Chapter 4. Cryptography and the Web

only for RuBoard - do not distribute or recompile

When you get right down to it, the Internet is an unsecure communications system. While the Internet was designed to be efficient and robust, it was not designed to be inherently secure. The Internet's original security was provided by simple access control: only trustworthy military installations, corporations, and schools were allowed to have access. At each of those organizations, only trustworthy individuals were allowed to have accounts. In theory, people who abused the network lost their access.

The idea of using access control to ensure security failed almost immediately. In December 1973, Robert Metcalfe noted that high school students had gained access to the Internet using stolen passwords; two computers had crashed under suspicious circumstances. In RFC 602 (reprinted on the following page) Metcalfe identified three key problems on the network of his day: sites were not secure against remote access; unauthorized people were using the network; and some ruffians were breaking into computers (and occasionally crashing those machines) simply for the fun of it.

Today, the Internet's overall security posture has changed significantly. As we saw in Chapter 2, the simple act of browsing a web page on a remote computer can involve sending packets of information to and receiving them from more than a dozen different computers operated by just as many different organizations. The division of responsibility among multiple organizations makes it possible for each of these organizations and many more to eavesdrop on your communications, or even to disrupt them.

Yet in many ways, today's Internet is more secure than the early network of the 1970s and 1980s. The reason is the widespread and growing use of cryptography.

RFC 602

Arpa Network Working Group Bob Metcalfe (PARC-MAXC)Request for Comments: 602 Dec 1973 NIC #21021

"The Stockings Were Hung by the Chimney with Care"

The ARPA Computer Network is susceptible to security violations for at least the three following reasons:

Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence (e.g., ZXCVBNM).
The TIP^[1] allows access to the ARPANET to a much wider audience than is thought or intended. TIP phone numbers are posted, like those scribbled hastily on the walls of phone booths and men's rooms. The TIP requires no user identification before giving service. Thus, many people, including those who used to spend their time ripping off Ma Bell, get access to our stockings in a most anonymous way.
There is lingering affection for the challenge of breaking someone's system. This affection lingers despite the fact that everyone knows that it's easy to break systems even easier to crash them.

All of this would be quite humorous and cause for raucous eye winking and elbow nudging if it weren't for the fact that in recent weeks at least two major serving hosts were crashed under suspicious circumstances by people who knew what they were risking; on yet a third system, the system wheel password was compromised by two high school students in Los Angeles, no less.^[2]

We suspect that the number of dangerous security violations is larger than any of us know and is growing. You are advised not to sit "in hope that Saint Nicholas would soon be there."

^[1] The Terminal Interface Processor was the ARPANET's anonymous dialup server.

^[2] The wheel password is the superuser password.

only for RuBoard - do not distribute or recompile