"MCCORE::BOLTHOUSE@ti-eg.CSNET".UUCP (02/05/87)
>What exactly is the harm in releasing this (i.e. security-related)
>material to students ?

Not everybody is trustworthy, nor are they above using information gained from this conference in attempting to break other systems. Usually this activity is benign, but when it isn't, it can cause extensive economic loss to the owning organization. When the organization in question is a university, it's not as large a problem wiping out a student's latest and greatest C program as it is when someone corrupts, say, the image for the FORTRAN compiler, perhaps causing it to issue invalid instructions... or, say, blowing away ACCOUNTNG.DAT (DP auditors don't like it when the figures don't add up...not to mention the government).

We have ways of watching such activity, we try to stop it. However, we are all dependent upon VMS, and when it is compromised in any way, we are all hanging by a thread. Most of the industrial employees in this conference are system managers and have a vested interest in keeping malicious people off of their system. If they don't do their job, it's their head that rolls. Students have no such "incentive".

After the recent incident at Stanford, you'd think such questions wouldn't even come up... DIGITAL had a watchful employee that saved them from experiencing the same problems. Had someone broken into DEC's Western Research Labs' machines, using information gained from this conference, wouldn't we be at least morally liable for any loss? A good lawyer might even have a few other things to say about it.

How much is *your* accounting data worth in computer time billed back to your customers? How much is it worth in helping you manage development costs? How would *you* like to lose, say, a month's worth of the stuff? Whose head would roll then?

I am against publishing security-related materials to the world. I understand system managers need to know about problems, but we need some level of assurance that people with "unusual motivation to use such information" will not see it. I know it's tough to regulate the flow of communication on a public network, but one way is to *not* make such information available to whoever bloody well wants it on the receiving end. The possibility of a VAX-MGMT conference has been mentioned before, but perhaps the revelations from CMU and other universities give such an idea greater plausibility.

I *do* know I won't submit articles related to security in the future, and I suspect other corporate participants may feel the same.

David L. Bolthouse
Texas Instruments Defense Electronics
Information Systems VAX System Support
ma bell: 214-952-2059
csnet: bolthouse%mcopn1@ti-eg.csnet

Disclaimer: The views represented herein are mine alone, and do not reflect those of my employer. But you can guess what they think.
andy@SHASTA.STANFORD.EDU.UUCP (02/06/87)
This mailing list appears on usenet as mod.computers.vax. Very few unix sites in the US do not have access to it; many outside the US do as well. It is naive to think that anything on it is unavailable to anyone who is interested.

BTW - Security can not depend on ignorance by the attacker. If one really wants to attack VMS sites, one will buy a VMS system and (some?) sources. Much of this info is already available without this cost. If your system relies on VMS obscurity for protection, you are wide open. (Yes Virginia, the password encryption algorithm is available.)

-andy
--
Andy Freeman
UUCP: ...!decwrl!shasta!andy forwards to
ARPA: andy@sushi.stanford.edu
(415) 329-1718/723-3088 home/cubicle