Computer Program to Find Security Holes Bedevils Some Experts

April 5, 1995 GMT

SAN JOSE, Calif. (AP) - Computer security experts could be in for a devil of a time from SATAN when its creator distributes it free on the Internet today.

SATAN is a new piece of software designed to find security gaps in computer systems and make them harder to crack, and Dan Farmer and his partner are releasing it despite fears that hackers will use it to execute break-ins.

“As far as abuse goes, I think it will actually decrease because people can make better decisions about improving their security,” Farmer said Tuesday.

SATAN, which stands for Security Administrators Tool for Analyzing Networks, lets people who run computer systems directly linked to the Internet find security holes.

While there have been similar programs, and serious hackers already are familiar with ways of breaking into computer systems, experts say SATAN is significant because it is easy enough for novices to use.

Youngsters could easily play computer pranks, on-line vandals could scramble a hospital’s medical records and white-collar criminals could steal corporate secrets, said Donn Parker, a computer security consultant with SRI International, a consulting company in Menlo Park.

“It’s like any other powerful tool: It can be used for great good and great harm,” Parker said.

Farmer, who lives in San Francisco, developed SATAN with Wietse Venema, a security expert at the University of Eindhoven in the Netherlands. They first planned to release the program on the Internet on April 1.

Then they realized that the day unofficially set aside for pranks fell on a Saturday, so they pushed the release date to April 5, Farmer’s 33rd birthday.

Parker said Farmer should have sold SATAN only to experts guarding computer systems, and he disputed the argument that SATAN will help protect against electronic intrusion.

Experts agree that the average home computer user won’t be affected, and the military’s computers holding classified information are isolated and also are not at risk.

But SATAN’s impending release has prompted government agencies and businesses to take steps against electronic intrusions.

Computer security experts at Lawrence Livermore National Laboratory near San Francisco have developed a program that alerts computer operators to SATAN attacks. The program, dubbed Courtney, sounds an alarm and identifies the computer where the intrusion originated. It also is available free on the Internet.

Hewlett-Packard Co., one of several corporations that already have tested SATAN, has warned customers about it.

Reports about SATAN led to a disagreement between Farmer, a computer security expert, and his employer, Silicon Graphics Inc. in Mountain View. Farmer quit last month over what a company vice president, Bill Kelly, described as a difference in philosophies.

“The widespread distribution of this software in this manner is not a good idea,” Kelly said.

Some security experts believe that managers of computer networks need to be more careful about security and that SATAN will force them to pay attention to weak spots.

Marcus Ranum, an engineering manager at Trusted Information Systems, a security consulting company in Glenwood, Md., said any organization that has sensitive material and is connected to the Internet should be worried about security, regardless of SATAN.

“It does happen, but those folks are like people who get in a car without fastening their seatbelt,” he said.