An Interview With Dr. Dorothy Denning
by Dr. Williams
Recently, I had the pleasure of posing questions to Dr. Dorothy Denning. Dr. Denning has been visible lately to the hacker community.
She participated with Sheldon Zenner in the defense of Craig Neidorf, and has written a paper, "Concerning Hackers Who Break Into Computer Systems." The paper was presented at a conference in Washington, D.C., where she also moderated a panel "Hackers: Who Are They?" in which Emmanuel Goldstein, Craig Neidorf, Sheldon Zenner, Frank Drake, Katie Hafner, and Gordon Meyer participated.
Dr. Dorothy Denning is well known in the computer security community as author of Cryptography and Data Security and numerous research papers. She is past President of the International Association for Cryptologic Research and works in Palo Alto.
This interview was conducted via e-mail over a two-month period.
Many members of the computer underground community believe there is a witch hunt afoot against hackers. Buck Bloombecker relates in his book, Spectacular Computer Crimes how Kevin Mitnick was harshly prosecuted by officials out to "get the little shit." Operation Sundevil utilized the efforts of over 150 agents, seizing equipment in 26 locations, but making only 9 arrests, 7 of those computer related.
Finally, even though the prosecutor in Craig Neidorf's trail is to be commended for dropping all charges instead of handing the matter over to the Jury, the fact the trial was started and later dropped leads one to believe they too were caught up in the witch hunt mentality before seeing the light. More examples exist. Do you think hackers are being persecuted by law enforcement fueled on by fear and ignorance, or are computer underground members not looking past their own bias to accurately judge the current state of affairs?
Let me begin by saying that I am not speaking on behalf of my company.
When I first heard the "witch hunt" analogy, it seemed to make sense.
Most computer crime is committed by insiders, and it seemed like law enforcement was over-reacting to the actual threat posed by hackers.
But as I've dug into some of the cases further and talked with people in law enforcement and industry, I've seen that some of the reports floating around in the computer underground were exaggerated, misleading, and failed to tell the whole story. Some companies have suffered large financial losses because of hackers.
So, the bottom line is that I do not agree that there is a witch hunt, but I can see how people could see it that way. It is true there are more serious problems in this country than that caused by hackers, but this does not mean the damages caused by hackers should be ignored.
Craig Neidorf's trial raises a plethora of questions. At the heart of the issue is why was the trial ever started in the first place.
Even to the casual observer familiar with Phrack, both sets of indictments appeared to be based more on inference than fact. The prosecutor's strongest card was showing the LOD/H was a band of rogue hackers and that Phrack and Craig Neidorf were associated with them, which implies weak evidence on the prosecutor's part. One cannot help but get the feeling BellSouth and the Secret Service were pushing hard for this trial - one could suggest pushing past the point of seeking justice. BellSouth was embarrassed by the publication of its E911 text document in Phrack and had hidden damaging evidence from the prosecutor. The Secret Service, after expending the efforts of over 150 agents in Operation Sundevil and claiming a national crackdown on hackers, but making only nine arrests, seemed to be grasping at straws and interested in saving a little face. It is no secret many disapproved of Phrack's content: bomb recipes, password crackers, hacking tips, lock picking suggestions, etc. The philosophizing could go on and on as more points are considered. Why did you think Craig Neidorf was really prosecuted?
I believe that the government prosecuted Neidorf because they thought he had broken the law. I believe that they accepted, perhaps without questioning, BellSouth's claim that the E911 document was highly sensitive and proprietary and that a hacker could use it to disrupt 911 service.
What was your motivation to be involved in Craig Neidorf's trail?
I believed he had not broken the law and that I could help with his defense. I was also concerned that a wrongful conviction - a distinct possibility in a highly technical trial - could have a negative impact on freedom of the press for electronic publications.
Many people feel the government was looking for the first opportunity to send a message that Phrack was not an acceptable publication. Do you speculate this is why the government accepted BellSouth's claims without questioning?
