"a fish, a barrel, and a smoking gun"
for 15 February 2000. Updated every WEEKDAY.
IP, Freely



Last week's "distributed denial

of service" attack that disabled

Yahoo, Amazon, eBay, E*Trade and

other popular Web sites has

already produced some solid

results: helpless hand-wringing,

pompous declarations and

amusingly ineffectual government

conferences, to name a few. What

it hasn't produced as of this

writing is a perpetrator.


Which just means that

everybody's looking in the wrong

place. The guilty party is

obvious, and right under our



Does anybody know where

Kevin Mitnick is?


Only kidding. Mitnick

recently released from the Jenny

Craig Federal Correctional

Facility — is probably the

one person in the country who

can safely be ruled out, his

parole agreement forbidding him

to do anything more

technologically sophisticated

than banging two rocks together.


But that leaves plenty of other

people to point the finger at,

and the population of the Net

— never a group for quiet

reflection when wild hysteria

will do — has enjoyed a

merry week of pointing it at

just about everybody. Among the

potential culprits: Microsoft,

the National Security Agency,

the Russians, Linux,

the FBI, college students,

Microsoft, the affected sites

themselves, the disgruntled

DeCSS crew, the Chinese,

security experts, Microsoft,

and Suck.com.


The actual perpetrator is more

likely a surly thirteen-year-old

kid, tired of knocking over

neighbor's mailboxes. Or he's a

railing anti-consumerist, hopped

up on grade-B agitprop and ready

to take down the Man. Or he's a

Canadian — you just know

they're involved somehow —

amusing himself by testing what

makes Americans panic. The

specifics hardly matter.



He's armed himself with a Linux

box, a few readily available

tools, and enough free time to

set up both. The


impact ratio of this caper is

laughable low. Just a few hours

at the keyboard and wham! He's

notorious. Or he will be if he

fails to keep his mouth shut. If

you're looking for sponsorships,

Jacques, we'd like to make an



But the people who truly deserve

the blame for the public's

hours-long inability to swap

"Steam Engine" jackknives on

eBay are the short-sighted,

tight-fisted monkeys who managed

to build a multi-billion dollar

industry on an insecure

networking system, something so

fragile that it can be brought

to its knees by anyone willing

to bother. The fact that a

target as big and fat as Yahoo

is fundamentally vulnerable to

something as simple as a DoS

attack is a clear invitation to

go right ahead and shut them



And if such vandalism is

inevitable — and it is —

then the responsibility for

preventing it falls to the

targets, and the society that

they make up. If politicians,

business-owners and retailers

agree that the scourge of spray

paint is dangerous enough to

keep locked away from anyone not

old enough to be drafted, then

we sure as hell should be doing

something about IP.


IP, or "Internet Protocol," is

the Net's lingua franca, and it

was created decades ago. Its

main goal was military, to route

data around outages and ensure

that email could still be

delivered in the event that,

say, the Soviets managed to wipe

Chicago from the face of the

earth. Security did not play a

big part in the design of what

everybody assumed was going to

be a cooperative network. When

academics, programmers and

some forward-thinking companies

discovered that a resource

existed for easily communicating

among different, private

networks — a task bordering

on the impossible before the

Internet — they all jumped

on board. As the Net grew, the

inherent value of the common

protocol grew as well, until

suggestions to change it caused

people's bowels to loosen. Why

bother? Things are working fine!



Then the Web hit. Today,

billion-dollar companies, not to

mention trillion-dollar

economies, depend on IP for

their future growth, if not

their continued existence. Poor

IP just isn't up to the job. You

can fatten the pipes to shuffle

more data around, you can slap

cryptography around each packet

to make sure that your credit

card number arrives safely at

hotlesbiansexxx.com, but you

can't stop low-level hacks like

smurfing, SYN floods and other

denial-of-service attacks. IP is

broken, bucko, and there's

nothing you can do about it.


There are plenty of proposed

solutions to the basic failures

of the protocol, but all of them

have gone almost exactly

nowhere. A while ago, amid fears

that the Internet's "address

space" was running out, there

was a big push for an

improvement called IPv6. IPv6

solves many of the problems of

the current version, including

preventing untraceable network

attacks like last week's. But as

concern about address space

faded, so did the enthusiasm for

the switch-over. The earliest

date for an IPv6 Internet is a

decade in the future. The vast

majority of applications and

operating systems don't even

pretend to support it. As the

foundation of the Internet has

rotted away, the people capable

of pushing for improvements have

been too busy being fat and

happy. Why bother? Things are

working fine!


Of course, the improvements in

IPv6 are not without detractors.

The protocol, for instance,

allows each and every packet to

be traced back to its source.

This feature raises a host of

privacy issues, but all of them

are fairly easy to solve, and

most of the solutions are

already implemented, in the form

of anonymous remailers and

anonymizers. Keeping the

current, out-dated version of IP

on privacy grounds, because it

can be easily hacked to hide

your identity, is short-sighted

and stupid.



Internet apologists make loud

noises about how nobody was

really hurt by last week's

attacks, how no data was lost,

how this is all a big to-do

about nothing, foisted on us by

the clueless media herd. They

cite the "client side" as the

real problem, the millions of

badly administered computers

just waiting to be exploited by

crackers for their own ends.

They note that brick-and-mortar

stores are "down" for twelve

hours every night. But each of

these arguments misses some

fundamental points.


1) This is the brave new world

that we're talking about here.

Glibly comparing the Web's

limitations to the long-derided

weaknesses of "meatspace" may be

convenient, but it is a huge

rhetorical step backwards.


2) Securing the client side —

an enormous proposition,

even before the widespread

roll-out of DSL and cable modems —

addresses the symptoms,

not the cause. Excusing the

inadequacies of IP by shifting

the blame upward, to the

operating system or the system

administrator (especially if

that "system administrator" is

just a Windows user), does

nothing to solve the actual



3) Who says the next attack will

be on such meaningless targets?

Amazon may not be vital to your

life, but these problems affect

the very DNA of the network, the

foundation of the entire

Internet. Giggle into your

sleeve at all the hapless

suckers banging on the doors of

E*Trade if you want, but

everybody is walking around in a

bull's-eye t-shirt.


The Internet is a technological

marvel, regrettably built on a

rapidly expanding swamp. All the

laws and caveats and

justifications in the world

can't change that fact. Moving

to a more robust, more secure

protocol will be expensive,

inconvenient and time-consuming.

But until the major

beneficiaries of the Net —

the government, the dot-coms,

Microsoft, the Linux crowd,

everybody — manage to get

off the collective crapper and

do it, they've only got

themselves to blame for what's

happened and what's to come.

courtesy of Greg Knauss
picturesTerry Colon