Firewall Father Wants WikiLeaks Prosecuted
Cyber-threats should be taken seriously, and complex passwords should be dumped, says the father of the firewall, Bill Cheswick of AT&T
Continued from page 1
Bradley Manning, the alleged source of the WikiLeaks information, is believed to have accessed SIPRnet, the Secret Internet Protocol Router Network over which the US State Department and Department of Defense exchange secret information.
“This is a big network, and the takeway message is that big networks are hard to manage,” says Cheswick. “I’m sure there is some kind of firewall – the horses are gone but the barn door is shut.”
Before WikiLeaks, there was “political pressure” to make SIPRnet as convenient as possible, making it insecure, says Cheswick: “Wikileaks will push that balance.”
He disapproves of deliberate leaks, and slack security, but he does want governments to put appropriate data “out where people can get access to it.” Publishing information like underground train running details can lead to many more useful services: “the people who own the data do not imagine what can be done with it.”
And above all, the Internet is a force for democracy, as has been seen in Egypt. “I think tyrants do not want an open and free exchange of information.”
The 98th most important person on the Net?
At heart though, he is a security professional not a politician. He takes his celebrity lightly, and has limited ambitions for it.
Two years ago, eWEEK named Cheswick as one of the 100 most influential people in IT. He’s a bit rueful about his placing number 98 – but that is still two points ahead of the chairman of the Federal Reserve Ben Bernanke who was number 100.
“Like a Hollywood starlet, I decided what I wanted to do with my new found ‘fame’ was to save the world,” says Cheswick.
The campaign he started, he says, was to eliminate “crazy eye-of-newt passwords” which are forced on users by outmoded security rules on websites.
Users are told to include numbers, upper and lower case letters, and avoid real words, but “these rules were put in pace to frustrate dictionary attacks,” says Cheswick. “That was fine 20 years ago.”
Now, he says, most websites limit users to four login attempts, so no-one is hit by dictionary attacks. “That’s the right way to do it, not these stupid rules.”
“The real danger is people giving their passwords to phishers, or hackers breaking into servers which store them,” he says.
Cheswick wants to get sites to rethink their password rules, and has a “stump speech” he gives on the subject. He wants to see sites use alternatives to passwords, like pictures, gestures or places on a map.
But he doesn’t expect a major shift soon: “There are legacy sites out there. If my campaign succeeds it will take a decade or more – you don’t change Amazon’s password system every day.”
What about weak passwords?
He’s not overly-concerned about the opposite problem – people re-using the same password and using weak passwords. Most attackers simply want to gather a lot of credit card numbers and, while it’s possible to take one password and apply it to other sites, attackers motivated by greed won’t bother, he believes.
“People are not likely to go to someone’s Facebook page and then to their stock portfolio, unless they are personally attacking you,” he says.”You may not trust your office mates and spouses, but most attacks come in from a foreign country, so they can’t read your password hint.”
He’s pleased to see Facebook’s addition of SSL encryption to its sessions, but points out that the extra processing required, though justified, is extra work. “SSL does a fine job of stopping eavesdropping, but it adds to the load on the server.” While most PCs and other clients have enough horsepower to handle the encryption, it can add up on the server end for a site with millions of customers.