While it may be true that the government disapproved of Phrack, I know of no evidence that suggests this was a reason for prosecuting.
I speculate that the government just never considered the possibility that the information they got from BellSouth could be wrong and not hold up in court. I hope that in the future they will consult with disinterested experts before deciding whether to pursue an indictment.
Many articles in Computer Underground Digest and elsewhere have been critical of current laws governing hackers, viruses, computer usage, information concerning hacking and computer weaknesses, and fraud associated with computers on several grounds. Some laws have been shaped and enacted in crisis more by fear and misunderstanding than truth and good sense. Other laws dangerously erode our civil rights, fail to assign responsibility to computer owners to protect data, dish out harsher penalties to computer crimes over comparative crimes, do not give electronic media the same rights and privileges of printed media, have been motivated more by politics than protections, and in short, are just plain stupid, archaic, and frightening.
What is your opinion of the general worthiness of current laws governing hackers, viruses, computer usage, information concerning hacking and computer weaknesses, and fraud associated with computers?
I am not aware of any computer crime laws that erode civil rights or fail to give electronic media the same rights and privileges of printed media. Also, there are none that I assess as stupid, archaic, or frightening. While many laws may be initiated by a crisis, they generally undergo extensive review, sometimes over a period of several years, before they are adopted. Overall, I'd say the laws are pretty good. As deficiencies are discovered, they get amended and new laws added.
Current laws may provide a means of assigning responsibility to computer owners to protect data. I expect that an individual or company could sue an owner for failing to protect information about them, or failing to provide a promised service because negligent security practices allowed an unauthorized break-in. Nevertheless, I believe it is worthwhile to consider adopting a law where unauthorized entry into a system is at most a misdemeanor if certain standards are not followed and the damage to information on the system is not high. The difficulty is that it may be very hard to set appropriate standards and to determine whether an organization has adhered to them. Currently, it takes several years to evaluate a product according to the Department of Defense Trusted Computer System Evaluation Criteria.
For the most part, the penalties given to persons convicted of computer crimes have seemed reasonable. Although it can be frightening to see someone such as Neidorf facing 65 years in prison, it is fantasy to believe that a judge would assign anything even close to that. Most judges are fair and reasonable; this is why they are trusted with that position. If they assign a penalty that is unfair, public outrage will force them to reduce it. Still, it would be worthwhile to consider establishing a range of offenses with different penalties.
Information concerning hacking and computer fraud is sparse and often misleading. This is a consequence of the fact that the actual evidence in a case cannot be fully disclosed until the case comes to trial.
In addition, companies do not talk about hacker incidents since doing so is perceived to be harmful to business.
Information about computer weaknesses is widely disseminated through conferences, newsletters, professional journals, computer security courses, the CERT, and human networks.
Your paper, "Concerning Hackers Who Break Into Computer Systems," states one of the motivations behind hackers is a belief in the free flow of information. Free flow of information has helped propel us to our current heights of technology. Now, hackers point out the disturbing trend of treating information as property instead of the particular way information is expressed. Hackers feel restriction of information will deter learning and hurt the evolutionary process of technology. When information is kept secret behind computer doors, the result is bad for all of us. As the way Richard Stallman explains the statement in your paper, "I believe that all generally useful information should be free," do you agree with that point of view?
This is a tough issue on which I have more questions than answers.
On the surface it sounds compelling, at least for certain types of information, and I have always tried to operate from that principle myself by making my research results public. Stallman's arguments against software patents and user interface copyrights are especially convincing. The topic is definitely worth exploring and discussing.
But in any case, I believe it is wrong to use this principle to justify going into a computer system and downloading information to which you are not authorized, or to disseminate information obtained thusly.
One result of secured computers is secured information. What would be your reaction if the results of your research and work were applied to restrict the flow of information in a manner you morally disagree with? Does the effect of computer security on the flow of information ever concerned you?
Computer security per se does not restrict the flow of information. People do. If I want to restrict the flow of some information, I always have the option of not storing it on a computer at all or storing it on an isolated system. Indeed, these methods of handling sensitive data have been a common practice precisely because adequate security mechanisms were not available.
