Today's discussion of Internet security can be traced at least as far back as Robert Tappan Morris. In 1988, the 23-year-old doctoral student at Cornell released a 99-line program that ate its way through the Internet, propagating uncontrollably and slowing data transmission across the network nearly to a halt. In response to the unexpected shock, DARPA (the Defense Advanced Research Projects Agency), the federal agency that oversaw the Net, formed a group of experts who could coordinate responses to worms like Morris'.
The group soon called itself CERT -- for Computer Emergency Response Team -- and the plan it came up with seemed simple. People were supposed to send information on vulnerabilities to the group; CERT would then verify that the hole existed and alert the vendor. CERT published only after the vendor had plugged the hole.
CERT still maintains the procedure, but after a few years, people started to rebel. "There were three main complaints," writes Schneier in an essay on the issue of publicizing vulnerabilities. "First, CERT got a lot of vulnerabilities reported to it, and there were complaints about CERT being slow in verifying them. Second, the vendors were slow about fixing the vulnerabilities once CERT told them. And third, CERT was slow about publishing reports even after the fixes were implemented."
Hackers who spotted vulnerabilities weren't the only ones unhappy with CERT's lack of speed. The larger community of computer scientists and, in particular, systems administrators and security specialists entrusted with the responsibility of keeping networks safe and reliable, also chafed at the ponderous pace. By the time a vendor plugged a hole in its software, a great deal of mischief could already have occurred.
Frustration with CERT led to what's now called "the full-disclosure movement" -- based on the hacker-friendly philosophy that more information is always better. Scott Chasin led the way, creating a mailing list in 1993 called Bugtraq that promised to publish vulnerabilities regardless of vendor response. Bugtraq's policies led to friction with software vendors. Not only do software companies detest the bad publicity that comes with news reports announcing serious problems with their software, but they are also wont to argue that publicizing a hole before a fix is available is tantamount to inviting a horde of juvenile delinquents to rummage through your unlocked home.
But "the environment at that time was such that vendors weren't making any patches," says Elias Levy, an early Bugtraq subscriber who has moderated the list since 1996. "So the focus was on how to fix software that companies weren't fixing."
Only a few hundred people signed up at first; by 1996 the list still had just 2,000 subscribers.
But the messy dangers of security research hit home while Bugtraq was just getting started. In 1993, Randal Schwartz, an independent contractor working for Intel, decided to run a program that tested the vulnerability of passwords on the company's network. The program (called Crack) found 48 "weak" passwords (words that would be easy to guess) but Schwartz was hardly rewarded for his vigilance. Instead, he became the target of a criminal investigation, at the direct request of his own employer. An indictment came down in 1994 and in 1995, an Oregon judge sentenced him to 480 hours of community service, five years of probation, 90 days in jail and $68,471.45 in restitution. The Oregon Court of Appeals eventually suspended the jail time and reversed the restitution order, but upheld all the convictions.
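What a tool like Crack actually does is worth spelling out, because the Schwartz case turned on it: a password audit never "decrypts" anything. It takes each stored hash and its salt, re-hashes a dictionary of guesses (plus Crack-style mutations such as capitalizing or appending a digit) with that salt, and reports accounts where a guess reproduces the stored value. The block below is an added illustration written for this page, not Crack's own code and not anything from Intel's network; the account file, the dictionary, the `ITER$salt$hash` storage format and PBKDF2 as the hash are all assumptions chosen so it runs offline, whereas Crack targeted DES `crypt(3)` hashes.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical storage format used for this example (not crypt(3) or Crack's):
#   user:ITER$salt_hex$pbkdf2_sha256_hex
ITERATIONS = 1000  # deliberately low so the audit runs quickly in a demo


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, rendered in the example's storage format."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def make_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build one account line; a fixed salt is passed only to keep the demo deterministic."""
    salt = salt or os.urandom(8)
    return f"{user}:{hash_password(password, salt)}"


def mangle(word: str) -> Iterable[str]:
    """Crack-style rules: the dictionary word itself plus common mutations."""
    seen = set()
    variants = (
        word, word.lower(), word.capitalize(), word.upper(), word[::-1],
        word + "1", word + "123", word.capitalize() + "1", word.capitalize() + "!",
    )
    for cand in variants:
        if cand not in seen:
            seen.add(cand)
            yield cand


def audit(entries: Iterable[str], dictionary: Iterable[str]) -> Dict[str, str]:
    """Return {user: guessed_password} for every account a dictionary guess reproduces.

    No hash is reversed: each candidate is re-hashed with the account's own salt
    and compared. The per-account salt is what stops one pass of hashing from
    covering every user at once; it does nothing for a low-entropy password.
    """
    parsed: List[Tuple[str, int, bytes, str]] = []
    for line in entries:
        user, stored = line.split(":", 1)
        iters, salt_hex, _ = stored.split("$")
        parsed.append((user, int(iters), bytes.fromhex(salt_hex), stored))
    candidates = [c for w in dictionary for c in mangle(w)]
    found: Dict[str, str] = {}
    for user, iters, salt, stored in parsed:
        for cand in candidates:
            if hash_password(cand, salt, iters) == stored:
                found[user] = cand
                break
    return found


# Constructed sample data (fixed salts so results are reproducible).
SAMPLE_ENTRIES = [
    make_entry("alice", "Welcome1", salt=bytes.fromhex("0011223344556677")),
    make_entry("bob", "correct horse battery staple", salt=bytes.fromhex("8899aabbccddeeff")),
    make_entry("carol", "dragon", salt=bytes.fromhex("0123456789abcdef")),
]
SAMPLE_DICTIONARY = ["welcome", "password", "dragon", "intel"]


def run_sample_audit() -> Dict[str, str]:
    """Audit the constructed accounts; 'alice' and 'carol' fall, 'bob' does not."""
    return audit(SAMPLE_ENTRIES, SAMPLE_DICTIONARY)


if __name__ == "__main__":
    for user, guess in run_sample_audit().items():
        print(f"weak password for {user}: {guess!r}")
```

The point the example makes is the one that mattered in Schwartz's defence and was rejected by the court: the auditor only learns what was already guessable, and whether running it is vigilance or a crime is a question of authorization, not of technique. Note also that the passphrase account survives the run not because of the salt but because no rule in the dictionary produces it.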
"I'm now a triple felon for merely wanting to help my main client of five years, by running a simple tool to gather evidence that another group within the company was not providing the minimum company-mandated standard level of protection," Schwartz says. "This is crazy. All I wanted to do was help."
Then, Internet mania struck. With millions coming online, dot-coms appearing out of thin air and Web-based services like Hotmail growing exponentially, the security environment radically changed. More holes appeared and more people found them. Today, Bugtraq counts 46,000 subscribers, many of them journalists who spread news of vulnerabilities to millions.
The expanded attention at Bugtraq and other places on the Net has fueled the already heated debate. The discussion that had once taken place in the equivalent of a small theater has now moved into a cacophonous coliseum. Some maintain that those who exploit a vulnerability in order to prove that it exists are violating property rights. Others follow CERT's moderate stance, arguing that testing a hole was fine as long as the tester told the vendor about the hole and kept the vulnerability private.
At the other end of the spectrum sit those who take a more libertarian line. They argue that ferreting out vulnerabilities -- by any means possible -- is the best way to keep them from forming in the future. Some diehards even declare that high-profile crackers like Kevin Mitnick -- the notorious computer expert who spent five years in jail for illegally accessing corporate networks -- should be lauded as heroes, cyber-investigators who showed the world how fragile networks could be.
"These problems are complex and ambiguous," says Smith of the Privacy Foundation.
"It's an extremely difficult issue," adds Schneier, echoing the sentiments of other security experts. "The more I look at it, the harder it seems to get."