The Threatened Net: How the Web Became a Perilous Place The Washington Post Copyright Diversion Books A Division of Diversion Publishing Corp 443 Park Avenue South, Suite 1008 New York, NY 10016 www.DiversionBooks.com Copyright © 2015 by The Washington Post All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever This is a work of fiction Names, characters, places and incidents either are the product of the author’s imagination or are used fictitiously Any resemblance to actual persons, living or dead, events or locales is entirely coincidental For more information, email info@diversionbooks.com First Diversion Books edition October 2015 ISBN: 978-1-68230-136-4 Table of Contents Introduction A flaw in the design: The Internet’s founders saw its promise but didn’t foresee users attacking one another Bracing for nuclear war The first ‘killer app’ ‘It’s kind of like safe sex’ Concerns from the NSA ‘Operation Looking Glass’ A network is born Old flaws, new dangers The Long Life of a Quick ‘Fix’: Internet protocol from 1989 leaves data vulnerable to hijackers The honor system Pakistan crashes YouTube ‘Knee-deep in alligators’ Networks with no maps Unstoppable momentum ‘No one was buying’ A disaster foretold — and ignored: LOpht’s warnings about the Internet drew notice but little action Geek heaven in a Boston loft Exposing bugs for all to see Bill Gates rides ‘Tidal Wave’ 700 users, 1 dumb password A close call at the NSA Dropping the ax ‘Hackers are like water’ The rise of the black hats Hacks on the highway: Automakers rush to add wireless features, leaving our cars open to hackers The drive-by hack Taking over from far away An ‘army of zombie drones’ Helpless in a Jeep Cherokee Preventing embarrassment A coming wave of lawsuits ‘This isn’t a car problem’ The future of computing hangs on one dominant operating system that has glaring security weaknesses Accidental hero The ultimate attack surface Cassandra Signs of trouble Dodo birds had it coming More from The Washington Post… Connect with Diversion Books Introduction When talk began a half-century ago about linking computers into a revolutionary new network, few imagined the possibility of a dark side Designers foresaw the need to protect the network against potential intruders or military threats, but they didn’t expect the Internet’s own users would someday use the network to attack each other Nor did they expect how popular and essential the Internet would become What began as an online community for a few dozen researchers to move information quickly and reliably now is accessible to an estimated 3 billion people who collectively use it to pursue a full range of human motives: good, bad and everything in between The network itself, meanwhile, has not aged well The Internet can appear as elegantly designed as a race car, but it’s closer to an assemblage of “hacks” or “kludges,” short-term fixes that were supposed to be replaced yet never were They endure because they work, or at least work well enough The consequences play out across cyberspace every second of every day, as hackers exploit old, poorly protected systems to scam, steal and spy on a scale never before possible The Internet’s original design — fast, open and frictionless — is what allows their malicious code to wreak havoc so widely The flaws they exploit often are wellknown and ancient in technological terms, surviving only because of an industry-wide penchant for patching over problems rather than replacing the rot A rising waves of viruses, worms and hackers prompted a chorus of warnings in the 1990s as the Internet was exploding in popularity with the arrival of the world wide web But the federal government had neither the skill nor the will to do anything about it And now the vulnerabilities may never be fixed After hundreds of billions of dollars has been spent on computer security, the threats posed by the Internet seem to grow worse each year Where hackers once attacked only computers, the penchant for destruction has now lept beyond the virtual realm to threaten banks, retailers, government agencies, a Hollywood studio and, experts worry, critical mechanical systems in dams, power plants and aircraft As the number of connected devices explodes — from roughly billion in 2010 to an estimated 25 billion by 2020 — security researchers have repeatedly shown that most online devices can be hacked Some have begun calling the “Internet of Things,” known by the abbreviation IOT, the “Internet of Targets.” Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives The future looks no safer as a single operating system, Linux, comes to dominate the online world despite serious security issues that could be fixed but haven’t been Yet again, other priorities — speed, flexibility, ease of use — often win out Warnings get ignored The Post’s Craig Timberg spent a year delving deeply into the story of how the Internet became at once so crucial and so insecure, by speaking to dozens of scientists, industry leaders and skeptics to tease out the unforeseen consequences of decisions made over decades His reporting, collected together for the first time in this e-book, tells an essential tale about the creation of our new digital world that’s at once thrilling and unexpectedly dangerous — with the most