The problem with these practices is that they also make it more difficult for people who need to have access to the information to do their work effectively. Computer security gives people the capability to computerize sensitive information and integrate it with other information more easily. This can be a big productivity boost. It makes controlled sharing and distribution of information easier.
If I'm on a network that provides a secure cryptographic facility, then I can use the net to send you a highly confidential report without worrying about someone else reading it. By providing mechanisms for controlled sharing, computer security does not restrict the flow of information so much as give you assurance that the information will be disseminated according to your wishes.
Even then, the assurances are weak unless you use mandatory policies for information flow, that is, policies based on classification and clearances and a strict rule forbidding the transfer of information from one security level to a lower one. But most organizations other than the military find mandatory policies too restrictive, and so adopt discretionary ones. With a discretionary policy, it is very hard to control what happens to information once you give anyone access to it. You have to trust that the other people will respect your wishes. Fortunately, most people do, so the lack of assurance may not be a practical problem.
Since I don't want to avoid your ethical question, let me try to outline a scenario that I think gets at it. Suppose that I know of some information that in my assessment will result in harm if it is not freely distributed, but that the person who produced the information is not letting it out.
Suppose further that I know the information is stored on some system with a security mechanism that I designed, and that without that mechanism, someone could get access to the information. How would I react? I have never been in a situation like this, so it's hard for me to say for sure what I'd do. I expect I'd go to the person with the information to find out why he or she does not want to give the information out.
My own view of the world is extremely small, so there may be some good reasons that I have not thought of. If I am not satisfied with the answer and I know what the information is and not just what it is about, I might consider disseminating the information myself. But, I would have to have very strong reasons for doing this, since the consequences to me or to others could be serious. Another action I might take would be to try to exert public pressure, e.g., by going to the media and reporting that so-and-so is hoarding this information. I might do nothing on the grounds that if the person who produced it had not been there, we would be no better off.
It's been said computer crime costs everybody. However, this statement is often said in glib without much underlying thought. Can you explain if and how computer crime effects everyone in two different examples?
Situation 1: Ten different department stores operate in one region. One store, Store A, is the victim of a computer crime costing a modest amount of its profits for the year. How then is everybody effected, customers and non-customers? Nothing has happened to the nine other stores, so life is exactly the same for all their customers. Raising prices to make up for the loss by Store A would backlash. In a competitive environment, customers of the victimized store would simply buy the same items priced less at the nine other stores, compounding Store A's losses further. It could be argued the lost money could have been used to pay bigger dividends to stockholders, be used for charitable contributions, increased customer services, etc.
In any scenario, counter arguments exist. Only a limited amount of people feel the loss, such as the stockholders, not everybody. If the lost money were to be spread around in a manner that truly touched everyone, the amount per person would be so minute to make its effect wholly ignorable. Finally, there are the doubts that if Store A had never lost the money, it would have been used in a manner that effects everyone in the first place.
Situation 2: A company earns 51.5 million dollars profit one year.
At the end of the year, a hacker breaks into their computers. The total cost to clean up his damage is 0.1 million dollars. How is everybody effected? It is not likely the company will specifically raise its prices next year to make up the lost 0.1 million. Instead, it will probably settle for 51.4 million dollars profit and a tax write off.
Again, the arguments could place the lost money being used for employee benefits, additional R&D efforts, etc. This moves back to the counter arguments of the last paragraph and leaves the question, "How is everybody effected?" Clearly, computer crime is wrong. These arguments are not made as an attempt to justify or lessen the effects of computer crime, but made in hopes of clarifying hard points.
In both situations, you identified the direct financial costs to the companies involved resulting from the crime itself, and then analyzed how these costs are transferred to individuals. In both cases, the costs that reach most individuals seem negligible - unless you're the employee that lost his or her job because of the reduced revenue.
However, the financial costs to the companies can be even greater if publicity about the crime leads to loss of credibility.
