CNN hosted an "Ask the President" program today. This program was a reasonable attempt to integrate two different media. The actual interview between Wolf Blitzer and President Clinton took place on the CNN station. Meanwhile, the CNN chat server was used by viewers to submit questions and see responses. The questions asked by viewers were filtered, selected, and relayed to Mr. Blitzer by CNN Online staff. At the same time, typists were repeating the statements made by Mr. Blitzer and President Clinton onto the CNN chat server.
[NOTE: What follows is my personal evaluation of the incident and what caused it. WebMaster has contacted me with a correction to this evaluation.]
Unfortunately, CNN chose some trouble-prone technology to support this venture. While the choice to use a standardized chat protocol (Internet Relay Chat) for their chat system is laudable, the actual choice of software resulted in problems. CNN chose to use WebMaster's ConferenceRoom product on a Windows NT platform. The instability of this software led to several problems during the session. According to WebMaster Incorporated, the actual crashes were caused by insufficient hardware resources. This lack of resources evidently triggered bugs in the ConferenceRoom software which resulted in crashes.
One of the largest IRC networks in the world, efnet (http://www.efnet.org), has been using the Hybrid IRC server software on the UNIX platform for years, and the Hybrid development team has put man-years of effort into making improvements. It would be trivial to modify this system to provide a very scalable, secure chat system for CNN. Another IRC network called Dalnet already provides services very similar to those in ConferenceRoom, though it is known to have other problems.
On efnet, servers can routinely handle between 5,000 and 10,000 users on relatively low-end hardware, similar to what CNN used for their IRC server. In contrast, the CNN server crashed several times after reaching a user load of approximately 1,500 users. These crashes were what allowed one of the participants in the chat to pose as President Clinton for approximately one minute.
IRC networks require that each user provide a "nickname" when connecting to the server. This nickname is unique, and no other user can connect with that nickname. Once they have connected, a user can join any of a number of "channels" on the network. IRC channels are similar to chat rooms on other online services (the term is a holdover from IRC's predecessors, which were "CB radio simulators" with metaphorical channels). IRC provides controls to limit which users can speak in a channel. In particular, a "moderated" channel will only allow users who have been "given voice" to speak.
When the chat session first began, the typist for President Clinton connected with the nickname President_Clinton. After that, no one else could connect using the same nickname. This effectively prevented anyone from impersonating the President's typist. The typist then joined the #auditorium channel, and was given voice by an automatic system. This allowed President_Clinton to speak directly into the #auditorium channel, while the text other users entered into this channel was forwarded to the moderators to be evaluated as potential interview questions. Another typist connected as Wolf_Blitzer and was given similar privileges.
When an IRC server crashes, all users are disconnected. After one of the many times the server disconnected, one of the chat users that had been using the nickname wankel reconnected. (This nickname is not any sort of sexual term. It is a reference to the ingenious motor design known as a Wankel Rotary Combustion Engine -- see http://www.monito.com/wankel). Seeing that the typist for President Clinton had not reconnected, he informed the CNN IRC server that he wanted to change his nickname to President_Clinton. Surprisingly, the server allowed this change without asking for any sort of password or other authentication. The user then joined #auditorium and was given voice in this channel, once again without any verification of his identity. This was the true failure of CNN's system. Even though the system did crash, no one would have been able to take advantage of the situation if CNN had properly utilized the tools provided by their software to protect the nicknames of President_Clinton and Wolf_Blitzer.
At this point, the user tested the privileges by making the statement "Personally, I'd like to see more porn on the Internet." Approximately 5 seconds later, the typist for Wolf Blitzer reconnected and the user restated this as a question: "Wolf, how about you? Are you all for more porn on the Internet?" This sort of activity is common on public IRC networks. Users change their nick after someone else disconnects to impersonate them and make humorous statements for the purpose of entertaining other users. In this case, political satire seemed appropriate and President Clinton's sexual indiscretion an obvious target.
Unfortunately, because the prank was unplanned and the user found himself in respiratory distress due to excessive laughter, he was unable to make any timely comments on US politics or foreign affairs. Within approximately 30 seconds, someone at CNN was able to determine that this was most likely not the President's typist and forced the user to disconnect from the server. The user's software, however, immediately reconnected with the same nickname, joined the same channel, and was given voice by the same automatic system that had caused the problem in the first place. The voice was quickly removed, and the user was able to say "okay, that was just too much. my apologies." shortly before being permanently banned from the CNN IRC server.
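To make the distinction the two paragraphs above draw concrete (voice granted on the nickname alone versus voice granted only to a verified identity), here is an added Python sketch of an auto-voice bot, not CNN's or WebMaster's code, run over a constructed event stream in IRC's `:nick!user@host COMMAND` wire form. The `VoiceBot` class, `run_session`, the `REGISTERED` hostmask and all hostnames are assumptions for illustration.

```python
import re
from fnmatch import fnmatchcase

# ":nick!user@host COMMAND args" is the prefix form an IRC server uses when relaying a client's command.
LINE_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<cmd>\S+)\s*(?P<args>.*)$")

# Hypothetical registration: the hostmask the typist connects from (constructed placeholder host).
REGISTERED = {"President_Clinton": "President_Clinton!typist@studio.cnn.example"}

# Constructed events mirroring the article: typist joins, wankel renames after the crash, then joins.
EVENTS = [
    ":President_Clinton!typist@studio.cnn.example JOIN :#auditorium",
    ":wankel!joe@dialup-42.isp.example NICK :President_Clinton",
    ":President_Clinton!joe@dialup-42.isp.example JOIN :#auditorium",
]

class VoiceBot:
    # Auto-voice bot for a moderated channel. With an empty `registered` map it
    # behaves like CNN's system: the nickname alone earns +v.
    def __init__(self, channel, protected, registered):
        self.channel, self.protected, self.registered = channel, set(protected), registered
        self.decisions, self.alerts = [], []

    def authorised(self, nick, user, host):
        pattern = self.registered.get(nick)
        if pattern is None:  # nothing on file: fall back to the nick-only policy
            return True
        return fnmatchcase(f"{nick}!{user}@{host}", pattern)

    def handle(self, line):
        m = LINE_RE.match(line)
        if not m:
            return
        nick, user, host = m["nick"], m["user"], m["host"]
        cmd, arg = m["cmd"].upper(), m["args"].lstrip(":")
        if cmd == "NICK" and arg in self.protected and not self.authorised(arg, user, host):
            # A protected nick taken from an unregistered host: log it, grant nothing.
            self.alerts.append(f"{nick}!{user}@{host} took protected nick {arg}")
            self.decisions.append(("deny", arg))
        elif cmd == "JOIN" and arg == self.channel and nick in self.protected:
            ok = self.authorised(nick, user, host)
            self.decisions.append(("voice" if ok else "deny", nick))

def run_session(events, registered):
    # Feed the event stream to a bot and return its (decisions, alerts).
    bot = VoiceBot("#auditorium", ["President_Clinton", "Wolf_Blitzer"], registered)
    for line in events:
        bot.handle(line)
    return bot.decisions, bot.alerts
```

Running `run_session(EVENTS, {})` voices both joins, exactly the behaviour described above; `run_session(EVENTS, REGISTERED)` voices only the typist and records the nickname takeover as an alert, which is the check the article says CNN's tools could have provided.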
I would like to point out that anyone could have pulled off this prank. No special technical skills or knowledge were required. Any user connecting from the CNN web page could have performed the same act. This underscores the fact that this was not a "hack" but rather a legitimate user of the CNN chat system taking advantage of a misconfiguration to provide some levity to the proceedings.
The foxnews.com story describing this as "vandalism" and "hacking" is completely incorrect. foxnews.com (http://www.foxnews.com/vtech/021400/hack.sml) referenced unnamed "experts" who claimed that this "was almost certainly a hack." They also described this as "the latest in a recent wave of cyber-vandalism that has already targeted cnn.com," despite the fact that this incident was completely unrelated and was not similar in method, design, or purpose to the malicious attacks launched over the past two weeks. This is very irresponsible journalism, and foxnews.com has been contacted to request that this story be corrected. I can see no reason for Fox News to make such reckless statements unless purely out of ignorance, or in order to highlight problems one of their competitors has been experiencing.
CNN's claims that this was simply a "prank" and that they "were not hacked into" are correct. No illegal, intrusive, or abusive techniques were required or used in this prank. The problem was not that someone circumvented their security measures, but simply that there were no security measures in place. This is a classic example of technology being adopted by an organization because it is expedient and effective without consulting a knowledgeable security expert to determine the potential impact it may have on the security of their information systems. In the case of an online news outlet such as CNN, this can be disastrous, and it is good that no one with malicious intent has abused the system yet.
I hope that this harmless prank has served to let CNN know that this system is insecure and needs to be overhauled before someone does actual harm to them or one of their guests. This should also serve as a reminder to all other online outlets that security is not something to be overlooked, even on a system as seemingly trivial as an IRC chat server.