serious perils still waiting to be revealed A flaw in the design: The Internet’s founders saw its promise but didn’t foresee users attacking one another By Craig Timberg May 30, 2015 David D Clark, an MIT scientist whose air of genial wisdom earned him the nickname “Albus Dumbledore,” can remember exactly when he grasped the Internet’s dark side He was presiding over a meeting of network engineers when news broke that a dangerous computer worm — the first to spread widely — was slithering across the wires One of the engineers, working for a leading computer company, piped up with a claim of responsibility for the security flaw that the worm was exploiting “Damn,” he said “I thought I had fixed that bug.” But as the attack raged in November 1988, crashing thousands of machines and causing millions of dollars in damage, it became clear that the failure went beyond a single man The worm was using the Internet’s essential nature — fast, open and frictionless — to deliver malicious code along computer lines designed to carry harmless files or e-mails Decades later, after hundreds of billions of dollars spent on computer security, the threat posed by the Internet seems to grow worse each year Where hackers once attacked only computers, the penchant for destruction has now leapt beyond the virtual realm to threaten banks, retailers, government agencies, a Hollywood studio and, experts worry, critical mechanical systems in dams, power plants and aircraft These developments, though perhaps inevitable in hindsight, have shocked many of those whose work brought the network to life, they now say Even as scientists spent years developing the Internet, few imagined how popular and essential it would become Fewer still imagined that eventually it would be available for almost anybody to use, or to misuse “It’s not that we didn’t think about security,” Clark recalled “We knew that there were untrustworthy people out there, and we thought we could exclude them.” How wrong they were What began as an online community for a few dozen researchers now is accessible to an estimated billion people That’s roughly the population of the entire planet in the early 1960s, when talk began of building a revolutionary new computer network Those who helped design this network over subsequent decades focused on the technical challenges of moving information quickly and reliably When they thought about security, they foresaw the need to protect the network against potential intruders or military threats, but of software on the machine was flawlessly protected According to veteran security engineer Kees Cook, this made the Linux kernel “the ultimate attack surface.” “Vulnerabilities in the kernel generally meant that an attacker with access to a flawed kernel interface” – meaning a bug in the code – “could bypass nearly every other security policy in place and take total control of the system,” said Cook, who from 2006 to 2011 worked for Canonical, which supported the Ubuntu version of Linux, and later joined Google to work on kernel security Another expert, Brad Spengler of grsecurity, used satire to make a similar point in 2007, circulating a spoof of an illustration that had been used in promotional material for SELinux The original version showed the kernel wrapped in protective layers that repelled attacks, but the spoof overlaid images of Sesame Street characters happily penetrating these layers to menace the kernel Ernie, Bert, Elmo, Oscar the Ground and the Cookie Monster represented “Blackhats with kernel exploits,” the text said, meaning malicious hackers armed with the computer bugs that offered a way past even the heaviest defenses Brad Spengler, security expert on Linux, says nearly a dozen known Linux coding bugs could let malicious hackers defeat external defenses and take control of the kernel (Photo by Bill O'Leary/The Washington Post) Spengler later acknowledged the spoof was “childish” but said it “at least was more accurate” than the original diagram To drive the point home, he soon demonstrated how nearly a dozen known Linux coding bugs could let malicious hackers defeat external defenses and take control of the kernel The response from Torvalds to such concerns did little to calm Spengler or other critics In an era when software makers increasingly were candid about security flaws, issuing alerts that detailed problems and explicitly urged people to install safer updates, Torvalds had a different approach In messages that accompanied each new version of Linux, he described various improvements but would not spotlight the ones that fixed security problems This frustrated security experts who saw transparency as a key part of their mission They reasoned that if a software maker knew about a bug, then malicious hackers almost certainly did too and had been exploiting it for months or even years Failing to warn users directly and forcefully made it harder for them to protect themselves Torvalds, however, has held his ground on this issue He knew there were countless versions of Linux running across the world and that weeks or months often passed before updates reached individual machines Publicly revealing details about computer bugs – even if fixed in the latest release – gave an edge to malicious hackers until the software