Computer Chronicles Revisited 7 — Donn B. Parker and the Digi-Link


Roger Ebert wrote in his four-star review of the 1983 film WarGames, “Computers only do what they are programmed to do, and they will follow their programs to illogical conclusions.” In the movie, Matthew Broderick played a teenage hacker who managed to remotely access the United States missile defense system and initiate a “Global Thermonuclear War” scenario that he mistakes for a computer game. Ultimately, Ebert said the film’s message was, “Sooner or later, one of these self-satisfied, sublimely confident thinking machines is going to blow us all off the face of the planet.”

Worrying About a “New Kind of Spy”

Several months after WarGames premiered to strong reviews and box office sales, The Computer Chronicles broadcast its first episode on the subject of computer security. Stewart Cheifet directly referenced the film in his introduction, noting that typically, computer security did not involve “something spectacular” like nuclear war, but rather more mundane things like stealing money and information.

Cheifet asked Gary Kildall if data stored on a computer was really more secure than data stored by physical means, such as inside a locked filing cabinet drawer. Kildall replied there were techniques that could make data more secure, provided they were actually used. Unfortunately, it often took a “clever individual” breaking the system before such techniques were applied. Kildall said we’re raising a “whole new generation of computer-wise people through the personal computer revolution,” and some of those people would use that knowledge in a malicious way.

Indeed, Kildall said that today–in late 1983–computer crime was already a problem. Timesharing services were particularly vulnerable because they were designed to be used by a number of strangers who made a phone call. This led into a prerecorded demonstration by Cheifet of how someone could use a computer–in this case, what appeared to be a TRS-80 Data Terminal–to remotely access a computer database system. Cheifet noted that all someone needed was a personal computer, some terminal software, and a modem to connect their telephone to the computer. Obviously, you also needed to know the phone number of the computer you wanted to access.

Cheifet demonstrated what he meant by dualiing into a database from his terminal. (He noted it was a local call–not even a toll call!) He explained that you had to wait to hear a high-pitch tone, which indicated the host computer had answered. The remote computer then asked for an ID number and password. Cheifet pointed out the terminal did not display his password as he typed it. This was a security feature meant to prevent someone from stealing his password.

Cheifet also noted he was a “qualified user” and thus had proper credentials to access the remote database. But the problem was that even “unqualified users” could get into these computers. These people were known as “hackers,” and they break into computers just for the sake of finding out what’s inside. And by using common passwords–and sometimes randomly chosen code numbers–these hackers could get into banks, hospital records, and even federal agency computers.

Cheifet then provided narration over some footage from WarGames, noting that in the movie, adolescent hackers gained entry to top secret defense programs. Cheifet said experts claimed the possibility of this happening in real life was essentially zero. Nevertheless, federal officials were planning to strengthen existing security procedures. Cheifet said there were also professional computer hackers–a “new kind of spy” who traded in the trench coat and camera for a keyboard and a video display. A growing number of institutions were figuring out how to foil this new breed of thief. Ultimately, Cheifet said the question was, “Can a computer really be programmed to keep its secrets secret?”

The Escalation of Computer Crimes

Donn B. Parker of SRI International joined Cheifet and Kildall back in the studio. Parker was considered the country’s “foremost expert in computer crime,” as he’d been working in the field for 30 years. Kildall opened the discussion by asking Parker to talk about the scope of computer crime. Parker said that we did not have any firm statistics on the problem, so researchers like himself had to rely on a case-by-case analysis. He noted that in just the past four years, we’d seen a number of record financial losses attributed to computer crimes, including:

Parker said these stories illustrated that the more people used computers, the larger the potential losses from computer crimes were. Kildall asked Parker if that meant he saw “escalation” as the real problem. Parker said yes, noting that while overall business crime was probably going down to increased computer usage, the losses that did occur now tended to be significantly larger.

