ch01.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 591 行 · 第 1/3 页

<P>The answer to the question regarding the importance of education and Internet
security depends on your station in life. If you are a merchant or business person,
the answer is straightforward: In order to conduct commerce on the Net, you must
be assured of some reasonable level of data security. This reason is also shared
by consumers. If crackers are capable of capturing Net traffic containing sensitive
financial data, why buy over the Internet? And of course, between the consumer and
the merchant stands yet another class of individual concerned with data security:
the software vendor who supplies the tools to facilitate that commerce. These parties
(and their reasons for security) are obvious. However, there are some not so obvious
reasons.</P>
<P>Privacy is one such concern. The Internet represents the first real evidence that
an Orwellian society can be established. Every user should be aware that nonencrypted
communication across the Internet is totally insecure. Likewise, each user should
be aware that government agencies--not crackers--pose the greatest threat. Although
the Internet is a wonderful resource for research or recreation, it is not your friend
(at least, not if you have anything to hide).</P>
<P>There are other more concrete reasons to promote security education. I will focus
on these for a moment. The Internet is becoming more popular. Each day, development
firms introduce new and innovative ways to use the Network. It is likely that within
five years, the Internet will become an important and functional part of our lives.
<H3><FONT COLOR="#000077"><B>The Corporate Sector</B></FONT></H3>
<P>For the moment, set aside dramatic scenarios such as corporate espionage. These
subjects are exciting for purposes of discussion, but their actual incidence is rare.
Instead, I'd like to concentrate on a very real problem: cost.</P>
<P>The average corporate database is designed using proprietary software. Licensing
fees for these big database packages can amount to tens of thousands of dollars.
Fixed costs of these databases include programming, maintenance, and upgrade fees.
In short, development and sustained use of a large, corporate database is costly
and labor intensive.</P>
<P>When a firm maintains such a database onsite but without connecting it to the
Internet, security is a limited concern. To be fair, an administrator must grasp
the basics of network security to prevent aspiring hackers in this or that department
from gaining unauthorized access to data. Nevertheless, the number of potential perpetrators
is limited and access is usually restricted to a few, well-known protocols.</P>
<P>Now, take that same database and connect it to the Net. Suddenly, the picture
is drastically different. First, the number of potential perpetrators is unknown
and unlimited. An attack could originate from anywhere, here or overseas. Furthermore,
access is no longer limited to one or two protocols.</P>
<P>The very simple operation of connecting that database to the Internet opens many
avenues of entry. For example, database access architecture might require the use
of one or more foreign languages to get the data from the database to the HTML page.
I have seen scenarios that were incredibly complex. In one scenario, I observed a
six-part process. From the moment the user clicked a Submit button, a series of operations
were undertaken:

<DL>
	<DD><B>1. </B>The variable search terms submitted by the user were extracted and
	parsed by a Perl script.<BR>
	<BR>
	<B>2. </B>The Perl script fed these variables to an intermediate program designed
	to interface with a proprietary database package.<BR>
	<BR>
	<B>3. </B>The proprietary database package returned the result, passing it back to
	a Perl script that formatted the data into HTML.
</DL>