When people say that computer crime costs everybody, they are usually referring to indirect costs. The indirect costs include increased tax dollars for law enforcement to fight computer crime, for research and development in computer security, and for government funded organizations such as the National Computer Security Center and the Computer Emergency Response Team. Indirect costs also include expenditures by vendors to develop secure products and by companies for security personnel, products, and training to protect their assets and operations. These costs, which may rise in response to increases in criminal activity, are passed on to customers. In your first situation, all ten department stores may feel compelled to beef up their security, and then raise their prices to absorb the costs.
Similarly, in your second situation, many companies operating on tighter profit margins may respond to a concern for suffering a similar loss by making security enhancements and raising prices.
I should point out that I do not view the above costs as bad, in the same way that I do not view the cost of airport security as bad. As a result of the latter, I can trust that the airplane I board is highly unlikely to be hijacked or blow up from a bomb. Similarly, if I have a secure system, I can trust it to preserve the secrecy and integrity of valuable information assets, and I can be confident that its operation will not be sabotaged.
But, some people say that security places a burden on users. Perhaps an analogy with the Tylenol scare is appropriate. As a result of one incident, it is now a major project just to open a bottle of vitamins!
A consequence of computer crime may be computer surveillance. Because of the widespread concern about break-ins and other forms of computer crime, computer security specialists are developing intrusion detection systems that will monitor systems for break-ins and other forms of abuse. If such systems are not carefully thought out and used, they could result in loss of privacy and degradation of trust in the workplace.
How has the proliferation of workstations changed the needs of computer security?
When workstations were first introduced, many people claimed they would solve the computer security problems of time sharing systems, because users and data would be isolated. In practice, they have introduced at least as many problems as they have solved, because nobody wants an isolated workstation. One challenge is to protect a workstation from attack by untrusted users and software running on other systems that are connected to the workstation.
Sun, for example, recently announced a patch for a security hole in SunView that allowed any remote system to read selected files from a workstation running SunView. Authentication of users, workstations, and software is becoming an increasingly important issue in networked environments in order to make sure that a remote request for service comes from the person or workstation claimed, and to make sure that programs such as login have not been replaced by Trojan horses or contaminated with viruses. A problem that arises with a workstation placed in a public place is how you prevent someone from rebooting the workstation, gaining root privileges, and then causing trouble on that workstation or other systems on the network.
Computer security scientists have developed good computer security procedures, but their record for simply preaching the practice of these developed procedures is less impressive. Today, many computer managers still fail to exercise basic computer security defenses. Can computer security scientists be faulted for failing to impale good security precautions into computer operators, or is that pointing the finger at the wrong person? Everybody plays a part is computer security, but who is most responsible: the user to use basic common sense, the operator to use tools already available, the vendor to develop secure OSes, or scientists to make computers more secure?
Everybody shares the responsibility. Individuals and organizations should look for ways to take greater responsibility rather than for excuses to assign it to others.
Some people in the security industry and system administrators I have had the pleasure of talking to essentially consider hackers to be gum on the bottom of your shoe: They usually get in only when security is weak, are more annoying than dangerous, lack the reason to cause harm but have the ignorance to, and just have the potential to cause an unpleasant mess. While this certainly isn't a glamorous analogy for hackers, would you consider it essentially correct?
It is a nice analogy, but it fails to tell the whole story. Some organizations report considerable losses from hacking and phreaking incidents. To them, hackers are a serious menace.
Do you think BBSes, by their nature, should be regulated as common carriers or as primary publications? Some have suggested regulating BBSes similar to ham radios and ham operators. Do you think this suggestion has merit?
Computer bulletin boards have been referred to metaphorically as electronic meeting places where assembly of people is not constrained by time or distance. Public boards are also a form of electronic publication. It would seem, therefore, that they are protected by the Constitution in the same way that public meeting places and non-electronic publications such as newspapers are protected. This, of course, does not necessarily mean they should be free of all controls, just as public meetings are not entirely free of control.
