leverage an identity theft. And I'm worried about scenarios where whole groupings of people are victimized by identity thefts. . . .
. . . This technology cannot be secured, and that's fact. I would debate that with any vendor, with any inventor of internet technologies, with any business that is deployed . . . . I would debate that with anybody. I believe it cannot be secured. It can only be risk-managed. All the technology that underlies this whole internet web phenomena is technology that was meant for communication. It was not meant to conduct business. It is open technology. Everything that you have to do to secure it is . . . afterthought stuff. And because it is afterthought stuff, because it is not part of the infrastructure itself, it creates a slew of problems and costs. The fundamental problem is that vendors and people are involved in the myth of how good it is, and they don't want to diminish that story by recognizing the fact that it may not be as cost-effective or as sensible a use as they would like to think it is. People are having a hard time giving up what they believe this is, what the internet is going to be, what this technology can provide. . . .
So what should it be doing--what are the limits? . . .
Well, I don't know if you have to limit it. You just have to understand how you are going to use it, and use it wisely. I have been in many conversations with bright people who are trying to market worthwhile products, and I challenge them often when they say that this technology is going to save you money. . . . I always interrupt them at that point and tell them that that is not necessarily true. As a matter of fact, my contention is, that by electing to deploy business technologies on the web and on the internet, you have chosen probably the single-most expensive environment to deploy services onto. Because if you properly deploy them, to protect privacy, to protect the environment that is created there, to protect the people who visit that service or that business, you have to spend a lot more money than businesses are spending now.
And would that make it slow and cumbersome and safe?
Well, the impression could be that it would be slow and a little bit more cumbersome . . . .
Would it be safe?
It would be safer. . . .
Okay, let's assume that people are not willingly going to go more expensive or less convenient and are, therefore, going to be left with more unsafe. What can you do to protect them in spite of themselves?
Education is a