fixes arrived, he believed Torvalds also resisted suggestions that security deserved a special place in the hierarchy of concerns faced by software makers All flaws, in his view, were equally serious This attitude got enshrined in a public e-mail in July 2008 saying, “I personally consider security bugs to be just ‘normal bugs’ I don’t cover them up, but I also don’t have any reason what-so-ever to think it’s a good idea to track them and announce them as something special.” This comment – often recalled in shorthand as Torvalds’s declaration that “bugs are just bugs” – is the line most often quoted by his critics as they seek to explain what they consider a persistent, almost willful tone-deafness on security These experts say while most bugs are mere glitches that might cause a function to fail or a program to crash, others are far more serious, offering malicious hacker an opening they can use to take total control of computers Those who specialize in security think in terms of categories of bugs Each one is a cousin of others, some already known, some not yet discovered, based on what functions they exploit By studying each new one carefully, these experts believe it’s possible to create defenses to thwart hackers even if they penetrate outer rings of defenses But in his recent interview with The Washington Post, Torvalds rejected the notion that bugs could be usefully sorted into categories “I refuse to waste a second of my life or any other developer’s life trying to classify something that can’t be classified,” he said Rather than trying to create protections against “classes” of bugs, Torvalds seeks to inspire better coding in general “Well-written code just doesn’t have a lot of special cases It just does the right thing … It just works in all situations.” As for the exceptions, Torvalds shrugs: “Sometimes reality bites you in the ass Sometimes it’s just bad coding.” Cassandra There has been a recurring sub-plot in the history of the online world: For every advance, every thrilling new vista of possibility, there are those who warn of dangers lurking in shadows ahead To borrow from Greek mythology, they are the Cassandras – often right in their prophecies, yet generally ignored until disaster actually arrives The leading Cassandra in the Linux story has been Spengler, whose critique of SELinux featured malevolent Sesame Street characters in 2007 He and a pair of colleagues, who worked for an affiliated project called PaX, had over several years developed patches that dramatically hardened Linux The best-known of these techniques, called Address Space Layout Randomization, reshuffled each computer’s memory almost continuously So even when hackers found their way to the kernel, they became became so disoriented that it was difficult to steal files or implant malicious code Despite such innovations, Spengler did not become a popular figure within the upper reaches of the Linux community, among whom he was seen as extreme in his views and sometimes brittle in his manner Plus the grsecurity and PaX patches, though universally regarded as cutting-edge security measures, can slow down computer performance Some also caused some features to not work as well, violating Torvalds’s cardinal rule against “breaking userspace.” Torvalds said recently of Spengler, “He’s one of the crazy security people, no doubt about it, and so we’ve butted heads.” He added that Spengler “is somebody I respect from a technical standpoint,” but a split emerged that was philosophical and, eventually, personal as well Torvalds was happy to let Spengler’s project toil on the fringes of a sprawling Linux empire, but Torvalds showed little interest in overhauling the kernel itself to address complaints from the security community, especially if that meant exacting a significant price in operating system performance “The market for that is pretty small in the end,” he later said of Spengler’s project “Most people don’t want the GR Security system.” The limited consumer demand for security was not news to anybody who worked in the field Spengler often lamented how, as Linux spawned a multi-billion-dollar industry, he and his colleagues struggled to raise enough in donations to underwrite their work “People don’t really care that much,” Spengler later said “All of the incentives are totally backwards, and the money isn’t going where it’s supposed to The problem is just going to perpetuate itself.” Because the Linux kernel is not produced by a business, it doesn’t respond to market conditions in a conventional way, but it is unquestionably shaped by incentives – and most of all, by the priorities of Torvalds To carry out this vision, Torvalds has surrounded himself with dozens of code “maintainers,” each of whom help manage different elements of the operating system Anyone with an idea for improving Linux can craft the relevant code and submit it to a maintainer, who vets each proposal before sending the best ones upward to Torvalds himself From his home office above a three-car garage, Torvalds then approves – and occasionally rejects – the changes submitted by the maintainers and consolidates them in a week of frenzied activity called “the merge” before releasing the next version Each merge, he said, typically touches 200,000 lines of