oberman%icaen.DECnet@LLL-ICDC.ARPA.UUCP (02/06/87)
>What exactly is the harm in releasing this (i.e. security-related)
>material to students?

As a security officer for some governmental systems of various classifications I guess I'll put in my two bits.

First, I don't think it's worth the effort to 'hide' info-vax from students, or for that matter much of anyone else. The distribution is wide enough that anyone who's really interested will get access to the information. Besides, there are several really good sources of information on how to break systems readily available from a variety of sources. Conversely, info-vax is full of all sorts of information that can give the student an idea of what the 'real world' of managing a system is like. Not to mention how silly system managers can be when they are sufficiently frustrated.

From the other side, I would hope that all the folks out there have more sense than to tell people that you can crack VMS by ... But if people are silly enough to put that sort of thing on info-vax, they will almost certainly manage to spread the word to the wrong people in some other way.

Now to the philosophical side. (Is that spelling even close?) There seem to be two schools of thought on how security issues should be handled. One is the 'lock it up' method where you can't tell anyone because you don't know who to trust. Another is the 'spread the word' method. This involves telling everyone in earshot about the problem (or at least the solution). This means that any poor soul who misses the information is wide open, but at least most will hear about it. This is supported by the notion that if a problem is found it will be posted on hacker bulletin boards everywhere. That means that hackers will know about it but the system managers won't.

While I lean toward the latter approach, my employers take the first. I just hate to get a call from someone who casually mentions 'that old long password trick' that I've never heard of. The hole was, of course, published in a couple of hacker newsletters and is on 30 different bulletin boards. I suppose it boils down to whether you want to wrap your head in a towel. It works for the ravenous Bug Bladder Beast, after all. But I suspect most hackers are smarter than that creature.

I suppose I've rambled on long enough, so I'll leave it at a statement that I've never seen any information on this distribution that is a real breach of security. I don't see any reason not to make this information available to students. If they really want it, they'll get it anyway. I just hope that the contributors will show some discretion in what they post. I don't mind fixes but I don't need to see unfixed problems ever disseminated. You have to trust someone, so tell DEC!

The above are my opinions and NOT those of my employer. They seem to want to put a CLASSIFIED stamp on most everything.

R. Kevin Oberman
LLNL
arpa: oberman@lll-icdc.arpa
(415) 422-6955
------