Carl Malamud: Internet Talk Radio, flame of the Internet.
This is Geek of the Week and we’re talking to Jeffrey Schiller of the Massachusetts Institute of Technology, commonly known as MIT. Jeff is manager of systems and operations, which basically means he runs Net 18 of the Internet, responsible for the Athena servers, Hesiod, Kerberos, the file servers. In other words when something goes wrong at MIT, and that’s the kind of place where things go wrong, Jeff’s the guy you call. Jeff, welcome to Geek of the Week.
Jeffrey Schiller: Thanks Carl. It’s very good to be here.
Malamud: Well good. You’re noted for your interest in security matters. Is that because you have to deal with all these precocious undergraduates? Is that what heightened your interest in security?
Schiller: Well actually, I was interested in computer security when I first showed up at MIT as an undergraduate. I just found it an intellectually interesting field of study. But indeed because we have the students that we have I have an interesting perspective on it. In fact at MIT I like to say we have only two kinds of computer security. We have very good computer security, and we have…none at all. Because nothing in between is of any consequence.
Malamud: Well what’s that mean?
Schiller: Well it means if we take a security half-measure, we’ll have some very bright student who will explain to us in the worst way, meaning by doing something we’d rather they didn’t do, that it was in fact a half-measure. They will break it. They will figure out once they’ve broken it what thing that they could do that will cause us maximum embarrassment, and them minimum pain, to make the point.
Malamud: Well let’s look at two examples. What’s an example of a half-baked security measure that wouldn’t be a good thing to implement at a place like MIT?
Schiller: A good example would be just about any protocol or service that depends on authenticity of IP addresses, or depends on workstations in public places declaring who their users are. I think the network file service, the network file system from Sun prior to the use of secure NFS is a clear example of that.
Malamud: What’s an example of a really good security measure you can institute that does stop your students that are baying at the doors?
Schiller: Well, to do it right what you have to do is you have to make the problem that they have to solve in order to break security too hard to solve. And there are problems that are too hard to solve or require too much computation. The clear example that comes to mind is anything based on strong cryptography, if done properly, will require them to break a crypto system which, as bright as they may be, if it’s going to take years of CPU time to crack a particular key, it’s gonna take years of CPU time for somebody else or for them. They’re not special in that regard.
Malamud: I’ve heard the theory that you can have good security within an environment, within MIT or within IBM, but you can’t have good security in the Internet. Do you believe that?
Schiller: Not at all. I think the reason that we see that we have good security within some environments and we don’t have it globally within the Internet is that we don’t yet have standardized ways that are widely supported by vendors that would allow security to exist on an Internet-wide basis. If you look at those places that do have very good security you’ll discover that they’ve done something non-standard, or they’ve done something themselves or they’ve gotten somebody else to do something…in some sense some amount of custom work or custom programming. And you can’t do that on a scale the size of the Internet. What we really need is we need the vendors of the software and hardware that everybody buys to implement those basic security services so that we can just basically glue the pieces together. But that’s certainly a doable task.
Malamud: What are some of those custom solutions that won’t scale?
Schiller: [Mutters:] Now you’re making me think.
Malamud: That’s what we try to do here on Geek of the Week. [both laugh]
Schiller: Um…
Malamud: Is a firewall, for example? A lot of people put in firewalls and they protect their network by saying the only thing that can get into our network is electronic mail. Does that work?
Schiller: Well that’s actually a very good example, because that’s exactly— That’s a wonderful example of something that’s very crude, very effective, and absolutely the wrong thing to do. And I won’t take credit for this argument. This is actually an argument that Dave Clark has made on many occasions and I heartily agree with, which is by building firewalls what you’ve done is you’ve limited the availability of your network not only to hacking from outside, but also to good purposes that might be done. There was a collaborative project that I was working on with a rather large hardware vendor—I can’t mention their name here. And part of that collaboration would require us for debugging to send packets between their internal network and my network. And the bottom line was we weren’t able to do that because they couldn’t convince the security people who ran that firewall to let those packets through. So if you’re going to— You know, you can secure yourself, but at the same time you’re gonna lose opportunities and that opportunity cost is very hard to evaluate.
Malamud: Can you get around those firewalls? Can you build IP over email, for example?
