Wire Pirates Essay

Someday the Internet may become an information superhighway, but right now it is more like a 19th-century railroad that passes through the badlands of the Old West. As waves of new settlers flock to cyberspace in search of free information or commercial opportunity, they make easy marks for sharpers who play a keyboard as deftly as Billy the Kid ever drew a six-gun.

It is difficult even for those who ply it every day to appreciate how much the Internet depends on collegial trust and mutual forbearance. The 30,000 interconnected computer networks and 2.5 million or more attached computers that make up the system swap gigabytes of information based on nothing more than a digital handshake with a stranger.

Electronic impersonators can commit slander or solicit criminal acts in someone else's name; they can even masquerade as a trusted colleague to convince someone to reveal sensitive personal or business information.

'It's like the Wild West', says Donn B. Parker of SRI: 'No laws, rapid growth and enterprise - it's shoot first or be killed.'

To understand how the Internet, on which so many base their hopes for education, profit and international competitiveness, came to this pass, it can be instructive to look at the security record of other parts of the international communications infrastructure.

The first, biggest error that designers seem to repeat is adoption of the 'security through obscurity' strategy. Time and again, attempts to keep a system safe by keeping its vulnerabilities secret have failed.

Consider, for example, the running war between AT&T and the phone phreaks. When hostilities began in the 1960s, phreaks could manipulate the long-distance network with relative ease in order to make unpaid telephone calls by playing certain tones into the receiver. One phreak, John Draper, was known as 'Captain Crunch' for his discovery that a modified cereal-box whistle could make the 2,600-hertz tone required to unlock a trunk line.

The next generation of security was the telephone credit card. When the cards were first introduced, a credit card number consisted of a sequence of digits (usually area code, number and billing office code) followed by a 'check digit' that depended on the other digits. Operators could easily perform the math to determine whether a particular credit-card number was valid. But phreaks could just as easily figure out how to generate the proper check digit for any given telephone number.

So in 1982 AT&T finally put in place a more robust method. The corporation assigned each card four check digits (the 'PIN', or personal identification number) that could not easily be computed from the other 10. A nationwide on-line database made the numbers available to operators so that they could determine whether a card was valid.

Since then, so-called 'shoulder surfers' have haunted train stations, hotel lobbies, airline terminals and other likely places for the theft of telephone credit-card numbers. When they see a victim punching in a credit...

