mts@EMPTYS.CC.UMICH.EDU.UUCP (04/07/87)
I'm surprised about messages I receive where the intent of the author is to raise my consciousness by making me angry. What usually happens is this -- I get angry. So is the case with the message from Mark Crispin.

> The philosophy behind Unix largely seems quite reminiscent of the ... "security through obscurity;"

The only security is through obscurity. It is precisely the lack of information which secures some system. As an example, consider publishing the passwords of all the accounts on a system, or the private parts of a DES pair.

> entrust our systems and data to an open-ended set of youthful hackers (the current term is "gurus") who have mastered the arcane knowledge.

I'm confused here about the term youthful hackers. Is youthful under 18? Under 25? Under 35? Under 45? I know of many excellent programmers in all age groups. I also know malicious usage has no age range. Mark, if you are a manager, have you had occasion to use the same talents you are complaining about to solve some particular problem without getting involved? Are you complaining about their knowledge or about your unwillingness to learn what you need to know?

> The problem is further exacerbated by the multitude of slimy vendors who sell Unix boxes without sources and without an efficient means of dealing with security problems as they develop.

The focus seems to have changed. If the discussion was about Unix problems, if the focus was about selection criteria for the people hired, the focus is now on vendor problems? Even so, I wasn't aware that lack of source was the key to the security problems on Unix systems. I'm not aware of too many Unix vendors who are unwilling to share their code when they are reimbursed for their efforts.

> I don't see any relief, however. There are a lot of politics involved here.

<here? Where is here? Stanford? Sumex? California? USA?>

> Some individuals would rather muzzle knowledge of Unix security problems and their fixes than see them fixed.

This may be true. This may always be true.

> I feel it is *criminal* to have this attitude on the DDN, since our national security in wartime might ultimately depend upon it. If there is such a breach, those individuals will be better off if the Russians win the war, because if not there will be a Court of Inquiry to answer...

Ah, after a lot of thought, I think I am beginning to understand what you are trying to write. Are you assuming the sensitive machines on the DDN to be Unix machines? And from there assuming they are unsecured? I would think people using machines and needing particular levels of security would be well aware of the issues, much more than you or I. I have seen some of the specs to come out of the military for secure systems, and have felt very good about the military's own understanding of its needs.

> It may be necessary to take matters into our own hands, as you did once before.

<focus? ranting?>

> I am seriously considering offering a cash reward for the first discoverer of a Unix security bug, provided that the bug is thoroughly documented (with both cause and fix).

Now I am beginning to understand a bit more... so happens these kinds of bugs have been found before. In fact, bugs have been discovered. In fact, information has been sent out, describing the problem, and the resolution.

> There would be a sliding cash scale based on how devastating the bug is and how many vendors' systems it affects.

<focus?>

> My intention would be to propagate the knowledge as widely as possible with the express intention of getting these bugs FIXED everywhere.

If that is your intention, then the process you are suggesting for making it happen is faulty. You are trying to get people to help you by making them angry at you. This will not work.

> Knowledge is power, and it properly belongs in the hands of system administrators and system programmers. It should NOT be the exclusive province of "gurus" who have a vested interest in keeping such details secret.

Here I am very confused. Seems the people who are referred to as "gurus" are the very best system programmers. All the "gurus" I have ever met have many talents beyond programming, including leadership. Getting the leadership required excellent interpersonal skills. As mentioned above, if this is not the case where you work, then the people responsible for selecting appropriate individuals for their positions have made mistakes.

As for "in the hands of": a case of analogy may make clear that this is not necessarily the best way... I would guess the same was said to the people making the atomic bomb; that they had the understanding to create the bomb, but not the understanding to use it correctly. Deferring the responsibility to the people who wanted it for "power" created an environment where those people used the very technology only for "power". I would say for you to focus on the knowledge itself, because for you, the knowledge will not be power.
Rudy.Nedved@H.CS.CMU.EDU.UUCP (04/08/87)
Michael, I read your message in response to Mark Crispin's flame. I only want to comment on the guru versus system programmer misunderstanding you have.

We have many people at CMU that can crack a system but are impossible to communicate with. These people are brilliant but their personality is very, very poor on interpersonal skills. In many cases, they are in control of important software. There is no intent to discourage such situations by management since all benefit.... On the other hand, they are not policy or decision makers except in their own "world".

In some cases, I have dealt with people that control software and blatantly ignore management. Management is in a position of needing them and not feeling the issue is critical enough to fire (since they have a hard time evaluating the situation). The result is the hacker is viewed as a guru who controls the system and runs it as he sees fit, and management tolerates him until he leaves.

In the final analysis, hacker is not the same as guru, which is not the same as system programmer, which is not the same as system manager. Luckily, many people have some or all of these "jobs" at the same time.... Makes life interesting.

Cheers,
-Rudy