Schiller: Well I don’t know if you’d want to build IP over email, but in fact a lot of the firewalls that are in place today, if an employee of the organization, an insider, wants to take some measures that their management might not approve of, you can usually build tunnels through most of the firewalls that’re in existence today. To be more clear, it was very possible that if I really wanted to collaborate with those folks inside of that company I was working with, that they could have, using a PC, configured an IP tunnel from their institution to my institution that would allow full routing through the firewall. Now of course, they knew they weren’t supposed to do that, they were trying to be on the up and up so they didn’t do that. But keep in mind an insider who has malintent, and after all we don’t build the firewalls to keep the good guys out, we build them to keep the bad guys out, and sometimes those bad guys are insiders, a bad guy would have no problems building that IP tunnel and doing whatever bad thing they wanted to do with it.
Malamud: So you think firewalls are not secure.
Schiller: Uh, I think they’re more secure than not being present if you don’t use other security techniques. I wouldn’t say to somebody who has a firewall, “Knock down the firewall. Do nothing else.” Because indeed they’ll have a decrease in security. What I’m saying is two things. I’m saying to users, you gotta find other solutions to the firewalls. And I’m saying to the vendors, you’ve got to provide those solutions. The technology exists, you just gotta use it in clever ways.
And then of course the users have to tell the vendors, “We want this. Make that a priority for your products.” And then the firewalls can go away because they’ll be obsolete.
Malamud: Is security something that the users have to provide or is it something that the Internet should be providing for the users?
Schiller: Well, that’s an interesting question. Of course the Internet doesn’t consist of just the network and the users, there’s network service providers, there’s host administrators, there’s a whole range of people. Ultimately there’s the end user sitting on the desktop. And certainly the end user shouldn’t have to be a security expert in order to have a secure Internet. In fact, you can argue that the end user, be they a mathematician, be they a physicist, be they a biologist, shouldn’t even need to be a computer expert, nonetheless a computer security expert, to use the network. But yet there are those of us within the network who run part of the infrastructure who should be aware.
I should be, for example, careful to ensure that when we run the MIT network that we run it in such a fashion that my users can be protected. That means that I may have to advise my users. That means I should be lobbying vendors—and I do this and maybe I’m doing this right now—that they should be providing turnkey solutions that are safe out of the box, so when my users, my physicists, and my biologists buy them that they should just by default be secure. I think the people who run the national networks need to be taking security seriously, and I think they actually are, but they’re in some sense at the wrong level. It’s sort of like asking the highway patrol to be responsible for making sure houses don’t get burgled in a local neighborhood by somehow doing something on the interstate at some level.
So there’s a role for many different players to play but I say right now the largest role is in the hands of protocol designers for communications protocols, computer system designers—the people who design these systems that we use. I think it’s of course incumbent upon the vendors and the people who work for those vendors who build these systems. And I think it’s a little bit incumbent on the users to create the market for those vendors to want to do that.
Malamud: Well let’s talk about some of the protocols that could be deployed that lead to a more secure Internet. One that comes to mind immediately is Privacy-Enhanced Mail. Privacy-Enhanced Mail seems to have two pieces. One is an underlying infrastructure of public key certificates, and the other one is secure messaging on top of it. Do you think that PEM is actually going to go someplace? Are we gonna see that widely deployed in the Internet?
Schiller: Well I think it’s still too early to tell how widely-deployed that technology will be. I’m of course hoping that it will be widely deployed; there’s some very good ideas in there. Earlier you asked me a question about can we scale security from local sites to the entire Internet. And part of the PEM technology, the public key certificate infrastructure, is exactly the technology that you need to deploy so that you can have secure sessions and secure communication that goes across the entire Internet between people who have never met each other in different states and in different countries and yet have that communication, be it electronic mail, video conferencing, you name it, be secure. Once we have that public key infrastructure, PEM as PEM—as Privacy-Enhanced Mail is but the first application that can take advantage of it. And these days we tend to think of the two as tied together because we’re using Privacy-Enhanced Mail as the way of deploying the public key infrastructure but they really are separate.
But once you have that public infrastructure, Privacy-Enhanced Mail, of course, if you look, mail itself is one of the largest and most heavily-used applications on the Internet. It’s one of the key ways that people communicate with each other. Sometimes sending some very sensitive information. Sometimes sending information of commercial value. Not only specifications but also purchasing commitments and purchase orders. And being able to secure that both in terms of confidentiality as well as authenticity and integrity is a very important service the Internet can provide.
Malamud: You’re listening to Geek of the Week. Support for this program is provided by O’Reilly and Associates, recognized worldwide for definitive books on the Internet, Unix, the X Windows system, and other technical topics. Additional support for Geek of the Week comes from Sun Microsystems. Sun, the network is the computer.
Don’t touch that mouse, Internet Talk Radio will be right back.