Kildall asked Parker to describe the “characteristics of a computer criminal.” Parker said his research team had interviewed about 35 hackers to date, individuals he described as among the more “sophisticated computer criminals.” He noted they tended to be young, which was not a surprise given that people in the computer field were generally young. Parker said these individuals tended to exhibit a variation of “Robin Hood” syndrome–i.e., they stold from the rich but kept the money for themselves. At the same time, these hackers did not view themselves as criminals. They “very strongly” differentiated the idea of doing harm to people, which was immoral, with rationalizing the harm they did to organizations.

One such rationalization, Parker said, was that hackers saw their victims as the computers themselves. And a computer cannot “cry or hit back.” That made it an ideal target for someone who would not otherwise walk up to a person, stick a gun in their face, and steal their money. Such behavior was clearly criminal. But things were different when money was stolen through a computer terminal. Parker said hackers ultimately considered themselves “problem solvers.” That is, they had some “intense, unshareable problem they are trying to solve.” This led them to abuse a position of trust they had, as that was the easiest way to solve their problem.

Cheifet asked Parker to clarify if we were talking about “amateurs” or “career computer criminals.” Parker said so far, the problem was mostly amateur, white collar criminals. But we were starting to see an increasing number of career criminals involved with computers. He added such an increase was to be expected given that “for several years now, every major prison in the United States has been teaching data processing to prisoners.” As a result, many career criminals have found they are unable to commit “traditional crimes” outside of the computer environment.

Kildall asked about some of the specific techniques used to attack criminal systems. Parker noted that SRI had researched about 1,100 specific cases over the past 13 years, which led them to classify a number of techniques. He said the most common was data diddling, or altering data as it is entered into a computer system. Some of the other common techniques he listed included Trojan horses, logic bombs, salami attacks, piggybacking, data leakage, and super zapping.

At Kildall’s prompting, Parker explained one of the terms, Trojan horses, as an example. This referred to building secret instructions into a computer program, so when it is later executed on a system, it not only performed what it was supposed to do but also the additional instructions. Kildall said such instructions could be used to transfer money into someone’s bank account. Parker replied a Trojan horse could be used “for a whole variety of programmed frauds.” Another example was a logic bomb, where the program contained instructions that were triggered when certain conditions were met.

Kildall asked about the hypothetical scenario presented by WarGames, where a system was attacked from the outside by someone guessing passwords to gain entry. Parker said there were a “whole range of malicious system hacking techniques” to impersonate authorized users of computer systems via a remote terminal. This required knowledge of an authorized user’s ID and password. It was also possible to automatically or manually scan a list of telephone numbers or possible access codes.

Kildall asked if the advent of more “user-friendly” computer systems have helped or hindered computer crime? Parker observed that a friendly system was “almost of the opposite” of a secure one. So the trick was to “find the balance” between the two. As the number of people using computers continued to grow, the enemy was also expanding in size and sophistication. This meant that in some respects, we could “no longer allow systems to be as friendly as they have been.”

Kildall turned to the question of computer bulletin board systems, specifically so-called “pirate” boards used by hackers. Parker explained there were about 128 known pirate bulletin boards in use throughout the country. They were used primarily for “intelligence purposes” by “malicious systems hackers.” For example, pirate boards often broadcast the telephone numbers of computers and passwords that could be used to gain unauthorized access.

Promoting Basic Password Security

In the final segment, James L. Holmes of Tri-Data Corporation joined Cheifet, Kildall, and Parker, to demonstrate his company’s Digi-Link product. This device was designed to help secure dial-up computer networks. It basically consisted of a 212A modem with “answer verification” capabilities. Essentially, the Digi-Link would only give someone trying to access the protected system remotely one or two chances to correctly enter a password before automatically disconnecting the call. This was necessary as many systems of the time allowed an unlimited number of login attempts.

Holmes then explained the use of passwords to secure computer systens. He noted that the Digi-Link could accept passwords of between 1 and 250 characters. The typical password, however, was only about 5 or 6 characters. Obviously, the longer the password, the more difficult it was to break in, and many people who were “intent” on security would try to use passwords of 20 to 30 characters.

