ch05.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 978 行 · 第 1/4 页

design is so complex, the people who address its security charge substantial prices
for their services. Thus, the complexity of the Internet also influences more concrete
considerations.</P>
<P>There are other aspects of Internet design and composition that authors often
cite as sources of insecurity. For example, the Net allows a certain amount of anonymity;
this issue has good and bad aspects. The good aspects are that individuals who need
to communicate anonymously can do so if need be.
<H4><FONT COLOR="#000077"><B>Anonymity on the Net</B></FONT></H4>
<P>There are plenty of legitimate reasons for anonymous communication. One is that
people living in totalitarian states can smuggle out news about human rights violations.
(At least, this reason is regularly tossed around by media people. It is en vogue
to say such things, even though the percentage of people using the Internet for this
noble activity is incredibly small.) Nevertheless, there is no need to provide excuses
for why anonymity should exist on the Internet. We do not need to justify it. After
all, there is no reason why Americans should be forbidden from doing something on
a public network that they can lawfully do at any other place. If human beings want
to communicate anonymously, that is their right.</P>
<P>Most people use remailers to communicate anonymously. These are servers configured
to accept and forward mail messages. During that process, the header and originating
address are stripped from the message, thereby concealing its author and his or her
location. In their place, the address of the anonymous remailer is inserted.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To learn more about anonymous
	remailers, check out the FAQ at <A HREF="http://www.well.com/user/abacard/remail.html"><TT>http://www.well.com/user/abacard/remail.html</TT></A>.
	This FAQ provides many useful links to other sites dealing with anonymous remailers.
	
<HR>


</BLOCKQUOTE>

<P>Anonymous remailers (hereafter <I>anon</I> <I>remailers</I>) have been the subject
of controversy in the past. Many people, particularly members of the establishment,
feel that anon remailers undermine the security of the Internet. Some portray the
situation as being darker than it really is:

<DL>
	<DD>By far the greatest threat to the commercial, economic and political viability
	of the Global Information Infrastructure will come from information terrorists...
	The introduction of Anonymous Re-mailers into the Internet has altered the capacity
	to balance attack and counter-attack, or crime and punishment.<FONT SIZE="2"><SUP>1</SUP></FONT>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT SIZE="2"><SUP>1</SUP></FONT>Paul A. Strassmann, U.S. Military Academy, West
	Point; Senior Advisor, SAIC and William Marlow, Senior Vice President, Science Applications
	International Corporation (SAIC). January 28-30, 1996. <I>Symposium on the Global
	Information Infrastructure: Information, Policy &amp; International Infrastructure</I>.
	
<HR>


</BLOCKQUOTE>


<DL>
	<DD>
</DL>

<P>I should explain that the preceding document was delivered by individuals associated
with the intelligence community. Intelligence community officials would naturally
be opposed to anonymity, for it represents one threat to effective, domestic intelligence-gathering
procedures. That is a given. Nevertheless, one occasionally sees even journalists
making similar statements, such as this one by Walter S. Mossberg:

<DL>
	<DD>In many parts of the digital domain, you don't have to use your real name. It's
	often impossible to figure out the identity of a person making political claims...When
	these forums operate under the cloak of anonymity, it's no different from printing
	a newspaper in which the bylines are admittedly fake, and the letters to the editor
	are untraceable.
</DL>

<P>This is an interesting statement. For many years, the U.S. Supreme Court has been
unwilling to require that political statements be accompanied by the identity of
the author. This refusal is to ensure that free speech is not silenced. In early
American history, pamphlets were distributed in this manner. Naturally, if everyone
had to sign their name to such documents, potential protesters would be driven into
the shadows. This is inconsistent with the concepts on which the country was founded.</P>
<P>To date, there has been no convincing argument for why anon remailers should not
exist. Nevertheless, the subject remains engaging. One amusing exchange occurred
during a hearing in Pennsylvania on the constitutionality of the Communications Decency
Act, an act brought by forces in Congress that were vehemently opposed to pornographic
images being placed on the Internet. The hearing occurred on March 22, 1996, before
the Honorable Dolores K. Sloviter, Chief Judge, United States Court of Appeals for
the Third Circuit. The case was <I>American Civil Liberties Union, et al (plaintiffs)
v. Janet Reno</I>, the Attorney General of the United States. The discussion went
as follows:

