From time to time, programmers are accused of acting irresponsibly. It's no surprise that, more often than not, there's some truth to these accusations. I still have flashbacks, for instance, of a gaggle of Borland programmers dressed in togas, led by (then) Boss Man Kahn who was tootin' his saxophone into the wee hours. And then there was the trapeze. It was--well, take my word for it--Philippe and his merry pranksters went too far that night.
Considerably more serious charges have been leveled at Dan Farmer who, along with Wietse Venema, has written and released a program called "Security Administrator Tool for Analyzing Networks," or "Satan" for short. Satan collects information about machines, nets, and remote hosts by examining a variety of Internet and UNIX services (specifically SunOS and Irix), thereby spotting potential problems and security holes. Using a Mosaic-like interface, Satan queries the host, identifies the system type and available network services, and probes the host to determine if critical access controls are in place. The capability to actually break into systems hasn't been implemented.
Farmer and Venema know what they're talking about when it comes to system security. Until recently, Farmer was network-security manager, first at Sun Microsystems, then at Silicon Graphics. Farmer is also author of the widely used security program called "COPS" and a former member of the Internet security force. For his part, Venema is a noted security expert at the University of Eindhoven in the Netherlands.
When word of the freely distributed program got out, Farmer came under fire from all sides as his critics went ballistic, at least metaphorically. Mike Higgins, chief of the US Defense Department's computer-security team, said that "the analogy we use is that Satan is like a gun, and this is like handing a gun to a 12-year-old." SRI computer-security consultant Donn Parker concurred, stating that "[Satan] is an extremely dangerous tool. It's like distributing high-powered rocket launchers throughout the world, free of charge, available at your local library or school, and inviting people to try them out by shooting at somebody." As for Silicon Graphics, the company simply fired him.
Farmer acknowledges that Satan can be a dangerous tool. "Unfortunately this is going to cause some serious damage to some people," he says. "I'm certainly advocating responsible use, but I'm not so naive [as] to think it won't be abused." However, Farmer justifies releasing the program by insisting that Satan will make network administrators more diligent when it comes to security. Ironically, infamous network cracker Kevin Mitnick grabbed an early version of Satan when he broke into Farmer's system.
It should be underscored that, by itself, Satan does not attack network systems--the program simply collects data and identifies problems. Still, like the old story about your mother-in-law going over the cliff in your new Lexus, I'm having trouble with Satan. While I believe in the free flow of information as much as the next person, I'd be pretty mad if someone used Satan to wreck or steal from a system I'd built. What it all comes down to is that network administrators need to keep secure firewalls in place, and users should keep sensitive data in safe places. If Satan encourages these practices, then the program is successful, no matter what anyone says.
While I remain ambivalent about the rights and consequences surrounding Satan, there's little doubt in my mind that Vincent Yost, a Philadelphia embedded-system developer, has gone one toke over the line. Anyone who has lived in an automobile-congested urban area knows that one of life's little pleasures is finding a parking meter with time left on it. Now, thanks to an overzealous programmer, such pleasures may end up going the way of buggy whips and nickel candy bars.
Yost has developed a prototype parking meter that uses infrared sensors and microcontrollers to detect when you back your car out of a parking place. It then resets the meter to zero, requiring the person driving into the vacated spot to put more money into the meter. As if that weren't heinous enough, Yost's meter also foils people who don't move their cars--"meter feeders" who run out and pump money into the meter throughout the day. If time expires and your car hasn't been moved, the meter will continue to take your money but without giving you additional time.
Cash-starved, blood-sucking municipalities that have tried the "Yostmeter" love it. In some tests, the average weekly take per meter rose from $12.45 without the intelligent meter to $44.00 with it. I guess the best you can hope for in this brave new world is justice with a little irony. Security expert Dan Farmer got his system broken into by Kevin Mitnick. Hopefully, Vincent Yost will someday end up with a basketful of parking tickets under his windshield wiper.
editor-in-chief
Copyright © 1995, Dr. Dobb's Journal