The Cutting Edge: COMPUTING / TECHNOLOGY / INNOVATION: Computer World Expects Devil of a Time With Satan Program
MOUNTAIN VIEW, Calif. — Now that hacker legend Kevin Mitnick is safely in federal custody after an elaborate electronic chase ended last month, the biggest threat to the security of the world’s computer network may well be Dan Farmer.
He would disagree. If all goes according to the 32-year-old security expert’s plan, his controversial brainchild, a soon-to-be-released program called Satan, may in fact render the Internet safer for private information than it has ever been before.
But the risk he is willing to create for the network’s 3 million host computers in order to achieve that goal has earned him public enemy status in the world of computer security, despite impeccable cyber cop credentials.
Farmer is the author of a widely used security program called COPS, a former member of the U.S. government’s main Internet security force and now a security czar at Silicon Graphics Inc.
Still, with his near-waist-length red hair, a fashion sense that tends toward Army surplus and a worldview that comes perilously close to the hacker credo “all information should be free,” he is not your typical corporate security type.
*
Notes Steve Bellovin, a security expert at Bell Laboratories: “Dan’s a bit more on the radical side than many.”
Satan, which Farmer wrote with Wietse Venema, a respected security programmer at the Netherlands’ University of Eindhoven who shares some of his heretical views, allows its users to scan any computer on the Internet--one of the Pentagon’s, say, or IBM’s--and identify its security holes.
The acronym, in which Farmer takes great delight, nominally stands for “security administrator tool for analyzing networks.” It is something of a sequel to COPS, which he wrote in college.
What distinguishes Satan from COPS and most other security tools is that it can be used remotely--you don’t have to have physical access to a given computer to scan it. A few other tools like Satan exist, but they are for the most part distributed commercially to a limited market of corporate and government system administrators.
Farmer and Venema plan to release Satan over the Internet, where anyone who wants a copy can get it for free. And therein lies the rub.
“The analogy we use is that Satan is like a gun, and this is like handing a gun to a 12-year-old,” says Mike Higgins, steering committee chairman for the Forum of Incident Response and Security Teams, a group of 43 cyber cop squads responsible for security on the Internet’s global web of networks. “An awful lot of people are going to use it in a bad way. It’s like they’re holding the network hostage.”
Higgins, who is also chief of the Defense Department’s computer security team, and others involved in security have asked Farmer to limit the program’s release to a small number of people who could be guaranteed to use it responsibly. He has refused.
Farmer’s position is that lax security on the part of the Internet’s operators is far more to blame for the network’s vulnerability than are the electronic forays of system crackers, and that Satan will force the operators to tighten up.
“If we do this right, a great number of systems will get hammered by this thing. That’s why we’re writing it,” Farmer says. “System administrators will be racing to fix their systems because Satan’s going to be out there and nothing can stop it.”
There are dozens of known holes--and corresponding plugs--in the network’s operating system. But because of either ignorance or laziness on the part of system administrators, the holes more often than not go unrepaired, leaving private e-mail, credit card numbers, corporate secrets and military documents unprotected.
Only heightening the sense of peril with a program like Satan, Farmer’s reasoning goes, will force administrators to secure their systems. And the risk of damage will, in the end, be worth it.
“I think it’s regrettable,” Farmer says of the damage that could be wrought with Satan’s help. “I don’t advocate it. But I don’t see any way around it. The holes are there whether or not my program exists.”
If Mitnick, one of the savviest hackers of the decade, is any barometer, Satan is likely to gain a strong following in the computer underground.
During the intense surveillance of Mitnick’s activities in early February, Farmer received a call from Tsutomu Shimomura, the computer security expert whose wrath upon discovering Mitnick’s having trespassed into his own computer led to the hacker’s arrest.
Shimomura, who Farmer says is a longtime friend and colleague, told him that Mitnick appeared to be breaking into his system. Farmer joined the surveillance team and watched the electronic intruder steal an early copy of Satan.
*
Eugene Spafford, a professor of computer science at Purdue University in Indiana who supervised Farmer’s work on COPS when he was a student there, says the two programmers’ reputations have a lot to do with the apprehension among their colleagues in the security world.
Satan is the first security program to emulate the easy-to-use look and feel of the popular World Wide Web browser Mosaic, so it is likely to be accessible to a broader number of users.
“People have a fair amount of respect for Dan’s and Wietse’s ability to write something,” Spafford said, “but it’s unclear if they’re really writing a tool that is supposed to help people that can’t protect themselves, or if they are trying to use those people to gain notoriety for themselves.”
Farmer has his own justification: “If you’re on a public network, you have a responsibility to say, ‘I am going to keep it as secure as reasonably possible.’ I don’t condemn people because they’re negligent, but it does mitigate my guilt a little bit in my own mind.”
Farmer is not entirely without remorse. In response to widespread criticism over the name, he wrote a little program called Repent shortly before releasing a prototype version of Satan to a few people last week. When activated, it replaces all references to Satan with Santa, and transforms the devil icon into a chuckling St. Nick.
An updated test version of Satan is scheduled for release on March 15, the Ides of March. Farmer hopes to get the final version out by April Fool’s Day.
“Using this program, I can break into more systems than anyone could before,” he says. “The idea is I want to give this to people so that they won’t be able to.”