In response to a question from Kildall, Holmes said the Digi-Link did not dial back a user to confirm their identity, it only checked for a valid password to log on to the protected system. Cheifet noted there were other systems besides the Digi-Link that used what he called a “Pizza defense,” i.e., the pizza parlor calls you back to confirm you are the person who actually ordered the pizza. Similarly, these devices call the dialer back to make sure it was a “proper party” who was requesting services.

Kildall asked Donn Parker if devices like the Digi-Link adequately secured data. Parker said they added another layer of security and thus helped to provide “a significantly more secure system today” than existed in the past. That said, no computer system commercially available today was “adequately secure” relative to the value of the information it stored. It was therefore important to compensate for the technological limitations of systems through operational, physical, and procedural methods to make the organization itself more secure.

Cheifet pointed out that the American computer industry often looked to Japan when it came to the latest technology. He asked Parker if there was anything the Japanese were doing in terms of security that we could learn from. Parker said the Japanese were actually a “little bit behind” on this subject as they had not yet experienced the types of computer crimes seen in the United States. That was starting to change, however, and given the eagerness of Japanese manufacturers to enter the American market, they needed to have a stronger understanding of computer crime. Parker noted, “Crime is a very cultural thing,” so its understanding varied from one country to another.

On that point, Cheifet asked if the laws in the United States were adequate to deal with computer crimes. Parker said the laws were “improving a great deal” in this area, although there was still a long way to go. He noted there were now 21 states that had specific computer crimes laws, as well as several bills pending in Congress to provide “specific protection on a nationwide basis.”

Kildall asked about the role operating systems played in computer security. He noted that something like UNIX had source code that was now available to individuals. Could such access lead to security concerns? Parker quipped that with a big enough hammer, you could break anything. So any computer system could be broken with a sufficient amount of work, skills, knowledge, and access. In terms of long-term research on computer security, Parker said the ultimate goal was to develop a “provably secure system,” where you could prove how the computer would perform “under all conditions.”

Cheifet asked about the potential risks of computer crimes with respect to banks, noting they were now all tied to the electronic funds transfer system. What was the potential for a “major economic disaster” if that system were compromised. Parker said the potential was “catastrophic,” but overall the risk was “relatively low.” The key was making sure that security–the “electronic fences” protecting the bank–kept up with the developing technology.

Finally, Cheifet asked about the potential for cryptography as a solution to the problem of computer crime. Parker said cryptography was “the most powerful safeguard” ever developed to protect data through communications lines. At the present time there was “no problem to solve” in this area, i.e., there was no risk of “eavesdropping” by third parties. In the future, however, he said this would be a much more significant issue.

Writing the Book(s) on Computer Crime

There’s not much to say about James Holmes or Tri-Data. I could not locate much information about either. According to a 1988 article in Network World, Tri-Data made “modems, processors, and other support equipment.” As best I can tell, the company was in business from 1967 to around 1992.

Donn Parker, then and now, is one of the country’s top experts on computer crime. He literally wrote the book–several actually–on the subject. Parker began working with computers in the 1950s as a programmer on the UNIVAC 1103. After spending the early part of his career at General Dynamics and Control Data Corporation, Parker moved to SRI in 1969, where he remained until his retirement in 1997. Parker initially worked in management at SRI but shifted in the early 1970s towards researching the nascent field of computer crimes.

Parker told the University of Minnesota’s Jeffrey R. Yost in a 2003 interview that he got into computer crime research due to his interest in professional ethics. A “dedicated Christian,” Parker said his early research focused on “ethical conflicts in computer science,” such as the concept of owning computer software. In 1976, Parker authored Crime by Computer, widely considered the first definitive book on the subject. He went on to author six more books on computer crime, as well as the Criminal Justice Resource Manual for the U.S. Department of Justice.

Notes from the Random Access File