[news.sysadmin] Security fiction

pengo@tmpmbx.UUCP (Hans H. Huebner) (11/16/88)

Hello,

If you think security is a matter of laws or morals, please hit 'n' now.

--

What would your reaction have been if RTM, instead of starting the virus
by himself, had sent the complete and commented source code to the net?
Sure, somebody would have started it.  Sure, the damage would have been
far more serious.  But SURELY more people would actually have learned
what the problem with computer security is.  Everybody would have been
able to learn the basics of the worm, and what such a program *actually*
looks like.  It's simply arrogant of some folks to split the network up
into those people who have to roll their own code to learn about
worms/virii and those who have seen how others did it (not to mention the
many who think of security as a pure matter of morals/law).  Yes, I would
be interested in getting my hands on Morris' code, and I'm sure many
others are as well.

There is no law which forbids programming or reading program source code
or manuals carefully.  All the moral stuff is void.  If I want to know how
a virus works, I write one.  Maybe it contains a bug, and the same thing
happens again.  There has to be more information to ensure proper
protection.  Just the gurus yelling around "Uhh... It was so hard
disassembling this thing, but now *I* know it" is simply unconstructive.

Maybe this is just the thing to propagate:  "Hey hackers, just post your
nifty little hacking programs to show the big guys here that you are no
Masterminds".  This would be the practical way to show hackers' ethics.

The next steps?  Yeah -- trust the people you can get your hands on.  Punish
THEM if they fail to do correct work (i.e. get your lawyers up to SUN).
Subscribe to security@cpd.com.  Post bug information to the widest possible
audience.  Force your computer vendor to provide sufficiently debugged and
secure code.  Be careful about connecting your machines to suspicious
networks.  If you do so, ask some guy whom you trust and who has security
knowledge to check your system's security.  Hire the hacker instead of
criminalizing him.

In a way, over the last two years such a scheme has been successful in
improving the security of VAX/VMS.  Not only has the time from bug
announcement to the release of a fix by DEC decreased significantly; the
basic security of VMS as it's initially installed at the end user has
improved as well.  Ask how this came about?  Well, just remember
NASA/SPAN, Philips etc.  As soon as the hackers started to use a bug for
their purposes, DEC got very busy getting a fix out.  There are still
flaws in their basic configuration, but as soon as the next network gets
clogged, I'm sure DEC will take the next step.  But all this is void if
the sysadmins ignore security.

I know, a policy like that could possibly do big damage to the net as it
is right now.  But in my opinion it would be better to radically improve
the mechanism for dealing with bugs than to do a post-mortem analysis every
time some hacker feels like showing us how dumb we are.  The latter will
convince the executives that networks are insecure and maybe force a
disconnection from the rest of the world.  The former would show some
responsibility from our side, which in my opinion is much better.

BTW, all the non-computer people I discussed the RTM case with in the last
few days agreed with me on one point.  The primary responsibility for this
case lies with the programmers who wrote the buggy code, not with RTM,
who simply found out that the code was buggy.  OK, they're only users, I
know, nuffin to speak about ... But they trust us, and the signs are that
we're going to disappoint them.

Please send Email in case you feel this is the wrong place to discuss
this topic.  I'd be interested in discussing security seriously, and not
from the point of view "Shit, my boss is gonna fire me if he hears that I
compiled sendmail with -DDEBUG.".  There will be no fundamental change in
the near future, but if anybody can find a practical solution to this
problem, it's the people who know what they're talking about.  Laws won't
win; you cannot tell people to stop thinking.  Waiting for the Boss to
pull the wire is bad as well.

	-Hans

-- 
Hans H. Huebner, netmbx     | PSIMail: PSI%026245300043100::PENGO
Woerther Str. 36            | DOMAIN:  pengo@tmpmbx.UUCP
D-1000 Berlin 20, W.Germany | Bang:    ..!{pyramid,unido}!tmpmbx!pengo
Phone: (+49 30) 882 54 29   | BITNET:  huebner@db0tui6