BKTRMCMP.RVW 931002 Inter.Pact Press 11511 Pine St. N. Seminole, FL 34642 813-393-6600 fax: 813-393-6361 "Terminal Compromise", Schwartau, 1991, 0-962087000-5, U$19.95/C$24.95 wschwartau@mcimail.com p00506@psi.com "Terminal Compromise" was first published in 1991, and was enthusiastically promoted by some among the security community as the first fictional work to deal realistically with many aspects of data communications and security. Although still available in that form, recently is has been "re-issued" in a softcopy "shareware" version on the net. (It is available for ftp at such sites as ftp.uu.net, ftp.netsys.com, soda.berkeley.edu and wuarchive.wustl.edu. Use archie to look for TERMCOMP.) Some new material has been added, and some of the original sections updated. Again, it has been lauded in postings on security related newsgroups and distribution lists. Some of you may be old enough to recall that the characters current in "Outland" sprang from a previous Berke Breathed cartoon strip called "Bloom County". Opus, at one point, held the post of movie reviewer for the "Bloom County Picayune". I remember that one of his reviews started out, "This movie is bad, really bad, abominably bad, bad, bad, bad!" He considers this for a moment, and then adds, "Well, maybe not *that* bad, but Lord! it wasn't good!" A fairly large audience will probably enjoy it, if such trivialities as language, characterization and plot can be ignored. For once the "nerds" don't get beat on; indeed, they are the heroes (maybe). The use of computers is much more realistic than in most such works, and many ideas that should have greater currency are presented. The book will also appeal to paranoiacs, especially those who believe the US federal government is out to get them. Consistency is the hobgoblin of little minds -- but it does make for a smoother "read". "Terminal Compromise" would benefit from a run through a style checker ... and a grammar checker ... and a spelling checker. Constructions such as "which was to be the hypocenter of the blast if the Enola Gay hadn't missed its target" and "National Bureau of Standards which sets standards" are understandable, although awkward. In other places it appears words might be missing, and you have to read over sentences several times to puzzle out the meaning. (The softcopy/shareware version comes off a little worse here, with fragments of formatting codes left in the text.) On second thought, forget the spelling checker. Most of the words are spelled correctly: they are simply *used* incorrectly. A reference to an "itinerant professional" has nothing to do with travelling. (Maybe he meant "consummate": I couldn't think of a synonym starting with "i".) The "heroine" trade was probably intended to refer to white powder rather than white slavery. There are two automobile "wreak"s. "Umbrage" is used twice. An obscure seventeenth century usage did once refer to shelter given by islands to a harbour, but it's stretching the language a bit to make it refer to a covering for the naughty bits. Umbrage usually refers to offence, suspicion, doubt or rage, as in "I take umbrage at what I suspect is a doubtful use of the language". Characterization? There isn't any. The major characters are all supposed to be in their forties: they all, including the President of the United States, speak like unimaginative teenage boys whose vocabulary contains no adjectives other than obscenities. This makes it difficult at times to follow the dialogue, since there are no distinctives between speakers. (The one exception is the president of a software firm who makes a successful, although surprising, translation from "beard" to "suit", and is in the midst of the most moving and forceful speech in the book, dealing with our relationship to computers, when the author has him assassinated.) The book is particularly hard on women. There are no significant female characters. None. In the initial introduction and background of the hero there is no mention of a significant other. It is something of a shock later to discover he is married, then that he is divorced. Almost all of the females are simply bedroom furniture. The portrayals remind one of the descriptions in "Don Quixote" of women "so gay, striking and beautiful that the sight of her impressed them all; so vividly that, if they had not already seen [the others], they would have doubted whether she had her match for beauty". Which raises another point. All of the hackers, except some of the Amsterdam crew, are fit, athletic and extremely attractive to the female of the species. Even among the I-Hack crowd, while there may be some certifiable lunatics, nobody is unkempt or unclean. These urbane sophisticates drink "Glen Fetitch" and "Chevas" while lounging in "Louis Boston" suits on "elegant ... PVC furniture". Given that the hackers save the day (and ignoring, for the moment, that they caused the trouble in the first place) there seems to be more than a touch of wish fulfillment involved. (Schwartau tries to reiterate the "hackers aren't evil" point at every opportunity. However, he throws away opportunities to make any distinctions between different types of activities. Although the different terms of phreaks, hackers and crackers are sprinkled throughout the story they are not well defined as used by the online community. At one point the statement is made that "cracking is taking the machine to its limit". There is no indication of the divisions between phreaks, hackers and crackers within their various specialties, nor the utter disdain that all three have for virus writers. Cliff Stoll's "Hanover (sic) Hacker", Markus Hess, is described as a "well positioned and seemingly upstanding individual". This doesn't jibe with Stoll's own description of a "round faced, slightly overweight ... balding ... chain smoking" individual who was "never a central figure" with the Chaos Computer Club, and who, with a drug addict and a fast buck artist for partners "knew that he'd screwed up and was squirming to escape".) What little character is built during the story is unsteady. The author seems unable to decide whether the chief computer genius is one of the good guys or the bad. At times he is mercenary and self-centred; at others he is poetic, eloquent and visionary; in yet other scenes he is mentally unbalanced. (He also appropriates the persona and handle of another hacker. We are never told why, nor