code Though once largely a volunteer effort, top maintainers today typically have day jobs with tech companies that have a stake in the growth of the operating system and pay salaries to developers to support that common goal But the Linux development process still remains de-centralized, relying heavily on the individual interests and initiative Even many Linux enthusiasts see a problem with this from a security perspective: There’s no systemic mechanism for identifying and remedying problems, or for incorporating the latest advances in defensive technologies “Security is an easy problem to ignore, and maybe everyone thinks somebody else should do it,” said Andrew Lutomirski, a maintainer for part of the Linux kernel and an advocate for introducing better defenses overall “There certainly are people who have security as a much higher priority than Linus Torvalds does.” Spengler’s quest to improve overall Linux security peaked in 2010, when he spoke at a Linux conference in Boston He prepared an extensive presentation titled, “Linux Security in 10 Years,” detailing a range of ideas for keeping the kernel safe even when hacks inevitably happened The proposals seemed so urgent to Spengler that he expected to see top Linux maintainers and possibly even Torvalds himself in the audience But when looked out across the half-empty room, Spengler saw none of them They were all off at other meetings “These guys are just working on things that they’re interested in, and, for most of them, what they’re interested in is not security,” Spengler said recently “My feeling with Linux is that they still treat security as a kind of nuisance thing.” Signs of trouble In the years since Spengler and others began warning about the security of Linux, it has triumphed in the marketplace Google released its first version of the Android mobile operating system, which is based on Linux, in 2007, allowing Torvalds’s work to reach hundreds of millions of smartphones each year Google also made the kernel the basis of Chrome OS, used in an emerging category of low-cost computers called Chromebooks Companies building the so-called Internet of Things – a massive universe including everything from online thermostats to heart-rate monitors to in-flight entertainment systems – also came to prefer Linux, which require no fees that might drain away profits Those worried about security arguably have bigger problems than Linux, at least for now Hackers are more likely to prey upon Oracle’s Java and Adobe’s Flash and Acrobat But while many older, vulnerable pieces of software are being gradually phased out, Linux is conquering new computing worlds that were scarcely imagined back then As the operating system explodes in popularity, the debate over security has begun drawing attention beyond the world of Linux insiders Sergey Bratus, a Dartmouth College computer science associate professor, argues that kernel should be overhauled to streamline the code and also to integrate the type of security features long advocated by Spengler and other critics – even if the features slow computers down “In a device that I trust my life to, I would prefer this,” Bratus said The most famous overhaul in software history came in 2002, when Gates ordered engineers at Microsoft to make security their top priority, a process that took several years and helped the famously hackable staples of that company’s lineup get considerably safer The security situation with Linux is not nearly so dire as it was for Microsoft in 2002 It’s also harder to see how an overhaul could happen for an open-source project “Linux cannot just be turned around by a memo from Linus He’s not Bill Gates,” said Bratus “But a culture change is definitely needed before we start relying on these systems for everything.” The Linux Foundation did suffer an embarrassing hack in 2011 More recently, in 2014, Linux devotees were unhappy to discover that an Italian surveillance company, called the Hacking Team, had swiftly turned a Linux exploit called “towelroot” into a skeleton key capable of unlocking hundreds of millions of Android phones This allowed Hacking Team to turn Android devices into powerful spy tools – capable of tracking targets, listening to their conversations, rifling through their files, even taking pictures of them – on behalf of customers that included some of the world’s most repressive governments “It works :),” wrote one Hacking Team developer to another in an email about towelroot, according to a trove published by Wikileaks “Good job, thanks.” This summer came another warning sign about Linux when a pair of car-security researchers, Charlie Miller and Chris Valasek, took remote control of a Jeep Cherokee – affecting the steering, brakes, acceleration and more – by hacking their way into a dashboard information and entertainment system that was connected to the Internet and running Linux The stakes were underscored in the keynote address at an August summit on Linux security that pointedly compared the blinkered attitude of software makers today to that of the automobile industry in the 1960s, whose products functioned well but failed to protect people during unforeseen events such as crashes – leading directly to unnecessarily suffering and death “Let’s not take 50 years to get to