Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Donate Shop PBS Search PBS
I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
Search I,Cringely:

The Pulpit
The Pulpit

<< [ Quantum Dilemma ]   |  I'm From the Government, Trust Me  |   [ Y2K: The Winter of Our Disconnect? ] >>

Weekly Column

I'm From the Government, Trust Me: Why Russia Probably Isn'tInvading U.S. Government web Sites and Even if They are, It Doesn't Matter

Status: [CLOSED]
By Robert X. Cringely

Twenty years ago, I was working as an investigator for the Presidential Commission on the Accident at Three Mile Island. I was trying to help piece together what caused that nuclear power plant to almost go kablooey. The commission chairman was John Kemeny, inventor of the Basic programming language and then president of Dartmouth College. Back then, as now, nuclear safety was a hot news item, and the Commission was suffering from a news leak. So they called in the security consultants — men in white belts and white shoes who seemed to be always chomping on unlit cigars. The consultants installed an elaborate system of monitors and guards meant to keep our secrets secret. When asked exactly who they were trying to keep from breaking-in to the building, the chief white shoe said, "Why the Washington Post, of course."

The Post, which had been breaking all those TMI stories, never had a budget for burglary. They never needed one. In the case of Three Mile Island, all it took was picking up a few bar tabs at some corner dive. But you could never convince the security consultants of this, since it would mean that their jobs couldn't be justified. And that's the moral of this story: Always consider the personal interests of people who say we are in danger and should pay them to do something to protect us.

What brought all of this back to mind after two decades was reading a number of news stories about supposed Russian infiltration of web sites in the U.S. government. To read these stories, it sounds pretty dire, like we are enduring a Russian cyber invasion. Those complaining seem to be the U.S military and the FBI.

What a load of hogwash! Read the stories. What secrets have been lost? Well, none, but there has been lots of "sensitive data" transferred overseas. Sensitive data? What the heck does that mean? It means someone wants us to pay for something that doesn't require doing.

First let's deal with the difference between secrets and non-secrets. The U.S. government is absolutely mad for secrecy. It has hundreds of levels and types of secrecy, and has a tendency to declare as secret almost anything it considers to have value. Most U.S. secrets aren't worthy of being called secrets, yet they are. Is any of this "sensitive data" secret? Is it classified information? No. So the U.S. government has already decided that it doesn't really matter who reads this stuff. So why should we care, then, if some of the readers are from Russia?

U.S. rules say that if something is classified as secret, it can't be held on a computer that is reachable over the Internet.

So what we have lost apparently has little value, okay, but maybe what so worries our spooks is the volume of attacks from Russia or wherever. If that's the case, let's consider for a moment how search engines work. Excite, Alta Vista, Hotbot, Google, and all the rest use spider programs that go around the net, find web content, and drag it back to be indexed. All of these search engines — dozens of them — claim to be scouring the Internet on a daily basis. This means that they access every web server in Russia many times per day. Hey, doesn't that sound like an attack? Is Excite invading Russia? It also means they access every web server in the U.S. many times per day, including all the web servers holding that so-called "sensitive data." Is Alta Vista attacking U.S. security?

So maybe the Russian Academy of Sciences is developing a search engine. Do we have any idea whether it is accessing U.S. web sites that contain other than sensitive data? We don't know anything, because it is not in the interest of these alarmists to share with us that knowledge.

We make information available on the Internet — a global network — then raise an alarm when that information is actually accessed. What is wrong with this picture?

Of course, it is okay for us to do it, we are the good guys, remember? The CIA and the NSA visit every site they can on every server in every country including those we consider friendly. Is the CIA invading Australia? Regularly.

Somebody in the FBI or the U.S. military (or both) wants either to expand the definition of what is an official secret to include the hot lunch menu at your local elementary school, or they want more money for expanding their anti-cyber terrorism efforts. That is why these stories appear, not because there is any actual threat. This has to do with regulations or appropriations, but it doesn't have to do with real security.

Information that is declared to be for public consumption ought to be for public consumption anywhere. From a data security standpoint, such accesses are actually very good. They show us what is of interest to those we are afraid might become our enemies. And if those enemies actually DO find a nugget of real information in all that HTML, then they will have helped us make our systems better the next time. If there is a real data security story worth paying attention to, it's the IPv6 debate over whether every Internet packet should indicate the very PC upon which it originated. This is another weird situation where privacy proponents are up against those who advocate the protection of intellectual property. But I think the real situation is far different. Some of it is institutional paranoia, sure. But some of it is just busywork: The Internet Engineering Task Force decided 128 bits were needed for future Internet addresses, and they just couldn't bring themselves to allow any of those bits to go unused. We won't actually need 128 bits for decades, maybe centuries, but the idea of allowing some of them to just stay set at zero rankles engineers. So just for the heck of it, they decided to use 64 of those bits to designate the data source right down to the NIC address.

Is it stupid? Yes? Should it worry us? No. Our workaround to this point for the limitations of IP addressing has been to invent a variety of proxy and masquerading systems to allow a bunch of folks on a local area network to share a single IP address — even if that address is dynamically assigned by a DHCP server at Earthlink. The same thing will happen with IPv6, though in reverse. Somebody will start a business to make all those individual IP addresses look like a single address. Problem solved. And you can bet it WON'T be solved by anyone with matching white belt and shoes.

Comments from the Tribe

Status: [CLOSED] read all comments (0)