
Stupid Net Tricks
Bill Cheswick
Bell Laboratories, Lucent Tech.
ches@bell-labs.com

Some Topics
• Characteristics of the Net
• Security
– Exponential tricks
– Denial-of-service attacks (no time for it today)
• Names on the net
• Silicon snake oil - can the net replace the library?
• Web search engine games

Some net attributes: The Net
• The Net probably started around 1991
– We were just messing around before then
• Accessible to the common man
– pick your port and go
• Fairly homogeneous
– same OS
– same hardware

Performance
• We are currently all in one performance pot
• Slow at 3PM
• Lots of extra capacity for Saturday breakfast
• Isochronous data works only if the load is very light
– net phone
– Mbone

More attributes: Security - It’s easy to be anonymous
• Finland remailer is gone
• Easy to launder IP connections
• Thousands of volunteer sites
• National laws vary
• It takes a lot of effort to chase someone down

Some lessons so far
• It is very hard to write software that is safe
• Simple is good, big is bad, but even the TCP discard service can be part of a successful attack
• The space of targets is fairly homogenous, and growing like crazy
• System administrators are clueless: they don’t have time or tools to get a clue

Past targets
• sendmail
• anything using gets(2) or sprintf(2)
• password guessing and sniffing
• use and abuse of trust (rlogin, rsh)
• social engineering

The Security Arms Race
• We knew about sniffing in the early ‘80s
– massive sniffing attacks in 1994 (1992?)
• We knew about sequence-guessing attacks in 1984
– common in 1994
• We knew about IP spoofing and address-based authentication in the 80s
– tools available in 1994

The “Latest”
• We’ve known about denial-of-service attacks since IP was invented
• Phrack and 2600 published SYN attack code this summer
– we left it out of our book: no clear solution
• Denial-of-service is the final net problem

Attacks on the infrastructure
• Swamp routers
• Divert packet flows
• BGP4 hijacking?
• DNS cache contamination
• Swamp the technical support staff?

Infrastructure Problems
Claffy’s Law
• How do you simulate the backbones?
• Can it become unstable?
– seen it at Netcom and others
– AT&T phone system had it on MLK
– Net 18
• Shiller’s law: there is a constant amount of Clue on the net
– Tracebacks require Clue.

Exponential tricks
Morris worm
• AT&T’s Intranet is larger than the net the worm attacked
• How would it spread?
– CERN server bug (gets)?
– Java?

Click here to infect your system.

Impact of future net attacks
• It would be much worse today
– “space” is larger and more homogenous
– the net is more important now
• Encryption is a munition
• Ping(1) is a munition!
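An added toy model (not code from the talk) for the “exponential tricks” and “space is larger and more homogenous” points: a self-spreading program that probes random addresses and takes over any vulnerable one it hits. The address-space size and the vulnerable fractions are made-up parameters; the point is how much faster the same scan rate saturates a more homogeneous space.

```python
"""Toy model for the 'exponential tricks' and 'space is larger and more
homogenous' points: a self-spreading program that scans random addresses and
takes over any vulnerable one it hits.  Added example, not code from the talk;
the address-space size and vulnerable fractions are made-up parameters."""
import random


def simulate_spread(space, vulnerable_fraction, scans_per_step=1, seed=0, max_steps=10_000):
    """Return the number of infected hosts after each step.

    'space' addresses exist; a fixed fraction of them are vulnerable (same OS,
    same hardware, same bug).  Each infected host probes scans_per_step random
    addresses per step.  The run stops once 90% of the vulnerable hosts are hit."""
    rng = random.Random(seed)
    n_vulnerable = int(space * vulnerable_fraction)
    vulnerable = set(rng.sample(range(space), n_vulnerable))
    infected = {min(vulnerable)}            # patient zero
    history = [len(infected)]
    for _ in range(max_steps):
        if len(infected) >= 0.9 * n_vulnerable:
            break
        newly_hit = set()
        for _ in range(len(infected) * scans_per_step):
            target = rng.randrange(space)
            if target in vulnerable and target not in infected:
                newly_hit.add(target)
        infected |= newly_hit
        history.append(len(infected))
    return history


def steps_to_saturate(space, vulnerable_fraction, **kw):
    """Steps until 90% of the vulnerable hosts are infected."""
    return len(simulate_spread(space, vulnerable_fraction, **kw)) - 1


def compare(space=10_000, fractions=(0.05, 0.2, 0.5)):
    """Same scan rate, same space: the more homogeneous the space, the sooner the jackpot."""
    return {p: steps_to_saturate(space, p) for p in fractions}


if __name__ == "__main__":
    for p, steps in compare().items():
        print(f"vulnerable fraction {p:.2f}: ~{steps} steps to reach 90%")
```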

The Traveling Program Problem
• Every feature can be a bug
– CPU time
– screen access
– file system access
– net access
– email access
• Security requires discipline
– market leaders have little discipline: other goals

Telescript
• Return receipt implemented?
• Program lifetime and “teleclicks”
– “Mail not delivered: out of teleclicks”
• Teleclick regeneration
• A virus uses fewer clicks than a real mailing list

Java
• Derived from a set-top box project
– Mid-course goal changes are a bad security sign
• I have no particular quarrel with the language
• Byte-code verifier is probably OK
– Too fancy for my tastes
– I solve the halting problem with ^C

Trust
• I put my trust in these things
– they are running as me
– they act on my behalf
– they have access to my files
• I prefer source code, please
• I vet and “decode” critical software, when I can

Where Do Programs Run?
[diagram: Program above Kernel]
This model is wrong

What it should be
[diagram: Kernel above Program]

Execution Environmental Choices
• Untrusted dirty machine, with firewall enforcing network restrictions
• Software containment
– operating system
– interpretive environment
• Theorem prover is complex

Fears
• Average web users can’t be expected to understand the security consequences of their actions.
• Applets make execution of alien programs routine
• There are a lot of aliens out there
• Jackpot - exponential growth into a space security

Big Fears
• “Native Methods” aren’t standardized
• All the security effort went into the language -- the environment is an afterthought
• A single security fault makes me suspect the approach
• We’ve had a number of very bad holes shown.

Java has let Eric Allman off the Hook
maybe

Stupid URLs
• http://www
• file:///etc/passwd
• file:///dev/mouse
• ftp://localhost
• http://localhost
• http://sadflkajsdlfjalsdkjflksdjflkasdjflksdjflksdjflksdjfladkjsdlkfajslkf

Stupid Domain Names
• com.com, comdotcom.com, comdotcomdotcom.com
• macdonalds.com
• bell-labs.com, belllabs.com
• att.org, mci.org
• bell-labs.com.au?
• localhost.com

Stupid Web Tricks
• Secret pages
– My photo album
– Lost friends page
• http://counter.digits.com
• web awards - I haven’t over 180 of them!
• Free search engines! Free indexing!
• On-line white pages
• Free home pages! (Netscape)

Secret Web Pages
• My family photo albums
– is it published?
– chessecretword
• test.html and test/index.html

Stupid Search Engine Tricks
Keyword ideas
• They make reference librarians of us all
• Keyword searches can be very easy
• It’s useful to have a unique name, like Avolio, Ranum, Bellovin, or Cheswick
• Lost friends page
• make your own: chesupdatetime

keywords
• proprietary, top secret, company confidential
• d00dz, stup1d, warez, eleet, appz, hack3r
• rootkit
• “stupid net tricks”

Snake Oil?
• The hype may have us firing librarians
• It is better to touch a book
• The net is the 1990 equivalent of filmstrips: you don’t have to think!
• My stupid test: the web as a reference librarian
– no netnews
– no hard work

Web Questions
• How does cyanuric acid stabilize the chlorine in a swimming pool?
• What is the meaning and etymology of intinction?
• Who plays Heidi on Home Improvement?
• What is a “global learner?”
• What is the hyperfine interaction?
• How do you throw a “four seamer?”
• What are the hand signals used in baseball like?

More web questions
• What is “lumbago”?
• What is the current and historic price of cobalt oxide, used as a paint pigment?
• What do Mayan hieroglyphics look like?
• What wavelengths stimulate photochromism?
• What is the rate of colorblindness (bichromatism) in the general population?

Web Answers
• How does cyanuric acid stabilize the chlorine in a swimming pool? Unknown - Olin.
• What is the meaning and etymology of intinction? Found in a dictionary in Belgium
• Who plays Heidi on Home Improvement? Learned all about her.
• What is a “global learner?” No useful answers.
• What is the hyperfine interaction? Found: there are physics texts on the net.

More Web Answers
• How do you throw a “four seamer?” Discussed but not described.
• What are the hand signals used in baseball like? Discussed, but not answered.
• What is “lumbago”? Found in a dictionary.
• What is the current and historic price of cobalt oxide, used as a paint pigment? US Bureau of Mines had it.

More Web Answers
• What do Mayan hieroglyphics look like? Found some excellent photos and descriptions.
• What wavelengths stimulate photochromism? Found at ppg.com.
• What is the rate of colorblindness (bichromatism) in the general population? Not found. Plenty of racial rants, though.

The Score
• 8 answered
• 4 not answered
• This was better than I expected
• Netnews would have yielded thousands of answers. Many would even be right
• Stupid research.
• Arms race: altavista.digital.com is more experienced than www.infoseek.com

Web marketing tricks: top of the list
• hidden text
– used cars used cars used cars used cars
– same as background color
– very tiny font
– way below the first screen
• CONTENT=“used cars used cars”
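An added example (not code from the talk) of how a search engine or a site reviewer can spot the marketing tricks listed above: text in the background colour, a very tiny font, one keyword repeated over and over, and a stuffed META keywords CONTENT attribute. The sample page is constructed for the demonstration.

```python
"""Heuristic check for the search-engine marketing tricks the slide lists:
hidden text (same colour as the background, very tiny font), one keyword
repeated over and over, and a stuffed META keywords CONTENT attribute.
Added example, not from the talk; the sample page below is constructed."""
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: a white page carrying white, size-1 "used cars" text.
SAMPLE_HTML = """<html><body bgcolor="#ffffff">
<h1>Honest Used Cars</h1>
<font color="#FFFFFF" size="1">used cars used cars used cars used cars</font>
<meta name="keywords" content="used cars used cars used cars">
<p>We sell cars. Come visit our lot.</p>
</body></html>"""

class StuffingDetector(HTMLParser):
    def __init__(self, repeat_threshold=3):
        super().__init__()
        self.bgcolor = None                  # set from <body bgcolor=...>
        self.repeat_threshold = repeat_threshold
        self.findings = []                   # human-readable list of what was spotted

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body" and a.get("bgcolor"):
            self.bgcolor = a["bgcolor"].lower()
        elif tag == "font":
            if self.bgcolor and a.get("color", "").lower() == self.bgcolor:
                self.findings.append("text colour matches background")
            size = a.get("size", "").strip("+-")
            if size.isdigit() and int(a["size"]) <= 1:
                self.findings.append("very tiny font")
        elif tag == "meta" and a.get("name", "").lower() == "keywords":
            self._check_repeats(a.get("content", ""), "META keywords")

    def handle_data(self, data):
        self._check_repeats(data, "body text")

    def _check_repeats(self, text, where):
        # Flag any word that appears at least repeat_threshold times in one run of text.
        for word, n in Counter(text.lower().split()).items():
            if n >= self.repeat_threshold:
                self.findings.append(f"'{word}' repeated {n}x in {where}")

def scan(html):
    """Parse the page and return the findings (an empty list means nothing suspicious)."""
    detector = StuffingDetector()
    detector.feed(html)
    return detector.findings
```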

Conclusions
• If you want to see some of these efforts,
check out my web page.
• (Ask the search engine for the address)
• Keep experimenting!
