[news.sysadmin] Getting Even

lyndon@nexus.ca (Lyndon Nerenberg) (11/09/88)

In article <5343@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
>
>Now, if you have such a lock on your door, and you wake up in the
>middle of the night to find that a stranger has broken into your home
>and is wandering about, bumping into things in the dark and breaking
>them, how do you react?  Do you excuse him because the lock is easy to
>circumvent?  Do you thank him because he has shown you how poor your
>locks are?  Do you think *you* should be blamed because you never got
>around to replacing the lock with a better one and installing a
>burglar alarm?

Gene, we have to (at least partially) excuse him, because WE gave
him the key! The person who needs "prosecuted" is the person who
hardwired the "wizards" password into sendmail. For accomplices, round
up every sys admin who didn't change it from the default.

Does your car insurance cover theft of contents when you leave the
doors unlocked?

rcj@moss.ATT.COM (11/09/88)

In article <5343@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
}Consider an analogy:
}
}Locks built in to the handle of a door are usually quite poor;
}deadbolts are a preferred lock, although they too are not always
}secure.  These standard, non deadbolt locks can be opened in a few
}seconds with a screwdriver or a piece of plastic by someone with little
}training.
}
}Now, if you have such a lock on your door, and you wake up in the
}middle of the night to find that a stranger has broken into your home
}and is wandering about, bumping into things in the dark and breaking
}them, how do you react?  Do you excuse him because the lock is easy to
}circumvent?  Do you thank him because he has shown you how poor your
}locks are?  Do you think *you* should be blamed because you never got
}around to replacing the lock with a better one and installing a
}burglar alarm?

Dr. Analogy here -- this one doesn't wash, either, Spaf.
It's better than most, though -- let's see if we can make it accurate.
Add the fact that there are many people who have a key to the door of
your house, that there are many people coming in, leaving, and wandering
all over your house at all hours of the day and night.  They aren't in
your bedroom, because you have a super-good lock that only a few select
people have keys to   ;-)  but they're everywhere else all the time.
They're watching your TV, using your phones, reading your books, using
your appliances, etc.

In addition, you have a separate door that allows *anyone* in -- it
isn't even locked!  And there's an honor-system book exchange in the
separate area of the house that it opens onto!

NOW, are you going to be as upset if you find someone you don't know
wandering around in your house in the middle of everyone else?  Well,
you're still going to be upset because his activities, while not
damaging, have disrupted the entire household and brought all the
others' activities to a standstill -- so much so that you have to
empty the house while you deal with him.  But it isn't nearly the
fear, upset, and anger you would experience in the analogy you gave.

}We have failed to imbue society with the understanding that computers
}contain property, and that they are a form of business location.  If
}someone breaks our computers, they put us out of work.  If someone
}steals our information, it is really theft -- not some prank gone
}awry.  If someone broke into the NY Times and vandalized their printing
}presses, it would not be dismissed as the work of a bored college
}student, and even if it was the son of the editor, I doubt anyone would
}make a statement that "It will ultimately be a good thing -- we'll be
}forced to improve our security."

This, I must admit is a very very valid viewpoint -- hadn't thought of
it that way.  Thanks.  [Due to my rather flaming articles of recent,
I feel compelled to clarify that this is NOT sarcasm!]
I still take issue, though, Gene.  My business location doesn't
have people wandering around bumping into things because we have a
security group and a lobby with guards.  We don't shut ourselves off
from the outside world, there are no fences, just security at the
entrances.  Bob Morris didn't come in through the window -- he came
in through the door.

}We cannot depend on making our systems completely secure.  To do so
}would require that we disconnect them from each other.  There will
}always be bugs and flaws, but we try to cover that by creating a sense
}of responsibility and social mores that say that breaking and cracking
}are bad things to do.  Now we have to demonstrate to the world that

"Computer Cracking -- Just Say No"
You should get Nancy Reagan to help with your campaign -- look what
she's done against drugs in the U.S.  :-(
I'm glad my bank doesn't have your attitude.

