In a scene reminiscent of a high-tech thriller novel, last week two college students cracked a supposedly invulnerable encryption and gained access to highly sensitive information. It took them only a few minutes last Sunday night to figure out the code, and by Monday, the word had spread far and wide.
The company responsible for the security encryption immediately took action, promising to fix the fatal flaw, while its stock price plunged. People across the world began to think twice about sending personal information over the Internet. Hacker groups began to spring to the forefront, quickly announcing the public release of information about how to crack the security. Across the nation, system gurus began to get very, very nervous, while the government, some of whose systems used the buggy security, went ballistic about the problem.
It sounds like science fiction, but it’s real-life drama we’re describing. The problem: a flaw in a program called Netscape, the most popular of the Internet Web browsers, which allows a person to crack its code in mere minutes. From its introduction, Netscape’s promotional materials touted the program’s invulnerability to attack as being one of its greatest assets. One brochure claimed it would take millions of years for a huge supercomputer to break encrypted data sent by the browser. So when two U.C. Berkeley students were able to do it in less than 20 minutes, the world stood up and took notice.
Netscape, unlike any other competing Web browser, offers an extra level of security when conducting monetary transfers over the Internet. If you send a credit card number, for example, it performs a complex series of computations on the number, putting it in an unrecognizable code that can then be unlocked with a “key,” or another series of numbers.
Netscape’s flaw was that the method used for determining this “key” relied on obtaining a smaller number first and then calculating a random number from it. Unfortunately, this random number is too small and can be literally guessed by having a computer scroll through lists of possibilities. Once this small number was found, decoding the larger number was a simple matter for the two college students.
Engineers at Netscape Communications confirmed the flaw late Monday night, and by Tuesday they had announced a new version of the software, scheduled to hit the Internet in a week. The fixed version of the Netscape program will merely increase the original small “key” number to a much larger number. Company engineers say the complexity of the new number will make it much harder to guess, and thus more secure.
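The effect described above, shown as an added example that is not from this column or from Netscape: a key is only as hard to guess as the number it was computed from. The toy cipher, the 16-bit seed size and the sample message are assumptions made for illustration and do not reproduce Netscape's actual algorithm.

```python
import hashlib
import secrets

SEED_BITS = 16  # assumed toy seed size; the column gives no figure


def derive_key(seed: int) -> bytes:
    """Weak pattern: a 128-bit key that is entirely determined by a small seed."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:16]


def strong_key() -> bytes:
    """Corrected pattern: 128 bits taken directly from the OS CSPRNG."""
    return secrets.token_bytes(16)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def recover_seed(ciphertext: bytes, known_prefix: bytes):
    """Try every possible seed; return the one whose key yields the known prefix."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(2 ** SEED_BITS):
        if keystream_xor(derive_key(seed), head) == known_prefix:
            return seed
    return None  # nothing in the small seed space matched


# Constructed sample message, not real card data.
MESSAGE = b"card=0000-0000-0000-0000;exp=01/99"

if __name__ == "__main__":
    weak_ct = keystream_xor(derive_key(48813), MESSAGE)
    print("seed-derived key, seed found =", recover_seed(weak_ct, b"card=0000"))
    strong_ct = keystream_xor(strong_key(), MESSAGE)
    print("CSPRNG key, seed found       =", recover_seed(strong_ct, b"card=0000"))
```

The key is 128 bits long in both cases; only the seed-derived one falls to a search of 65,536 candidates, which is why the length of the key alone says nothing about its strength.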
Netscape Communications dismisses any criticism of their security methods, insisting that there never really was a problem. “Netscape secure software has been in use for almost a year on the Internet by millions of customers and no thefts of actual customer information protected by our security have been reported,” says a company press release. “The posting on the Internet only reported a potential vulnerability, not an actual theft of information.”
The vulnerability of a supposedly invulnerable program has started many debates: How secure is the Internet against this type of theft? Experts will tell you the answer is surprising: It’s not secure, and it never will be.
My rule of thumb about sending any information you consider sensitive over the ’net is this: If it’s something you would do over a cordless phone, it’s just as safe to do it over the Internet. A cordless phone is perhaps less secure than a regular phone call: A call from one of these phones can be picked up by most hand-held HAM radio receivers. Any HAM radio operator can tell you that cordless calls (and even cellular phone calls) are on clear airwaves that can be picked up by anyone.
Media Star award
The Media Star award goes this week to local Internet access provider Telalink. One of their Web products has made it to prime time, appearing on both CNN and local media simultaneously, as well as in print in Wired. The much publicized product is the National Speedtrap Registry.
Vanderbilt student Andrew Warner created the registry after he got a speeding ticket. To avoid any more tickets, he put out a query on the Internet about notorious speedtraps nationwide. People in all 50 states responded, pinpointing hundreds of speedtraps.
Andy even made it to morning television; he was interviewed live, in his dorm room, Tuesday on ABC’s The most surprising part? The coverage isn’t over: Christian Science Monitor has called, among other publications.
Joel Moses can be reached via e-mail at firstname.lastname@example.org.