Information Security News: Reflections on Thompson's 'Reflections'

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article2/0,4149,1517369,00.asp

By Peter Coffee 
February 5, 2004 

Every few years, I find it worth my time to re-read Ken Thompson's 
August 1984 article, "Reflections on Trusting Trust," based on his 
1983 Turing Award lecture that described what he called "the cutest 
program I ever wrote." The lecture does not merely describe the 
anatomy of a clever hack: it demonstrates the need for important IT 
systems to be treated as fundamentally untrustworthy, and to be 
guarded by independent technical and procedural limits on what they 
are able to do. 

Thompson's lecture is still being cited, for example, in discussions 
of computer-based voting systems in elections. His warnings also come 
to mind after reading William Safire's column for the New York Times, 
released this morning, about the West's deliberate sabotage of the 
former Soviet Union's campaign of Cold War technology 
theft--specifically, the Trojan Horse that was implanted in stolen 
pipeline-control software to create "the most monumental non-nuclear 
explosion and fire ever seen from space" (as described by Thomas Reed 
in his forthcoming book, "At the Abyss: An Insider's History of the 
Cold War.") If you don't want to wait for next month's publication of 
Reed's book, you can find additional background on Safire's column in 
an article by Gus Weiss, whom Safire calls the "mild-mannered 
economist" who "engineered" the sabotage effort. 

Thompson's device for concealing a "back door" superuser account was 
discoverable only by someone with access to the entire chain of system 
software, including the compiler that was used to compile the 
compiler. It was not a theoretical exercise, but a convenient method 
that he devised for ensuring access to the early Unix systems that he 
was often asked to help fix. 

And Thompson's lecture was followed, ten years later, by my April 1994 
article, "Distributed Objects Form Info Highway Hazards": although no 
longer online, so far as I can determine, that article was cited by 
another writer later that year in a still-accessible Defcon II 
conference paper on the nature of cyber-crime. My key point was that 
compound documents, with their invisible invocations of the 
applications that create their embedded objects, are constantly 
re-linking the user's chain of trust through unknown participants: the 
expected results, I argued, were both local breaches of security and 
global surges of network activity. 

Five years later, in April 1999, I suggested (in the wake of the 
all-too-predictable Melissa worm) that ease-of-use features in the 
then-forthcoming Office 2000 would further fuel the firestorm, with 
deadly combinations of features such as the Outlook preview pane and 
the incorporation of active content into HTML-formatted e-mail. 
Harried SCO Web site staff can only wish that I'd been more successful 
in persuading people that our network-intensive applications need 
anti-lock brakes, so to speak, as well as automatic transmissions. 

That ends this morning's history lesson, and I hope you'll pardon the 
retrospective tone. It's hardly original to point out that most 
successful IT attacks involve long-known vulnerabilities, but this 
morning's headlines seemed to call for this review of both old 
demonstrations and newly disclosed examples. 

I welcome your own war stories, cold or hot, at 
peter_coffee () ziffdavis com


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.