<DL>
	<DD><B>Q: Could you explain for the Court what Anonymous Remailers are?<BR>
	<BR>
	A: </B>Yes, Anonymous Remailers and their -- and a related service called Pseudonymity
	Servers are computer services that privatize your identity in cyberspace. They allow
	individuals to, for example, post content for example to a Usenet News group or to
	send an E-mail without knowing the individual's true identity.<BR>
	<BR>
	The difference between an anonymous remailer and a pseudonymity server is very important
	because an anonymous remailer provides what we might consider to be true anonymity
	to the individual because there would be no way to know on separate instances who
	the person was who was making the post or sending the e-mail.<BR>
	<BR>
	But with a pseudonymity server, an individual can have what we consider to be a persistent
	presence in cyberspace, so you can have a pseudonym attached to your postings or
	your e-mails, but your true identity is not revealed. And these mechanisms allow
	people to communicate in cyberspace without revealing their true identities.<BR>
	<BR>
	<B>Q: I just have one question, Professor Hoffman, on this topic. You have not done
	any study or survey to sample the quantity or the amount of anonymous remailing on
	the Internet, correct?<BR>
	<BR>
	A: </B>That's correct. I think by definition it's a very difficult problem to study
	because these are people who wish to remain anonymous and the people who provide
	these services wish to remain anonymous.
</DL>

<P>Indeed, the court was clearly faced with a catch-22. In any case, whatever one's
position might be on anonymous remailers, they appear to be a permanent feature of
the Internet. Programmers have developed remailer applications to run on almost any
operating system, allowing the little guy to start a remailer with his PC.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>If you have more interest
	in anon remailers, visit <A HREF="http://www.cs.berkeley.edu/~raph/remailer-list.html"><TT>http://www.cs.berkeley.edu/~raph/remailer-list.html</TT></A>.
	This site contains extensive information on these programs, as well as links to personal
	anon remailing packages and other software tools for use in implementing an anonymous
	remailer. 
<HR>


</BLOCKQUOTE>

<P>In the end, e-mail anonymity on the Internet has a negligible effect on real issues
of Internet security. The days when one could exploit a hole by sending a simple
e-mail message are long gone. Those making protracted arguments against anonymous
e-mail are either nosy or outraged that someone can implement a procedure that they
cannot. If e-mail anonymity is an issue at all, it is for those in national security.
I readily admit that spies could benefit from anonymous remailers. In most other
cases, however, the argument expends good energy that could be better spent elsewhere.
<H3><FONT COLOR="#000077"><B>Proprietarism</B></FONT></H3>
<P>Yes, another ism. Before I start ranting, I want to define this term as it applies
here. <I>Proprietarism</I> is a practice undertaken by commercial vendors in which
they attempt to inject into the Internet various forms of proprietary design. By
doing so, they hope to create profits in an environment that has been previously
free from commercial reign. It is the modern equivalent of Colonialism plus Capitalism
in the computer age on the Internet. It interferes with Internet security structure
and defeats the Internet's capability to serve all individuals equally and effectively.
<H4><FONT COLOR="#000077"><B>ActiveX</B></FONT></H4>
<P>A good example of proprietarism in action is Microsoft Corporation's ActiveX technology.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Those users unfamiliar
	with ActiveX technology should visit <A HREF="http://www.microsoft.com/activex/"><TT>http://www.microsoft.com/activex/</TT></A>.
	Users who already have some experience with ActiveX should go directly to the Microsoft
	page that addresses the security features: <A HREF="http://www.microsoft.com/security/"><TT>http://www.microsoft.com/security/</TT></A><TT>.</TT>
	