In comparison to the severity of other crimes, hacking still makes relatively big headlines. Hacking's novelty has worn off, so why do you suppose it still continues to captures the press's fancy?
Recent articles have focused more on the constitutional issues raised by the Neidorf and Steve Jackson Games cases.
Your latest area of research concerns hackers. What is your personal motivation or interest to study hackers? Can you give us your answer to the question of your October 1990 Washington, D.C. conference, "Hackers: Who Are They?"
Curiosity and a concern about the growing number of young people committing computer crimes that adversely affect the companies owning the systems they attack. I'm still learning who hackers are. They're all different, of course, while sharing a discourse that is revealed in places like 2600.
The few I have talked with extensively have been helpful, candid, passionately interested in technology and learning, and ethically conscious and concerned about unethical behavior and the free flow of information in organizations and society. I have enjoyed talking with them. But I would not want to say all hackers are like the ones I've talked with. Many hackers may be unaware or unconcerned about the adverse consequences of their actions on others.
Hackers can be notorious for bragging and shooting off at the mouth, in verbal and in text. From your studies, would you say this is one of the greatest reasons leading to their capture and demise? If the characteristics of hackers are homogeneous enough to generalize, what is the typical life cycle of a hacker? Discovery and interest in computers at adolescence, hacker status by high school, in college and in trouble by 21, retired by 22?
Hackers are caught because they perform an act that someone in the company affected by the act assesses is serious enough to investigate, and because there is enough evidence to trace the act to the hacker. Cliff Stoll's book gives a good account of one such case. I haven't talked to enough hackers to know the typical life cycle.
Your husband, Peter Denning, is also a computer security scientist. Do your shared careers ever present interesting situations at home, i.e. stimulating dinner topics, computer religion debates, elaboration of projects, etc.?
Peter is a computer scientist, but security is just one of many areas he's interested in. He is by far my biggest supporter and biggest critic. I mean the latter in a positive way. He goes over all of my papers and offers comments and editorial suggestions. We have lots of interesting discussions, which often lead to new ideas and projects.
For example, the topic of my most recent paper on the Data Encryption Standard came up in a conversation. We never have computer religion debates. I showed Peter my response to this question, and the following dialog took place:
P: When you've been together for 18 years, you don't have many disagreements. You can't even tell where the ideas originate.
D: It has nothing to do with 18 years. We've never disagreed much on computer issues.
P: I completely disagree!
It has been predicted that passive eavesdropping will become the hacking of the 1990s. This seems credible as prices in surveillance equipment have dropped over the years. How do you think hacking will change during the next decade?
Well, I don't have any special talents with a crystal ball, but it seems that if the motivation behind hacking is learning about and exploring systems, then I would not expect to see many hackers engaged in passing eavesdropping. Or, is the real motivation to have fun with technology in an illicit way? I expect that there will always be some hackers who try to break through security mechanisms, despite the risks and penalties of getting caught.
Many systems will be practically impenetrable because of improvements in security, but there will be always be systems that are easy to penetrate. As computer security tightens, the attacks may get more sophisticated.
I speculate that there will be more attacks on computers for purposes of espionage, sabotage, or fraud. These attacks will be performed by organized crime, terrorist groups, spies, and individuals out to make a profit illegally. I have heard that organized crime is already trying to enlist hackers, and some hackers may become criminals this way.
You stated your original intent for accepting the Sir Francis Drake interview in W.O.R.M. was the hope of teaching hackers something. Unfortunately, the interview did not move into that direction. What was it you wanted to tell hackers?
The hope was that I might say something so elegant and convincing that it would have the effect of discouraging hackers from breaking into systems. Which reminds me of a wonderful story by Raymond Smullyan in This Book Needs No Title. Called "Another Sad Story," he describes a man who being overcome with mystical insight, wrote voluminously. When he finished writing, he read his manuscripts over with great pride and joy. Then one day, several years later, he reread his manuscript and could not understand a word of it.
Dorothy Denning can be reached on the Internet at: denning@src.dec.com