Curtis Jackson	-- att!moss!rcj  201-386-6409
"The cardinal rule of skydiving and ripcords:  When in doubt, whip it out!"

cc1@valhalla.cs.ucla.edu (R...for Rabbit) (11/09/88)

In article <10520@ncc.Nexus.CA> lyndon@nexus.ca (Lyndon Nerenberg) writes:
^In article <5343@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
^   [Gene's lock analogy deleted]
^Gene, we have to (at least partially) excuse him, because WE gave
^him the key! The person who needs "prosecuted" is the person who
^hardwired the "wizards" password into sendmail. For accomplices, round
^up every sys admin who didn't change it from the default.
^Does your car insurance cover theft of contents when you leave the
^doors unlocked?

But is the guy who did it still a criminal?  Hell yes, he stole your
stuff.  Maybe you are at fault, but that doesn't make him any less
criminal in his actions.  If someone can effortlessly rip off stuff
from a store, does that mean that they're not really stealing, because
the store owners made it so easy?

But enough of arguing analogies; we could do this all day.  The point 
is, it doesn't matter how easy or hard it was for him to accomplish
this, the point is that he did it.  The question is, what should be
done to him?  I think you can't remove the blame from him, because
the programmers made it easy for him to accomplish this.  The ease
of doing something doesn't determine if someone is guilty or not
guilty.

				--R for Rabbit

rick@seismo.CSS.GOV (Rick Adams) (11/09/88)

> Does your car insurance cover theft of contents when you leave the
> doors unlocked?

Does that make it less of a crime?

dan@ccnysci.UUCP (Dan Schlitt) (11/09/88)

Spaf, you are probably correct in your comments, particularly those
about blaming the victim.  However....

Well, I probably can view the problem of the worm with a bit of
detachment since we are not yet connected to the internet and thus did
not get attacked by it.  But there are a group of people who I
have not seen mentioned who should share a good part of the blame for
the extensive propagation of the worm.

When I get the BSD distribution as a university site I know what I am
getting.  It is not a polished commercial product and I take the
responsibility for cleaning things up if they bother me.  I saw the
trapdoor code several times as I looked at the source.  I wasn't
curious enough to check out what it did nor sharp enough to see the
problems it might create.  If I had been bitten then I would be
kicking myself for contributing to the problem.

On the other hand, some of the machines that were attacked were
running what purports to be a commercial product.  In the tcp-ip group
there has recently been discussion of  the documentation and setup on
the distributed operating system that creates many problems, including
security problems, when the machines are connected to the internet.  It
seems to me that there is good reason for some serious soul searching
in some corporate headquarters over what has just happened.

And that shouldn't be applied just to that organization.  I have a
computer from yet another vendor with the sendmail trapdoor.  I will
patch that binary too.  But I ask you, why should a vendor distribute
programs compiled with DEBUG defined?



-- 
Dan Schlitt                        Manager, Science Division Computer Facility
dan@ccnysci                        City College of New York
dan@ccnysci.bitnet                 New York, NY 10031
                                   (212)690-6868

pda@stiatl.UUCP (Paul Anderson) (11/10/88)

In article <44439@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
>> Does your car insurance cover theft of contents when you leave the
>> doors unlocked?
>Does that make it less of a crime?

No.

But the criminal doesn't *care*.
And the student is sometimes misguided.  

That's why senior engineers make project direction decisions (as opposed to
coop and grad students).

paul
-- 
Paul Anderson		gatech!stiatl!pda		(404) 841-4000
	    X isn't just an adventure, X is a way of life...

trn@warper.jhuapl.edu (Tony Nardo) (11/10/88)

In article <36111@clyde.ATT.COM> rcj@moss.UUCP (Curtis Jackson) writes:
>...We don't shut ourselves off
>from the outside world, there are no fences, just security at the
>entrances.  Bob Morris didn't come in through the window -- he came
>in through the door.

I can't speak for your house, but I know that *my* house does not have some
unsuspected secret door leading in.

If you mean to say that "sendmail" was the door, then the authors of "sendmail"
should have to face a little fire of their own.  They made at least one key to
that door and left it sitting around -- WITHOUT openly telling the world that
they had done so!