[Ask Dr. SNMP segment omitted]
Malamud: The public key infrastructure that we’re deploying is based on some some somewhat proprietary technology that comes from RSA. Is that the right technology to be basing this global security infrastructure on?
Schiller: It’s the best technology that I’ve seen. Basically all other technologies that would compete with it have the property that the people who wish to communicate have to somehow meet. They have to somehow exchange some secure information outside of the context of the Internet. And many people on the Internet who communicate only communicate through the network, because of economic reasons, geographic distances, or what have you. The network to be really useful must be a whole unto itself, and public key cryptography is one of the key technologies that enables it. And indeed in this country, in the United States, it is a proprietary technology. And one of the challenges facing us is figuring out ways to deal with that proprietary technology to ensure that the owners of it are properly compensated and yet the technology is widely deployed in a manner that is not offensive to the end users.
And I might add that public key technology is not the only proprietary technology that’s in widespread use. Ethernet, one of the key local area networking technologies, is a proprietary technology. There are many patents that cover it. And when you buy Ethernet hardware, part of the money that you pay for that goes to pay the patent holders. And so what we need is to figure out a fair and equitable way of compensating the inventors of the public key technology and the patent holders, and yet is as innocuous and as in essence unnoticed as the payments of patents on Ethernet boards.
Malamud: The Internet is a global infrastructure. And the RSA technology is subject to some export restrictions. How is that gonna impact our ability to deploy that infrastructure?
Schiller: Well actually there’s a very simple answer to that, which is— Some people might argue with this, particularly people within the export control area, not that I want to say bad things about them. You can draw your own conclusions, but there are some people who think that only smart people exist in the United States. But frankly my experience shows that that’s just not true. And indeed export control says that an implementation of Privacy-Enhanced Mail or any protocol that would be using public key cryptography, or any cryptography for that matter, can’t be exported from the US, but there’s nothing to say that somebody in another country can’t implement something according to the same set of RFCs and have them interoperate. One of the beauties of the Internet standards process is because so much emphasis is placed on interoperable implementations, and the standards are fine-tuned so that if two people or two organizations read the standard and code to it they would result in something that would interoperate, we’re a leg up. I mean it’s very likely that we will see, and in fact we’re already beginning to see, PEM implementations done in other countries that will interoperate with ours. And in that context export control’s just not an issue.
Malamud: But are the export controls rational? Do they have any technical basis in fact? If people in other countries are able to do that technology what’s the purpose of an export control?
Schiller: Well, I’m not the right person to ask that question. Obviously you have to find the right people within the government, and I’m not sure that they’re forthcoming with this type of stuff, to come out and explain their rationale. But I can speculate.
I think what’s happening— If I was in their position, if I was to take their point of view, I think the thing that concerns the export control people and that concerns law enforcement agents is, their nightmare is a terrorist or a drug dealer going into a Radio Shack store and buying the Realistic Telephone Authenticator And Scrambler, which uses technology so strong that they cannot break it and yet there it is for ten bucks, anybody can walk off the street and buy it. That’s their nightmare. I don’t think they’re concerned with an Internet professional writing a program or even a PEM implementation and distributing it, because that’s not going to be available on the shelves of Radio Shack.
Malamud: We should mention that product is not available on the shelves of Radio Shack.
Schiller: No, no. I have recently been in a Radio Shack store and I assure you there are no such products on the shelves of Radio Shack stores. And if you lifted export control, and if you deregulated all of that technology, then you really would see such products. So there is a price to be paid.
Malamud: The Internet is well over twenty-five years old by this time, yet security has been a long time in coming. We have a few things. We have things like passwords when you try to FTP in to a certain account. But we don’t have a real security infrastructure. Has the Internet tried to do security too well, and as a result not come up with things that we can use today?
Schiller: Well I think the lack of security on the Internet is— First of all this is not a problem that is unique to the Internet. If you look at other networks that are built, they either have no security or, worse yet, they have the half-measure security that I say our students break trivially. Security that appears to be security for the end users, but in fact is not proof against any kind of a serious attack. Within the Internet we have very little half-measure security. I hardly think we have any at all. We have a lotta no security and I think a lotta that is based on the history of the Internet having come from the ARPANET, coming from a research community, researchers, good guys, lotsa other good guys, not thinking of the network as a commercial vehicle. I mean certainly the early people who built it were not saying, “Hey I’m building a banking network.” They said, “No, I’m building up a network to do my research on, and nothing that somebody else can do to this network is particularly interesting or damaging to me.” In fact the Internet Worm incident, which I think scared a lotta people in 1988 on the Internet, to some parts of the research community was an interesting curiosity. Gee, I didn’t know you can do something like that. That’s pretty neat.
