You Must Control Net Connections

 
 
By Peter Coffee  |  Posted 2002-12-16
 
 
 

When CNN Headline News reporters asked me for comments on the Ptech incident, Ill bet they were anticipating a reassuring reality check. Id guess, based on the way they framed the questions, that they thought I would say the notion of software back doors being built in by devious developers was an exaggerated risk.

If so, they may have been surprised to hear me tell their Friday night audience on Dec. 6—Pearl Harbor eve, an ironic coincidence—that accidental data leakage is commonplace. It doesnt take a big imagination, I added, to foresee dire consequences from mixing Internet connections with a small amount of malice and a moderate amount of technical skill.

In yet another coincidence, that conversation took place the day after I finally got a DSL connection in my office near LAX, so the subject of vulnerable always-on connections was already on my mind when the Ptech story broke—and I wasnt enjoying my thoughts. According to the Norton Internet Security scanner on my office laptop system, there are roughly 80 applications on that machine that are potentially Internet-active. Thats many more than I have any desire to allow at-will Internet access.

Opera, because I use it, and Outlook, because I tolerate it, are the only two applications that Ill allow to talk to my connection whenever they like. But when I configure my firewall to complain about anything else trying to access the network, I find all sorts of things on my system attempting to chat with their unknown friends in unknown places.

Even if I knew exactly what they were sending, and to whom, I still could not be sure that there wasnt more information leaving my machine than met the eye. What if the time that data goes out is itself a signal? Or what if the number of bytes in each successive burst is encoding a password or other sensitive information?

In formal mathematics, you can prove that something is untrue or impossible in a universal sense. In the real world, absence of information is hard to prove unless you have complete control of what is sent, when and in what manner. Am I paranoid? No, just aware. And now, so are you.

Tell me what worries you at peter_coffee@ziffdavis.com.

Rocket Fuel