The Lazy Person's Farewell to Arms
By Major Dale Long, USAF - July-September 2001
CHIPS magazine is proud to be the publisher of Major Long's articles. Major Long's "Lazy Person's" series, with its unique blend of humor and good sense, has been a popular feature with our readers since its inception. CHIPS congratulates Major Long on his recognition by the Department of the Navy for knowledge sharing through his CHIPS articles. His articles convey a forward-thinking approach to transforming military business processes. Major Long received the DON eGov Award for Outstanding Knowledge Sharing Across the Services. This one-of-a-kind award was given by the Department of the Navy Chief Information Officer (DON CIO) at Connecting Technology Spring 2001.

On June 19, 2001 Major Long retired from the United States Air Force after serving his country for 20 years.

This article will be the last one I write as an active duty member of the United States military. By the time you read this, my retirement ceremony will be over, my military quarters cleaned out and inspected, and my uniforms cleaned and stored in case I need them to enlist or commission my children some day. And despite my decision to retire, I will miss military life.

This is also my 32nd article for CHIPS magazine and the eighth anniversary of my first foray into writing about how computers, information, and people act, interact, and react to each other. I owe a great deal to Diane Hamblen, CHIPS editor in 1993. She accepted a piece of light "fluff" from an unknown author on emoticons, the little sideways smiley faces we used in e-mail to try to make up for the 93% of human communication not conveyed by plain text. For anyone who tells you that you can't develop any kind of personal relationship via e-mail, I submit in rebuttal that I still consider Diane one of the best friends I've never met.

I've also been asked on more than one occasion why an Air Force communicator writes for a Navy IT magazine. For one thing, when I started writing, CHIPS was the only IT publication of its type in the Department of Defense. I started reading it in 1989 while I was an aircraft maintenance squadron section commander. I had two computers at home, but had never done much but play games, write papers, and build a database or two to help administer regional Special Olympics. CHIPS sparked my interest in "going pro" with computers as a military career.

In addition, I consider myself not just a member of the Air Force, but of the military as a whole and the community of communicators in general. Our need to exchange and manage information cuts across all our various Services, agencies, and functional areas. It's not the Service we belong to that matters, but the service we jointly provide.

I can't say that this will be the last article that I write for CHIPS, but I believe it will be very different writing from outside the military communications community instead of within it. Therefore, I will treat this as the final episode of a long-running (and hopefully successful) series, but leave the option open for a spin-off or sequel.

And, as with all good final episodes, there must be at least one good revelation. So, in answer to the question I've been asked most often by CHIPS readers over the years, I will reveal the true identities of Zippy and Zippette.

But first, since this is my last hurrah as a military officer, let's discuss how the unique nature of cyberspace affects the principles of war.

Warfare in the Virtual World

Computer networks are perceived as difficult to defend. However, in almost every other sort of warfare, attacking forces are at a disadvantage. I submit that there are some significant differences between defending a foxhole, fort, beach or city and defending a network.

A defender's advantage on a conventional battlefield generally comes from two broad strengths: maneuver and terrain.

Maneuver is often a defender's most critical advantage. Since defenders maintain "the position of the interior," they can usually shift, re-supply, and reinforce forces faster than attackers, who are normally spread over a larger area with longer logistical chains and lines of communication. Modern technology has changed this equation, but not conclusively.

A defender's knowledge of terrain also provides some strong advantages. He knows where the good hiding places are, where the mountain passes are, and where the bogs, sinkholes and quicksand are located. He can modify the terrain by building structures, digging trenches and positioning guns. Defenders can choose the terrain on which to stand and defend: behind a wall, on top of a hill, on the far side of a bridge, or in dense foliage.

Attackers are "stuck" with whatever terrain they are forced to traverse. This provides the defenders with an enormous advantage, particularly if they've had time to booby-trap the approaches prior to battle.

However, attackers do have two things going for them. First, defenders must be prepared to defend against every possible type of attack. Attackers, on the other hand, may choose whatever attack they want and can concentrate all their forces on that one attack. So, for example, let's say the defender is expecting a massive amphibious landing on his east coast and establishes his defenses accordingly. If the attacker does an end-around with ground forces to the west, the defender is, quite frankly, doomed.

Second, the attacker decides when the attack will occur. The attacking troops can be rested and ready to go when the operation starts because they know the schedule and the defenders don't. This gives the attacker an advantage, though most people would still probably rather be slightly sleepy and firing from behind a reinforced wall than wide awake and running across an open field.

In cyberspace, however, the rules are somewhat different. The first change is that a defender's maneuver advantage pretty much disappears. Even though you're still defending a fixed emplacement, time and distance no longer hinder the attacker. In addition, an Internet attacker can easily multiply the number of forces available by replicating his attack programs at dozens or even hundreds of "slaved" servers, the vast majority of which are unwitting tools of the attacker. Last year's epidemic of "denial of service" attacks, for example, was based on this method.

Terrain is also a different prospect in cyberspace. Rather than hinder or block attackers, the terrain often helps facilitate the attack. As systems become increasingly complex, it becomes harder and harder for people to keep up with all the security patches required to protect themselves. Remember: a defender must be ready for anything; an attacker can use any available attack. Scanning a network's defenses for vulnerabilities may take only a few seconds, and it takes only one unpatched hole to cause problems.

In addition, the attacker is not really attacking the defenders, but the terrain itself. In conventional terms, network attacks ignore the defenders to poison the water and foul the air (viruses), steal resources (information and data theft), and clog or destroy infrastructure (denial of service attacks, Web defacements, and destructive code). Using terrain for protection is one thing; protecting the terrain itself is another.

Cyber-Defense Theory

OK, so how do we restore the balance in favor of the defender? I submit that we need to re-establish the defender's advantages in maneuver and terrain.

It's a military axiom that a determined attacker can eventually defeat any static defense. Consider these examples from World War II. The British Royal Air Force flew to engage the Luftwaffe, while General MacArthur bypassed stationary Japanese island defenders in the Pacific. Who mounted the more successful defense, the defenders who actively engaged or the ones who sat and waited?

In network defense, both detection and reaction are critical. For example, let's look at burglar alarms. The reason they work is that burglars don't know they're there. A thief might successfully bypass a door lock or sneak in through a window. But if he doesn't know that there are pressure plates under the rugs, motion sensors hidden in the bookcase, or an electric eye across a particular doorway, any burglar wandering through a well-alarmed building is guaranteed to trip something sooner or later.

In the terrain area, network administrators should know exactly how their network is built, what it is supposed to do, and how it is supposed to do it. Attackers, with the exception of a knowledgeable insider, will usually have to fumble around for and try a variety of exploits until they figure out where everything is and what's connected. This is a cyber-terrain advantage we can exploit, as we should be able to easily outmaneuver most attackers on our home territory, providing we're more familiar with it than our adversaries.
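One concrete way to hold the cyber-terrain advantage described above is to keep a written baseline of what every host is supposed to expose and check it against what the hosts actually expose. The following is an added example, not code from the article: the baseline and the per-host `netstat -an` excerpts are constructed for illustration, and the host names, ports and finding labels are assumptions of the example rather than anything the article names.

```python
"""Knowing your own terrain: check what each host is actually listening on
against the documented baseline of what it is supposed to run.

Added example, not code from the article. The baseline and the per-host
netstat output are constructed; in practice the observed side would come
from your own hosts (netstat, lsof, or a scan you run against your own
address space).
"""
import re

# Documented baseline: what each host is supposed to expose. (Constructed.)
BASELINE = {
    "web-1":  {"tcp/22", "tcp/80", "tcp/443"},
    "mail-1": {"tcp/22", "tcp/25", "tcp/110"},
    "db-1":   {"tcp/22", "tcp/1433"},
}

# Constructed "netstat -an" excerpts, one per host, as an administrator
# might collect them. print-7 is a host that nobody documented.
OBSERVED_NETSTAT = {
    "web-1": """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:443           10.0.0.5:1041           ESTABLISHED
""",
    "mail-1": """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
""",
    "db-1": """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
""",
    "print-7": """\
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
""",
}

# Matches only TCP sockets in LISTEN state; established connections are ignored.
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def parse_listeners(netstat_text):
    """Return the set of 'tcp/<port>' sockets in LISTEN state."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.add(f"tcp/{m.group(3)}")
    return listeners


def diff_terrain(baseline, observed):
    """Compare the documented baseline with observed listeners.

    Returns a list of (host, finding, detail) tuples, hosts in sorted order.
    """
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        if host not in baseline:
            findings.append((host, "undocumented_host", ",".join(sorted(observed[host]))))
            continue
        if host not in observed:
            findings.append((host, "host_not_observed", ""))
            continue
        actual = observed[host]
        for svc in sorted(actual - baseline[host]):
            findings.append((host, "unexpected_listener", svc))
        for svc in sorted(baseline[host] - actual):
            findings.append((host, "expected_listener_missing", svc))
    return findings


def audit(baseline=BASELINE, netstat_by_host=OBSERVED_NETSTAT):
    """Parse every host's netstat output and diff it against the baseline."""
    observed = {h: parse_listeners(t) for h, t in netstat_by_host.items()}
    return diff_terrain(baseline, observed)


if __name__ == "__main__":
    for host, finding, detail in audit():
        print(f"{host:8} {finding:26} {detail}")
```

On the constructed input the audit reports an unexpected listener and a missing service on mail-1 and an entirely undocumented host, print-7, while web-1 and db-1 match their baseline. The point is that the administrator answers "is this supposed to be here?" from a document written in advance, rather than reasoning it out under pressure after an alert.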

Bringing Cyber-War Home

Speaking of home territory, my wife and I recently got a first-hand look at a commercial instance of some modern-day cyber-warfare. Zippy had invited us to see his new satellite television setup one week before the Super Bowl. As usual, it was a marvel of modern technology without much practical application: 500 channels -- still nothing worth watching.

Zippy even confided that he'd gotten his access at a discount from a hacker friend of his who provided a custom-made set-top box. The smart card inside that decoded the signals apparently required frequent patching, but it was still cheaper than getting the service directly.

Now, I know Zippy's not the sharpest knife in the drawer, but pirating satellite television was a new low. However, technology usually backfires on Zippy. This time was no exception.

At 8:30 p.m., with absolutely no warning, Zippy's satellite signal went dead. After a little poking at the decoder box, Zippy tried calling his friend. I could only hear one side of the conversation until the very end, where I heard the voice on the other end yell, "Game over, man," followed by a loud click. We left Zippy sitting, disconsolate, staring at the static on his television screen, a casualty of a war he didn't even know was being waged. It wasn't until recently that I found out what really happened.

Commercial Cyber-War

DirecTV was one of the very first large distributors of smart card technology in their satellite receivers. Each DirecTV receiver has a smart card located inside that is keyed to the subscriber and actively participates in the decryption of the digital satellite video stream. Hughes Corporation, DirecTV's owner, decided to make their own smart cards. In the context of our earlier discussion, this would be the equivalent of building part of their own terrain. However, considering Hughes decided on this technology when it was virtually in its infancy, they made several design mistakes in the cards that allowed the hacking community to "attack" the system and steal signals.

War raged, unknown to most of the rest of the world, between the hackers and DirecTV for over two years. At first, it looked like the hacking community would win this war, completely opening the DirecTV signal. Hackers reverse-engineered the smart cards and created smart card writers that could read and write to the smart card, allowing them to change their subscription model to receive all the channels.

Since the technology of satellite television is broadcast only, meaning you cannot send information to the satellite, the system requires a telephone line to communicate with DirecTV. The hackers re-wrote their smart cards so they could receive all the channels and then unplugged their telephone lines, leaving no way for DirecTV to track the abuse. The hackers had DirecTV on the defensive.

DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to apply these updates to its card as soon as it received them. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an unlooper, which repaired the damage. The hacker community then designed software that trojanized the card and removed the receiver's capability to update the card. All DirecTV could still do was send updates to the cards and require those updates to be present in order to receive video.

Each month or so, DirecTV would send an update. Ten minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. H cards regularly sold on eBay for over $400. DirecTV had apparently lost the battle and had been relegated to merely hunting down Web sites that discussed their product, and using their legal team to sue and intimidate them into submission.

However, starting in the fall of 2000, DirecTV changed their defensive strategy. They began sending several updates at a time, breaking their usual monthly update pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. DirecTV was now sending four or five weekly updates at a time. Quite a few people thought Hughes was simply trying to annoy the hacker community into submission, as the updates contained apparently useless pieces of computer code that were then required to be present on the card to receive transmissions.

The hacking community adapted to this and compensated for these updates in their hacking software. However, they had lost sight of the terrain that DirecTV was building. When the final batch of updates arrived, the true defensive plan hit home.

The final updates made all those apparently useless bits of computer code join into a single, dynamic program that existed on the smart card itself. This program completely changed how the card worked, updating the old technology and effectively changing the lay of the land. The hacking community responded cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon but not yet really understanding the full impact of the change since they could still bypass protections and receive programming.

Then, DirecTV pulled the trigger and launched a series of attacks against the hackers, sending programmatic code through the satellite stream. The new dynamic code installed on the cards hunted down hacked smart cards and erased their embedded code. Internet Relay Chat DirecTV channels overflowed with thousands of people who had lost the ability to watch stolen television signals. Not only did the hackers lose their ability to watch television; some estimates indicate that the assault permanently destroyed 100,000 smart cards, wiping out about 98 percent of the hacked cards.

To add a personal touch to the operation, DirecTV actually signed the anti-hacker attack by rewriting the first eight computer bytes of all the formerly hacked cards to read, "GAME OVER." The hackers had been hacked.

Did this end the conflict between them? No. The hackers are back at it, trying to find ways to fix their smart cards. But this round definitely went to the defenders.

There are some lessons we can learn from this as we develop our own defenses for everything from desktop personal computers (PCs) to networks to secure communications.

First, no technology is impervious. Strong encryption will eventually be cracked, hardware safeties can be bypassed, and other security measures compromised through a variety of means, including human fallibility. Accept it and move on.

Second, never be satisfied with your current level of security or your adversaries certainly will be. However, using "plug-and-play" security is just asking for someone to poke at you until they find a weakness, particularly since the security holes in most commercial off-the-shelf products are well documented and a good hacker knows them all. DirecTV succeeded when they applied some good old-fashioned human inventiveness and outwitted the hackers at their own game.

Finally, don't sit still and just let people pound on you. While we can't always take direct action against people pinging our networks, we can work to identify and tag our attackers so law enforcement or other appropriate agencies can go root them out.

Unfortunately, in some places computer security isn't apparently a high priority. People simply establish access controls, install a firewall, and they're done. They'll patch their systems if someone tells them the patch is available or there's a break-in. Other than that, they concentrate on other aspects of managing their networks that either help make money or react to user-inflicted (or self-inflicted) pain and leave security to the automated monitoring tools.

Real cyber-security depends on two things. It starts with effective sensors: firewalls, well-audited servers and routers, intrusion-detection products, and network burglar alarms. If you don't know you've been compromised, you can't do anything about it.

However, the most important component is trained security experts who can quickly separate the false alarms from the real attacks and who know how to respond. Human intelligence is critical for strong defense, regardless of the battlefield. Automatic tools, no matter how effective, can't do the job alone.
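The burglar-alarm idea from the Cyber-Defense Theory section and the sensors-plus-analyst point made here can be shown together in a small script. The following is an added example, not code from the article: it runs two sensors over a constructed web-server access log, a hidden tripwire (a decoy URL that is linked from nowhere, so any request for it is suspicious by construction) and a scan detector (one client requesting many distinct paths in a short window), and hands the resulting alerts to a human in severity order rather than acting on them itself. The log lines, client addresses, decoy path and thresholds are all assumptions of the example.

```python
"""Network "burglar alarm" over web-server access-log lines.

Added example, not code from the article. Two sensors: a hidden tripwire
(decoy URL) and a scan detector (many distinct paths from one client in a
short window). Each alert carries a reason and a severity so that the
analyst, not the tool, makes the final call. Log lines, decoy path and
thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2001:08:00:01 +0000] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [12/Jun/2001:08:00:03 +0000] "GET /images/logo.gif HTTP/1.0" 200 512
192.0.2.77 - - [12/Jun/2001:08:01:00 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 210
192.0.2.77 - - [12/Jun/2001:08:01:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
192.0.2.77 - - [12/Jun/2001:08:01:01 +0000] "GET /_vti_bin/ HTTP/1.0" 404 210
192.0.2.77 - - [12/Jun/2001:08:01:02 +0000] "GET /admin/ HTTP/1.0" 404 210
192.0.2.77 - - [12/Jun/2001:08:01:02 +0000] "GET /scripts/ HTTP/1.0" 404 210
192.0.2.77 - - [12/Jun/2001:08:01:03 +0000] "GET /private/do-not-link.zip HTTP/1.0" 200 0
10.0.0.9 - - [12/Jun/2001:08:05:00 +0000] "GET /old-page.html HTTP/1.0" 404 210
"""

# The "pressure plate under the rug": a path that exists only to be tripped.
DECOY_PATHS = {"/private/do-not-link.zip"}
# Scan heuristic: this many distinct paths from one client inside the window.
SCAN_DISTINCT_PATHS = 5
SCAN_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines we can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect(log_text):
    """Run both sensors over the log and return a list of alert dicts."""
    alerts = []
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_client[rec["ip"]].append(rec)
        if rec["path"] in DECOY_PATHS:
            alerts.append({"ip": rec["ip"], "kind": "tripwire", "severity": "high",
                           "reason": f"request for decoy path {rec['path']}"})
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it spans at most SCAN_WINDOW.
            while recs[end]["ts"] - recs[start]["ts"] > SCAN_WINDOW:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            if len(distinct) >= SCAN_DISTINCT_PATHS:
                misses = sum(1 for r in window if r["status"] == 404)
                alerts.append({"ip": ip, "kind": "scan", "severity": "medium",
                               "reason": f"{len(distinct)} distinct paths in "
                                         f"{SCAN_WINDOW.seconds}s, {misses} not found"})
                break  # one scan alert per client is enough for triage
    return alerts


def triage(alerts):
    """Order alerts for a human: high severity first, then by client address."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["ip"]))


if __name__ == "__main__":
    for a in triage(detect(SAMPLE_LOG)):
        print(f"[{a['severity']:6}] {a['ip']:12} {a['kind']:8} {a['reason']}")
```

On the constructed log the single stale link followed by 10.0.0.9 produces nothing, because one 404 is ordinary; the client that probes six paths in three seconds and then touches the decoy produces two alerts with the tripwire ranked first. The thresholds are deliberately exposed as constants because tuning them, and deciding what a given alert means, is the analyst's job that the article says no automated tool can do alone.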

Finale

All right, since you made it this far...

There is a grain of truth, sometimes more, in every Zippy story. Real people have spammed the world with certified e-mail, spent time printing and then imaging e-mail, built Web pages that no one can read, and bought computer systems they don't know how to use. I won't give out names, of course, but you know who you are.

Sometimes, I'm Zippy, too. I like to think that there's a little bit of Zippy in all of us. Without a bit of Zippy, we'd never make any real progress. You have to try implementing some crazy ideas every once in a while to keep the world moving. Without them, we wouldn't have airplanes, rockets to the moon, the telephone, or $10 calculators that can outperform computers that filled entire rooms 50 years ago. The world would be a much less interesting place without those little extra zips.

On the other hand, the character of Zippette is based primarily on a friend of mine who, in the early days of the World-Wide Web, could do more with HTML in 15 minutes than I could in three days. She knows who she is, too.

I have one last admonition on my way out: specialization is for insects. It's great to be good at something, but not to the exclusion of everything else. Human beings are capable of learning virtually anything, limited only by our interest and available time.

If you're a technology person, learn something about organizational theory. If you're a manager, study technology. Get out of whatever rut you're in and really study something entirely new and radically different at least every three months. Trust me, it will make you that much better at what you're already good at.

That which is known can be learned. What we learn can be applied, and in that application generate new knowledge. This is how we make progress.

And with that, I wish you all fair winds, following seas, and happy networking!

The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988