Want CNET to notify you of price drops and the latest stories?

Programmers protest with code

When ordinary citizens have a gripe, they might write a letter. When programmers have a gripe, they write code.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
4 min read
When ordinary citizens have a gripe, they might write a letter to their congressional representative or to the editor of their local newspaper. When programmers have a gripe, they write code.

In a recent example that gained widespread attention, a group of self-described hackers known as the Cult of the Dead Cow created the "Back Orifice" program to demonstrate what it considers lax security standards in Microsoft's Windows 95 and Windows 98.

Back Orifice allows users to remotely control victims' desktops, potentially undetected.

Microsoft downplays the risk presented by Back Orifice, which it claims poses no threat to users who follow what it terms "safe computing practices." Critics are accusing Microsoft of ignoring a serious problem.

Back Orifice is not the only potentially damaging program to debut on the Internet this month from programmers making a point. Another, dubbed a "Spartan horse" by its creator, is aimed at fooling Internet users into handing over their Windows usernames and passwords. It presents a JavaScript dialog box that mimics a common Windows box that legitimately requests that information.

Like Back Orifice, the Spartan horse was created not with the intent to do harm, according to its author, but to demonstrate a vulnerability in the Windows security model. In this case, the programmer is using his code to illustrate what he considers to be the hazards of Microsoft's strategy of integrating its Windows operating system and its Internet Explorer Web browser.

"The Spartan horse points out the dangers of integrating operating systems and Internet browser software," reads a site posted by Dannie Gregoire, the program's creator and the proprietor of Louisville, Kentucky-based Internet service provider Iglou. "As the two merge, it becomes impossible for the end user to distinguish which applications are local and which are remote. This confusion provides ample opportunity for malicious persons to take advantage of the end user with a Spartan horse attack."

The "Spartan horse" is one of many techniques, some more technical than others, used by hackers to glean passwords from users.

In many cases, hackers can convince technical support workers to reveal other users' passwords over the phone, or manipulate users themselves to hand over that information either via email or over the phone. The process of talking someone out of their information, rather than using technical means to get it, is called "social engineering."

In other cases, hackers use "brute-force" computing methods to try millions of possible passwords--or millions of possible password encryptions--against each account until they get a match. Another technique, known as password sniffing, penetrates the network and collects passwords as they are sent back and forth.

Both of these techniques appear to have been used in the stealing of many thousands of passwords at the University of California at Berkeley and other universities in the United States and Europe earlier this year, according to UC Berkeley math department chairman Calvin Moore.

The incident, the subject of a CERT advisory last month, is under investigation by the FBI, according to Moore.

But the message of the recent round of hackers is that such brute-force methods are not necessary to gain access to people's desktops, and that the average Internet user--and even some fairly advanced ones--can easily be tricked into compromising their security.

"A good percentage of our ISP customers don't understand the basic technical aspects of their account," said Gregoire. "When they see something they're familiar with, they'll do what comes naturally."

Microsoft, which concedes that Windows 95 and 98 are not designed to be highly secure systems, says the best approach to these vulnerabilities is education.

"The best thing we can do is to educate the user who has to say yes or no to these things, who has to make the decision," said Karan Khanna, product manager for the Windows NT security team. She cited Microsoft education efforts such as posting articles to its Web site and to various magazines.

But in the end, Microsoft may just be waiting for the Internet to grow up. "It's a new medium, and users have to learn how to use it," Khanna added. "It's like the early days of driving. People had to learn the conventions."

Do activist programmers have qualms about writing potentially damaging software?

"Do you sweep these kinds of things under the rug, or get the problem out there and shed light on it so you can start solving it?" Gregoire asked rhetorically. "I think it's always important to get these problems out in the open and have them addressed as soon as possible."