Unsafe texts



One evening last week someone from Surinam tried to break into my computer. I was sitting in south London surfing the internet, and a person on another continent thousands of miles away was attempting to hack into my PC, right in front of my nose.

All my anonymous friend in Surinam did was the computer equivalent of trying a door to see if it was open. He or she rattled the handle a couple of times, couldn't get in, and left. So while it was disconcerting - like hearing someone try your front door in the middle of the night - it's no reason to rush out and get security guards.

Cyber-crime now worries a lot of people. As Tony Blair's emails leak, the government's Regulation of Investigatory Powers bill is going through the Lords. Not only is this one of the most sustained attacks on civil liberties in recent history - allowing for powers of surveillance that Stalin would have been delighted with - the bill will also fail in its aim of tightening computer security. It would be powerless against my Surinam visitor, as Jack Straw's writ does not run to South America just yet. Flawed computer software and inadequate management are the biggest contributors to cyber-crime in this country - not the Russian Mafia or spotty teenage hackers.

Imagine if cars were sold with just a standard key, which started every car of that model. That, in effect, is how most commercial software is released. Had I left my computer exactly as it was when I took it out of its box, my potential hacker from Surinam would have been able to get in. By rushing out new products, with little regard for security or time to check for dangerous flaws, software makers actually allow hackers to flourish. The majority of successful attacks on computers over the internet can be traced to the exploitation of one of a small number of security flaws. Microsoft is one of the worst offenders: it has just announced an update for its new Windows 2000 operating system that patches up 35 "access violation errors", and 65,000 bugs in total.

A Welsh teenager, Raphael Gray, was arrested this year for breaking into commercial websites and publishing details of customers' credit cards. Gray said: "You could teach your grandmother how to do what I was doing." That suggests Gray isn't really a hacker, but a "script kiddie" - the pejorative name proper hackers use for those who simply download free programs from the internet, and use them to exploit the well-publicised weaknesses in commercial software.

Gray says he first warned companies their sites were insecure. When they didn't respond, he posted thousands of credit card details on the internet until someone took notice. The FBI sent an agent, in regulation trench-coat, to the small village where Gray lives to be present at the bust. But something must be going wrong if an 18-year-old, with just a home computer and basic skills, can operate out of a bedroom in Wales and find confidential information.

Any shop that allowed a teenager to walk in off the street and scoop up pages of customers' bank details and credit cards would be guilty of lax security. Why should websites be any different? They are the ones with the IT departments and professional systems administrators who should be able to lock out the script kiddies. But enough of them aren't able to, because the most common mistake made by companies is to assign untrained people to maintain security.

While it's annoying to have sites defaced by snot-nosed punks, it does at least mean that systems are being tested in a relatively benign manner. The good news is that the majority of hackers aren't interested in stealing credit cards, and most of them don't break the law. They are curious about how computers work, and are more interested in the challenges involved in hacking than anything else. That's a small price, a sort of survival-of-the-smartest computer Darwinism, for exposing the hidden entrances and rickety defences of modern software.

richard.adams@guardian.co.uk

Richard Adams: Blair's leaked memo

This article appeared in the Guardian on Tuesday July 18 2000. It was last updated at 00:46 on July 18 2000.
