bill@twwells.uucp (T. William Wells) (11/12/88)
In article <5366@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes: : In article <16742@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) writes: : >In article <44439@beno.seismo.CSS.GOV>, rick@seismo (Rick Adams) writes: : >>Does that make it less of a crime? : > : >Who cares? Why is it SO IMPORTANT to have the MORAL HIGH GROUND? So : >that you can feel justified about being smug and complacent re security? : : 2) Some of us are concerned about ethical issues in addition to : technical issues. Too many people are not concerned with ethics, : professionalism, liability, et. al. and we see technology as not : providing all the answers to important questions. That you are : unconcerned with ethics does not seem surprising to many of us. Consider this part of a posting from Mr. Wiener: <10185@agate.BERKELEY.EDU>, 21 May 88 07:50:12 GMT : What I'm saying is that I consider my perception of right and wrong : to really *be* a sense, like vision and hearing. It varies far more : strongly than the standard five senses, between people and over time, : yes, but it is still a basic sense. I would no more accept a theory : of ethics that contradicts my observations of right/wrong than I would : accept a physical theory that tells me I am seeing red when in fact : I am seeing blue. Here is my response to it: <251@proxftl.UUCP>, 3 Jun 88 04:35:36 GMT : Let me translate the previous paragraph: What I feel to be right : is right and what I feel to be wrong is wrong. Why? Because I : feel it. Suppose that you have a theory that tells me how to : distinguish right from wrong? If I do not feel it to be right, I : will reject it, no matter what its merits. : : What you have asserted (minus the "perception" window dressing) : is subjectivism (Websters Ninth collegiate: subjectivism 2b: a : doctrine that individual feeling or apprehension is the ultimate : criterion of the good and the right), pure and simple. Mr. Wiener is unqualified to think about anything requiring moral judgement. Which is to say, everything of importance. : 3) Please, please insult Indiana some more -- it makes you appear so : terribly clever and humorous. You're so cute when you're rabid. He is in my kill file because of a number of things; when I see the drivel he continues to spout (in the responses to said drivel) I am pleased that he is there. Mr. Spafford, you have been most reasonable in this debate; don't you think that it is a good idea to stop encouraging this ethical midget to post? --- Bill {uunet|novavax}!proxftl!twwells!bill
allbery@ncoast.UUCP (Brandon S. Allbery) (11/20/88)
As quoted from <172@twwells.uucp> by bill@twwells.uucp (T. William Wells): +--------------- | [about Weemba] | Mr. Spafford, you have been most reasonable in this debate; don't you | think that it is a good idea to stop encouraging this ethical midget | to post? +--------------- Much as it may annoy you, Weemba has a good point to make about this whole thing. (I do admit that his language is, as usual, almost(?) enough to obscure the point he's trying to make.) In this particular case, the simple point is that ethics isn't enough. Go ahead and sue Morris, or Cornell, or whoever; but DON'T ASSUME THAT DOING SO WILL SOLVE ALL YOUR PROBLEMS. Ethics is important, if only to encourage sysadmins to do something about any security holes that come to their attention -- but it's by no means the ultimate solution. Kids who are looking for "kicks" don't give a d*mn about the law; as far as they'd be concerned, all that suing Morris would prove is that they should make d*mn sure they aren't caught. Promoting ethics is only useful when in conjunction with *real* security. ++Brandon -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
bill@twwells.uucp (T. William Wells) (11/27/88)
In article <13150@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:
: As quoted from <172@twwells.uucp> by bill@twwells.uucp (T. William Wells):
: +---------------
: | [about Weemba]
: | Mr. Spafford, you have been most reasonable in this debate; don't you
: | think that it is a good idea to stop encouraging this ethical midget
: | to post?
: +---------------
: Much as it may annoy you, Weemba has a good point to make about this whole
: thing. (I do admit that his language is, as usual, almost(?) enough to
: obscure the point he's trying to make.)
Let me see. After perusing what postings remain of his (slogging
through sewage would have been more pleasant), I see four points he
is trying to make:
1) The Worm did us a favor by pointing out a security hole and by
increasing awareness of security issues.
2) It is no good blaming or prosecuting The Worm because that
doesn't accomplish anything.
3) Existing systems are not secure enough and this must change.
4) Things like The Worm should be done more often, to force
people to make their systems more secure.
Did I miss anything important?
1) It is true that The Worm did point out a security hole. It is
even arguable that he increased awareness of security issues,
though I believe that this is only a passing fad.
But. The cost of his method of pointing out the security hole
is, I imagine most sysadmins would agree, much greater than it
had to be. The counter-argument that no one would listen to
the other methods of presenting the hole is so much hogwash;
I'll not spend time (in this posting) re-explaining what's
wrong with this opinion.
2) It certainly won't replace the kilohours of other's time spent
by The Worm. Nor, by itself, will it prevent the future abuse
of systems by crashers. However, it will certainly raise the
perceived cost of crashing, with the effect of reducing the
number and maliciousness of crashers.
3) The systems are exactly as secure as the various people who
are responsible for them believe, all things considered, they
should be. Security has its costs; system administrators have
the current level of security as a consequence of balancing
the perceived cost of security over the perceived benefits of
security. This is a value judgement; Weemba the Mouth is
certainly not competent to make it for them.
As to whether system administrators would make their systems
more secure if they could, I imagine that most would; but that
decision, and its implementation, belongs to them and not to
Weemba.
