Paul Watson is still digesting his flash of Internet fame this
week, when he became the talk of the cybersecurity world.
The independent security researcher from Milwaukee became a tech
celebrity of sorts after the British government Tuesday made public
his research exposing a flaw in a core Internet technology that
could allow hackers to shut down large portions of the global
network.
The flurry of security bulletins and media coverage in recent
days was the climax in a tale of how one man's tinkering rippled
across the globe, gaining the attention of national governments and
hundreds of high-tech companies and Internet service providers.
``I'm really just shocked and amazed at the response,'' said the
35-year-old Watson, who presented his research Thursday at the
CanSecWest computer security conference in Vancouver, British
Columbia.
Watson's brush with tech fame began anonymously in Las Vegas in
late July, when he attended a presentation by two Cisco Systems
scientists at a computer security conference. Watson said it was a
``fine presentation with outstanding research,'' but he nonetheless
had lingering questions.
``It just didn't sound right,'' he said. ``What bothered me was
no one else in the room seemed to think there was something
wrong.''
On Aug. 5, Watson wrote on his personal Web site that he planned
``to compose a detailed and technical rebuttal.''
Watson, who works as a computer security officer for industrial
automation company Rockwell Automation, began devoting much of his
spare time to the issue. He said he spent evenings and two weeks of
vacation holed up in his basement.
The resulting paper was ``Slipping in the Window: TCP Reset
Attacks.''
Computer experts said Watson's research was a new approach to a
long-known vulnerability previously considered too complex and
time-consuming for hackers to exploit. The flaw in the TCP -- or
Transmission Control Protocol -- could allow people to remotely
attack computer systems and routers, the key devices that ferry
traffic around the Internet, by tricking them into shutting down.
Such attacks, security experts said, could temporarily cause
broad lapses in Internet service. But the chance of a breach, it was
thought, was remote because a hacker would have to guess a sequence
of numbers within a certain ``window'' of time in order to end the
TCP connection -- something that was considered about a 1-in-4
billion shot.
But Watson concluded that an accepted number actually could be
guessed in just several seconds.
Watson sent his findings to Cisco, the world's biggest seller of
Internet routers. Early this year, the San Jose company turned it
over to the Department of Homeland Security's U.S. Computer
Emergency Readiness Team (CERT) and then to Britain's National
Infrastructure Security Co-ordination Centre.
From there, computer equipment makers and Internet service
providers were warned about the vulnerability.
``The important thing is that a significant number of ISPs were
given time to protect the core of the Internet before the release of
the vulnerability,'' said Jeff Havrilla, an Internet security expert
with U.S.-CERT.
Cisco praised Watson for his handling of the matter. ``We
appreciate the high ethical ground he took by contacting our
scientists,'' said Mojgan Khalili, spokeswoman for the San Jose
company.
Independent computer researchers such as Watson are driven by
some common motives, including being first with a discovery and
spurring tech companies to fix vulnerabilities, said Alan Paller,
director of SANS Institute, which provides cybersecurity
training.
``There's a dynamic that plays out with all of the researchers,''
Paller said. ``They want recognition for their excellence.''
Watson traces his motivations back to, well, being a dedicated
geek.
``I go to work eight or 10 hours a day. I come home and spend
four to six hours playing with the computer,'' he said,
acknowledging his wife's patience.
One of his personal Web sites reflects his passion for computers,
if in an alarming-sounding way. The name ``terrorist.net,'' he said,
has to do with his fixation on computers and nothing else. Watson
said he has owned the domain name for years, and the name became a
running joke among his friends that was easy to remember. ``It has
no connotation whatsoever to terrorism in any way,'' he said.
Watson, who grew up in Indiana, said he is largely self-taught in
computer science. He served in the Air Force, working on computers
for NORAD, North American Aerospace Defense Command, in Alaska.
Watson said he loves attending DefCon, the annual hackers
convention in Las Vegas, but has never done anything illegal at the
computer keyboard.
``It's the thrill of discovery,'' he said.