==============================================================================
ARPA:   trn%warper@aplvax.jhuapl.edu   OR   nardo%str.decnet@capsrv.jhuapl.edu
BITNET:	trn@warper.jhuapl.edu
UUCP:	{backbone!}mimsy!aplcomm!warper!trn

50% of my opinions are claimed by various federal, state and local governments.
The other 50% are mine to dispense with as I see fit.
==============================================================================

wbt@cbnews.ATT.COM (William B. Thacker) (11/10/88)

In article <36111@clyde.ATT.COM> rcj@moss.UUCP (Curtis Jackson) writes:
>In article <5343@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:
>}Consider an analogy:
>}
>}Locks built in to the handle of a door are usually quite poor;
>}deadbolts are a preferred lock, although they too are not always
>}secure.  These standard, non deadbolt locks can be opened in a few
>}seconds with a screwdriver or a piece of plastic by someone with little
>}training.
>}
>}Now, if you have such a lock on your door, and you wake up in the
>}middle of the night to find that a stranger has broken into your home
>}and is wandering about, bumping into things in the dark and breaking
>}them, how do you react?  Do you excuse him because the lock is easy to
>}circumvent?  Do you thank him because he has shown you how poor your
>}locks are?  Do you think *you* should be blamed because you never got
>}around to replacing the lock with a better one and installing a
>}burglar alarm?
>
>Dr. Analogy here -- this one doesn't wash, either, Spaf.
>It's better than most, though -- let's see if we can make it accurate.
>Add the fact that there are many people who have a key to the door of
>your house, that there are many people coming in, leaving, and wandering
>all over your house at all hours of the day and night.  They aren't in
>your bedroom, because you have a super-good lock that only a few select
>people have keys to   ;-)  but they're everywhere else all the time.
>They're watching your TV, using your phones, reading your books, using
>your appliances, etc.
>
>In addition, you have a separate door that allows *anyone* in -- it
>isn't even locked!  And there's an honor-system book exchange in the
>separate area of the house that it opens onto!
>
>NOW, are you going to be as upset if you find someone you don't know
>wandering around in your house in the middle of everyone else?  Well,

Well, while we're bashing analogies... yours is even further off the
mark, Curtis.

Consider that those many people with keys to your door are all your
close friends, who you know you can trust; and that they contributed
many of those books in your exchange. When your TV breaks down, one of
them fixes it. You don't just give a key to anyone. 

Now, the door to your book exchange isn't locked; it's hidden behind a
secret panel. Maybe *you* didn't even know it was there. Certainly, it's
impossible for 90% of the population to find.

Finally, some stranger goes to school for four years, studying
architecture. He gets the blueprints for your house and studies them,
too, until he finally discovers that secret door. Instead of sending you a
letter describing the door and advising you lock it, he decides for
something a bit "showier".

Thus, the next morning, you wake up to find strange, muddy bootprints all
over your house, and all the rooms are filled to the ceiling with styrofoam
peanuts. Sure, it only takes you a day or so to clean the place up, and he
could have done more, but...




In a related matter :  What ever happened to Captain Midnight, the
gentleman who commandeered HBO's satellite a few years ago ?  I seem to
recall that he was caught, but I don't know what happened after that.

Seems to be rather an analogous case.



------------------------------ valuable coupon -------------------------------
Bill Thacker						att!cbnews!wbt
	"C" combines the power of assembly language with the
	 flexibility of assembly language.
Disclaimer: Farg 'em if they can't take a joke !
------------------------------- clip and save --------------------------------

sl@van-bc.UUCP (pri=-10 Stuart Lynne) (11/17/88)

In article <10520@ncc.Nexus.CA> you write:
>In article <5343@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
>>
>Gene, we have to (at least partially) excuse him, because WE gave
>him the key! The person who needs "prosecuted" is the person who
>hardwired the "wizards" password into sendmail. For accomplices, round
>up every sys admin who didn't change it from the default.

>Does your car insurance cover theft of contents when you leave the
>doors unlocked?

Actually in this case it's more like whether my insurance company would
cover the theft if I knew that the door was locked but it was exceedingly
easy to break past the "lock". It's more likely that the insurance company
might try and recover costs from the manufacturer of my automobile for
providing a car with locks that they knew were easy to get past.

If you could prove that the manufacturer who distributed a product knew of a
potentially expensive security hole (or should have based on reasonable man
approach) and didn't close it they could quite probably be found liable for
damages. Of course they would try and collect from the originator of the
damage if they lost. The point being that they have deeper pockets and are
much easier to track down.

Check with your local consumer protection types for information on product
liability cases. 

-- 
Stuart.Lynne@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl     Vancouver,BC,604-937-7532