Why are the newspapers full of reports of hackers defacing government Web sites and nasty viruses wreaking havoc on computers around the world?
In no small part it is a cultural problem that goes back to the '60s origins of personal computing and the Internet. Many of the Internet pioneers were bearded longhairs, academics and engineers whose techno-hippie ethos suffused their new world. They knew each other, were part of a community. Trust was the rule. The early Internet was much more about openness and communication than walls and locks. The faults it was supposed to correct were in the machines, not in us: corrupted packets, not corrupted morals.
"Once upon a time there was the time of innocence," says Clifford Stoll, whose work tracking down European hackers became a popular book, "The Cuckoo's Egg." "Once upon a time computers were not used except in academia, where there really is nothing that's mission-critical. Once upon a time computers were mainly play toys for the techno-weirds--techie play toys."
In that environment, hacking was part of the fun of what Stoll has called the early Internet "sandbox."
"In that environment, there seems to be a cachet of 'Hey! I wrote a virus! Hee-ho!' In that environment, it seems funny to break into somebody else's computer. . . . It seems somewhat innocent to read somebody else's e-mail."
It started with hacking telephone systems. The founders of Apple Computer--Steve Jobs and Steve Wozniak--got their start in business peddling "blue boxes"--little devices that allowed users to hack the telephone network and make long-distance calls for free. These "phone phreaks" were seen by some as cultural heroes--free spirits striking a blow against the suits, the evil corporations seen as the enemies of spontaneity and creativity.
Once computer systems were connected by networks, "remote hacking was an attractive challenge," Internet pioneer Vinton Cerf recalls via e-mail. "Surreptitiously making your way into the operating system from your secret hideout. . . . Much of the motivation was like picking locks or scaling walls--just to see if you could do it. Harm was not the objective, most of the time."
Katie Hafner, who has written books about the history of the Internet and about the lives of hackers, says that this metaphor of nerds at play is compelling--and accurate. "It was a big open playscape for these guys," she says. "The Net was built as a completely open community. People would actually be offended if files were protected." To be sure, there were some early nods to security issues--the fledgling ARPANET, the precursor to today's Internet, required passwords. It was funded by the military, after all. However, "the subtext was this was an open community because this was an experiment," Hafner says.
It was built by guys like Jon Postel, the Internet pioneer who died last year. Postel had a vision of an Internet that didn't need a center to survive, a network that could be governed by standards and consensus without ever putting anybody in charge. Utopian? Sure. Vulnerable? Uh-huh.
That culture rejected attempts to create computer operating systems that incorporated security from the ground up, but were complex and cumbersome. Computer security expert Peter Neumann says: "Viruses exist only because of the shortsightedness of subsequent developers who almost completely ignored the security problems" that some designers had effectively solved.
The problem is that the Net caught on, and in the biggest possible way. The anarchic, antiauthoritarian, don't-tell-us-how-to-run-our-lives ethic that defined the burgeoning network--and is still held out by most of the experts as the source of its vitality and strength--has retained that early vulnerability. Broader penetration of the Internet into society meant broader penetration of society into the Internet; it became more like the real world, and the real world is a tough place.
In '60s terms, the idea of free spirits being outside the control of central authority was the best of all possible worlds. But with no one in charge, it was damnedly hard to plug security holes.
A big wake-up call came in 1988 when Robert T. Morris Jr., then a student at Cornell University, released a computer program that single-handedly crashed systems across the Internet. His father, a famous programmer and security expert, was of the generation that had hacked for fun. Morris Jr. didn't mean to bring down the Net. "His mischief was kind of in the spirit of the Net," says Hafner. But by then the Internet was no longer a playscape, and the damage was real.
Of course if the Net's problem is anarchy, the problem with personal computers is monarchy: Bill Gates. Microsoft "is indeed the evil empire when it comes to robust infrastructures," says Neumann.
Two viruses that recently swept through the world's computers, Melissa and Explore.zip, took advantage of the fact that so many millions of PCs run on a suite of Microsoft's programs. The company's latest offerings include security options--but the options are turned off at the factory. The security measures make computing a little clunkier, and cut users off from some of the bells and whistles that Microsoft writes into its programs. Says computer security expert Eugene Spafford of Purdue University, it's as if consumers "said they wanted faster cars," and so the vendors maximize speed by providing "faster cars, but with no brakes and no air bags!"
Release a virus that attacks that company's software specifically, and "it's analogous to the Spaniards bringing smallpox to the Incas," he says. "There was no immunity--they just wiped everybody out. . . . We've really set up our environment in an unsafe way."
Of course today's Internet is a mirror of society. It may have been conceived in a spirit of trust and information wanting to be free and good practical jokes. But today it's about--money. The frontier is getting settled by corporations worth billions, all of which are promising to sell us our future.
They have to deliver, so anti-virus programmers and network security consultants have a market opportunity.
It's a tough time for a system that was created in an age of innocence. It will be interesting to see if a network strong enough to survive nuclear attack can survive its own success.
© 1999 The Associated Press