<P>Anyone legitimately employed in Internet security can see that this scenario was
a disaster waiting to happen. Each stage of the operation boasted a potential security
hole. For exactly this reason, the development of database security techniques is
now a hot subject in many circles.</P>
<P>Administrative personnel are sometimes quick to deny (or restrict) funding for
security within their corporation. They see this cost as unnecessary, largely because
they do not understand the dire nature of the alternative. The reality is this: One
or more talented crackers could--in minutes or hours--destroy several years of data
entry.</P>
<P>Before business on the Internet can be reliably conducted, some acceptable level
of security must be reached. For companies, education is an economical way to achieve
at least minimal security. What they spend now may save many times that amount later.
<H3><FONT COLOR="#000077"><B>Government</B></FONT></H3>
<P>Folklore and common sense both suggest that government agencies know something
more, something special about computer security. Unfortunately, this simply isn't
true (with the notable exception of the National Security Agency). As you will learn,
government agencies routinely fail in their quest for security.</P>
<P>In the following chapters, I will examine various reports (including one very
recent one) that demonstrate the poor security now maintained by U.S. government
servers. The sensitivity of data accessed by hackers is amazing.</P>
<P>These arms of government (and their attending institutions) hold some of the most
personal data on Americans. More importantly, these folks hold sensitive data related
to national security. At the minimum, this information needs to be protected.
<H3><FONT COLOR="#000077"><B>Operating Systems</B></FONT></H3>
<P>There is substantial rivalry on the Internet between users of different operating
systems. Let me make one thing clear: It does not matter which operating system you
use. Unless it is a secure operating system (that is, one where the main purpose
of its design is network security), there will always be security holes, apparent
or otherwise. True, studies have shown that to date, fewer holes have been found
in Mac and PC-based operating systems (as opposed to UNIX, for example), at least
in the context to the Internet. However, such studies are probably premature and
unreliable.
<H4><FONT COLOR="#000077"><B>Open Systems</B></FONT></H4>
<P>UNIX is an open system. As such, its source is available to the public for examination.
In fact, many common UNIX programs come only in source form. Others include binary
distributions, but still include the source. (An illustrative example would be the
Gopher package from the University of Minnesota.) Because of this, much is known
about the UNIX operating system and its security flaws. Hackers can inexpensively
establish Linux boxes in their homes and hack until their faces turn blue.
<H4><FONT COLOR="#000077"><B>Closed and Proprietary Systems</B></FONT></H4>
<P>Conversely, the source of proprietary and closed operating systems is unavailable.
The manufacturers of such software furiously protect their source, claiming it to
be a trade secret. As these proprietary operating systems gravitate to the Net, their
security flaws will become more readily apparent. To be frank, this process depends
largely on the cracking community. As crackers put these operating systems (and their
newly implemented TCP/IP) to the test, interesting results will undoubtedly emerge.
But, to my point.</P>
<P>We no longer live in a world governed exclusively by a single operating system.
As the Internet grows in scope and size, all operating systems known to humankind
will become integral parts of the network. Therefore, operating-system rivalry must
be replaced by a more sensible approach. Network security now depends on having good,
general security knowledge. (Or, from another angle, successful hacking and cracking
depends on knowing all platforms, not just one.) So, I ask my readers to temporarily
put aside their bias. In terms of the Internet at least, the security of each one
of us depends on us all and that is no trivial statement.
<H2><FONT COLOR="#000077"><B>How Will This Book Affect the Internet Community?</B></FONT></H2>
<P>This section begins with a short bedtime story. It is called <I>The Loneliness
of the Long-Distance Net Surfer</I>.</P>
<P>The Information Superhighway is a dangerous place. Oh, the main highway isn't
so bad. Prodigy, America Online, Microsoft Network...these are fairly clean thoroughfares.
They are beautifully paved, with colorful signs and helpful hints on where to go
and what to do. But pick a wrong exit, and you travel down a different highway: one
littered with burned-out vehicles, overturned dumpsters, and graffiti on the walls.
You see smoke rising from fires set on each side of the road. If you listen, you
can hear echoes of a distant subway mixed with strange, exotic music.</P>
<P>You pull to a stop and roll down the window. An insane man stumbles from an alley,
his tattered clothes blowing in the wind. He careens toward your vehicle, his weathered
shoes scraping against broken glass and concrete. He is mumbling as he approaches
your window. He leans in and you can smell his acrid breath. He smiles--missing two
front teeth--and says &quot;Hey, buddy...got a light?&quot; You reach for the lighter,
he reaches for a knife. As he slits your throat, his accomplices emerge from the
shadows. They descend on your car as you fade into unconsciousness. Another Net Surfer
bites the dust. Others decry your fate. <I>He should have stayed on the main road!
Didn't the people at the pub tell him so? Unlucky fellow</I>.</P>
<P>This snippet is an exaggeration; a parody of horror stories often posted to the
Net. Most commonly, they are posted by commercial entities seeking to capitalize
on your fears and limited understanding of the Internet. These stories are invariably
followed by endorsements for this or that product. Protect your business! Shield
yourself now! This is an example of a phenomenon I refer to as Internet voodoo. To
practitioners of this secret art, the average user appears as a rather gullible chap.
A sucker.</P>
<P>If this book accomplishes nothing else, I hope it plays a small part in eradicating
Internet voodoo. It provides enough education to shield the user (or new system administrator)
from unscrupulous forces on the Net. Such forces give the Internet-security field
a bad name.</P>
<P>I am uncertain as to what other effects this book might have on the Internet community.
I suspect that these effects will be subtle or even imperceptible. Some of these
effects might admittedly be negative and for this, I apologize. I am aware that Chapter
9, &quot;Scanners,&quot; where I make most of the known scanners accessible to and
easily understood by anyone, will probably result in a slew of network attacks (probably
initiated by youngsters just beginning their education in hacking or cracking). Nevertheless,
I am hoping that new network administrators will also employ these tools against
their own networks. In essence, I have tried to provide a gateway through which any
user can become security literate. I believe that the value of the widespread dissemination
of security material will result in an increased number of hackers (and perhaps,
crackers).
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>I hope this chapter clearly articulates the reasons I wrote this book:

<UL>
	<LI>To provide inexperienced users with a comprehensive source about security<BR>
	<BR>
	
	<LI>To provide system administrators with a reference book<BR>
	<BR>
	
	<LI>To generally heighten public awareness of the need for adequate security
</UL>

<P>There is also another, one that is less general: I wanted to narrow the gap between
the radical and conservative information now available about Internet security. It
is significant that many valuable contributions to Internet security have come from
the fringe (a sector seldom recognized for its work). To provide the Internet community
with a book of value, these fringe elements had to be included.</P>
<P>The trouble is, if you examine security documents from the fringe, they are very
grass roots and revolutionary. This style--which is uniquely American if nothing
else--is often a bit much for square security folks. Likewise, serious security documents
can be stuffy, academic, and, to be frank, boring. I wanted to deliver a book of
equal value to readers aiming for either camp. I think that I have.</P>
<CENTER>
<P>
<HR>
<A HREF="../fm/fm.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch02/ch02.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A><BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>