Hack Attacks

Hardly a week goes by without a report of some new virus or other security risk on the Internet. Microsoft’s Internet Explorer was a particularly fertile ground for bug-hunters, as is explained. Depending on whom you talk to, browsing the Internet is as safe as a walk in the park, or as dangerous as a walk alone at night in Central Park.

Is your data being read by prying eyes? Intercepted by third parties? Altered or obliterated by crooks or pranksters? How concerned should you be, and what exactly is at risk?

D ata can be compromised while it resides on your computer or during transmission from one place to another. (To see why transmission is so risky, see this explanation of.)

The best way to secure your data from outsiders is via encryption. The goal here is to prevent others from accessing it or, as a last resort, preventing them from reading it or tampering with it if they do succeed in accessing it. Encryption works on the principle of a lock and key. The lock is the encrypted data; the key is a number. The number can’t be derived from the encrypted data, so the lock can’t be opened without the key.

The simplest and most effective kind of encryption is single-key encryption: The author puts his data in a box, locks it, and sends it to an audience that already has a copy of the key. Single-key encryption works fine for broadcast situations such as a military command sending orders to its units, but not so well for two-way interactions. Public/private-key encryption provides an elegant solution to the problem. Under public/private-key encryption, everyone gets an individual lock with two keys. One key locks it, the other key unlocks it, and you can’t derive one from the other. If Bill wants to send Joe mail, he locks it with Joe’s public key, which is available for all the world to see. Now it is locked, and only Joe can unlock it with his private key, so only he and Bill can know the contents. Unfortunately, there is currently no standard way for someone to get or publish a key, which is one reason encrypted e-mail is not common today. PGP (Pretty Good Privacy) is a free utility that lets you do public/private-key encryption.

E ncryption comes in different strengths, denoted by the size of the numeric key. The bigger the key, the harder it is to break the encryption (pick the lock). Since encryption inhibits the ability of the government to spy on private dialogues, there are public-policy issues surrounding encryption. This is another reason encrypted e-mail is uncommon today, a topic which David Plotz covered in an earlier “The Gist” in Slate. SSL (Secure Sockets Layer), an Internet standard for encrypting data, is built into recent versions of Microsoft’s Internet Explorer and Netscape’s Navigator. But because encrypting and decrypting data is fairly slow, SSL tends to be used only where privacy really matters–typically, electronic commerce.

Sometimes it’s desirable to have data that are publicly available, but untamperable. For instance, the government publishes a crop report that a commodity broker then passes on to a client. How can the client know that the broker hasn’t altered the report? Digital signatures solve this problem. Mathematics can reduce any document to a few unique numbers–the signature. Changing the original data in any way results in a different signature. This signature is then encrypted with a private key. Using a public key, anyone can confirm that the signature matches the document. The document can’t have changed because the signature is the same, and the signature can’t be forged because only the creator has access to the private key that encrypted it.

What about protecting the data on your hard drive? Typically this is done at the operating-system level by restricting access to certain users. Ideally, users would carry around giant numeric keys to identify themselves, but computer marketers could never sell that solution. In the end, most systems identify users by passwords. Users enter their names and passwords. The name is public, but the password is private. The simplicity of the system is its power. While an encrypted document gives a code breaker something to analyze, an empty password prompt is simply empty.

Unfortunately, computer users betray themselves. Anecdotal evidence shows that most passwords are birth dates of family members, maiden names, favorite sports teams–things that are easy to guess. That’s why the best passwords aren’t real words, but combinations of letters, numbers, and punctuation. The best password contains enough nonsense so that no one can guess it, but not so much nonsense that you can’t remember it. And therein lies the other problem with passwords: People forget them. This is so common that, for every network, there is someone (the system administrator) who has the power to retrieve or change your password. The world’s best password is useless if the system administrator’s password is easy to guess, or if someone can get her drunk or blackmail her. But the alternative is frightening, which is why we don’t encrypt our hard drives with the password as our key. If we lost the key, that would be that.