are we ever informed of what happened to the original.) Following the characters isn't made any easier by the inconsistency of naming: in the space of five paragraphs we find that our hero, Scott Byron Mason (maybe) is the son of Marie Elizabeth Mason and Louis Horace Mason. Or possibly Evelyn Mason and Horace Stipton Mason. The main academic studying viral programs is Dr. Les (or Arnold) Brown (or Sternman) who is a professor at Sheffield (or MIT). (Interestingly, there is an obvious attempt to correct this in the later "softcopy" version of the book. At times the "corrections" make the problem worse.) For a "thriller", there is very little tension in the story. The unveiling of the plot takes place on a regular step by step basis. There is never any hint that the hero is in the slightest personal danger: the worst that happens is that one of his stories is quashed. Indeed, at the end of the book the computer attacks seem basically all to have succeeded, credit card companies are bankrupt, banks are in a mess, airlines are restricted, phone systems are unreliable and the bad guys are in charge. Yet our heroes end up rich and happy on an island in the sun. The author seems to be constantly sounding the alarm over the possibility of this disaster, but is unwilling, himself, to face the tremendous personal suffering that would be generated. Leaving literary values aside, let us examine the technical contents. The data security literate will find here a lot of accurate information. Much of the material is based on undisputed fact; much of the rest brings to light some important controversies. We are presented with a thinly disguised "Windows", a thinly disguised Fred Cohen (maybe two?), a severely twisted Electronic Freedom Foundation and a heavily mutated John Markoff. However, we are also presented with a great deal of speculation, fabrication and technical improbabilities. For the technically adept this would be automatically disregarded. For the masses, however (and this book seems to see itself in an educational light), dividing the wheat from the chaff would be difficult if not impossible. As with names, the author appears to have problems with the consistency of numbers. In the same paragraph, the softcopy version has the same number quoted as "over 5000", "almost 5000" and "three thousand". (It appears to have been "corrected" or updated from the original version without reading the context). A calculation of the number of hackers seems to be based upon numbers pulled out of the air, and a computer population an order of magnitude larger than really exists. The "network", seemingly referring to the Internet, has a population two orders of magnitude too large. Four million legal copies, with an equal number of pirate copies, of a virus infected program apparently result in only "between 1 and 5 million" infections. (I *knew* a lot of people had bought Windows but never used it!) Not the most prolific virus we've ever seen. Schwartau seems uncertain as to whether he wants to advertise real software or hide it. At various times the characters, incessantly typing to each other across the (long distance) phone lines use "xtalk" (the actual filename for Crosstalk), "ProCom" (ProComm, perhaps?), "ComPro" and "Protalk". They also make "4800 BAUD" connections (technically unlikely over voice grade lines, and even if he meant "bits per second" 4800 is rather an odd speed) and communicate with "7 bits, no parity, no stop bits" parameter settings. (The more common parameter settings are either 8 bits, no parity or 7 bits, even parity. You *must* have stop bits, usually one. And to forestall the obvious criticism, there is no indication in the book that a "non-standard" setting is being used for security reasons.) We are, at places in the text, given detailed descriptions of the operations of some of the purported viral programs. One hides in "Video RAM". Rather a stupid place to hide since any extensive video activity will overwrite it. (As I recall, the Proto-T hoax, which was supposed to use this same mechanism, started in 1991. Hmmm.) Another would erase the disk the first time the computer was turned on, which leads one to wonder how it was supposed to reproduce. (This same program was supposed to be able to burn out the printer port circuitry. Although certain very specific pieces of hardware may fail under certain software instructions, no printer port has ever been numbered among them.) One "hidden file" is supposed to hide itself by looking like a "bad cluster" to the system. "Hidden" is an attribute in MS-DOS, and assignable to any file. A "bad cluster" would not be assigned a file name and therefore would never, by itself, be executed by any computer system. We also have a report of MS-DOS viri wiping out a whole town full of Apple computers. Schwartau is not averse to making up his own virus terminology, if necessary. ("Stealth" is also reported as a specific virus.) At one point the book acknowledges that viral programs are almost invariably detected within weeks of release, yet the plot relies upon thousands of viri remaining undetected for years. At another point the use of "radio broadcasts" of viral programs to enemy systems is advocated, ignoring the fact that the simplest error checking for cleaning "noise" from digital radio transmissions would eliminate such activity. A number of respected security experts have expressed approval of "Terminal Compromise". This approbation is likely given on the basis that this book is so much better than other fictional works whose authors have obviously had no technical background. As such the enthusiasm is merited: "Terminal Compromise" raises many important points and issues which are currently lost on the general public. Unfortunately, the problems of the book, as a book, and the technical excesses will likely restrict its circulation and impact. As a fictional work the lack of literary values are going to restrict both its appeal and longevity. As an exhortative or tutorial work, the inability to distinguish between fact and fiction will reduce its value and effectiveness in promoting the cause of data security. copyright Robert M. Slade, 1993 BKTRMCMP.RVW 931002 ====================== DECUS Canada Communications, Desktop, Education and Security group newsletters Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 Author "Robert Slade's Guide to Computer Viruses" (contact: 1-800-SPRINGER)