4) If someone makes it a practice to exploit network security
holes on a regular basis, you can expect that most systems
will either be removed from the net, or will be given an
interface to the net that, while it will screen out most
security infringements, will also make the net much less useful
to the users. Economics virtually guarantees that result, at
least till technology makes it possible, if ever, to have a
secure network.
Let me put it this way: if some virus, worm, or what have you
were to come in over the net on a regular basis, we at
Proximity would simply disconnect from the net. Period. We
can't afford to have our machines put down by such problems;
the value of net access doesn't even come close to the cost of
recovering from them.
Are we unique? I don't think so. The attempt to *force*
security on the net will simply result in the fragmentation of
the net.
Screwing over relatively unsecure systems seems to be the core of the
Mouth's position: that since system administrators, vendors, and
others do not, in his overweening opinion. care enough about
security, they should be *forced* to care about it. Since there is
no legal compulsion available, one ought to pound on existing
security holes till the systems are as secure as the Mouth would like
them to be.
Like I said. Weemba the Mouth is not competent to make ethical
judgements, yet that is exactly what he is doing. Well, he's
entitled to his own incompetence, but we ought not to pay any
attention to his rantings.
---
Bill
{uunet|novavax}!proxftl!twwells!billallbery@ncoast.UUCP (Brandon S. Allbery) (12/03/88)
As quoted from <211@twwells.uucp> by bill@twwells.uucp (T. William Wells): +--------------- | In article <13150@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes: | : As quoted from <172@twwells.uucp> by bill@twwells.uucp (T. William Wells): | : +--------------- | : | [about Weemba] | : | Mr. Spafford, you have been most reasonable in this debate; don't you | : | think that it is a good idea to stop encouraging this ethical midget | : | to post? | : +--------------- | : Much as it may annoy you, Weemba has a good point to make about this whole | : thing. (I do admit that his language is, as usual, almost(?) enough to | : obscure the point he's trying to make.) | | Let me see. After perusing what postings remain of his (slogging | through sewage would have been more pleasant), I see four points he | is trying to make: | > (deleted) | | Did I miss anything important? +--------------- Yup: (5) Finger-pointing, setting blame, and punishing the perpetrator isn't going to stop the NEXT person who gets it into his/her/its head to do something like the Worm. This is perhaps the most important point that has yet been made about the whole Worm debacle. It'd be nice if people paid attention to it. The others are either variations on this, or *suggestions* as to how to actually get people doing something instead of pointing fingers. ++Brandon -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
bill@twwells.uucp (T. William Wells) (12/06/88)
In article <13201@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes: : As quoted from <211@twwells.uucp> by bill@twwells.uucp (T. William Wells): : | Let me see. After perusing what postings remain of his (slogging : | through sewage would have been more pleasant), I see four points he : | is trying to make: : | : > (deleted) : | : | Did I miss anything important? : +--------------- : : Yup: : : (5) Finger-pointing, setting blame, and punishing the perpetrator isn't : going to stop the NEXT person who gets it into his/her/its head to do : something like the Worm. But that is just a rephrase of point #2: > 2) It is no good blaming or prosecuting The Worm because that > doesn't accomplish anything. --- That disgusting Weemba sent me e-mail, of his typically abusive kind, in which he denies that he said #2. If you are correct in your assertion that he said (5), which is just a paraphrase of (2), then you have given me further evidence of his intellectual dishonesty. Since I don't have his messages any more, I can't verify that this is true; do you have one of the messages where he said it, or failing that, do you recall who it is that was archiving the worm discussion? --- Bill {uunet|novavax}!proxftl!twwells!bill
allbery@ncoast.UUCP (Brandon S. Allbery) (12/13/88)
As quoted from <242@twwells.uucp> by bill@twwells.uucp (T. William Wells): +--------------- | In article <13201@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes: | : (5) Finger-pointing, setting blame, and punishing the perpetrator isn't | : going to stop the NEXT person who gets it into his/her/its head to do | : something like the Worm. | | But that is just a rephrase of point #2: +--------------- (Did this message get lost in a net.timewarp or something???!) I dropped a line: Thinking about security and TAKING ACTION TO PREVENT FURTHER ABUSES will stop the next person. The point was that constructive action is better than blaming everyone under the sun (or Sun, as the case may be) for what happened. And some people *still* haven't gotten the point yet. +--------------- | That disgusting Weemba sent me e-mail, of his typically abusive kind, | in which he denies that he said #2. +--------------- You're disclosing the contents of email? (Paraphrased, but still not proper.) +--------------- | If you are correct in your assertion that he said (5), which is just | a paraphrase of (2), then you have given me further evidence of his | intellectual dishonesty. +--------------- He said (not in so many words) the modified version of (5) above. He expended quite a few classic tantrums on it, in fact; and I jumped into the fray to try to rephrase them in a form acceptable to the rest of the world, BECAUSE he had a good point. And I think a distinction can be drawn between your #2 (which someone else, I forget who, DID propose) and my #5 even though they start out the same way: one is mindless flaming, the other offers an alternative and is therefore constructive. (Constructive?! Will the world end? ;-) +--------------- | Since I don't have his messages any more, I can't verify that this is | true; do you have one of the messages where he said it, or failing | that, do you recall who it is that was archiving the worm discussion? +--------------- Ncoast had them until our news partition ran out of inodes and we had to trash them to get inodes back (no, it ISN'T the System V Alzheimer's bug, System III doesn't do inode caching of that sort). ++Brandon -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@<backbone>.