INTERVIEW WITH RICHARD FORD, DIRECTOR OF RESEARCH,
THE NATIONAL COMPUTER SECURITY ASSOCIATION
Q - Please briefly describe the NCSA and the type of work you do.
My formal title is Director of Research, ... and I'm responsible for doing research to see how secure all systems are. NCSA is really an association of computer professionals and the idea is that we can provide security solutions that work in the real world. There's so much discussion at a high level about, "Is something cryptographically secure, can we go into such and such a port and such and such a package and open a system up..." where the security mistakes which I see in the real world are much, much simpler. We're not talking about real high tech penetration a lot of the time, we're talking about very simple security errors, like ruse accounts with guessable passwords, accounts with no passwords on systems, password files which the whole world can read and simply download. So, when I think about security, when I think about the kind of role that I have with the NCSA, it's to tell people about the really simple things we're doing wrong, and the really simple things that we can do better. And when we're doing the simple things better, maybe we can start doing the more complicated things better.
Q - Describe the differences between a system like CompuServe and the Internet.
CompuServe is one ... sub-network, while the Internet is a giant network that spreads across the whole world. It consists of lots of little subnetworks that all link together, and CompuServe is one of those subnetworks. So, the real difference between CompuServe and the Internet is very simple. It's the difference that you might find if you walked out of your building and went to see the rest of the world. CompuServe is like one little building in the world and the Internet makes up the rest of the surroundings. And when you walk out of the door of CompuServe, you're out there on the streets and there's all sorts of interesting and wonderful things out there. But there's also no security, no quality control, whereas inside the building, we have a controlled environment. We have security guards who are making certain over who gets in and who gets out. We have quality control to make certain everything is working. Whereas on the Internet we're out in the whole world and anything can happen. There's lots of fun things out there, but it's much less regulated, it's much more open.
Q - How secure is the Internet currently?
How secure is the Internet currently...real simple answer to this. It is not secure and it was never designed to be, it's really that simple.
Q - What advice would you offer to the general at-home Internet user about security?
The way you approach the Internet very much depends on how you access it. If you access the Internet through CompuServe, through Telnet and FTP sessions which you're allowed to create, or if you access the Internet through PPP and use a Web browser, then you probably don't need to worry that much about security because nobody can, or certainly if the software has been written correctly, nobody should be able to come back in and break into your personal machine because you're simply putting packets out there, there's no hooks that should allow anyone to come back in. So, in terms of break-ins to your personal machine you should be OK. But, what I should say is that the Internet is like a crowded room full of people talking, shouting at the top of their voice and anything I do on the Internet is like having a conversation with one of those people. As I have that conversation, anybody in that room could overhear me. But they're probably not going to do that because they're all talking to each other and they have their own lives to lead. But, if someone wanted to listen to me they could. That's what it's like when you send a password out over the Internet. If somebody wanted to sit there and eavesdrop they probably could. So the rules that I would give to the general use of the Internet is, if you wouldn't say it in a crowded room, if you wouldn't say it where you could be overheard, if you wouldn't do it where you could be seen, then you probably shouldn't do it on the Internet. If you can't afford to lose it, if you want to keep it private, don't put it out on the Internet. Certainly not with plain text, start thinking about using some sort of cryptography or some way of securing your data because the Internet is like a vast crowded room and anybody who wants to sit there and listen to you can.
Q - How would that advice differ for business use of the Internet, i.e., email communication and file transfer?
For a business user, the advice isn't really different. You're still in your crowded room, except that with a business it's even more critical, because very often for a business information is money, information means the difference between getting the deal and losing the deal. You would not sit in a crowded room and tell the innermost secrets of your company to one of your colleagues. You simply wouldn't do it. There's no difference between doing that and sending an email unencrypted to one of your colleagues that goes across the entire Internet to another remote site. There's no difference. So, it's important to remember that if you want something to be confidential you probably shouldn't send it out over the Internet. Again, it depends on what you have to lose. The chances of that information getting picked up by someone else and used are relatively small, unless there's somebody out there to get you. Just because you're paranoid doesn't mean you don't have enemies. I think it's important that we make it clear that if you step out of the building which is CompuServe, you're not just going to get hit upon by a whole pile of muggers, it's not like that. But, what you've got to look at is are you prepared to lose it or not, are you prepared for this information to be publicly available or not. Because, remember, anything you say on the Internet, even if it's just Internet mail to another site, is publicly visible to the world.
Q - Is there an advantage to the home user to have encryption software?
There is a tremendous advantage if you want to have the ability to authenticate messages, or if you want to send private or confidential information over the Internet. It's very easy software to use, it's widely available, and it gives you some level of confidence, a very high level of confidence if you use it correctly that a mail message came from who you think it did and that your mail is not being read by somebody else, because it's encrypted. Mail, data, all that stuff that passes over the Internet is generally not encrypted. If I typed my password, it will fly out there to the remote system unencrypted and anybody sitting in between with the right software can see it. It's not difficult to compile and use that type of software.
Q - Should I be concerned about sending my credit card number over the Internet?
Yes, be afraid, be very afraid. Let me qualify that... I think what it comes down to is would you shout your credit card number out in a roomful of people. Would you hold up a placard and turn round a couple of times showing everyone your credit card number? No, you wouldn't. Why wouldn't you? Because you don't want other people to have that information about you, you don't want other people you can't trust to have that information about you. Have I sent my credit card number over the Internet? Yes, I have, I've sent far more critical information than that to people over the Internet, but the difference is that I've used encryption software so I've had some level of guarantee that a causal eavesdropper, if they're listening, won't see the right number.
Q - What about email security? Is it necessary?
Email is like sending a postcard. So, anybody who has that type of postcard in their hand can read its contents if they like. Now, you'd send a chatty, Hi, I'm having a great time on holiday..., type message on a postcard, but you probably wouldn't send your private medical records printed on the back of a postcard -- the same with Internet email. But, not only is it like a postcard, it's a postcard that somebody typed so you can't recognize the writing, so you can't say, oh yeah, that's my friend Bill. I recognize that signature, I recognize that writing. It's not difficult to forge electronic mail from someone else, it's very simple. So what that means is, not only do we have our postcard which anyone can read as they go past, but we also have a system where I can send you a postcard and I can sign it with somebody else's name. Unless you're paying a lot of attention you're not going to realize that somebody's done that to you.
Q - What are some of the things that may ultimately be secured or sent in a secure fashion?
There are all sorts of things that people want to send over the Internet. We may have the ability to buy and sell things in our name over the Internet, to send cash over the Internet, all that type of stuff.. But the Internet is not secure and never will be. It's not about 100 percent security or 100 percent connectivity. What it is and what it always will be is a trade-off, so that you have an expectable level of security. The amount of security that you aim to have on any system is never 100 percent, it's enough. What is enough security for things we might be doing in the future? I don't think any of us really know where the Internet is going, I don't think anybody can really predict. Everything is growing very quickly. We may see all sorts of wonderful innovations -- we may see movies over the Internet ... and we can already go shopping. So, what type of things may ultimately be sent over the Internet in a secure fashion? I think anything, anything you can imagine, but the thing to recognize is that it's never going to be 100 percent secure, it's just going to be secure enough.