<HR>


</BLOCKQUOTE>

<P>To understand the impact of ActiveX, a brief look at HTML would be instructive.
HTML was an incredible breakthrough in Internet technology. Imagine the excitement
of the researchers when they first tested it! It was (and still is) a protocol by
which any user, on any machine, anywhere in the world could view a document and that
document, to any other user similarly (or not similarly) situated, would look pretty
much the same. What an extraordinary breakthrough. It would release us forever from
proprietary designs. Whether you used a Mac, an Alpha, an Amiga, a SPARC, an IBM
compatible, or a tire hub (TRS-80, maybe?), you were <I>in</I>. You could see all
the wonderful information available on the Net, just like the next guy. Not any more.</P>
<P>ActiveX technology is a new method of presenting Web pages. It is designed to
interface with Microsoft's Internet Explorer. If you don't have it, forget it. Most
WWW pages designed with it will be nonfunctional for you either in whole or in part.</P>
<P>That situation may change, because Microsoft is pushing for ActiveX extensions
to be included within the HTML standardization process. Nevertheless, such extensions
(including scripting languages or even compiled languages) do alter the state of
Internet security in a wide and encompassing way.</P>
<P>First, they introduce new and untried technologies that are proprietary in nature.
Because they are proprietary, the technologies cannot be closely examined by the
security community. Moreover, these are not cross platform and therefore create limitations
to the Net, as opposed to heterogeneous solutions. To examine the problem firsthand
you may want to visit a page established by Kathleen A. Jackson, Team Leader, Division
Security Office, Computing, Information, and Communications Division at the Los Alamos
National Laboratory. Jackson points to key problems in ActiveX. On her WWW page,
she writes:

<DL>
	<DD>...The second big problem with ActiveX is security. A program that downloads
	can do anything the programmer wants. It can reformat your hard drive or shut down
	your computer...
</DL>

<P>This issue is more extensively covered in a paper delivered by Simon Garfinkel
at <I>Hot Wired</I>. When Microsoft was alerted to the problem, the solution was
to recruit a company that created digital signatures for ActiveX controls. This digital
signature is supposed to be signed by the control's programmer or creator. The company
responsible for this digital signature scheme has every software publisher sign a
software publisher's pledge, which is an agreement not to sign any software that
contains malicious code. If a user surfs a page that contains an unsigned control,
Microsoft's Internet Explorer puts up a warning message box that asks whether you
want to accept the unsigned control.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find the paper delivered
	by Simon Garfinkel at <I>Hot Wired</I> at <A HREF="http://www.packet.com/packet/garfinkel/"><TT>http://www.packet.com/packet/garfinkel/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>You cannot imagine how absurd this seems to security professionals. What is to
prevent a software publisher from submitting malicious code, signed or unsigned,
on any given Web site? If it is signed, does that guarantee that the control is safe?
The Internet at large is therefore resigned to take the software author or publisher
at his or her word. This is impractical and unrealistic. And, although Microsoft
and the company responsible for the signing initiative will readily offer assurances,
what evidence is there that such signatures cannot be forged? More importantly, how
many small-time programmers will bother to sign their controls? And lastly, how many
users will refuse to accept an unsigned control? Most users confronted with the warning
box have no idea what it means. All it represents to them is an obstruction that
is preventing them from getting to a cool Web page.</P>
<P>There are now all manner of proprietary programs out there inhabiting the Internet.
Few have been truly tested for security. I understand that this will become more
prevalent and, to Microsoft's credit, ActiveX technology creates the most stunning
WWW pages available on the Net. These pages have increased functionality, including
drop-down boxes, menus, and other features that make surfing the Web a pleasure.
Nevertheless, serious security studies need to be made before these technologies