SAN MATEO (02/28/2000) - On Feb. 15, Internet executives gathered at the U.S.
White House with Bill Clinton and his National Security Council. They met to make a federal case out of recent cracker attacks on the Internet.
The next day, Attorney General Janet Reno appeared before Congress to testify on behalf of the administration's proposals to spend $2 billion in 2001 on guarding infrastructure critical to national security.
Excuse me, but the Clinton-Gore record on national security is rivaled only by its efforts to banish sexual predation from the workplace.
Internet executives told reporters they were reassured by their 90-minute White House meeting.
At the inevitable photo opportunity, Clinton said what they wanted to hear: that the feds will not have regulatory relations with the Internet.
Clinton said there shall be more public-private cooperation, that we must spend $2 billion next year guarding but not regulating the Internet, and that we definitely need another commission or two on the matter, but fear not.
Such reassurance reminds me of TWA Flight 800. Clinton was on television within hours of the horrible crash, demanding stepped-up security measures at airports to catch terrorists.
These measures cut into privacy rights, increase travel inconvenience, and cost taxpayers billions of dollars.
Later we learned the crash wasn't caused by terrorists, but at least the feds had not been sitting idly by.
In the case of recent outages at Yahoo Inc., eBay Inc., and other Web sites, cowardly criminal acts were committed.
Last week the U.S. Federal Bureau of Investigation was looking to question anonymous people with aliases including Mixter, Coolio, Nachoman, and Mafiaboy.
Anonymity is the key.
Thirty years ago, the Internet was vulnerable to crackers because graduate students were in charge. We had few secrets and nothing important to put online.
But in case you think Internet security problems are new, see my early warning at info.internet.isi.edu:80/in-notes/rfc/files/rfc602.txt -- written in December 1973.
Decades later, we are still in a rush to grow and speed the Internet. We have little time or performance to spare for security. We are wrong.
At rock bottom, the Internet is vulnerable, especially to recent distributed denial of service attacks, because the Internet community remains conflicted about anonymity, which many confuse with privacy.
Anonymity should no longer be the rule on the Internet.
Anonymity should be supported, but as the exception, not the rule.
So, for example, routers and servers on the Internet should not ignore packet-source addresses.
They should be authenticated as packets enter the Internet and at intermediate points toward their destinations.
When a router receives a packet, it should confirm that the source address is consistent with the direction from which the packet arrived. If not, the packet should be dropped.
And source addresses should be used more often to filter service requests.
For example, it should not be the duty of every computer on the Internet to respond to pings from anyone, anywhere, anytime.
I wrote early Internet ping software, including a ping responder called pong, in 1971.
Back then, bringing computers up on the Internet was a major achievement and getting a pong from your ping was cause for celebration.
I was pinging a dozen hosts whose programmers I knew by their actual names.
Today's millions of routers and servers should pong only for a few authorized pingers. Promiscuous ponging is unnecessary and dangerous.
Recent attacks would have been thwarted if the Internet community were not so hung up on anonymity -- if ignoring source addresses and ping-pong promiscuity had been eliminated.
Perhaps this month's White House photo opportunity will provoke ISPs to take these two and other straightforward precautions. Might save us taxpayers a billion or two.
Technology pundit Bob Metcalfe just survived a thousand flaming e-mails from Linux lovers, most from "Anonymous Coward" at slashdot.org. Now he's ready for flames from privacy paranoids at firstname.lastname@example.org.