So it’s a different point of view. And of course now we’re playing catch-up. Now we have a situation with the Internet, in some sense while we weren’t looking, went in a very short period of time from that research toy to being a major commercial network where people… And you know, people will say well it’s not really a commercial network. But I would say that there’s a lot of people if not most people today who use the Internet…use it as part of the thing that they have to do to do their job. So it’s part of their life. And they view it as a secure production service that has gotta be there. And that may not be commercial…though of course we’re becoming more commercial, but that is certainly not a research network either.
And so we’re playing catch-up. And we have people who have criticized the people doing security in the Internet on insisting on doing very strong measures. And those strong measures sometimes have problems like using proprietary technology, like running head-on into export control laws, that cause things to slow down and not be immediately available. But I think in the long run that’ll be a very— I think that’s the wise course to take, because otherwise we’d have a proliferation of half-measures which would probably last us two or three years until some bright, obnoxious Robert Morris Jr. lookalike decides to demonstrate how bad they are. I think if we’re gonna deploy a security technology it really does have to be good enough that we don’t all wind up with egg on our face.
Malamud: There’s a movement out there that says that PEM is too complicated and too secure and we oughta be using a software product called Pretty Good Messaging. Can you comment on that? Is that just one of those half-baked measures?
Schiller: Uh, no. Pretty Good Privacy, the PGP program is actually—has benefited from the PEM technology. If anything it is an implementation of the basic concepts and ideas of PEM, with a couple of interesting twists added to fit the political bent of its designers. It’s not compliant with PEM; I don’t wanna say it’s a PEM implementation. But it’s certainly been influenced by the PEM RFCs. You might say it’s a freeform version of PEM, with some liberties taken with message formats and encryption algorithms.
The controversy that swirls around it has to do with the fact that the people who own the technology in the United States are not party to it and are not getting compensated. And there’s some political issues around that that I don’t really want to get into. And of course because it’s flowing across borders, mostly from Europe into the US because it was developed for the most part—the current version—beyond the US borders, I like to joke that we’ve created a new class of software. We have commercial software, we have freeware, we have shareware. Well PGP was the first example I’ve seen of forbiddenware. And as such it has a certain appeal to a certain sort of mindset that exists on the network.
But it’s not a half measure and in fact if anything it’s demonstrating that the features that the PEM technology and the public key technology can provide are both wanted and very valuable.
You’re listening to Geek of the Week. Support for this program is provided by Sun Microsystems. Sun Microsystems, open systems for open minds. Additional support for Geek of the Week comes from O’Reilly and Associates, publishers of books that help people get more out of computers.
This is Internet Talk Radio. You may copy these files and change the encoding format, but may not alter the content or resell the programs. You can send us mail to mail@radio.com.
Internet Talk Radio, same-day service in a nanosecond world.
Malamud: GIF files are interesting because there have been occasions in which let’s say overzealous MIT students have put pornographic GIF files on the network and sent them out. And I’m sure you like other network administrators occasionally get other networks calling you up and saying, “Stop those people from doing that.” Is that something that you as a system administrator should be able to do? Should you be able to stop your people from doing things?
Schiller: Well. The pornographic GIF images is actually a very complicated issue. Because there are several different sources of those images. The case we have at MIT is MIT does have a harassment policy and we do have a policy for the use of the MIT network that does make certain types of pornographic images inappropriate to send across our network. But frankly, I know of no incident where one student’s sent a pornographic image personally to another student that ever caused a problem.
The case where we have problems is when somebody operates an archive, or a file server, or an FTP server, with a publicly-writable directory and people literally all over the world store these files and fetch these files. So in some sense it’s an exchange site, to share with your friends. And in fact I’ve monitored some of these and you see a file appears with a name like “please upload such and such file.gif” And a few days later a file with that name appears, and presumably the person who created the file with the long funny name has actually gone and fetched that file. And now of course it’s still sitting there for anybody else who might want it. And the situation we’ve had on the MIT campus has been that we have faculty members who’ve actually run one of these machines that basically say that they don’t endorse pornographic images on their system, but at the same time they’re not going to be policemen and go around cleaning it up. They said they have a legitimate reason for having that publicly-writable directory, and they’re not going to be playing Internet cop, in essence. And we—myself as a system administrator—are just not in a position to do anything about that. If the faculty of MIT want to deal with this at a faculty meeting or otherwise censure other faculty members or come up with a policy statement, well that’s certainly something that might happen. But I don’t have the authority as the network manager at MIT to unilaterally go and stomp people.