the point where computing is fun, powerful and a lot less likely to maim you when you make a mistake,” concluded the keynote speaker, Konstantin Ryabitsev, a security expert for the Linux Foundation Dodo birds had it coming The Cassandra myth reached its tragic climax when she warned the Trojans that a giant wooden horse on their shores – supposedly a gift of surrender after a long siege – actually was filled with warriors who soon would emerge to destroy Troy The Trojans laughed and ridiculed Cassandra They realized their error when it was too late In the days after Ryabitsev gave his August keynote address suggesting that software makers should rethink how they approach security, several Linux maintainers exchanged messages on a public mailing list about the possibility of revisiting some of the issues long raised by Spengler and other critics “We have some measures in place, although we are really not doing everything we can,” wrote James Morris, maintainer of Linux’s exterior defenses against attackers As evidence of his concern, Morris cited occasions when bugs are discovered that are thwarted by grsecurity – Spengler’s patches – but not the main kernel released by Torvalds Spengler’s name soon came up explicitly in the discussion, though participants correctly guessed that he had little interest in participating in such an effort now (“I already did it in 2010,” he said in an interview afterward “It’s kind of annoying that nothing came of it at the time… I feel it would be better if they came up with their own ideas.”) Among those who were part of the discussion was Kees Cook, the Linux security engineer who now works for Google He too recalled Spengler’s call to action in 2010 Cook said there have been improvements since then – what he called “the low-hanging fruit” – but not enough Veteran security engineer Kees Cook calls the Linux kernel "the ultimate attack surface (Photo by Amanda Lucier/The Washington Post) “We’re five years into that list, and we’ve only scratched the surface,” said Cook, who in addition to his work for Google is a maintainer for Linux and part of a kernel security response team “There is not the cultural shift I’d like to see.” Yet Cook and others say the chances of a major reconsideration of kernel security may now be better than ever before Edward Snowden’s revelations about the extent of government spying – and about how the NSA took advantage of security weaknesses that experts often knew about but had failed to get fixed – have alarmed many in the tech community So have the recent rash of high-profile hacks, such as the massive pilfering of personal data from the U.S government computers at the Office of Personnel Management “Given some of the evidence of the widespread security problems, it’s a little easier to introduce the topic again,” said Morris, the Linux security maintainer, in an interview “Now that we’re looking at literally billions of Linux systems out there, I think people are starting to wake up.” The online discussion sparked by Morris in August has produced at least one tangible result: At the annual Linux Kernel Summit in Seoul last week, he and Cook made a presentation that echoed many of Spengler’s points from 2010 – only the list of problems needing serious attention had doubled, from six to 12 And this time, Torvalds and some of his top deputies were there Torvalds himself still instinctively resists anything smacking of a dramatic overhaul, asking the world to trust the Linux development model’s gradualist, evolutionary approach in which problems – and the trouble that often results – lead to computer code continually improving “I don’t think you have an alternative,” Torvalds said in the Post interview “I don’t think you can design things better than they evolve… It really is working very well.” And what, he was asked, of the inevitable costs of evolution? The entire species, like the dodo bird, that have died off? Must progress come at such a price? Torvalds smiles again: “Dodo birds had it coming.” But dodo birds, driven from existence after humans ruined their native island habitat, had little chance to protect themselves from doom What about the Trojans? More from The Washington Post… Get the latest news and essential information directly in your inbox from The Washington Post Sign up for free e-newsletters and alerts Connect with The Washington Post on Twitter @washingtonpost and on Facebook Learn more about The Washington Post Series: Connect with Diversion Books Connect with us for information on new titles and authors from Diversion Books, free excerpts, special promotions, contests, and more: ... Bill Gates rides ‘Tidal Wave’ 700 users, 1 dumb password A close call at the NSA Dropping the ax ‘Hackers are like water’ The rise of the black hats Hacks on the highway: Automakers rush to add wireless features,... work in an era before smartphones, before cybercafes, before even the widespread adoption of the personal computer The attack sparked both rage that a member of their community would harm the Internet and alarm that the network was so... on the ARPANET and other networks that wanted to communicate with it had to start using TCP/IP And gradually they did, linking disparate networks together in a new, global whole So was born the Internet