The greatest perils to your precious data are the programs you’ve installed on your computer. Who hasn’t accidentally told a computer to delete the wrong file or stood by helplessly while the operating system crashed and took all the files with it?

Then there are programs designed to do damage. The worst are Trojan horses, programs that claim to be one thing but are really another, such as a program that is supposed to be a calendar but secretly erases your hard drive or copies its contents somewhere else. Then there are the legitimate programs that have been infected with subprograms called viruses. Viruses are crafty things that are cleverly (if perversely) designed to replicate themselves whenever their host program is run. Once replicated, they might then do harm to your data, just like biological viruses can do harm to their hosts.

Further perils to your data are programs like operating systems and browsers, which are supposed to protect you from harm. Like a brick wall, they resist any frontal attack. But like a brick wall, some of these programs have holes. The most insidious kind of hole is a back door, put there with a benign purpose (like letting in the dog) that can be exploited for nefarious ends (like letting in a trained monkey to steal your wallet). The recent Internet Explorer was just that. Some people feel that, found in most browsers, are a security hole, but I strongly disagree.

H ow can you be sure your programs are safe? Either obtain your programs from trustworthy sources, or ensure that the programs behave. Both have their trade-offs. If you were a photographer and had to hire child models for an important shoot, you could hire from a reputable modeling agency that guaranteed its clients, or you could hire children off the street and also hire an authoritarian nanny to watch them every second. The agency can’t really ensure their client’s behavior, but you would know that it had done its very best to choose only well-behaved children. The nanny, by comparison, can be trusted to control the children, but her constant presence irritates the children and slows down the shoot. Either way, you’re paying someone (the agency or the nanny). The best case of the agency is best (everyone behaves and is happy), but the worst case of the agency is worst overall (all the children go into hysterics at once). With the nanny, you know what to expect. Your shoot will never go as well as the best case of the agency, but then neither will it ever descend into chaos.

With software, the “agency” is an independent, trusted body verifying that software comes from where it claims. A digital signature ensures it came straight from the manufacturer, picking up no stray viruses along the way. Microsoft’s Internet Explorer uses this method for its ActiveX controls, which it calls “AuthenticodeTM.” These controls are small programs with no artificial constraints on their behavior. They allow for the highest possible performance and functionality, but also the highest potential for damage. If you download a control that has not been signed by a trusted agency, you’re putting your data in danger.

The “nanny” approach is the one taken by Java, a special programming language available in both Internet Explorer and Navigator that restricts the behavior of its programs. Because the abilities of these programs are restricted, they can’t harm your data. But because they are restricted, they are slower and can do less. For example, Java programs cannot read the files created by your personal-finance program. That’s good for safety, but rotten for functionality if you’re trying to write a program to help people analyze their personal finances. Another Java advantage is that because its programs do less, they can run on almost any computer, no matter what the operating system (Windows 95, Mac OS, OS/2, Unix, etc.).

Both approaches have merit for different applications. A high-performance video game can’t afford the performance penalty of Java, but if you trust the manufacturer, digital signatures that guarantee ActiveX give you the confidence to run it. On the other hand, a fill-in-the-blanks tax application doesn’t require breakneck performance, so a Java version that can run on almost any computer might be desirable. In fact, a hybrid approach may yield the best results: for example, Java presentation software that uses machine-specific ActiveX controls for high-performance animation and sound.

The concern over Internet security is somewhat overblown. There isn’t a mob of data villains waiting on the other side of the wire to steal your money, read your e-mail, and kidnap your dog. There is no documented case of a credit-card number being stolen over the Internet. Sure, viruses do spread and data are occasionally lost, but the main reason you hear so much about security is that it’s a great marketing tactic. “Don’t buy their browser; ours is safer.” Or, “Viruses can kill! Buy our anti-virus software.” Microsoft, Netscape, and others compete to make sure their products are as secure as possible. So maybe paranoia is sometimes a good thing.