pengo@tmpmbx.UUCP (Hans H. Huebner) (11/16/88)
Hello,

If you think security is a matter of laws or morals, please hit 'n' now.

--

What would your reaction have been if RTM, instead of starting the virus himself, had sent the complete and commented source code to the net? Sure, somebody would have started it. Sure, the damage would have been far more serious. But SURELY more people would actually have learned what the problem with computer security is. Everybody would have been able to learn the basics of the worm, and what such a program *actually* looks like. It's simply arrogant of some folks to split the network up into those people who have to roll their own code to learn about worms/virii and those who have seen how others did it (not to mention the many who think of security as a pure matter of morals/law).

Yes, I would be interested in getting my hands on Morris' code, and I'm sure many others are as well. There is no law which forbids programming or reading program source code or manuals carefully. All the moral stuff is void. If I want to know how a virus works, I write one. Maybe it contains a bug, and the same thing happens again. There has to be more information to ensure proper protection. Just the gurus yelling around "Uhh... It was so hard disassembling this thing, but now *I* know it" is simply unconstructive.

Maybe this is just the thing to propagate: "Hey hackers, just post your nifty little hacking programs to show the big guys here that you are no Masterminds". This would be the practical way to show hackers' ethics.

The next steps? Yeah -- Trust the people you can get your hands on. Punish THEM if they fail to do correct work (i.e. get your lawyers up to SUN). Subscribe to security@cpd.com. Post bug information to the widest possible audience. Force your computer vendor to provide sufficiently debugged and secure code. Be careful with connecting your machines to suspicious networks. If you do so, ask some guy whom you trust and who has security knowledge to check your system's security. Hire the hacker instead of criminalizing him.

In a way, over the last two years such a scheme has been successful in improving the security of VAX/VMS. Not only has the time from bug announcement to the release of a fix by DEC significantly decreased, the basic security of VMS as it's initially installed at the end user has improved as well. Ask how this comes? Well, just remember NASA/SPAN, Philips etc. As soon as the hackers started to use a bug for their purposes, DEC got very busy getting a fix out. There are still flaws in their basic configuration, but as soon as the next network gets clogged, I'm sure DEC will take the next step. But all this is void if the sysadms ignore security.

I know, a policy like that could possibly do big damage to the net as it is right now. But in my opinion it would be better to radically improve the mechanism for dealing with bugs than to do a post-mortem analysis every time some hacker feels like showing us how dumb we are. The latter will convince the executives that networks are insecure and maybe force disconnection from the rest of the world. The first would show some responsibility from our side, which in my opinion is much better.

BTW, all the non-computer people I discussed the RTM case with in the last days agreed with me on one point. The primary responsibility for this case is in the hands of the programmers who wrote the buggy code, not in RTM, who simply found out that the code was buggy. OK, they're only users, I know, nuffin to speak about ... But they trust us, and signs are that we're going to disappoint them.

Please send Email in case you feel this is the wrong place to discuss this topic. I'd be interested in discussing security seriously, and not from the view "Shit, my boss is gonna fire me if he hears that I compiled sendmail with -DDEBUG.".

There will be no fundamental change in the near future, but if anybody can find a practical solution to this problem, it's the people who know what they're talking about. Laws won't win, you cannot tell people to stop thinking. Waiting for the Boss to pull the wire is bad as well.

-Hans
--
Hans H. Huebner, netmbx       | PSIMail: PSI%026245300043100::PENGO
Woerther Str. 36              | DOMAIN:  pengo@tmpmbx.UUCP
D-1000 Berlin 20, W.Germany   | Bang:    ..!{pyramid,unido}!tmpmbx!pengo
Phone: (+49 30) 882 54 29     | BITNET:  huebner@db0tui6