
Information Systems and Security (IFSM430): Papers One, Two, and Three

Paper #1: Making the Sentence Fit the Crime

Individual Paper (Sole Author): Christopher Paul

Last Update December 3, 2003

Paper #2: Quantum Cryptography

Individual Paper (Sole Author): Christopher Paul

Last Update December 3, 2003

Paper #3: Thin Client Implementation

A Group Case Study: (Collaborative Effort)

Authors: Christopher Paul, Adam Driscoll, Michael Caputi, Tarunkumar Patel

Last Update December 3, 2003

Paper #1: Should we increase the time to meet the crime or should hackers be silently put to work for our Federal Government?

Individual Paper (Sole Author): Christopher Paul

Date: December 3, 2003


        While working on my computer late at night, I receive an email from a trusted friend. I’m fully aware that one shouldn’t open any file attachments, but I trust the source and open it anyway. The email reads, “This is really cool, take a look!” I’ve been on the Internet a few years and I should be apprehensive about opening the attachment; against my better judgment, I open it anyway. The attachment has the filename “Happy99.exe.” The file extension “.exe” sends shivers down my spine. A word to the wise: don’t open any attachments with an ‘.exe’! Never, ever! The words ring in my head like a five-bar fire alarm, but I go ahead and open the file anyway. I see clusters of colors burst on the screen in a very poor simulation of fireworks. Yawn, it wasn’t very exciting if you ask me. Oh, but the party's just beginning, Mr. Paul.

        A few days later, I check into a posting forum that I frequent. The regulars in the forum are complaining about the attachment “Happy99.exe.” People are claiming it’s a self-duplicating virus. Immediately I scoot over to Symantec.com and find that it's not a hoax. “Happy99.exe” is a Trojan horse, a program created by a hacker that replicates itself by installing onto your hard drive under some other file name. “Happy99” would copy your entire email address book, and on the very next email you sent, "Happy99.exe" would mail itself to everyone in your address book. No wonder "Happy99.exe" is so happy! This particular virus was rather benign compared to the damage other viruses have done in the past. This incident was not the first, nor will it be the last. Would serving hackers with stiffer penalties through the judicial system reduce the number of viruses passed through the Internet? Would recruiting hackers into the federal government to work for the FBI or the NSA put their talents to a more productive use? Destructive talents used for productive means?

        According to MSNBC.com, on August 19, 2003, FBI and Secret Service agents searched Jeffrey Lee Parson's home and seized seven computers for analysis. Mr. Parson is currently under suspicion of being the author of the "SoBig" virus, a variant of the "MSBlaster.B" computer worm. According to officials, 7,000 computers were reported as having caught the virus. I say reported in italics to emphasize that, according to the FBI, only thirty-four percent of those infected with a virus are ever reported to authorities. Many companies never report a breach of computer security out of fear of losing their clients’ faith in their protection of personal information. Reporting a breach in security would also negatively impact the company's stock if it were a publicly traded company. This was not Mr. Parson’s first incident. Before this incident, two Internet Service Providers had denied him service for creating mischief while he was their customer. This is typical of most apprehended hackers. They have been caught numerous times. Either hackers are not reported, or if tried in a court of law, they have been let off with a “hand slap,” i.e., “You naughty boy! Don’t do that again! Whack!” This bears similarity to Sister Ellen Eberhart and her proverbial swat across the knuckles with a wooden ruler, which is not effective with the hard-core offenders.

        In a class discussion on Monday, September 15, 2003, Mr. Tate Redding, lecturer and Associate Director of the Undergraduate Program in Information Systems at the University of Maryland, Baltimore County, brought up the apprehension of Mr. Parson in my Computer Security course. What Mr. Redding added to my research was that Mr. Parson had cost industry 1.3 billion dollars in lost revenue because of his attack on targeted web sites.

        According to Tate Redding and my own research, the label "Hacker" is a rather broad paintbrush and is used by laymen to describe people who wreak havoc with computer systems. There are really two groups of hackers, plus a third group known in the computer industry as "Script Kiddies."

        Mr. Parson is not what the computer industry calls a "Hacker," but rather a "Script Kiddie." Michael Whitman and Herbert Mattord, in their book "Principles of Information Security," improperly define the typical hacker. They claim a typical hacker's profile is a teenage boy between the ages of thirteen and eighteen with limited parental supervision on the computer, who spends most of his free time surfing the Web and doing things on the computer. This definition is more fitting of a script kiddie.

        Mr. Parson is not the first of the script kiddies. For a case similar to Mr. Parson’s, Edward H. Freeman, in his article “Prosecution of Computer Virus Authors,” recalls the Melissa virus released on March 25, 1999. Melissa affected more than 100,000 users worldwide and caused an estimated $80 million in damages to U.S. businesses alone. David Smith was apprehended for releasing the Melissa virus and in 2002 appeared before Federal Judge Joseph Greenaway. Judge Greenaway sentenced Mr. Smith to twenty months of incarceration in a federal penitentiary and a $5,000 fine. In addition, he was sentenced to serve three years of supervised release, during which he could not use the Internet, computer networks, or bulletin boards unless authorized by the court.

        Here I am going to expand the definition of a script kiddie. They are usually young male teenagers between the ages of thirteen and eighteen who have only a low-level understanding of coding, if they have any understanding of coding at all. Script kiddies search through known "Hacker's Web Sites" and download programs there. The script kiddie then alters the code slightly with a high-level programming package such as Microsoft Visual Basic, assigns the program a new name, and sends it back into the wild, otherwise known as the Internet. What the script kiddie has done is take someone else's well-known virus and create a variant of that virus. The new virus is not detected by old anti-virus software because these programs usually check for a virus by its file size. By adding a few lines of code, the script kiddie has rendered the anti-virus software useless, because the old virus has a new file size and goes undetected. The script kiddie's motivation is to go out and brag about how he single-handedly crippled "x" number of computers.

        A hacker, on the other hand, is a very highly skilled computer professional with a high-level understanding of how computers work, and is usually a programmer familiar with assembler or C. Hackers understand exactly what each line of code they create is doing. It is this precise understanding of coding that separates hackers from script kiddies.

        According to Whitman and Mattord, the modern hacker is male or female, between eighteen and sixty and works within the company. According to Tate Redding and my own research, Whitman and Mattord’s definition does not take into account that some hackers operate from the inside of the company and some operate from the outside. Most times in language we have a word for every particular variant, but in this case language has not caught up to the fact that there are two variants of hackers. In order to clear the air, I will use the terms “Inside Hackers,” “Outside Hackers” and “Script Kiddies” to distinguish between the three groups.

        Outside hackers operate from outside the company and are usually trying to fulfill a political agenda. They typically attack government sites and company sites that oppose or stand in the way of their political ideologies. Outside hackers are harmful, but not as harmful as inside hackers.

        Inside hackers are the most dangerous because it may take years before their actions are discovered. Many times inside hackers are disgruntled employees who believe they have been overlooked for promotions and see most of their co-workers rise in the ranks of the company above them. They have been with the company for so long that they are usually well trusted by management, and they have a great deal of experience, which provides them with clearances that allow them greater access to the company’s computer files. Because management believes that they are loyal employees, their actions can go unnoticed for years.

        Since the advent of Graphical User Interfaces, or GUIs, and the exponential growth of the Internet, computer hacking has become an incessant nuisance. Hacking is a devastating problem to individuals, businesses, organizations, and governments around the world, costing millions of dollars in damages, lost information, work stoppages, and lost productivity. Considering that incarceration is a great loss of talent and a large economic burden, what other alternatives exist that would put hackers' talents to good use? Most hackers have been juveniles, which reduces the effectiveness of trying them in a court of law. How might this hitch be circumvented? In addition, because they are juveniles, the current method of punishing them with fines is ineffective; juveniles have no source of income. Is there another way of penalizing hackers? Publicizing hackers' apprehension elevates them to a position of stardom and infamy. Do we really need to hear all the news that is fit to print, or does printing this information glorify the antics of the hackers, thereby causing more juveniles to hack in order to get their names in the newspapers?

        The judicial penalties being served by hackers have been far too soft considering the amount of havoc they wreak. They should be dealt with in a completely different way than they are today. Hackers who have been apprehended have served at most six-year prison terms and have paid $250,000 in reparations. Computer users have lost millions of dollars in lost productivity, theft of intellectual property, physical damage, and investment in security schemes encompassing hardware, software, and strategies for protecting themselves from hackers. Instead of trying hackers through the judicial system, agencies such as the NSA and FBI could be offering these people a silent ultimatum. They could be offered two choices; one alternative would be to drop the fines altogether and simply increase the time they serve. Fines have little effect because most hackers don't have a source of income. So who's going to pay the fines? In the case of the script kiddies, the parents most likely will end up paying the fines.

        Mr. Edward H. Freeman proposes that government agencies on the federal and state level must continue to take strong actions to prevent the spread of computer viruses and to increase the penalties for such acts. Under the Computer Fraud and Abuse Law of 1984, the first such law of its kind, Mr. Freeman states that someone convicted of such a crime can be sentenced to 20 years and a fine of up to $250,000. Since that time, several more laws have been passed with stiffer penalties, such as the Patriot Act. How about 50 years minimum in jail without computer privileges? By that time the technology would have changed so much that they wouldn’t be able to exploit computer systems. Current penalties on the books are harsh, but not as harsh as this. In the worst-case scenario a hacker could be served 20 years of imprisonment. An alternative could be bringing them into the NSA and FBI, utilizing their highly skilled talents for the purpose of computer espionage and national security, with the stipulation that if the hacker ever leaks information about the secret plea bargain, they will end up serving their sentence in jail. This would put hackers’ talents to better use and would also save taxpayers money. Or would it? In addition, if one were to interview male teenagers, how many do you think know what the federal penalties are for hacking? Probably very few. If teenage boys don’t know what the penalties are, how is this going to act as a deterrent to prevent them from hacking?

        The script kiddies may be the easiest of the three groups to reprimand. Considering that they are juveniles, the court, instead of putting them into juvenile corrections, could sentence them to perform community service within the FBI or the NSA. Considering that they are juveniles, they would have to be highly supervised anyway, so watching what they do should be less of a problem, and they could also be easily monitored from another terminal. The federal government is desperately seeking computer security people and is currently offering incentives to draw such talent. The federal government is offering to pay a student’s college tuition for each year the student attends a computer security program, in exchange for one year of service in a civil service position. Considering the federal government’s need, sentencing the script kiddies to community service within the government may be a way of reducing some of the strain. This would also avoid the problem associated with a silent plea bargain.

        When sentencing the outside and inside hackers, a silent plea bargain poses the problem of violating a person’s Fifth Amendment right: a person cannot be punished without due process of law. The silent plea bargain would also violate their Sixth Amendment right, the right to a trial by jury. "As long as the human spirit is alive, there will always be hackers," said Eric Corley, aka Emmanuel Goldstein, an editor at 2600: The Hacker Quarterly. "We may have a hell of a fight on our hands if we (hackers) continue to be imprisoned and victimized for exploring, but that will do anything but stop us. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society." I agree that the punishment does not agree with the penalty. Also bear in mind the underlying mindset is that a computer is an inanimate thing; therefore, no matter what the damage, it will never be worth that of the loss of human life.

        On the other hand, what becomes a question in my mind is the usage of the word "exploring." Is this really exploring, or more a form of "electronic peeping tom" or “electronic voyeur,” peering into other people’s computers to see what they can find? If a hacker does find something interesting, what will they do with that information, considering that the hacker isn’t supposed to be there in the first place?

        Most computer-security experts have rejected Mr. Corley's reasoning. "Hacking is a felony — for good reason," said Charles C. Palmer of IBM, in Brian Hansen’s article with the CQ Weekly. "Some hackers think it's harmless if they don't do anything besides go in and look around. But if a stranger came to your house, looked through everything, touched several items, and left — after building a small, out-of-the way door to be sure he could easily enter again — would you consider that harmless?" When considering hacking from Mr. Palmer's viewpoint, hackers sound rather creepy don’t they? It could also be considered an electronic form of "breaking and entering." The only difference is that the tools used are now "high-tech."

        The other side of this argument is that apprehending the hackers assigns them a type of infamy and martyrdom, which could easily cause hackers to band together and wreak more havoc than has been done in the past. Sarah Gordon, a virus expert at IBM’s research center, was cited in Mr. Freeman’s article “Prosecution of Computer Virus Authors”; in her opinion, tougher legislation is not the solution and could do more harm than good. Ms. Gordon goes on to say, “Legal intervention shows no positive correlation with the number of viruses in the wild. Police intervention does not offer a significant deterrent, and the media should not vilify or deify these people.” Hackers have hackers’ clubs, among them the “2600,” which has readers and monthly meetings in locales, similar to unions like “The Teamsters.” They also have software programs which allow them to connect to each other, creating one huge network and therefore pooling their collective resources into, say, one huge supercomputer. This in itself has ominous implications that should be obvious.

        Attorney Jennifer Stisa Granick at the San Francisco-based Computer Security Institute’s 27th Annual Computer Security Conference and Exhibition argued that harsher sentences for hackers would not serve as a deterrent. “When people do the crime, they don’t think they’re going to get caught,” said the San Francisco–based lawyer in Dan Verton’s article, “Attorneys Debate Making Cybercrime Laws Tougher.” Considering the profile of the script kiddies, teenage boys may not even be aware of what the current laws are on hacking. The counter argument that is used by law enforcement is that ignorance of the law is no excuse for breaking the law.

        Now let us look at the arguments involved in recruiting hackers into the federal government. According to Ashby Jones of AM Law Tech, ‘Many former hackers have realized that they could cash in on their skills by teaching others how to insulate themselves from cybercrime. Many former hackers have become consultants to government agencies, banks, security firms, and law firms that are seeking to be hacker free.’ This is a far cry from directly recruiting hackers. Is this not the same as consulting reformed criminals to aid law enforcement in apprehending hackers? Looking at this from the opposing side: “Doesn’t law enforcement understand that people who break into other people’s computers, convicted or not, are breaking the law? I guess we’ll be hiring un-convicted bank robbers, rapists, and murderers as police detectives next. Certainly they know about crime and criminals,” said Peter Stephenson in his article “It’s a Strange, Strange, Strange, Strange World.” Peter Stephenson is the Director of Technology, Global Security Practice, Netigy Corp, in Redwood City, California, but his comparison of hackers to bank robbers is fundamentally flawed. Or is it?

        Hacking is a highly technical skill, while the crimes Mr. Stephenson refers to are not. Many hackers do not hack into systems for individual gain; rather, they see hacking as an intellectual exercise or a game, similar to taking on the challenge of solving a complex mathematical problem. Hacking is how hackers flex their muscles. The glory is in a successful break-in. The hacker has proven to himself that he has the wit and resources to break in. Certainly it is a bit of a stretch comparing what other criminals do for personal gain to hacking. In addition, information systems experts who are in charge of security attend hackers’ meetings, frequent hackers’ web sites and conventions, and discuss hacking with hackers in order to improve their company’s security measures. Many hackers are quite open about hacking. Some subscribe to the philosophy, “I’m a nice guy even though I’m a hacker. I’m performing a service by indicating where your security leaks exist. Once I’m in, I could do something malicious, but I don’t, because I’m one of the good guys.”

        On the other hand, recruiting hackers into the federal government could also be argued to be similar to putting the fox in charge of the hen house. As employees, could they really be trusted, especially in organizations such as the FBI and the NSA where everything is on a “need to know” basis? The answer is probably not. Therefore, there would be a need for software programs that analyze and record their every keystroke, and for a high-level supervisor monitoring them at all times, watching for breaches in security. In the economic long run, we may be better off leaving hackers on the outside and utilizing their talents on a consulting basis, as so many hackers have already done.

        Michael E. Whitman, author of “Principles of Information Security,” claims that deterrence is the best method for preventing illegal activity and that three conditions must be present: “The first condition is the person desiring to commit the act must fear the penalty. Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.” Only in a few rare cases, such as Kevin Mitnick, did the assailant receive a harsh penalty. Kevin’s sentence was sixty-eight months in jail and three years of probation; his access to computers and his employment in the computer industry were severely restricted; $4,125 in fines were paid; and Kevin agreed that any profits he made on films or books based on his criminal activity would be assigned to the victims of his crimes for a period of seven years following his release from prison. Mr. Mitnick pleaded guilty to a grand total of 68 counts of intercepting wire communications, wire fraud, and computer fraud, according to United States Attorney Alejandro N. Mayorkas. Kevin Mitnick was given many warnings by various organizations, he was an adult, and he was tried as an adult. Even so, Kevin was not given a maximum sentence.

        Mr. Whitman’s second condition is that the assailant has to know that there is a strong possibility of being caught. Hackers are fully aware that this possibility does not exist unless they make mistakes in covering their electronic tracks. It takes a joint effort between government agencies and private businesses in the computer industry to trace hackers down, and it’s not at all easy. Adding to the complexity of the problem, Internet Service Providers, or ISPs, are not necessarily forthcoming with IP address information on suspected culprits. They will go to great lengths to protect the privacy of their clients. An ISP will not release the information without a court injunction, which may take months to get. By the time law enforcement officials do get the injunction, the hacker more than likely has moved on to another service provider. What also compounds the problem of tracing hackers is that many ISPs mail out free thirty-day trials to promote their services. A hacker can use this to his advantage by using the trial account to do his dirty work, cancelling the subscription, and moving on, which compounds the problem of tracing.

        The third condition Mr. Whitman asserts is that an individual must believe that the penalty is severe, that they will get caught, and that they will actually receive the penalty. The problem here is not that the penalties on the books are not severe enough; rather, because most offenders are juveniles with no other convictions, judges assume that this one incident will cause the offender to think twice about their actions in the future. The judges therefore assume that just having to appear in court is enough to scare them, so they serve the hacker with a light sentence. Furthermore, because ISPs are usually the first ones to see the abuses, they usually give the hacker a warning. The hacker discontinues his contract with the ISP and moves on to another provider. Therefore, there can be numerous incidents that go on without being reported, which makes the job of apprehension even more difficult. Those who have been apprehended, once they have served their sentences, emerge back into public life and are sought after as computer consultants in the field of security, thereby handing them fame and fortune.

        In summary, neither of my proposed alternatives is a viable solution to the problem of dealing with hackers. The only realistic solution is an improvement in security. Improving computer security may require a consortium of the federal government working in conjunction with the private sector. Both would have to utilize the same software tools the hackers use to breach a system in order to determine where the security holes exist and effect repairs to their systems. In addition, top-level management, whether in the federal government or in the private sector, would have to champion the cause in order for security procedures, policies, and physical fixes to have the net required effect of securing computer systems. After all, computer security isn’t just hardware and software; it’s people management too.


Works Cited:

Corley, Eric. Editor. 2600: The Hacker Quarterly. 5 Sept. 2003. http://www.2600.com

Freeman, Edward H. “Prosecution of Computer Virus Authors.” Information Systems Security. Vol. 12, Issue 1. Mar/Apr 2003. p5, 5p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=9147465&db=aph

Hansen, Brian. "Early Hackers Wanted to Advance Technology, Not Diminish it." CQ Weekly. Vol. 60, Issue 26. 29 June, 2002. P1768, 2p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6943653&db=aph

Jones, Ashby, "Hackers to the Rescue." Am Law Tech. Jun 2001. P10, 2p, 1c. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6593324&db=aph

Parson, Lee. Interview with Eric Ortner. “I’m not the one they need to get.” NBC Today Show. NBC. 2 Sept. 2003. Msnbc.com. 2 Sept. 2003. 4 Sept. 2003. http://www.msnbc.com/news/960377.asp?0cv=CB10

Stephenson, Peter. "It's a Strange, Strange, Strange, Strange, Strange World." Information Systems Security. Vol. 9 Issue 5. Nov./Dec. 2000. P5, 6p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3736365&db=aph

Verton, Dan. "Attorneys Debate Making Cybercrime Laws Tougher." Computerworld. Vol. 34, Issue 47. 20 Nov. 2000. p16, 1/3p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3925229&db=aph


Works Consulted:

2600: The Hacker Quarterly. 5 Sept. 2003. http://www.2600.com

Bakst, Brian. "Accused Web Attacker Under House Arrest." Washingtonpost.com. The Associated Press. 30 Aug. 2003. 4 Sept. 2003. http://www.washingtonpost.com/wp-dyn/articles/A3440-2003Aug30.html

Hulme, George V. "Antiterrorism Law Targets Hacker Around the World." InformationWeek. Issue 866. 3 Dec. 2001. p22, 1/2p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=5616621&db=aph

Mayorkas, Alejandro N., and Thom Mrozek. "Kevin Mitnick Sentenced to Nearly Four Years in Prison; Computer Hacker Ordered to Pay Restitution to Victim Companies Whose Systems Were Compromised." U.S. Department of Justice, United States Attorney's Office, Central District of California. 9 Aug. 1999. 4 Sept. 2003. http://usdoj.gov/criminal/cybercrime/mitnick.htm


Paper #2: Quantum Cryptography

Individual Paper (Sole Author): Christopher Paul

Date: December 3, 2003


        Quantum cryptography is a science which combines quantum computing, cryptography, and the laws of physics. This combination of technologies allows for quantum encryption, which has the ability to create unbreakable codes that make use of the laws of physics (Hackers Beware). Quantum cryptography is providing new methods by which cryptographers have the ability to create unique and indestructible coding algorithms, which in turn will make for completely secure data transmission and communications.

        Quantum computing uses a computer “in which data can be stored in a network of quantum mechanical two-level systems, such as spin-1/2 particles or two level atoms” (Los Alamos). Ordinary computing uses data registers that are always in either a state of 0 or a state of 1. Quantum computing allows the registers, called qubits, to be in an undetermined superposition of 0 and 1. Calculations must be performed with a variety of two-level systems in such a manner that logical operations can act on the different qubits. The result is then realized by a measurement of quantum mechanical probability amplitudes at the end of the calculations (Los Alamos). Peter Shor has developed an algorithm (Shor’s algorithm) that determines the prime factors of large composite numbers efficiently, which in turn has made remarkable applications possible.

        Cryptography is within “the realm of knowledge that deals with creating methods to assure that a message is secretly sent and received” (Information Security, 326). Algorithms and keys are used in cryptography and allow for the creation of a document and the transmission of that document in a form that only the sender and receiver are hopefully able to view. The word hopefully is used because it is assumed that only the sender and recipient have the key or algorithm to decrypt the message. The algorithm is “a mathematical formula used to convert an unencrypted message into an encrypted message” (Information Security, 297), and the key “can be a series of bits used in a mathematical algorithm, or can be the knowledge of how to manipulate the plaintext” (Information Security, 297).

        The combination of the principles of quantum computing, cryptography, and the laws of physics results in quantum cryptography. The security feature comes from the fact that each qubit of information is transported by a single photon, and each time the photon is viewed it is altered, which gives the recipient the ability to detect any and all eavesdropping that may have occurred (Quantum Cryptography). “The foundation of quantum cryptography lies within the Heisenberg uncertainty principle. Heisenberg uncertainty principle states that certain pairs of physical properties are related in such a way that measuring one property prevents the observer from simultaneously knowing the value of the other” (Quantum Cryptography). According to quantum theory, light waves are propagated as discrete particles known as photons. Quantum cryptography works with the polarization of photons as they pass through a number of filters, the orientation they are in as they pass through the filters, and the keys used to decipher them. The first filter to be passed through will randomize the measurements of the second. The polarization of a photon and the choice of what direction it passes through the first filter affect all subsequent measurements. The angle of the second filter will determine the probability that the photon will be able to pass through it: the closer the angle is to vertical, the greater the probability, and the closer to horizontal, the lower the probability. Figure 1 shows the polarization by a filter (Quantum Cryptography).


Figure 1: Polarization by a Filter

Unpolarized light enters a vertically aligned filter, which absorbs some of the light and polarizes the remainder in the vertical direction. A second filter tilted at some angle, absorbs some of the polarized light and transmits the rest, giving it a new polarization.

Courtesy of "Quantum Cryptography" by Charles H. Bennett, Gilles Brassard, and Artur K. Ekert, http://www.cyberbeach.net/~jdwyer/quantum_crypto/quantum2.htm

A photon detector determines information about the photon’s polarization and is used to tell if it has passed through a filter (Quantum Cryptography). As a photon goes through the filter, the photon’s polarization changes. This is the security feature that enables the sender and receiver to detect any eavesdropping.


        The problem quantum encryption solves is the distribution of keys. Users can propose a key by transmitting randomly polarized photons. Performing this operation generates a sequence of numbers, a process known as quantum key distribution. If an eavesdropper intercepts the key, it can be discarded and another one sent, repeating until a key arrives uncompromised. Once an uncompromised key is received, it can be used to encrypt a message, which in turn can be transmitted by the means we use today, such as email, telephone, or even the U.S. mail (Quantum Cryptography).

        An attack that quantum cryptography cannot resolve is the man-in-the-middle attack. When the attacker intercepts a message and replies to the sender as the receiver and to the receiver as the sender, neither the sender nor the receiver may be aware that the message has been compromised. The attacker now holds one key shared with the sender and another shared with the recipient, and can use these two keys to reconstruct the entire key, which would allow the attacker to see the contents of each message exchanged. Another problem with a quantum exchange is that the sender and receiver cannot differentiate eavesdropping from noise. Someone may attribute discrepancies to noise while actually allowing an attacker to eavesdrop in the process (Quantum Cryptography).

        Current technology associated with quantum cryptography has only allowed for transmission of data to a distance of sixty-seven kilometers. It is expected that a reach of about one hundred kilometers can be obtained by the beginning of 2004 (Future Secure). As distances approach eighty kilometers, the arrival of photons is not guaranteed. Ideas such as using devices similar to telephone repeaters have been discussed, but such a device would only boost the signal without actually measuring it. Satellite transmission is a possibility, but only once scientists figure out how to send the transmission through open air (Quantum Cryptography). The first cryptographic protocol paper to be published defining the key distribution problem, “Quantum Cryptography: Public Key Distribution”, is referred to as BB84 after its authors Charles Bennett and Gilles Brassard; it describes an unconditionally secure quantum key distribution system, as shown in Figure 2 (Quantum Cryptography).


Figure 2: An Illustration of Quantum Key Distribution

A quantum cryptography system allows two people, say Alice and Bob, to exchange a secret key. Alice uses a transmitter to send photons in one of four polarizations: 0, 45, 90 or 135 degrees. Bob uses a receiver to measure each polarization in either the rectilinear basis (0 and 90) or the diagonal basis (45 and 135); according to the laws of quantum mechanics he cannot simultaneously make both measurements. The key distribution requires several steps.

Step 1: Alice sends photons with one of the four polarizations, which she chooses at random.

Step 2: For each photon, Bob chooses at random the type of measurement: either the rectilinear type (+) or the diagonal type (X).

Step 3: Bob records the result of his measurements but keeps it a secret.

Step 4: After the transmission, Bob tells Alice the measurement types he used (but not his results) and Alice tells him which were correct for the photons she sent. This exchange may be overheard.

Step 5: Alice and Bob keep all cases in which Bob should have measured the correct polarization. These cases are then translated into bits (0's and 1's) to define the key.

Step 6: As a check, Alice and Bob choose some bits at random to reveal. If they agree, they can use the remaining bits with assurance that they have not been intercepted. But if they find a substantial number of discrepancies, it indicates unavoidable tampering due to eavesdropping, and they should start over to transmit another key.

Courtesy of "Quantum Cryptography" by Charles H. Bennett, Gilles Brassard, and Artur K. Ekert, http://www.cyberbeach.net/~jdwyer/quantum_crypto/quantum1.htm
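The steps in Figure 2 can be followed in a classical simulation. The program below is an added example, not part of the original paper or of the Bennett-Brassard article: photons are modelled as (bit, basis) pairs, a filter in the wrong basis returns a coin flip and re-polarizes the photon, and an optional intercept-resend eavesdropper is included so the check in the final step can be seen to catch her. The 11% abort threshold and the fraction of bits revealed are assumptions chosen for the example.

```python
"""Classical simulation of the BB84 key-distribution steps shown in Figure 2.

Added example, not from the original paper. The rectilinear basis "+" holds
the 0/90 degree polarizations and the diagonal basis "x" holds 45/135.
A filter in the wrong basis gives a random reading and re-polarizes the
photon, which is what lets Alice and Bob detect an intercept-resend
eavesdropper in the final check step.
"""
import random

RECTILINEAR = "+"  # 0 or 90 degrees encode bit 0 or 1
DIAGONAL = "x"     # 45 or 135 degrees encode bit 0 or 1
BASES = (RECTILINEAR, DIAGONAL)


def pass_through_filter(bit, photon_basis, filter_basis, rng):
    """Model one photon meeting one filter.

    Matching basis: the bit is read correctly and the photon is unchanged.
    Mismatched basis: the reading is a coin flip and the photon leaves the
    filter re-polarized in the filter's basis (measurement disturbs it).
    Returns (measured_bit, basis_of_outgoing_photon).
    """
    if photon_basis == filter_basis:
        return bit, photon_basis
    return rng.randrange(2), filter_basis


def run_bb84(n_photons, rng, eavesdrop=False, check_fraction=0.25, abort_qber=0.11):
    """Run the six steps of Figure 2 and return the outcome as a dict."""
    # Step 1: Alice picks a random bit and a random basis for each photon.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    # Step 2: Bob picks a random measurement type for each photon.
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    # Step 3: Bob measures each photon and records the result privately.
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and forwards a
            # photon polarized according to what she saw (assumed attacker model).
            bit, basis = pass_through_filter(bit, basis, rng.choice(BASES), rng)
        measured, _ = pass_through_filter(bit, basis, bob_basis, rng)
        bob_bits.append(measured)

    # Steps 4-5: bases are compared publicly; only matching positions are kept.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    sifted_alice = [alice_bits[i] for i in keep]
    sifted_bob = [bob_bits[i] for i in keep]
    if not sifted_alice:
        return {"qber": None, "aborted": True, "alice_key": [], "bob_key": []}

    # Step 6: reveal a random sample of the sifted bits and compare them.
    n_check = max(1, int(len(keep) * check_fraction))
    revealed = set(rng.sample(range(len(keep)), n_check))
    errors = sum(1 for i in revealed if sifted_alice[i] != sifted_bob[i])
    qber = errors / n_check  # quantum bit error rate on the revealed sample
    remaining = [i for i in range(len(keep)) if i not in revealed]
    return {
        "qber": qber,
        "aborted": qber > abort_qber,  # too many discrepancies: start over
        "alice_key": [sifted_alice[i] for i in remaining],
        "bob_key": [sifted_bob[i] for i in remaining],
    }


if __name__ == "__main__":
    for eve in (False, True):
        result = run_bb84(2000, random.Random(7), eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {result['qber']:.2%}, "
              f"aborted={result['aborted']}, key bits={len(result['alice_key'])}")
```

Without an eavesdropper the revealed bits agree exactly; with intercept-resend roughly a quarter of them disagree, which is the "substantial number of discrepancies" the figure's last step refers to.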

        The tools that make quantum key distribution feasible are equipment to create single photons and equipment to detect them (Quantum Cryptography). Northwestern University is currently attempting to use quantum cryptography to create unbreakable quantum codes for the data itself. Tests have transferred data at speeds up to 250 megabits per second, but Northwestern promises that within five years the speed will reach 2.5 gigabits per second (Hackers Beware). Quantum key distribution has not yet become popular because “the current method for key distribution is good enough for most enterprises … there's not a lot of organizations that can afford to put in private fiber optic, and then protect that private optic” (Future Secure).


        Quantum cryptography is a science that is still maturing and will continue to grow with its supporting technologies. One day it may become the standard in the encryption field. The development of quantum cryptography is growing at exponential speed and is working towards providing the most secure and tamper-proof transmissions to date.


Works Cited:

Fonseca, Brian. “Future Secure.” InfoWorld Vol 25.2 (Jan. 13 2003): 1-6. http://search.epnet.com/direct.asp?an=8874788&db=aph

James, Daniel. "Quantum Computing." T-4 at Los Alamos National Laboratory. 12 Oct. 2003. http://www.t4.lanl.gov/dfvj/quantumcomp.html

Johnson, R. Colin. "Hackers Beware: Quantum Encryption is Coming." Electronic Engineering Times. 12 Nov. 2002. 12 Oct. 2003. http://www.eetimes.com/story/OEG20021111S0036

Vittorio, Salvatore. "Quantum Cryptography: Privacy Through Uncertainty." Cambridge Scientific Abstracts. 12 Oct. 2003. http://www.csa.com/hottopics/crypt/overview.html

Whitman, Michael E., and Mattord, Herbert J. Principles of Information Security. Boston, MA: Thomson Course Technology, 2003.


Paper #3: Thin Client Implementation: A Group Case Study

Authors: Christopher Paul, Adam Driscoll, Michael Caputi, Tarunkumar Patel

Date: December 3, 2003



What Is a Thin Client and What Are Its Benefits?

        In thin client/server computing, the application is executed on the server and displayed on the client's system. This means that a thin client terminal only has to have sufficient power to render the display of the user session. This includes popular applications such as Microsoft Office, WordPerfect, Lotus Notes, Netscape and other applications using the familiar GUI from Microsoft Windows and Windows NT (Greenberg, 8). The user applications therefore run on a powerful centralized server that accesses the centralized data stores. These applications are designed to run on multi-user systems. They allow users to access applications and data from PC's or thin client terminals with software that provides a virtual desktop.

        There are several benefits to thin client computing. Users have the ability to access any application from any device, anywhere, over any connection. Once users log onto the network with their unique identifier and password, they are connected to the server and can access the applications they have been given permission to use. This eases the processing burden on the user's CPU since everything is located on the server.

        The use of thin clients enhances remote connections. Thin clients reduce the data transmission lags inherent to remotely connected users and enable centralized control of WAN, LAN, and remote access. This helps to centralize maintenance and the control functions of the system. All maintenance is done remotely, so maintenance on local PC’s is eliminated. Another benefit of thin clients is a reduction in energy consumption. "Reduced power consumption directly lowers energy costs and indirectly lowers cooling requirements" (Newburn, 4). All of this dramatically cuts operating costs and saves time in maintenance.

        Thin client will significantly decrease the number of system failures, as the Mean Time Between Failures (MTBF) is significantly longer (Harvard Group, 12). This added reliability stems from a few hardware and software factors. The first is the elimination of moving parts, which are the most likely to fail, and the elimination of complex operating systems (Harvard Group, 12). There will be no RAM to add or applications to upgrade on the desktop because everything is on the server. If someone were to upgrade the processor or put more RAM in the server, all users of the system would get a performance boost (Howard, 168). If something were to go wrong with a thin client, within minutes one could have it up and running smoothly again.


Security Issues

        In this day and age, one of the most important things about a network is how secure it is. Thin clients by design are more secure. There are several security benefits that go along with the implementation of thin clients. The first is a reduced threat from viruses, because there is no floppy or CD-ROM drive from which to install malicious software. The lack of floppy and CD-ROM drives also prevents the use of User ID/Password cracking software. Anti-viral software only has to be updated on the server, which means every computer on the network will have the updated version of the software. This leads to a reduced threat of viruses sneaking into the system.

        The next benefit is the elimination of local hard drives on the terminals. By eliminating the local hard drive, the user has no document storage ability on the local device, thereby ensuring proper access control and backup. There are also no temporary files to worry about: well-written applications delete their temporary files, but when such files do exist, knowledgeable hackers can access them easily. If the files are not there, there is nothing to access. If the user has no storage on the terminal and no access to any files, there is a reduced risk of inappropriate access to confidential data.

        Another security benefit is that it is literally impossible to interrupt an application session and resume that same session from an entirely different physical location on another client. The interrupted session will resume in exactly the same place with the same data on the screen. The thin client’s screen will display the results of application processing that happens at the central site, therefore physical location is irrelevant. This is particularly significant because a majority of security breaches in the past have been through web browsers and servers.

        Thin client at first looks like a return to mainframe systems, and it does have some of the same security benefits, but it also creates new opportunities for security breaches. The flexibility to access any application from any device, anywhere, and over any connection creates tremendous problems in maintaining the security of the network infrastructure. Most thin clients require multiple ports to be open on the corporate firewall to allow remote access to the application server. Liberal firewall rules are required to allow mobile users access from any source IP address. This provides Internet hackers an open door into the protected network, thereby creating a security risk.

        Thin client solutions are designed with universal access and ease of use functionality (V-One, 3). It is the ease of use that creates a nightmare for the information systems security team. It becomes necessary for additional measures to be taken to ensure strong authentication procedures, data encryption, and access control schemes to protect the enterprise's applications and data services (V-One, 3).

        Thin client also adds some new security risks. The first risk associated with thin client is that everything revolves around one central processing point. This means that if this one central point is exposed, the entire network is vulnerable. Physical security is a further problem. Since everything is in one location, it becomes easier to steal or vandalize the central point.

        The next security risk is email. Even though thin clients do not have CD-ROM or floppy drives, they are still vulnerable to viruses. "E-mail security must be addressed through the overall IT strategy and still remains a potential leak for confidential data" (Newburn, 8). Thin client helps to reduce the introduction of a virus, but the system should still have some type of anti-viral software. Another option would be to have the e-mail server prevent all file attachments from being opened. "E-mail security will have to be addressed through current means. The current rules of not opening attachments or just securing the email so attachments cannot be accepted will go a long way in securing email” (Newburn, 8).

        Another area that thin client does not cover is the securing of cookies and the local memory or cache of recently accessed web pages. These must be removed; otherwise the user could become a victim, and if that occurs the entire system could come under attack. ID’s and passwords are an additional area that is not covered by thin client technology. Unauthorized users can gain access through terminals with authorized ID’s and passwords. This can be avoided by implementing security policies or one of various biometric technologies to verify the user. An example of enforcing security policy would be instructing users not to leave their user name and password out in the open for anyone to steal.

        The last drawback of thin client security is wireless devices. If a thin client is connected by wireless transmission, in other words by a portable laptop or PDA, it would be a minor challenge for someone with knowledge and suitable hardware, such as a wireless protocol analyzer or a laptop equipped with a wireless access card, to intercept vital transmissions. A person could sniff or capture the network traffic for confidential data that is only supposed to be viewed by authorized users. Most wireless products conform to the 802.11b standard and also offer an optional encryption technology known as Wired Equivalent Privacy (WEP). This encryption must be specifically turned on and is not part of the default setup of the system. The problem is that WEP is not entirely secure, as it was publicly cracked in 2001 (Cirrota).

        There are solutions available for most of these problems. It’s impossible to have a network that is one hundred percent secure; if hackers have enough time, resources, and skill they will find a way into the system. The first solution would be to have a major server vendor provide high reliability and fail-over options in their current product lines. The more money one spends, the more secure one's server will be.

        A solution to eliminate the web browser cache problem would be to set the web browser preferences so that no local cookies are stored. A simpler solution is to use server-based browsers that do not have this inherent flaw. If you feel that this is not the best way to go, there is another option. One could use a software program such as "StayOnline" by stayonline.com that explicitly flushes data from memory-resident cache and will also purge instant messenger-style buddy lists to enhance security.

        Physical security is another problem that must be dealt with for thin client architecture. Security guards should be utilized rather than relying on technology alone. Technology may be less expensive, but it is not completely fool-proof, as technology is a reactive solution while guards are pro-active. Also, in a genuine emergency a human guard can assess the situation and, if necessary, be the last person to leave. Doors may be secured with biometrics in order to allow only authorized personnel into the computer room, and fail-safe doors would have to be employed so that anyone who may be in the computer room is able to get out in a genuine emergency. Firewalls must also be constructed on all four sides of the computer room to prevent entrance through the plenum of the building.

        Iris scanners use a hardware device that scans the user's eye with regular light and compares the iris color footprint to the scan currently on file. If there is a match, the user is given access. Iris color is unique to every individual, and the technology is quite inexpensive at this time due to the falling costs of hardware. The only current way to circumvent an iris scan is to somehow get to the server and alter the iris scan database. One drawback is that iris scanners are rather physically intrusive to users, because a person has to set their eye up to a device that performs the scan.

        Thumbprint scanners are less obtrusive for users, and there is also less objection by users to using them. The user places their thumb on the scanner and the image is compared to the scan on file. A drawback is the manufacture of plastic thumbs bearing the prints of a user, more than likely the CEO. The other possibilities for breaching the system are cutting the person's thumb off, or again altering the database where the thumbprint data is stored.

        One solution to the wireless security problem is encryption. The inherent problem with encryption technology is that it is computationally intensive. It requires a large number of processor cycles to encrypt data, which ties up the processor. The ICA protocol embedded on most thin client devices can encrypt data streams without any noticeable impact on performance because the underlying protocol places minimal requirements on the device (Harvard Computing Group, 14-15). The Wired Equivalent Privacy protocol, the encryption component of the IEEE 802.11b wireless networking standard, may not necessarily be strong enough, and it should not be the exclusive means of protection when data confidentiality is a primary concern, for example in a hospital when working with patients' medical records (Cirrota).


Examples of Implementation

        Thin client architecture can be highly advantageous for some applications. A few settings where thin client is well suited are staffing call centers, hospitals, insurance agencies, airline reservation centers, hotel front desks, and data keying centers. These applications are well suited for thin client implementation because they require secure systems, there is no special need for stand-alone computers, thin clients decrease the amount of time spent on maintenance, they save money in the long run, and many users may log on at once.

        An excellent application that would lend itself to thin client architecture would be the Albin O. Kuhn Library on the UMBC campus. Thin client would be most suitable on the first floor of the library, where networked PC’s are currently being used. Students who use these computers most often use Word, Excel, PowerPoint, and the Internet, all of which are applications that do not require high quality graphics in order to run. This is important because the terminal monitors can only be set to display 256 colors when using thin client technology.

        Increased security would be the other reason for implementing a thin client system at the UMBC library. There would be no CD-ROM or floppy drives, so students would not be able to introduce a virus into the system. Students would not be able to add external software or files which could contain some type of malicious code, leaving the entire system vulnerable. The drawback of not having any drives is that this may remove some usability. Those requiring the ability to access files from CD’s or floppies could utilize the stand alone computers within the basement of the UMBC library (Howard).

        If the systems that currently exist are left in place, hackers could use the UMBC network to their benefit. Hackers could use the UMBC PC’s to target systems on the Internet. If the targeted company attempted to track down the hacker, they would find UMBC as the source network at the end of the trail. This could expose UMBC to several sources of litigation.

        An ongoing issue at UMBC is a lack of computers during prime time, 10am-4pm. Many times, students are standing around waiting for a computer to become available. If UMBC were to implement thin client technology, more terminals could be purchased at a lower cost, thereby making more computers available. Thin clients are much smaller and have the potential to be much faster.

        An exemplary model of thin client being utilized in a school computer lab is the Evesham School District in Marlton, NJ. Evesham has been contemplating the idea of implementing thin client technology for two years and recently tested the speed of a computer with a 486 processor connected to a thin client server against the Pentium III PC’s that it currently uses. The computer with the 486 processor ran faster than the Pentium III’s, showing that thin client can run faster with the right server (DiMattia).

        In the long run it would be more cost effective to implement thin client architecture at UMBC. The total cost of ownership, which is the total cost of owning the system, could be lowered by twenty percent (Howard). This includes the cost of buying the terminals, the server, and especially the maintenance of the system. It would be incredibly easy to update software and manage the system, and fewer employees would need to be staffed to help maintain thin client technology. An additional benefit to employing this architecture is that if one of the user terminals breaks down, it is incredibly easy and cheap to replace.

        Overall, thin client technology seems to be what the future holds for client/server networks. With all their benefits of security, maintenance, reliability, and cost effectiveness, thin clients will be an excellent option for universities, hospitals, and all types of businesses.


Works Cited:

Cirrota, Darrel. "Wireless Security Workshop." Systems Source Corporation, Hunt Valley, MD. UMBC IFSM Council of Majors. Baltimore, MD. 12 Nov. 2003.

DiMattia, Thomas. Interview on 26 Nov. 2003.

Greenberg, Steve. "What is Thin Client Computing?" Thin Client Computing. 2000. Accessed 24 Nov. 2003. http://www.thinclient.net

Howard, Bill. “Thin is Back.” PC Magazine. Vol. 19, Issue 7, p168. 04 April 2000.

Posey, Brian. “Thin Client Security.” Microsoft Exchange. June 16, 2003. Accessed 29 Nov. 2003. http://msd2d.com/newsletter_tip.aspx?section=Server&id=fa48ea72-1c75-4f6c-b0bb-8b50567178a4

"Security and Desktop Client Architectures: The road ahead." The Harvard Computing Group. 2002. Accessed 24 Nov. 2003. http://wp.bitpipe.com/resourse/org_996207416_636/harvad.pdf

"Smart Security for Thin Client Computing." V-One Corporation. Feb. 2002. Accessed 24 Nov. 2003. http://www.v-one.com

White, Andrew C. “Toasting the Thin Client as a Viable Solution to Public Web Access.” Computers in Libraries. Vol. 18, Issue 10, p. 20-26. Nov/Dec. 1998.


The Integral Worm • Christopher Paul • Independent Senior Technical Writer/Editor
