Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (01/26/84)
HUMAN-NETS Digest        Thursday, 26 Jan 1984      Volume 7 : Issue 15

Today's Topics:
                    Response to Query - (nf),
        Computers and the Law - Malicious Access (4 msgs),
   Computer Security - Re: Discouraging Password Guessing (2 msgs),
     Computers and the Media - "hacker": Somebody Gets it Right,
          Computers and People - Telecollaboration Model,
----------------------------------------------------------------------

Date: 24 January 1984 01:50 EST
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: "(nf)" at end of subjects of messages
To: decwrl!rhea!elsie!insinga @ SU-SHASTA

This (nf) at the end of subjects of messages means "Notesfiles" ... Notesfiles is a system that is used for reading and composing messages sent on usenet. It has been rumored on net.jokes (a jokes newsgroup, of course) that the "(nf)" means "not funny". :-)

andy

------------------------------

Date: 24 January 1984 05:04 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: rude / malicious / illegal
To: Reynolds @ RAND-UNIX

    Why should our society care more about the rights of computers with
    modems on telephone lines than about people with audio units on phone
    lines?

This is just a guess. A computer with modem is vulnerable in the same way as a child or mentally-retarded individual and needs special protection. I think if you have a 3-yr-old child and some stranger keeps calling up your 3-yr-old and commanding him to do things like unlock your door or throw your wallet in the fireplace or stick your jewelry in a bag out by the curb, and your naive 3-yr-old believes it's "daddy" telling him to do these things so he obeys, and despite your attempts to get this caller to stop calling your 3-yr-old he keeps calling and you suffer financial loss because of it... You get the idea? Surely you'd want that caller charged with some crime?

Now just imagine you run a business in your home, and this fellow on the phone impersonating "daddy" is getting your kid to give out business secrets and make changes in the accounting books to the point of transferring thousands of dollars of money into the caller's account which the caller then withdraws in cash before you notice what's going on... That should be a felony (grand theft or whatever), shouldn't it? Computers are even more adept than a child at playing havoc with your business if a random caller manages to impersonate somebody with privileged access to your "books" and start modifying them.

------------------------------

Date: Tuesday, 24 January 1984, 13:47-PST
From: Reynolds at RAND-UNIX
Subject: rude / malicious / illegal
To: Robert Elton Maas <REM at MIT-MC>

    Date: 24 January 1984 05:04 EST
    From: Robert Elton Maas <REM @ MIT-MC>

        From: Reynolds
        ... Why should our society care more about the rights of computers
        with modems on telephone lines than about people with audio units
        on phone lines? ...

    This is just a guess. A computer with modem is vulnerable in the same
    way as a child or mentally-retarded individual and needs special
    protection. I think if you have a 3-yr-old child and some stranger
    keeps calling up your 3-yr-old and commanding him to do things like
    unlock your door or throw your wallet in the fireplace or ...

    Now just imagine you run a business in your home, and this fellow on
    the phone impersonating "daddy" is getting your kid to give out
    business secrets and make changes in the accounting books ...

I think you are setting up a "straw man". You postulate a kid who understands how to answer the phone and carry on a conversation with a stranger but does not understand that he/she should not unlock the door for strangers.

I would make darn sure that my 3-year-old or my retarded friend or my stupid computer either:

  (1) knew how to intelligently deal with all phone calls
  (2) knew how to spot and ignore "questionable" calls
  (3) did not have access to a telephone line

My original point about crackers and computers is that if you answer the phone, you have to take some responsibility for dealing with the call. We cannot simply make it a crime to call into a computer. On the other hand, it is obviously a crime to damage someone's property, it doesn't matter if you did it by calling in on a modem or by aerial bombardment.

If the people who run computer centers are going to both allow remote logins AND store valuable information on the computers, they had better make darn sure that they trust their login security protocols. I think such a facility manager has a pretty weak case if they go crying to the FBI after a penetration which was allowed because they didn't "lock the door".

If you think this puts an unfair burden on the system administrator, ask the police. They will laugh at you just like they laughed at me the time my apartment was burglarized. It's a long story but the gist of it was that the "door was not locked". To paraphrase the cop: "... ha ha ha, what a jerk you are, ho ho ho ..."

-c

------------------------------

Date: 24 Jan 1984 2003-EST
From: John R. Covert <RSX-DEV at DEC-MARLBORO>
Cc: reynolds at RAND-UNIX, pourne at MIT-MC
Subject: "Rights" of people and computers

I agree that our society should care as much about the rights of people as about the "rights" of computers. However, I don't agree that the difference is audio vs. data; I suggest that it is the type of access. There should be no difference between a phone conversation and a data conversation.

In regards to the following discussion:

    Date: Friday, 20 January 1984, 15:00-PST
    From: Reynolds at RAND-UNIX
    Subject: rude / malicious / illegal
    To: Jerry E. Pournelle <POURNE at MIT-MC>

    I think that is that double standard that bothers me. When some jerk
    (with whom I want no contact) calls at my home phone, it is just
    "rude". When the same jerk calls into the modem on my computer it
    becomes "malicious", it is illegal, and I can probably get the FBI to
    hassle the guy. Why should our society care more about the rights of
    computers with modems on telephone lines than about people with audio
    units on phone lines?

Consider the following: (this is a restatement of my philosophy on access which I have stated in the past)

Someone you don't know calls your home phone and says, "I understand you are an expert on xyz, and I'd like to learn more about xyz from you," and continues to engage you in a conversation. Though you may consider this rude, if you continue the conversation, you are permitting the access. If you inform the caller that you don't want to talk to him, and he goes away, fine. If he continues to call you, that is harassment. But if he calls you and claims to be someone he is not in order to get you to continue the conversation, that is impersonation, and potentially fraud if he gains any benefits from it.

Likewise some random person calls your computer and says (using the command language of the system) "Can I have a demo, do you allow tourists, guests, unnamed users" or at least does not misrepresent himself. If the system allows the login and allows the access to proceed, then the caller has done nothing wrong. If the system informs the caller that no guest access is allowed and the caller goes away, then there is still nothing wrong. However, repeated calls are harassment. If the caller claims to be someone he is not (by hacking for passwords belonging to authorized system users) then this is impersonation. And if the caller succeeds in logging in and gains any benefit (the use of a computer system is a marketable commodity) then this is fraud.

/john

------------------------------

Date: Tuesday, 24 January 1984, 21:09-PST
From: Reynolds at RAND-UNIX
Subject: "Rights" of people and computers
To: John R. Covert <RSX-DEV at DEC-MARLBORO>
Cc: Reynolds at RAND-UNIX, Pourne at MIT-MC

    Date: 24 Jan 1984 2003-EST
    From: John R. Covert <RSX-DEV at DEC-MARLBORO>

    I agree that our society should care as much about the rights of
    people as about the "rights" of computers. However, I don't agree that
    the difference is audio vs. data; I suggest that it is the type of
    access. There should be no difference between a phone conversation and
    a data conversation.

Yes, I agree with you on all points. The discussion in the rest of your message is well thought out and crisply stated.

I did not mean that the law should treat audio or data communications differently. Rather I was pointing out that public reaction to recent system crackings DID seem to make that distinction, and that that was wrong. That is, I think the tendency in our society today is to under-react to abuse of people's home phones and to over-react to abuse of a computer's dial-in lines.

-c

------------------------------

Date: 24 January 1984 02:02 EST
From: Andrew Scott Beals <BANDY @ MIT-ML>
Subject: A simple technique to discourage password guessing
To: HAGAN.Upenn-1100 @ RAND-RELAY

Ahh, but this simple technique can cause moby headaches for the users of a system -- if I get a list of >all< the users of a system (let's say, the equivalent of /etc/passwd), and then set my program loose on all of those names, trying 10 times each (overnight (2^10 secs is 17 minutes - an acceptable figure)), then no one will be able to login within a `reasonable' amount of time to the system and the security system will get flushed. Now, if one id (say, root) doesn't have this scheme enforced for it, the crackers will probably find out about it and shoot for breaking that account.

andy

ps. True, you may not have broken >into< the system, but you have prevented people from using it, which may be more satisfying to a cracker -- esp when you haven't done any `permanent' damage.

pps. If you make it so that the delay time gets reset to 1 second every time the cracker hangs up the phone, no problem -- an autodialer is standard equipment these days for crackers.

ppps. It would seem to me that the current generation of crackers are `Junior High School Hackers (to the extent that they pirate fairly well)' who were given modems by their parents for some obscure reason or another.

------------------------------

Date: 24 January 1984 05:14 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: A simple technique to discourage password guessing??
To: HAGAN.Upenn-1100 @ RAND-RELAY

Doubling the time before the failed password can be retried is a nice idea, but it has a fatal flaw. Suppose the smart intruder gets wind of this method, after all it should be obvious that it's taking longer and longer to respond and careful timing should reveal the doubling algorithm. So the intruder programs his computer to double the time then redial and try again etc. Only the intruder knows when this process of doubling started and hence when the next valid time to try will be, thus has an immense advantage over the legitimate user in logging in. The legitimate user is permanently locked out while the intruder can toy with the account forever. Of course the intruder can't actually get in unless the password can be guessed in a reasonable number of tries, but he can sabotage the whole system by doing this hack on every account, interleaving all the retries. In fact the doubling works to his advantage because the longer he has toyed with each account the longer he can inactivate it with just a single fake retry, so eventually he can inactivate the whole system with just one fake retry per day at such random times nobody can predict his call and set up to trace it.

We must find security systems that not only prevent intruders from gaining access, but also prevent intruders from preventing access by legitimate users, in fact in most cases the latter is more important.

------------------------------

Date: 25 Jan 84 1309 PST
From: Robert Maas <REM@SU-AI>
Subject: "hacker" - Hooray for As The World Turns

A couple minutes ago on the soap opera "As The World Turns", Craig was intently working on a computer given to him as a gift a few weeks ago, and when his wife Betsy came in she remarked that he was really taking to the terminal and he replied something to the effect that he was becoming a hacker! I.e. the original correct AI-jargon definition of "hacker" as a compulsive computer-wizard was used, instead of the new media-newspeak definition as electronic intruder.

------------------------------

Date: 24 January 1984 02:54 EST
From: Jerry E. Pournelle <POURNE @ MIT-MC>
Subject: simulation for decision analysis vs prediction
To: KIRK.TYM @ OFFICE-2

how many megatons was Tamboura?

------------------------------

End of HUMAN-NETS Digest
************************
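Editor's note on the two password-guessing messages in this digest. Beals and Maas argue that a "double the delay after each failed password" rule, when the delay is attached to the account, lets a caller who never gets the password right decide when the account's owner may log in. The simulation below is an added example, not part of the digest and not code posted by any of its contributors. The credential table, the account and source names (the "source" standing in for the calling line, or a source address today), and the timings are all constructed. It runs the scheme as proposed (delay keyed per account) beside a variant keyed per caller, and then shows the variant's own cost, which is Beals's autodialer point: a guesser with many lines is no longer slowed down at all.

```python
"""Simulation of the doubling-delay login throttle debated in the digest.

Added example, not part of the digest. PASSWORDS, the account and source
names, and the timings are constructed for the simulation only.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed credential table. Plaintext only because the point here is
# lockout behaviour, not password storage.
PASSWORDS = {"alice": "correct-horse", "root": "hunter2"}


@dataclass
class Bucket:
    """Failure history for one throttling key (an account or a source)."""
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Login throttle: each failed guess doubles the wait before the next try.

    key_by="account": the scheme discussed in the digest. A failed guess at an
        account locks that account for everyone, so a stranger decides when
        the owner may log in.
    key_by="source":  the wait follows the caller (the calling line in 1984,
        a source address today; an assumption of this example). The owner
        dialling in from elsewhere is unaffected, but a guesser with many
        lines is not slowed either.
    """

    def __init__(self, key_by: str, base_delay: float = 1.0) -> None:
        if key_by not in ("account", "source"):
            raise ValueError(key_by)
        self.key_by = key_by
        self.base_delay = base_delay
        self.buckets: Dict[str, Bucket] = {}

    def bucket(self, account: str, source: str) -> Bucket:
        key = account if self.key_by == "account" else source
        return self.buckets.setdefault(key, Bucket())

    def attempt(self, now: float, account: str, source: str, password: str) -> Tuple[bool, str]:
        """Return (success, reason). A wrong password costs base_delay * 2**failures."""
        b = self.bucket(account, source)
        if now < b.locked_until:
            return False, "locked"          # refused without evaluating the password
        if PASSWORDS.get(account) == password:
            b.failures = 0
            return True, "ok"
        b.locked_until = now + self.base_delay * 2 ** b.failures
        b.failures += 1
        return False, "bad-password"


def owner_lockout(key_by: str) -> dict:
    """Maas's scenario: one intruder re-guesses 'alice' the instant each lock
    expires; the real owner dials in from home at t=100 with the right password."""
    guard = LoginGuard(key_by)
    now, intruder_tries = 0.0, 0
    while now < 100.0:
        guard.attempt(now, "alice", "intruder-line", "guess")
        intruder_tries += 1
        now = guard.bucket("alice", "intruder-line").locked_until  # wait out the lock
    owner_ok, why = guard.attempt(100.0, "alice", "home-line", "correct-horse")
    return {"intruder_tries": intruder_tries, "owner_login": owner_ok, "owner_reason": why}


def rotating_guesser(key_by: str, n_lines: int, horizon: float) -> int:
    """Beals's autodialer point: an intruder with n_lines distinct sources
    guesses at 'root' once per second, cycling through the lines. Returns how
    many guesses the system actually evaluated instead of refusing as locked."""
    guard = LoginGuard(key_by)
    evaluated = 0
    t = 0.0
    while t < horizon:
        _, why = guard.attempt(t, "root", f"line-{int(t) % n_lines}", "guess")
        if why != "locked":
            evaluated += 1
        t += 1.0
    return evaluated


if __name__ == "__main__":
    for policy in ("account", "source"):
        print(policy, owner_lockout(policy),
              rotating_guesser(policy, n_lines=100, horizon=100.0))
```

Keyed per account, seven wrong guesses spread over the first 63 seconds leave "alice" locked until t=127, so the owner's correct password at t=100 is refused: the intruder has made only seven calls and already controls the account's availability. Keyed per caller, the same seven guesses lock only the intruder's line and the owner logs in; but the rotating guesser with a hundred lines gets all hundred guesses evaluated in a hundred seconds, exactly as it would with no throttle at all. Neither keying alone satisfies Maas's closing requirement (keep intruders out without letting them keep legitimate users out); a practitioner would bound the per-account lock to a short, capped duration, throttle per source as well, and treat a sustained pattern of failures as an alert rather than as a reason to lengthen the lock.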