Malamud: Well let’s say I’m the manager for the research network in Freedonia, for example. And my users are going across and grabbing all these files and are hosing my network. They’re offending my users, they’re getting rid of my infrastructure. Shouldn’t you be doing something since you’re the source of those files? You as MIT?
Schiller: Well certainly things I can do is I can point out to the faculty members who run the system that there’s real harm being done, particularly when we have situations of bandwidth saturation and what have you. And when a specific incident like that happens we usually can do something about it. I mean, the faculty members involved are not without sympathy to the problem, and will react to a particular incident. Again, they just don’t want to be made into the Internet cops. And if I say that a particular file or a particular situation is causing a particular problem right now, they’ll certainly respond to that. They won’t say well that’s just somebody else’s problem. It’s just that again, it’s not so much the reaction to the incident, it’s the “I won’t be the cop” mentality.
Malamud: Okay, well they’re not the cop. And you’re not the cop. Who’s the cop? Should it be the FBI? Do we need a police on the Internet? The Bit Police.
Schiller: Well, one of— You know, you raise an interesting point. Because if all the traffic was within one country, we might say, “Well, you know, if the stuff that’s being transmitted is against a law, well, there are legal authorities.” Of course a lot of the stuff that’s around is actually crossing borders. And in fact it’s not uncommon at all to see the connections that come into places to get images and even software—let’s face it, legitimate users are coming from all continents and many many countries. So in fact it’s very hard to figure out what the “Internet Law” would be. So I would try to stay away from trying to create Internet cops because it’s not clear what law it is they have to enforce.
Malamud: There was a recent article in the Communications of the ACM which dealt with the question of cryptography and crypto keys, and the role of law enforcement. And that proposal basically said well…you know…if we have totally secure messaging and a totally secure Internet, then we’re in a position where the FBI won’t be able to track down a terrorist or a drug dealer, and therefore that encourages crime. Should there be a loophole in a security system or a way that the FBI ought to be able to come in with a proper warrant to be able to figure out what’s been going on?
Schiller: Well…there’s actually two answers to that question. Let me answer more generally.
The use of cryptography to provide privacy to messages is a new thing, at least in terms of very strong cryptography being available potentially to a very large number of people. And that’s a very big plus for providing privacy. And you know, computers to date have had a really bad track record on the privacy front. Usually they’re used to take away your privacy. Corporations, credit card companies, have databases of people. I understand some states are looking to digitize the picture that’s on your driver’s license and that’ll be stored in the database. And so computers have been the source of removing privacy, and here’s an example where actually some privacy can be brought back not only to individuals, but that self-same technology can be used by the organizations, credit card companies, or what have you that want to do the right thing and protect their databases against hacking and what have you.
So it’s a two-edged sword; both edges cut in our favor. We get personal privacy, and by providing the tools to improve security, those who do have database will be able to better protect them from bad entries and hacking and what have you. So, that’s the first answer I’ll give you.
And as far as I sympathize with law enforcement’s concerns that the bad guys of the world might be able to use this technology to communicate beyond the ability of the FBI to listen in, and that will make crimes easier to commit and that will aid criminals, well my comment is: telephones aid criminals. Automobiles aid criminals—heck, before you had the automobile doing a fast getaway was next to impossible. And yet—
Malamud: Well, horses aid criminals too.
Schiller: [laughs] So you say you know, maybe we should outlaw automobiles, or maybe we should put a feature in your automobile that the FBI by remote control can like, make it stop. And I don’t think people would sort of go along with that, and this is just another example. As technology advances it changes the way the world is. It makes some crimes easier to commit and makes certain law enforcement easier to do, and it’s a two-edged sword.
Malamud: It sounds like you’re saying that the technology is not necessarily gonna take away privacy. That the Internet can actually enhance privacy if properly applied? Or at least protected?
Schiller: You know, technology provides the ability for individuals and organizations to do different things. And I think technology on the Internet will provide for increasing privacy of personal communications. Or, if not properly used, or if not used in the interest of individual privacy, can be used to take it away. It’s all up to how we use the technology, and how others use the technology. It’s not the technology itself.
Malamud: Thank you Jeff Schiller. This has been Geek of the Week. We’ve been talking to Jeffrey Schiller from the Massachusetts Institute of Technology.
This has been Geek of the Week, brought to you by Sun Microsystems, and by O’Reilly and Associates. To purchase an audio cassette or audio CD of this program, send electronic mail to radio@ora.com. Internet Talk Radio, the medium is the message.